Category: Keycloak

Best Django Openidc Package

I think we know the security benefits and the development benefits of using a delegated authentication protocol like OpenIDC or SAML.
However, actually doing the integration in the application can be difficult at times.

There is a lack of documentation and guidance on the best modules or packages to use for the various frameworks.
In this post I will be looking at the options available for Django when authenticating with an OpenIDC provider - Keycloak.

Using Django as an OpenIDC provider is not what I want - although it is possible with the django openidc provider package.

First port of call is an anonymous web search and checking django packages authentication. Django packages seems to put everything in the auth basket where we specifically want to look at OpenIDC clients.

What we are Looking For

  • Supports or is compatible with Django 3
  • Explicit OpenIDC support (OAuth 2 is not good enough; we also need the identity)
  • Good documentation
  • A client that is not closely bound to a specific provider, but is closely bound to the protocol specification
  • Integrated with django admin - i.e. logging in from django admin redirects to the provider
  • A client that can use django's existing permissions and a nice way to integrate with the provider, maybe by way of groups...

OpenIDC Django Packages we are reviewing

If there is no decent documentation the package is discarded from review.

There are ways to integrate apache and nginx with OpenIDC - the problem is making use of django's permissions. Will that still be possible?

Method of Testing

We are going to create a blank django project, add a model (Beer) and 2 django groups. The first group "customers" can view the beers - as staff on the admin site. The second group "creators" can add, view and change beers on the admin site.

Django Admin SSO

Decent - although documentation is lacking and it defaults to Google SSO. You have to check the example settings and change it to keycloak.
Initially it did not get the id token as the scope was set to email.
I had to edit the code and change the scope to openid.
Then it would only progress if email_verified was set, so I had to edit that code as well.

Weirdly in the changelog it mentions:

Using OpenID is now deprecated and OpenID support will be removed in a future release

OpenIDC is the future.

This package contains migrations that create the assignments table.


The problem with this library is that it forces assignments to be created before users are allowed to login. An assignment maps an OpenIDC identity to a local user that must already exist.

This increases the administrative burden and does not do what OpenIDC intends - delegating auth (and groups) to the identity provider.


A decent lightweight choice - purely for admin login. Just a bit of admin on setting up a user and an assignment.

Django Social Registration

Requires 'django.contrib.sites'.


Excluded. Too old and not compatible with Django 3.

Python Social Auth

The repo looks very old in terms of recent updates on GitHub.
However, social-core is where most of the updates happen.

Social auth core is a dependency of the project.


The docs are not updated for keycloak settings but they are documented in the code, for example:

    SOCIAL_AUTH_ADMIN_USER_SEARCH_FIELDS = ['username', 'first_name', 'email']
    SOCIAL_AUTH_KEYCLOAK_KEY = 'test-django-oidc'



I was getting an issue where the client_id (audience) set up on django was not present in the aud claim of the id_token JWT, producing the error: Invalid audience.

The workaround for the client_id not being in the audiences is on Stack Overflow.

The gist of it: in your client's Mappers tab, create an audience mapper for your client_id.

You also have to override the django template for admin login to add the link for keycloak login.


Overall a good quality package. Works well. Now it is just about ensuring the user gets staff status pulled through with the correct permissions from keycloak mapped to django groups.

To give a user is_staff and the relevant group assignments, the flow with python social auth is to create a pipeline step as mentioned in this GitHub issue. Here are the docs for extending the pipeline.

So we can modify the pipeline to match our requirements, for example whether users are created automatically or not. The default pipeline can be overridden by the SOCIAL_AUTH_PIPELINE setting.

Pipelines can also be defined per backend, for example: SOCIAL_AUTH_TWITTER_PIPELINE
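As an added example (my settings fragment, not the author's code and not social-core's documentation), here is the settings.py the keycloak settings quoted above belong to: the keycloak backend, its SOCIAL_AUTH_KEYCLOAK_* settings and the default pipeline written out so it can be edited. The secret and public key are placeholders, and `myproject.auth_pipeline.sync_keycloak_roles` is a hypothetical custom step.

```python
# settings.py (added example; secret and public key are placeholders)
AUTHENTICATION_BACKENDS = [
    'social_core.backends.keycloak.KeycloakOAuth2',  # Keycloak via python-social-auth
    'django.contrib.auth.backends.ModelBackend',     # keep password login for local admins
]

SOCIAL_AUTH_KEYCLOAK_KEY = 'test-django-oidc'             # client id, also the expected `aud`
SOCIAL_AUTH_KEYCLOAK_SECRET = '<client secret from Keycloak>'
# Realm Settings -> Keys -> RS256 public key, base64 body only (no PEM header/footer);
# the backend verifies the access token signature with it before trusting any claim
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = '<realm public key>'
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = 'https://keycloak.custom/auth/realms/master/protocol/openid-connect/auth'
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = 'https://keycloak.custom/auth/realms/master/protocol/openid-connect/token'

# The default pipeline made explicit: drop 'create_user' if users must pre-exist
# locally, and append the custom role-sync step after 'user_details'
SOCIAL_AUTH_PIPELINE = (
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',
    'social_core.pipeline.user.get_username',
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',
    'myproject.auth_pipeline.sync_keycloak_roles',   # hypothetical custom step
)
# A per-backend SOCIAL_AUTH_KEYCLOAK_PIPELINE would take precedence for keycloak only
```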

We just need to be clear on the use of groups and roles in keycloak. Groups define the types of users in an organisation. Composite roles are for managing the application side.

In other words, groups are only an entity on keycloak side - they are not ever sent to client applications. Only the roles they assign are.

Overall I think this is a great choice.

Django Boss SSO 2

Leverages other libraries, namely drf-oidc-auth and mozilla-django-oidc, to provide OpenIDC auth with keycloak for django and django rest framework.

The readme has inconsistencies and does not list all required packages. There are too many libraries that are too similar, in my opinion.

django-oidc is used but not listed and is not Django > 2 compliant.

Yes, it is not at the level required.

I do not recommend this package.

Django Keycloak Auth

Specifically for drf - django rest framework.

Each viewset has to be explicitly given roles:

    keycloak_roles = {
        'GET': ['judge'],
    }

I don't like this - I would prefer leveraging of djangos groups and permissions.

I am going to skip reviewing this package.

Django AllAuth

I had an issue where the response was the encoded JWT but the keycloak backend was expecting a JSON response.

So I raised an issue and will look at this again when there is a change...

Turns out this was a problem with the settings on the provider side (keycloak) - the Userinfo signed response algorithm must be unsigned. I had it as RS256.


Mozilla Django OpenIDC

Very straightforward to set up.
We need to do a bit of niggly work to get the login link on the admin page shown below.

Remember the link that initialises the redirect code flow points at the oidc_authentication_init URL:

    <a href="{% url 'oidc_authentication_init' %}">{% translate 'Login with SSO Provider' %}</a>

Then, similar to the pipelines in python-social-auth, you need to define a function for extra stuff like linking groups up and making people superusers, setting first names and last names etc. Although not as elegant as the way social auth does it...

You end up having to inherit from OIDCAuthenticationBackend and heavily customise the backend to your liking.
More so than necessary with python-social-auth.

A decent library choice but architecturally python-social-auth is better.

Tutorial on how to add a Login with OpenIDC link to the Admin Page

  1. Tell Django to look for templates in your project's templates directory by adding it to DIRS in the TEMPLATES setting:

    'DIRS': [os.path.join(BASE_DIR, 'templates')],

    Remember to import os.

  2. Now add the template for the login page to that folder - copy the content of env/lib/../django/contrib/admin/templates/admin/login.html into <your_project>/templates/admin/custom_login.html

    Make the changes to the template (a link to OpenIDC login).

  3. Now tell the admin site to use that template - in urls.py set admin.site.login_template = 'admin/custom_login.html'

Keycloak OIDC

An enhancement on top of mozilla-django-oidc, adding the ability to link keycloak roles to groups on django.

Still not 100% yet - as is_staff and is_superuser will have to be handled in a custom manner.
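The role-to-group mapping that the python-social-auth pipeline step, the OIDCAuthenticationBackend subclass and the keycloak-oidc package all leave to you, as an added example (my code, not from any package reviewed here). It assumes Keycloak's standard realm_access/resource_access claims, the client id test-django-oidc from the social-auth settings above, and constructed role and group names; sync_keycloak_roles, update_user_from_claims and the other function names are hypothetical.

```python
CLIENT_ID = "test-django-oidc"          # the client id used on this page
# Constructed mapping: Keycloak role -> Django group (the groups from "Method of Testing")
ROLE_MAP = {"beer-viewer": "customers", "beer-editor": "creators"}
SUPERUSER_ROLE = "django-superuser"     # constructed realm role name

def audience_ok(claims, client_id=CLIENT_ID):
    # aud may be a string or a list; our client id must be in it
    # (the "Invalid audience" error is this check failing inside the backend)
    aud = claims.get("aud", [])
    return client_id in ([aud] if isinstance(aud, str) else aud)

def keycloak_roles(claims, client_id=CLIENT_ID):
    # Realm roles plus the roles of *our* client; roles of other clients
    # (e.g. Keycloak's built-in "account" client) are ignored
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles.update(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles

def access_from_roles(roles):
    # Pure decision: which groups, and whether the user may enter the admin site
    roles = set(roles)
    groups = sorted(ROLE_MAP[r] for r in roles if r in ROLE_MAP)
    superuser = SUPERUSER_ROLE in roles
    return {"groups": groups, "is_staff": bool(groups) or superuser, "is_superuser": superuser}

def apply_access(user, access):
    # Persist the decision; Django is imported lazily so the helpers above run without it
    from django.contrib.auth.models import Group
    user.groups.set([Group.objects.get_or_create(name=n)[0] for n in access["groups"]])
    user.is_staff, user.is_superuser = access["is_staff"], access["is_superuser"]
    user.save()          # groups.set() also revokes groups the roles no longer grant

def sync_keycloak_roles(backend, user, response, *args, **kwargs):
    # python-social-auth pipeline step: list it in SOCIAL_AUTH_PIPELINE after
    # 'social_core.pipeline.user.user_details'. For the keycloak backend `response`
    # carries the decoded access-token claims (assumption about social-core)
    if user is None or backend.name != "keycloak" or not audience_ok(response):
        return
    apply_access(user, access_from_roles(keycloak_roles(response)))

def update_user_from_claims(user, claims):
    # mozilla-django-oidc: call this from create_user()/update_user() of your
    # OIDCAuthenticationBackend subclass; the Keycloak role mappers must add
    # realm_access/resource_access to the claims source the backend reads
    apply_access(user, access_from_roles(keycloak_roles(claims)))
```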

Using Keycloak as the Identity Provider for AWX

Good day, in this post I will show you how to use Keycloak (open source Red Hat SSO) as the identity provider for AWX.

I am basing this tutorial on the post on Red Hat SSO integration and on the AWX docs on SAML authentication.


You need the following set up:

  • AWX instance
  • Keycloak Instance
  • A realm with users or linked to another user source (identity brokering or user federation with LDAP)

Creating a Key Pair

Using OpenSSL or LibreSSL create a public-private key pair:

openssl req -new -x509 -days 365 -nodes -out saml.crt -keyout saml.key

On your keycloak realm -> keys -> providers -> Add (RSA)

Then upload your private key and cert you created.


  1. Log into AWX as an admin user
  2. Go to Settings -> Authentication
  3. At the top select the SAML button

    On this page the SAML Assertion Consumer Service (ACS) URL and SAML Service Provider Metadata URL are provided for you to enter on keycloak side

At this stage we can create the client for our realm

  1. Log into keycloak as realm admin
  2. Go to Clients -> Create client

    Set Client Protocol to SAML

    Go to /api/v2/settings/system on AWX to find your TOWER_URL_BASE. Add that as the Entity ID on Keycloak side.


    Then add the SAML Assertion Consumer Service (ACS) URL from AWX as the Client SAML Endpoint on Keycloak.


Now that the client is created, fill in the remaining SAML settings: the entity ID, the SAML Service Provider Public Certificate and the SAML Service Provider Private Key you created previously.

Now fill in any additional information:

Under SAML Service Provider Organization Info (This is just information about the identity provider):

    {
      "en-US": {
        "url": "",
        "displayname": "Keycloak",
        "name": "keycloak"
      }
    }

Under SAML Service Provider Technical Contact:

    {
      "givenName": "Some User",
      "emailAddress": ""
    }

Under SAML Service Provider Support Contact:

    {
      "givenName": "Some User",
      "emailAddress": ""
    }

Under SAML Enabled Identity Providers (Info on how to connect to the provider):

    {
      "RHSSO": {
        "attr_last_name": "last_name",
        "attr_username": "username",
        "entity_id": "",
        "attr_user_permanent_id": "name_id",
        "url": "",
        "attr_email": "email",
        "x509cert": "",
        "attr_first_name": "first_name",
        "attr_groups": "groups"
      }
    }

Under SAML Organization Map (the admins list holds the SAML group names that get organization admin; the placeholder below stands for your own group name):

    {
      "Default": {
        "users": true
      },
      "Systems Engineering": {
        "admins": ["<your-admin-group>"],
        "remove_admins": false,
        "remove_users": false,
        "users": true
      }
    }

Add the Mappers on Keycloak


Keycloak Error: “We’re sorry, failed to process response”

Check your Keycloak log. If the log displays

failed: org.keycloak.common.VerificationException: Client does not have a public key

set Encrypt Assertions to OFF in your Keycloak client.

Logs in to Keycloak and Redirects - but does not Login to AWX

In the AWX logs you will find this line:

social Found an Attribute element with duplicated Name

You have to go to Your Realm -> Client Scopes (left side) -> role_list -> Mappers -> role list -> set Single Role Attribute to On

Boom - it works!


Using Keycloak as the identity provider for users on django and django-admin

I have used mozilla's Django OpenID Connect client before, but this time I found something called Django-AllAuth.

Django-Allauth seems packed full of features and is well maintained. So I am going to test whether I can use it with Keycloak as the identity provider for users on django and django admin.

Initial Setup

With your activated environment and existing django project:

pip install django-allauth

Add the required settings in settings.py:

    INSTALLED_APPS += [
        'django.contrib.sites',
        'allauth',
        'allauth.account',
        'allauth.socialaccount',
        'allauth.socialaccount.providers.keycloak',
    ]
    SITE_ID = 1

    AUTHENTICATION_BACKENDS = [
        # Needed to login by username in Django admin, regardless of `allauth`
        'django.contrib.auth.backends.ModelBackend',
        # `allauth` specific authentication methods, such as login by e-mail
        'allauth.account.auth_backends.AuthenticationBackend',
    ]

    # Set your keycloak url and realm
    SOCIALACCOUNT_PROVIDERS = {
        'keycloak': {
            'KEYCLOAK_URL': 'https://keycloak.custom/auth',
            'KEYCLOAK_REALM': 'master'
        }
    }

To get the KEYCLOAK_URL you just add /auth to your keycloak base url.

Then include the allauth URLs in urls.py:

    urlpatterns = [
        path('accounts/', include('allauth.urls')),
    ]

Then migrate the db:

./manage.py migrate

Follow the instructions for registering a client on keycloak:

  • Set the valid redirect URI for development: http://localhost:8000/accounts/keycloak/login/callback/
  • Set the client access type to confidential
  • Get the client id and secret


Then run the server and:

  1. Change the domain of the default site to your own
  2. Create a socialapp for each integration

That is where you add your keycloak client information.

Set the details on django admin side


Make sure to link it to the given site. Otherwise you will get an error like this: Django: SocialApp matching query does not exist

You can also use the settings configuration instead of adding details in the database

Trying it out

Log out of the admin and go to the allauth login page.

Click Login with keycloak and login. It's not much to look at but functionality is key.


Once you are logged in it goes to the /accounts/profile path and 404's.

If you get a redirect_url error make sure you whitelist the redirect url you are using.

Fixing the Account/Profile 404

Why does it redirect here after a successful login - must I implement the view?

What happens on the admin side?

An active user is created.

How can groups / roles be pulled through from the user roles or client roles on keycloak?