OIDC group sync with Keycloak?

poVoq · January 22, 2025, 11:11pm

Is it possible to sync groups via the OIDC login support in ODK-Central?

Keycloak allows you to set custom groups and it would be nice if users could automatically join projects in ODK Central that have the same name as those groups.

The reverse that joining a project in ODK Central adds one to a group in Keycloak would be nice as well.

atanu · January 23, 2025, 2:16am

Looking for the answer.

LN · January 24, 2025, 10:49pm

There is not currently any built-in functionality to sync users from an OIDC provider.

Your best bet right now would be to build your own small script or service. For example, you could periodically poll for users in both Central and Keycloak and align the two lists. Alternately, you could use an event-based approach using https://github.com/p2-inc/keycloak-events and ideas from Webhooks in ODK Central - #16 by spwoodcock

spwoodcock · January 24, 2025, 11:33pm

If there is an event created in the audit logs for the action you need (audits table), then you could possibly have that trigger a request to the keycloak API to do what you need.

It's a bit convoluted, but could work!

poVoq · January 25, 2025, 12:01am

Thanks for the suggestions. That webhook system for Central sounds interesting, but in that combination it seems like it would only allow to push changes from Central to Keycloak, while for my application I would be more interested in the reverse.

I guess a script that interacts with the Central API could work though.

atanu · April 12, 2025, 9:08am

@poVoq i am reviving this thread to test the Keycloak-OIDC integration. Can you share your experience and outcome on this?

poVoq · April 12, 2025, 4:21pm

The problem is that it only does very basic login for already existing accounts, and due to it blocking API access I can't easily create users and assign them to projects via an external script either.

atanu · April 12, 2025, 5:08pm

I am guessing that the keycloak-integration does login only for existing accounts, because ODK doesn't have any signup concept, for example:

[screenshot - {DOMAIN}#/login?next=/]

Earlier, i created the public sign up for the CAPIBuilder, a wrapper on top of the ODK API.

[Screenshot]

Rough plan:

Sign up: For the org domain, i can use the CAPIBuilder to make a request to Keycloak, get it validated with the keycloack tenant, and get the credentials and send the request to ODK SSO endpoint.

Need to map the User roles with respect to the organization (e.g., User: ABC, role: Program Manager, Organization: ACME Corporation) shall be a Project Manager in ODK.

Login: In the same way, user enters the login credentials to get validated througn Keycloak and redirects back to CAPIBuilder.

poVoq · April 12, 2025, 5:51pm

Maybe I am overlooking something in your plan, but with SSO currently making the ODK API inaccessible, how will that work?