Replace Drupal login with Keycloak single sign-on (SSO) is not working

I was just investigating this.

First of all, the KeycloakService doesn't work anymore since OpenID Connect module switched from configuration to config entities. Instead of loading openid_connect.settings.keycloak config, it should load an active keycloak client like in OpenIDConnectLoginForm::submitForm

    // Loading an active keycloak client.
    $clients = $this->entityTypeManager->getStorage('openid_connect_client')->loadByProperties(['plugin' => 'keycloak', 'status' => 1]);
    $client = reset($clients);

    // From there you can access the settings
    $settings = $client->getPluginCollections()['settings'];
    // or the plugin.
    $plugin = $client->getPlugin();

Same for the KeycloakController, you should load an active client and then execute the same code as OpenIDConnectLoginForm::submitForm. But when I tried this solution I got an exception :

LogicException: The controller result claims to be providing relevant cache metadata, but leaked metadata was detected. Please ensure you are not rendering content too early. Returned object class: Drupal\Core\Routing\TrustedRedirectResponse

This need more investigating and test, but I don't have time to do so, hope this help.

Thanks colin.eininger,
I have also tried to update the Code for Keycloak module in similar manner but i am also reciveing the same error in the authorize function of "/keycloak/src/Plugin/OpenIDConnectClient/Keycloak.php"

I have made this changes because I need my application to auto redirect to SSO server's login page when "user/login" page of the app has been called

Changes i made were following

File: keycloak/src/Service/KeycloakService.php >>
Replace return $this->config->get('enabled'); with return $this->config->get('status'); (in isEnabled function)
Replaced protected const OPENID_CONNECT_CONFIG_NAME = 'openid_connect.settings.keycloak'; with protected const OPENID_CONNECT_CONFIG_NAME = 'openid_connect.client.keycloak'

File: keycloak/src/Controller/KeycloakController.php
Replaced $configuration = $this->config('openid_connect.settings.keycloak')->get('settings'); with $configuration = $this->config('openid_connect.client.keycloak')->get('settings');

File: keycloak/src/Plugin/OpenIDConnectClient/Keycloak.php
Replaced 'openid_connect_client' => $this->parentEntityId, with 'openid_connect_client' => 'keycloak',

But i end up receiving following error

"LogicException: The controller result claims to be providing relevant cache metadata, but leaked metadata was detected. Please ensure you are not rendering content too early. Returned object class: Drupal\Core\Routing\TrustedRedirectResponse. in Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->wrapControllerExecutionInRenderContext() (line 154 of core/lib/Drupal/Core/EventSubscriber/EarlyRenderingControllerWrapperSubscriber.php)."

As i am new to Drupal I do not understand this what this error means though i tried the solution listed on internet for resolving such kind of erro but no luck.

Please help on this

There is another issue open for this: 🐛 Can't get SingleSignOut to work Active
Where some more discussion about the topic happened. That one is also part of the roadmap to getting 2.x stable.

@hiralshah1991 Your problem is this one:
https://www.drupal.org/project/keycloak/issues/3391108 🐛 Error to built redirect URL RTBC

in combination with this one:
https://www.drupal.org/node/2638686 →

The problem here is the OPENID_CONNECT_CONFIG_NAME in combination with a missing enabled config as queried in KeycloakService::isEnabled(). I assume we have to change the implementation of KeycloakService::isEnabled() to query the status config property. See attached 3382665-fix-config-enabled-flag.diff.

Ran into another problem in the KeycloakController where the old setting is used. Here's the fix: 3382665-7-fix-config-enabled-flag.diff →

@hiralshah1991 I fixed your last problem directly in Keycloak without hacking core.

https://www.drupal.org/project/keycloak/issues/3396331 🐛 LogicException when redirecting to Keycloak Needs review

As I said earlier, OpenID Connect module module changed the way it stores configuration (from config to config entities) + The user can chose the configuration id.

So hard coding "openid_connect.client.keycloak" as #6 does is not the way to go I think. First of all, the controller would be aware of which config is actually used (e.g., putting the id of the config into the route path). This way we can give it to the service to use the right config.

I don't know in which case there can be multiple keycloak config on the same site, but It's actually possible and can be a use case (like multiple realms maybe ?).

An other idea: When the admin checks the option to replace the login page, then load a keycloak config with that option but in an undefined order (+ document this behavior) and use it.

I don't know in which case there can be multiple keycloak config on the same site, but It's actually possible and can be a use case (like multiple realms maybe ?).

Example:
- Agency X using keycloak for all their Devs
- Customer X using keycloak for all their users

It's a valid use case which we actually have on some projects. I've actually also worked once for a customer where they had two keycloak instances. One for their internal employees, and one for their external users/clients/customers.

An other idea: When the admin checks the option to replace the login page, then load a keycloak config with that option but in an undefined order (+ document this behavior) and use it.

Yeah, I guess we need to perhaps have the option to set a default one for when the replace drupal login option is selected. The others of course still need to be accessible by their own path on the site.

The issue https://www.drupal.org/project/keycloak/issues/3390391 📌 Add keycloak support for multple instances from openid_connect 3.x Needs review implements support for multiple keycloak configurations and adds a global setting to choose which of the keycloak configurations that should be used to override the drupal login form.

#7 give me the next error

Symfony\Component\Routing\Exception\InvalidParameterException: Parameter "openid_connect_client" for route "openid_connect.redirect_controller_redirect" must match "[^/]++" ("" given) to generate a corresponding URL. in Drupal\Core\Routing\UrlGenerator->doGenerate() (line 209 of core/lib/Drupal/Core/Routing/UrlGenerator.php).

I have fixed #14 by changing Drupal\keycloak\Controller\KeycloakController::login() as following:

public function login() {
    $this->session->saveDestination();
    $client_name = 'keycloak';

    $config = $this->config('openid_connect.client.keycloak');
    $settings = $config->get('settings');
    $pluginCollection = new OpenIDConnectClientCollection($this->pluginManager, $client_name, $settings, $config->get('id'));
    $client = $pluginCollection->get($client_name);

    $scopes = $this->claims->getScopes();
    $_SESSION['openid_connect_op'] = 'login';
    return $client->authorize($scopes);
  }

With this change, the client_id is set and the redirect is working.

Works with applying the patch form #7 and 🐛 LogicException when redirecting to Keycloak Needs review (#8)

Now, the next error appears: "Failed to start the session because headers have already been sent by "/app/vendor/symfony/http-foundation/Response.php" at line 1315."

I have added the changes from #15 to the patch from #7. It works with the latest 2.2.x branch.

Attach interdiff between #7 and #17.

After some investigation, it looks like that 🐛 LogicException when redirecting to Keycloak Needs review is not needed. The MR calls $request->send() from there, which is done by Drupal itself.