Add keycloak SSO #5711

Open. Wants to merge 15 commits into base: refactor/argilla-server/better-oauth2-integration

paulbauriegel
Contributor

Add keycloak SSO

Based on discussion in #5691

Points that need some feedback:

  • A lot of configurations are set via env variables now. Not sure if that's ideal; error messages if something is not set correctly can be rather cryptic with the social auth lib
  • I added the Keycloak logo to the OAuth button if the provider is Keycloak; generally the same could also be done for the HF logo, not having a separate button
  • Is the documentation to set up a Keycloak server sufficient?

Type of change

  • Improvement (change adding some improvement to an existing functionality)
  • Documentation update

How Has This Been Tested
Local build & Keycloak installation as described in the documentation.

Checklist

  • I added relevant documentation
  • I followed the style guidelines of this project
  • I did a self-review of my code
  • I made corresponding changes to the documentation
  • I confirm my changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • TODO I have added relevant notes to the CHANGELOG.md file (See https://keepachangelog.com/)

@davidberenstein1957
Member

Related #5691

@paulbauriegel
Contributor Author

I tested it a bit with a local set-up but it does not seem to work. I need some time to debug it, to understand why it is not working.

@frascuchon frascuchon force-pushed the feature/better-oauth2-integration-keycloak branch from cc5ca0c to bf2a0f6 Compare December 5, 2024 11:34
@frascuchon
Member

> I tested it a bit with a local set-up but it does not seem to work. I need some time to debug it, to understand why it is not working.

I've pushed some missing tests to see the expected values https://github.com/argilla-io/argilla/blob/bf2a0f64a991731602cd521188dd95bb3896d7ea/argilla-server/tests/unit/api/handlers/v1/test_oauth2.py

@bulatovv

Just wanted to check if you need any help with this? Really looking forward to this feature

@paulbauriegel
Contributor Author

paulbauriegel commented Jan 16, 2025

@bulatovv @frascuchon I just started looking at it again after being on vacation for a while. What I see is the following behaviour:

  • Existing users, even if their role is changed, have no changed role in the Argilla UI

  • New users that are already added with new roles have a different problem and cannot log in the first time, getting an HTTP_422_UNPROCESSABLE_ENTITY the first time, and with the second login are just an annotator with basic rights

I'm looking at those things right now. Generally speaking, the simple authentication with Keycloak works; what does not work are the roles & workspace assignments

@paulbauriegel
Contributor Author

@frascuchon I updated the code for the cases that were failing for me:

  1. Multiple conflicting roles set in Keycloak
  2. Creating users with roles for which the workspaces do not exist
  3. Changing the Argilla role or workspace after the creation of the user

Could you check specifically in the oauth2.py if the changes against the DB are correctly implemented?

@frascuchon
Member

Thanks, @paulbauriegel, and sorry for the late response. I need to review your changes in depth since some of them could compromise other OAuth flows. Maybe the safer way would be a specific step syncing SSO roles and workspaces with the Argilla DB.
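
The three failing cases listed above and the separate sync step suggested in the last comment, sketched as an added example that is not part of this thread or of the PR's code. The claim keys `roles` and `workspaces`, the names `resolve_role` and `plan_sync`, and the policy (least-privileged role wins on conflict, unknown workspaces are reported and never created, unclaimed workspaces are removed) are all assumptions.

```python
from dataclasses import dataclass, field

# Argilla role names ranked from least to most privileged (ranking is an assumption).
ROLE_RANK = {"annotator": 0, "admin": 1, "owner": 2}
DEFAULT_ROLE = "annotator"


@dataclass
class SyncPlan:
    role: str
    role_changed: bool = False
    add_workspaces: set = field(default_factory=set)
    remove_workspaces: set = field(default_factory=set)
    unknown_workspaces: set = field(default_factory=set)


def resolve_role(claimed_roles):
    """Case 1: several conflicting roles in the token. Fail closed by keeping
    the least-privileged recognised role; unrecognised names are ignored."""
    known = [r for r in claimed_roles if r in ROLE_RANK]
    return min(known, key=ROLE_RANK.__getitem__) if known else DEFAULT_ROLE


def plan_sync(claims, current_role, current_workspaces, existing_workspaces):
    """Compute, without applying, the DB changes for one login.
    current_role is None for a user that does not exist yet."""
    role = resolve_role(claims.get("roles", []))
    wanted = set(claims.get("workspaces", []))
    # Case 2: workspaces named in the token but absent from the DB are
    # reported, not created implicitly from IdP-supplied data.
    unknown = wanted - set(existing_workspaces)
    wanted -= unknown
    current = set(current_workspaces)
    # Case 3: role or workspace changed in the IdP after user creation.
    return SyncPlan(
        role=role,
        role_changed=role != current_role,
        add_workspaces=wanted - current,
        remove_workspaces=current - wanted,
        unknown_workspaces=unknown,
    )


if __name__ == "__main__":
    # Constructed sample: an existing annotator whose IdP record now says admin.
    sample = {"roles": ["admin"], "workspaces": ["ws-a", "ws-missing"]}
    print(plan_sync(sample, "annotator", ["ws-b"], ["ws-a", "ws-b"]))
```

Because the plan is computed separately from the login handler, it can be logged and reviewed before any write, and other OAuth providers that send no role claims are left on the default role.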
