SSO Login into Drupal using Keycloak as OAuth / OpenID Connect Provider

Overview

Drupal OAuth/OpenID Connect SSO integration enables SSO between the Drupal site and Keycloak. This setup guide helps in configuring Single Sign-On (SSO) between the Drupal site and Keycloak using the OAuth/OpenID Connect module. When you incorporate the OAuth/OpenID Connect module with the Drupal site, you can log into the Drupal site seamlessly with Keycloak credentials. This module is compatible with Drupal 7, Drupal 8, Drupal 9, Drupal 10, and Drupal 11.

Playground

Schedule a Meeting

Installation Steps

Using Composer
Using Drush
Manual Installation

Download the module:

composer require 'drupal/miniorange_oauth_client'

Navigate to Extend menu on your Drupal admin console and search for miniOrange OAuth Client Configuration using the search box.
Enable the module by checking the checkbox and click on the Install button.

You can configure the module at:

{BaseURL}/admin/config/people/miniorange_oauth_client/config_clc

Install the module:
```
drush en drupal/miniorange_oauth_client
```
Clear the cache:
```
 drush cr
```

You can configure the module at:

{BaseURL}/admin/config/people/miniorange_oauth_client/config_clc

Navigate to Extend menu on your Drupal admin console and click on Install new module.
Install the Drupal OAuth & OpenID Connect Login - OAuth2 Client SSO Login module either by downloading the zip or from the URL of the package (tar/zip).
Click on Enable newly added modules.
Enable this module by checking the checkbox and click on install button.

You can configure the module at:

{BaseURL}/admin/config/people/miniorange_oauth_client/config_clc

Configuration Steps

Configure Drupal as an OAuth Client

Go to Configuration → People → miniOrange OAuth Client Configuration in the Administration menu. (/admin/config/people/miniorange_oauth_client)

Drupal OAuth Client - select mimiorange OAuth Client Configuration

Under the Configure OAuth tab select desired OAuth Provider from the dropdown.

Note: If the desired OAuth Provider is not listed in the dropdown, please select Custom OAuth Provider / Custom OpenID Provider and continue.

Drupal OAuth Client - select OAuth Provider

Copy the Callback/Redirect URL and keep it handy. This will be required while configuring the OAuth Provider.

Note: If your provider only supports HTTPS Callback/Redirect URLs and you have an HTTP site, please make sure to enable the 'Enforce HTTPS Callback URL' checkbox at the bottom of the tab.

Enter the OAuth provider name in the Display Name text field.

Configure keycloak with version-21.1.1
Configure keycloak with version-18
Configure keycloak with lower version

Create OAuth/OpenID Single Sign-On Application in Keycloak:

Log into your Keycloak administrator console.
Select Create Realm from the master dropdown menu.

Drupal Keycloak OAuth/OIDC Single Sign On - SSO - Navigate to the master and click on Create Realm button

Enter the application name in the Realm name text field and click on the Create button to proceed.

Navigate to the Clients -> Clients list -> Create client.

Drupal Keycloak OAuth/OIDC Single Sign On - SSO - Click on create client button

In the General Settings, enter the Client ID and copy it and keep it handy to configure Drupal as OAuth client. Click on the Next button.

Drupal Keycloak OAuth/OIDC Single Sign On - SSO - enter Client ID name into the text field

In the Capability Config, enable the checkbox for Client authentication and click on the Next button.

Drupal Keycloak OAuth/OIDC Single Sign On - SSO - Enable the Client authentication checkbox

In the Login settings, paste the Callback/Redirect URL into the Valid redirect URIs text field and click on the Save button.

Drupal Keycloak OAuth/OIDC Single Sign On - SSO - Copy the Callback URL that you have copied from OAuth Client module and paste it into the field

Navigate to the Credentials tab, and copy the Client secret and keep it handy to configure Drupal as OAuth client.

Keycloak OAuth/OIDC Single Sign On - Copy the Client Secret

Go to the Keycloak Administrator console.
Navigate to Realm settings → General and copy the Realm ID by clicking on copy Icon.
Copy the Keycloak domain URL. For example, if your Keycloak is running on localhost, then the domain would be "https://localhost:8080”. (refer to the below image)

Keycloak OAuth/OIDC Single Sign On - CCopy Realm Name and Domain

Create OAuth/OpenID Single Sign-On Application in Keycloak:

First of all, Download Keycloak and install it.
Start Server: Start the keycloak server by running the _standalone.sh_ file Root Directory of keycloak/bin/standalone.sh
Create Realm: Now login to keycloak administration console and navigate to your desired realm. You can add a new realm by selecting Create Realm option.

Create Realm: Enter Realm Name and click on CREATE to add realm.

Enter the Client ID and click on the Save button.

Enable the Client authentication and click on the Save button.

Paste the copied (in step1) callback url into the Valid Redirect URLs text area and click on the Save button.

Create OAuth/OpenID Single Sign-On Application in Keycloak:

First of all, Download Keycloak and install it.
Start Server: Start the keycloak server by running the _standalone.sh_ file Root Directory of keycloak/bin/standalone.sh
Add Realm: Now login to keycloak administration console and navigate to your desired realm. You can add a new realm by selecting Create Realm option.

Create Realm: Enter Realm Name and click on CREATE to add realm.

Now, enter the Display name and click on the Save button.

Navigate to the Clients tab and click on Create button.

Enter the Client ID and click on the Save button.

Paste the previously copied Callback/Redirect URL into the Valid Redirect URLs text field and click on Save button.

Integrating Drupal with Keycloak:

Go to miniOrange OAuth Client module.
In Drupal’s Configure OAuth tab paste the copied Client ID and Client Secret from Keyclaok in the Client ID and Client Secret text fields.

Keycloak OAuth/OIDC Single Sign On - Paste client credentials

In Drupal’s Configure OAuth tab, replace "Keycloak_base_URL" with the copied Keycloak domain URL and realm-name with copied Realm name in the Authorize Endpoint, Access Token Endpoint, and Get User Info Endpoint text fields. Then, click on the Save Configuration button to proceed.

Enter the following information in the corresponding text fields of the Configure OAuth tab of them Drupal OAuth Client module.

Scope	openid email profile
Authorize Endpoint	(Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/auth
Access Token Endpoint	(Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/token
Get User Info Endpoint	(Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/userinfo

Keycloak OAuth/OIDC Single Sign On - Paste Realm Name and Domain Save Configuration

Integrating Drupal with Keycloak:

Copy the Client ID from the Keycloak application, client ID will be your client name.

Navigate to the Credentials tab and copy the Client Secret.

In Drupal’s Configure OAuth tab paste the copied Client ID and Client Secret (copied from the Keycloak Portal) in the Client ID and Client Secret text-field.

Copy the Keycloak Domain and Keycloak realm.
Replace the copied Keycloak Domain & Keycloak realm with the {your Domain} and {realm-name} in the Authorize Endpoint, Access Token Endpoint, and Get User Info Endpoint respectively.
Click on the Save Configuration button.

Keycloak Scope and Endpoints:

Enter the following information in the corresponding text fields of the Configure OAuth tab of them Drupal OAuth Client module.

Scope	openid email profile
Authorize Endpoint	(Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/auth
Access Token Endpoint	(Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/token
Get User Info Endpoint	(Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/userinfo

Integrating Drupal with Keycloak:

Copy the Client ID from the Keycloak application, client ID will be your client name.

Navigate to the Credentials tab and copy the Client Secret.

In Drupal’s Configure OAuth tab paste the copied Client ID and Client Secret (copied from the Keycloak Portal) in the Client ID and Client Secret text-field.

Copy the Keycloak Domain and Keycloak realm.
Replace the copied Keycloak Domain & Keycloak realm with the {your Domain} and {realm-name} in the Authorize Endpoint, Access Token Endpoint, and Get User Info Endpoint respectively.
Click on the Save Configuration button.

Keycloak Scope and Endpoints:

Enter the following information in the corresponding text fields of the Configure OAuth tab of them Drupal OAuth Client module.

Scope	openid email profile
Authorize Endpoint	(Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/auth
Access Token Endpoint	(Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/token
Get User Info Endpoint	(Keycloak base URL)/realms/{realm-name}/protocol/openid-connect/userinfo

Test Connection between Drupal and OAuth Provider

After successfully saving the configurations, please click on the Perform Test Configuration button to test the connection between Drupal and OAuth Provider.

OAuth-OIDC-Client-Configuration-Check-Connection-with-OAuth-Provider

On a Test Configuration popup, if you don't have any active sessions on the same browser, you will be requested to login to the OAuth Provider. After successfully logging, you will be provided a list of attributes received from the OAuth Provider.
Select the Email Attribute from the dropdown menu in which the user's email ID is obtained and click on the Done button.

Note: Mapping the Email Attribute is mandatory to perform SSO i.e. login to the Drupal site with OAuth Provider credentials.

Drupal OAuth Client - select Email Attribute

On the Attribute & Role Mapping tab, please select the Username Attribute from the dropdown list and click on the Save Configuration button.

Drupal OAuth Client - select user attribute and click save configuration

Now log out and go to your Drupal site’s login page. You will automatically find a Login with OAuth Provider link there. If you want to add the SSO link to other pages as well, please follow the steps given in the image below:

Drupal OAuth Client - add link on other pages

Need Assistance?

If you face any issues during the configuration or if you want some additional features, please contact us at drupalsupport@xecurify.com.

Additional Features:

Troubleshooting:

More FAQs ➔

Getting error: 'Username not received. Check your Attribute Mapping configuration.' OR Getting Error: 'Email not received. Check your Attribute Mapping configuration.'

Follow the steps mentioned HERE

I am getting "Client Credentials were not found in the headers or body"
when I try to perform test configuration

Follow the steps mentioned HERE

After I click on the logout in Drupal, it sends me back to the Drupal homepage. However, when I try to login with other user, it doesn't ask me to login but automatically logs me in with same user

The logout functionality you've mentioned here is the default behavior of a module. It's logging you out of Drupal but not from your Application/Provider. To allow the module to logout from your provider/application account (what you are looking for), you need to make the below configurations: [know more]

I purchased the paid Drupal module and replaced it with the free module, but still I am not able to use paid features.

As you have upgraded to one of our paid versions of the Drupal module and replaced the free module with the paid one, you must first activate the paid module. Please refer to the below steps. [Know more]

Single Sign On

SAML Service Provider

OAuth/OpenId Connect Client (SSO)

Social Login Social Sharing

Headless Single Sign-On

SAML Identity Provider

OAuth/OpenId Connect Server

Login using YourMembership

Auto Login and Register using JWT

Help & Support

Multi-Factor Authentication (MFA)

Two Factor Authentication

WooCommerce Password Reset Over OTP

OTP Over Phone Call

Bulk SMS/WhatsApp Notification

OTP Verification

Limit OTP Request

Receive OTP and Notifications on WhatsApp

Help & Support

LDAP/Active Directory Integrations

LDAP/Active Directory Integration for WordPress

WP Staff/Employee Search Directory for Active Directory

LDAP/AD Integration for Cloud & Shared Hosted WordPress

Forms Integration with Active Directory for WordPress

Help & Support

Office365 Integration

SharePoint WordPress

PowerBI WordPress Integration

Outlook and MS Teams Integration

Azure AD / Office 365 app Integrations

Dynamics CRM 365 WordPress Integration

Help & Support

WooCommerce Integration

WooCommerce Product Sync

WooCommerce Integrator

Dynamics CRM 365 WordPress Integration

Object Data Sync for Salesforce

Help & Support

Decentralised ID

Digital ID Login

Web3 WordPress Authentication

WordPress Web3 Suite

WordPress NFT Marketplace

WordPress Smart Contracts

Help & Support

Add-Ons

Page and Post Restriction

LearnDash Integrator

WooCommerce Integrator

SSO Login Audit

Paid Membership Pro integrator

Media Restriction

BuddyPress Integrator

WordPress Discord Integrator

Guest User Login

SCIM User Provisioning

MemberPress Integrator

SSO Session Management

Attribute based redirection

Other Plugins

REST API Authentication

Custom API for WordPress

Firebase Authentication

WordPress Online Proctoring for LMS

No Code Automation

Object Data Sync for Salesforce

WP User Sync Integration for Third Party Apps

WP User and Login Management

Management tool for Web Agency

Help & Support

Single Sign On

SAML SSO

Crowd SSO

Kerberos / NTLM SSO

Helpdesk SSO Integration

OAuth/OpenID SSO

Git Authentication

Advance SSO Option

Help & Support

User Management