Error 403 when trying to authenticate with Keycloak client using OpenID connect plugin


by Eurecat Academy -
Number of replies: 1

Hello,

We have set up a client in Keycloak.

We attempted to connect Keycloak with Moodle 4.2.2+ (Build: 20230822) using the OpenID Connect plugin (https://moodle.org/plugins/auth_oidc) to enable users to log in via Single Sign-On (SSO).

We have taken the following steps:

  1. We created the client in Keycloak.
  2. We set the redirect URI (provided by the plugin) in Keycloak.
  3. In the plugin settings in Moodle, we configured the authorization endpoint, token endpoint, resource, identity provider (IdP) type: other, and client secret.
  4. We tested logging in. We were able to log in using OpenID, which directed us to Keycloak. However, when it attempted to redirect to Moodle, we encountered the following error:

403 Forbidden

You don't have permission to access this resource.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Any help will be appreciated.

In reply to Eurecat Academy

Re: Error 403 when trying to authenticate with Keycloak client using OpenID connect plugin

by Emma Richardson -
Ok, where are you seeing IDP type in Moodle settings?
This is what you should be doing:
In Keycloak, new openid client. Just do the following settings:
Client ID - what you enter in Keycloak also gets entered in Moodle for ClientID
Name - just what you want to see it listed as in Keycloak
Enabled = On
Login Theme - only change from default if you have a custom theme
Client Protocol - openid-connect
Access Type - confidential (this is what creates the secret etc)
Standard Flow Enabled - on
Direct Access Grants Enabled - on
(I have everything else turned off)
Valid redirect URIs - yoursite.com/admin/oauth2callback.php
I have post logout redirecting to my website but you don't have to have this
Base URL - yoursite.com
That should be all you need to change in Keycloak - save
In Moodle, new Oauth2 with following settings:
Name - only for listing in Moodle
Client ID - must match what is in Keycloak
Client Secret - copied from Credentials tab in Keycloak
Service Base URL - https://yourkeycloaksite.com/realms/your realm name here
This service will be used - Login Page and Internal Services
Scopes Included - openid profile email (I added those to both online and offline access fields)
Save
Ideally Moodle will reach out to keycloak and create all the endpoints so you do not need to do anything there - at that point it should just work...
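The settings listed in this reply, and the redirect-URI step in the original question, have to agree on both sides before the login round trip can succeed. The following is an added example (not Moodle's or Keycloak's own code) that checks a Keycloak client definition against the Moodle OAuth2 service settings before you test the login: it uses the key names Keycloak writes in a realm export (`clientId`, `publicClient`, `standardFlowEnabled`, `redirectUris`, ...), and every value in it (`yoursite.com`, `yourkeycloaksite.com`, the realm name, the secret) is a constructed placeholder. The wildcard handling in `redirect_uri_allowed` assumes Keycloak's trailing-`*` prefix match; everything else is an exact comparison.

```python
"""Check a Keycloak client against Moodle OAuth2 service settings.

Added example for this thread; it is not part of Moodle or Keycloak.
"""
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of one client entry from a Keycloak realm
# export. The key names are Keycloak's; the values are placeholders.
KEYCLOAK_CLIENT_JSON = """
{
  "clientId": "moodle",
  "name": "Moodle LMS",
  "enabled": true,
  "protocol": "openid-connect",
  "publicClient": false,
  "standardFlowEnabled": true,
  "directAccessGrantsEnabled": true,
  "redirectUris": ["https://yoursite.com/admin/oauth2callback.php"],
  "baseUrl": "https://yoursite.com",
  "secret": "example-secret-not-real"
}
"""

# Constructed sample of the Moodle-side settings from the reply above.
MOODLE_SETTINGS = {
    "site_url": "https://yoursite.com",
    "client_id": "moodle",
    "client_secret": "example-secret-not-real",
    "service_base_url": "https://yourkeycloaksite.com/realms/yourrealm",
}


def load_client(text: str) -> dict:
    """Parse a Keycloak client definition (realm-export JSON) into a dict."""
    return json.loads(text)


def expected_redirect_uri(site_url: str) -> str:
    """Moodle's core OAuth2 callback; Keycloak must list it as a valid redirect URI."""
    return site_url.rstrip("/") + "/admin/oauth2callback.php"


def discovery_url(service_base_url: str) -> str:
    """Where Moodle fetches the OIDC metadata to fill in the endpoints itself."""
    return service_base_url.rstrip("/") + "/.well-known/openid-configuration"


def redirect_uri_allowed(uri: str, registered: list[str]) -> bool:
    """Exact match, except a trailing '*' entry which is treated as a prefix (Keycloak wildcard)."""
    for entry in registered:
        if entry.endswith("*"):
            if uri.startswith(entry[:-1]):
                return True
        elif uri == entry:
            return True
    return False


def check_pairing(client: dict, moodle: dict) -> list[str]:
    """Return the mismatches between the Keycloak client and the Moodle settings (empty = consistent)."""
    problems = []
    if client.get("clientId") != moodle["client_id"]:
        problems.append("Moodle client ID differs from Keycloak clientId")
    if client.get("protocol") != "openid-connect":
        problems.append("Keycloak client protocol is not openid-connect")
    if not client.get("enabled", False):
        problems.append("Keycloak client is disabled")
    if client.get("publicClient", True):
        problems.append("client is public; Moodle needs a confidential client with a secret")
    if not client.get("standardFlowEnabled", False):
        problems.append("standard (authorization code) flow is disabled")
    redirect = expected_redirect_uri(moodle["site_url"])
    if urlsplit(redirect).scheme != "https":
        problems.append("redirect URI is not https; the authorization code would travel in clear text")
    if not redirect_uri_allowed(redirect, client.get("redirectUris", [])):
        problems.append(f"{redirect} is not among Keycloak's valid redirect URIs")
    secret = client.get("secret", "")
    # Realm exports usually mask the secret with asterisks; only compare a real value.
    if secret and "*" not in secret and secret != moodle["client_secret"]:
        problems.append("client secret differs from the one on Keycloak's Credentials tab")
    base = urlsplit(moodle["service_base_url"])
    if base.scheme != "https" or "/realms/" not in base.path:
        problems.append("service base URL should look like https://<keycloak>/realms/<realm>")
    return problems


if __name__ == "__main__":
    client = load_client(KEYCLOAK_CLIENT_JSON)
    for line in check_pairing(client, MOODLE_SETTINGS) or ["no mismatches found"]:
        print(line)
    print("discovery document:", discovery_url(MOODLE_SETTINGS["service_base_url"]))
```

Run it with the real export of your client and your Moodle values in place of the placeholders; a trailing slash or `http://` in the redirect URI shows up here as a mismatch rather than as a failed redirect. The discovery URL it prints is the document Moodle reads when it "reaches out to keycloak" to create the endpoints, so fetching that URL from the Moodle server is a quick way to confirm the service base URL is right.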