Keycloak Single-Sign-On settings?

I cannot get SSO working with Keycloak. I am using Keycloak, which is in a separate system.

The only pac4j log messages on startup (with com.axelor log level set to DEBUG) are:
2023-04-09 08:32:42.715 INFO 63 --- [ost-startStop-1] com.axelor.auth.pac4j.AuthPac4jModule : Loading pac4j: AuthPac4jModuleLocal
2023-04-09 08:32:42.841 INFO 63 --- [ost-startStop-1] com.axelor.auth.pac4j.AuthPac4jModule : Added local client: FormClient

Thus it doesn’t look as though the Keycloak code is being loaded?

The auth settings I am using are:

auth.callback-url =
auth.provider.keycloak.absolute-url-required = true # have tried both true and false here.
auth.provider.keycloak.exclusive = true
auth.provider.keycloak.base-uri =
auth.provider.keycloak.realm = sso-dev
auth.provider.keycloak.client-id = axelor
auth.provider.keycloak.secret = XXXXXXX
auth.user.provisioning = create
auth.user.default-group = users
auth.logout.local = true
auth.logout.central = false

I looked through the pac4j source code to confirm what the base-uri should be set to, i.e. pac4j will add /realms/<realm>/.well-known/openid-configuration to the URL and use that. This complete URL works when querying the Keycloak server (i.e. it returns all the required JSON info).

Is there another Axelor configuration setting that I need for the SSO provider to be loaded?
Looking at the access logs on Keycloak’s nginx, Axelor doesn’t even try to talk to it.

I also tried just a plain OpenID Connect and that didn’t do anything either:

auth.provider.oidc.title = My OpenID Connect
auth.provider.oidc.icon = img/signin/openid.svg
auth.provider.oidc.client-id = axelor
auth.provider.oidc.secret = XXXXXXXX
auth.provider.oidc.discovery-uri =


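An offline sanity check for the settings listed in the post, added here as an example (it is not from the post, Axelor or pac4j): it builds the discovery URL the way the post describes pac4j doing it and checks a fetched discovery document against that URL. It assumes the config file follows java.util.Properties comment rules; the function names and all values are constructed.

```python
# Added example: keys are the ones from the post, every value is constructed.
SAMPLE_PROPS = """\
# a '#' starts a comment only at the beginning of a line
auth.provider.keycloak.absolute-url-required = true # tried both
auth.provider.keycloak.base-uri = https://sso.example.test
auth.provider.keycloak.realm = sso-dev
auth.provider.keycloak.client-id = axelor
auth.provider.keycloak.secret =
"""
PREFIX = "auth.provider.keycloak."
SUFFIX = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def parse_properties(text):
    """Minimal key = value reader (assumption: java.util.Properties comment
    rules, so text after a value is kept as part of that value)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_keycloak(props):
    """Return (findings, discovery_url) for the auth.provider.keycloak.* keys."""
    findings = [f"{k}: empty or missing"
                for k in ("base-uri", "realm", "client-id", "secret")
                if not props.get(PREFIX + k)]
    for key, value in props.items():
        if key.startswith(PREFIX) and " #" in value:
            findings.append(f"{key[len(PREFIX):]}: trailing '#' text is part of the value")
    base = props.get(PREFIX + "base-uri", "")
    realm = props.get(PREFIX + "realm", "")
    url = f"{base}/realms/{realm}{SUFFIX}" if base and realm else None
    return findings, url


def validate_discovery(doc, discovery_url):
    """Check a discovery document (already fetched and JSON-decoded) against
    the URL it came from: OIDC Discovery requires issuer == URL minus SUFFIX."""
    problems = [f"missing {name}" for name in REQUIRED if not doc.get(name)]
    expected = discovery_url[:-len(SUFFIX)] if discovery_url.endswith(SUFFIX) else discovery_url
    if doc.get("issuer") != expected:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected!r}")
    return problems
```

Pass `validate_discovery` the JSON returned by the complete URL; an issuer mismatch there makes an OIDC client reject the provider even though the document itself loads.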