Keycloak for Oauth2

I am running CodiMD v2.4.1 (only just discovered HedgeDoc today, so I’ll need to upgrade my deployments to HedgeDoc eventually), but that is probably not relevant to my question.

I am using Keycloak as the identity provider for which I have a client app registered using the following configuration (Kubernetes deployment):


- name: CMD_OAUTH2_PROVIDERNAME
  value: "Keycloak"
- name: CMD_OAUTH2_BASEURL
  value: "https://keycloak.example.com/auth/realms/my-realm/protocol/openid-connect"
- name: CMD_OAUTH2_USER_PROFILE_URL
  value: "https://keycloak.example.com/auth/realms/my-realm/protocol/openid-connect/userinfo"
- name: CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR
  value: "sub"
- name: CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR
  value: "name"
- name: CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR
  value: "email"
- name: CMD_OAUTH2_TOKEN_URL
  value: "https://keycloak.example.com/auth/realms/my-realm/protocol/openid-connect/token"
- name: CMD_OAUTH2_AUTHORIZATION_URL
  value: "https://keycloak.example.com/auth/realms/my-realm/protocol/openid-connect/auth"
- name: CMD_OAUTH2_CLIENT_ID
  valueFrom:
    secretKeyRef:
      name: codimd-keycloak
      key: clientId
- name: CMD_OAUTH2_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
      name: codimd-keycloak
      key: clientSecret

The authentication works well, in the sense that I see a “Log in with Keycloak” button and it creates a new user upon completing the authentication flow.

However, what I want is to only allow people with a certain Keycloak role to be able to log in. I found this Stack Overflow answer that claims to accomplish this, but it is failing for me.

My question to this community is this: is there any kind of authorization configuration in HedgeDoc itself that can be used to deny access to authenticated users based on some information (such as OAuth2 scopes email, profile, etc) provided by the OAuth2 identity provider (Keycloak in this example)?

I found a solution that is not perfect, but it at least works to deny access to anyone that is not in the permitted Keycloak role. I replaced the value of CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR from sub to email. In the Keycloak settings, as that Stack Overflow answer explains, you can withhold certain client scopes (such as email and profile) from the response that Keycloak sends to HedgeDoc with the Oauth2 response; however, I do not see how to prevent the sub scope from being sent. Thus, changing the sub to email causes a 500 server error when someone not in the approved role tries to log in. This is not ideal, because I want them to be kicked back to the home page with a “permission denied” message or something, but it will do for now.

There is the accessRoles/CMD_OAUTH2_ACCESS_ROLE feature for oauth2. https://docs.hedgedoc.org/configuration/#oauth2-login

But please note: This forum is not providing any support for the CodiMD version you mention; it’s from independent developers, with their own ideas. So we neither know what features they support, nor what these config options do for them. So unless you run HedgeDoc, we cannot support you here, sorry.
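For readers comparing the two approaches in this thread (the email-attribute workaround that ends in a 500, versus a real role gate like the accessRoles / CMD_OAUTH2_ACCESS_ROLE option linked above), here is an added, stand-alone Python example of what a fail-closed role check over the OAuth2 userinfo response looks like. It is not HedgeDoc's or CodiMD's code: the dotted claim path, the default role name and the sample userinfo payloads are all constructed assumptions for this illustration, and the actual claim layout Keycloak returns depends on the client's protocol mappers.

```python
"""Role-based login gate over an OAuth2/OIDC userinfo response.

Illustrates the idea behind a HedgeDoc-style access role setting: read a
roles claim from the userinfo JSON and refuse the login when the required
role is absent. Everything here (claim paths, role names, payloads) is
constructed for this example; it is not the project's own implementation.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class LoginDecision:
    allowed: bool
    username: str | None
    reason: str


def extract_claim(profile: dict[str, Any], path: str) -> Any:
    """Resolve a dotted claim path such as 'realm_access.roles'.

    Returns None when any segment is missing, so a missing mapper degrades
    to "no roles" (a clean deny) rather than an exception and a 500 page."""
    node: Any = profile
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def authorize_login(
    userinfo_json: str,
    *,
    username_attr: str = "sub",              # assumed: mirrors USER_PROFILE_USERNAME_ATTR
    roles_claim: str = "realm_access.roles",  # assumed claim path for this example
    access_role: str = "hedgedoc-user",       # assumed required role for this example
) -> LoginDecision:
    """Decide whether an already-authenticated user may log in.

    Keycloak authenticated the user; authorization is a separate step and
    defaults to deny unless the roles claim contains access_role."""
    try:
        profile = json.loads(userinfo_json)
    except json.JSONDecodeError:
        return LoginDecision(False, None, "userinfo response is not valid JSON")
    if not isinstance(profile, dict):
        return LoginDecision(False, None, "userinfo response is not a JSON object")

    username = extract_claim(profile, username_attr)
    if not isinstance(username, str) or not username:
        return LoginDecision(False, None, f"missing username attribute {username_attr!r}")

    roles = extract_claim(profile, roles_claim)
    # Accept either a JSON array or a space-separated string of roles.
    if isinstance(roles, str):
        roles = roles.split()
    if not isinstance(roles, list):
        return LoginDecision(False, username, f"roles claim {roles_claim!r} missing or malformed")

    if access_role not in roles:
        return LoginDecision(False, username, f"user lacks required role {access_role!r}")
    return LoginDecision(True, username, "ok")


# Constructed sample userinfo responses (not captured from a real Keycloak).
MEMBER = json.dumps({
    "sub": "sub-member-0001",
    "name": "Ada Example",
    "email": "ada@example.com",
    "realm_access": {"roles": ["offline_access", "hedgedoc-user"]},
})
OUTSIDER = json.dumps({
    "sub": "sub-outsider-0002",
    "name": "Bob Example",
    "email": "bob@example.com",
    "realm_access": {"roles": ["offline_access"]},
})
NO_MAPPER = json.dumps({"sub": "sub-nomapper-0003", "email": "eve@example.com"})

if __name__ == "__main__":
    for label, payload in [("member", MEMBER), ("outsider", OUTSIDER), ("no mapper", NO_MAPPER)]:
        d = authorize_login(payload)
        print(f"{label:9s} allowed={d.allowed} user={d.username} reason={d.reason}")
```

The point of the `LoginDecision` return value is that every failure path (bad JSON, missing username, missing or malformed roles claim, wrong role) produces a deny with a reason the application can log and turn into a "permission denied" redirect, instead of an unhandled error. That is the behavioural difference between the email-attribute trick and a proper access-role check.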
