Configuration with Keycloak

Note

This example contains the callback URLs which are required for TYPO3 v11.

Adding the OAuth2 app in Keycloak

  • Log in to your Keycloak Administration Console

  • Go to your realm and create a new Client with protocol "openid-connect" and access type "confidential"

    • Enable the "Standard Flow"

    • Add the redirect URIs (backend):

      • https://<your-TYPO3-installation>/typo3/login

      • https://<your-TYPO3-installation>/typo3/oauth2/callback/handle

    • Add the redirect URIs (frontend):

      • https://<your-TYPO3-installation>/<callback-slug>

    • Save the client

    • Switch to the "Mappers" tab, click "Create" and configure a mapper for the ID field (required for TYPO3 to identify the user):

      • Enter "id" as Name

      • Choose "User Property" as Mapper Type

      • Enter "id" as Property

      • Enter "id" as Token Claim Name

      • Choose "String" as Claim JSON Type

      • Check all three checkboxes

      • Save

  • Copy the client ID and the client secret (tab "Credentials")

[Figure: Keycloak client configuration for use with TYPO3]
[Figure: Keycloak mapper configuration for use with TYPO3]

Adding the OAuth2 Keycloak app in TYPO3

Add the following configuration to your AdditionalConfiguration.php:

$GLOBALS['TYPO3_CONF_VARS']['EXTENSIONS']['oauth2_client'] = [
    'providers' => [
        'keycloak' => [
            'label' => 'Keycloak',
            'iconIdentifier' => 'oauth2-keycloak',
            'description' => 'Login with Keycloak',
            'scopes' => [
                \Waldhacker\Oauth2Client\Service\Oauth2ProviderManager::SCOPE_BACKEND,
            ],
            'options' => [
                'clientId' => '<your-client-id>',
                'clientSecret' => '<your-client-secret>',
                'urlAuthorize' => 'https://<keycloak-domain>/auth/realms/<your-realm>/protocol/openid-connect/auth',
                'urlAccessToken' => 'https://<keycloak-domain>/auth/realms/<your-realm>/protocol/openid-connect/token',
                'urlResourceOwnerDetails' => 'https://<keycloak-domain>/auth/realms/<your-realm>/protocol/openid-connect/userinfo',
                'responseResourceOwnerId' => 'sub',
            ],
        ],
    ],
];
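The provider entry above only works if the secrets are filled in, all three endpoints use HTTPS and belong to the same realm, and the claim named in responseResourceOwnerId actually appears in Keycloak's userinfo response (which is what the "id" mapper step is for). The following script is an added example, not part of the oauth2_client extension, that checks exactly those points against a constructed provider array and a constructed userinfo document; the SCOPE_BACKEND constant is a stand-in for Oauth2ProviderManager::SCOPE_BACKEND so the script runs without TYPO3, and the hostname sso.example.test, the realm name and the claim values are made up. The endpoints keep the /auth context path used on this page; Keycloak releases from 17 onward omit it by default, so take the real endpoints from your realm's .well-known/openid-configuration document.

```php
<?php
// Added example (not the extension's own code): sanity-check the Keycloak
// provider entry from AdditionalConfiguration.php before deploying it.
declare(strict_types=1);

// Stand-in for \Waldhacker\Oauth2Client\Service\Oauth2ProviderManager::SCOPE_BACKEND
// so this script runs outside TYPO3 (assumption: the real constant is a string).
const SCOPE_BACKEND = 'backend';

/** @return string[] list of findings; an empty list means the entry looks sane */
function checkKeycloakProvider(array $provider, array $userinfo): array
{
    $findings = [];
    $options = $provider['options'] ?? [];

    // 1. Placeholder values from the documentation must not reach production.
    foreach (['clientId', 'clientSecret'] as $key) {
        $value = (string)($options[$key] ?? '');
        if ($value === '' || preg_match('/^<.*>$/', $value)) {
            $findings[] = "options.$key is empty or still a placeholder";
        }
    }

    // 2. Every endpoint must use https and point at the same realm.
    $realms = [];
    foreach (['urlAuthorize', 'urlAccessToken', 'urlResourceOwnerDetails'] as $key) {
        $url = (string)($options[$key] ?? '');
        $parts = parse_url($url);
        if (($parts['scheme'] ?? '') !== 'https') {
            $findings[] = "options.$key must use https (the client secret and tokens travel over it)";
        }
        if (preg_match('#/realms/([^/]+)/protocol/openid-connect/#', $url, $m)) {
            $realms[$key] = $m[1];
        } else {
            $findings[] = "options.$key does not look like a Keycloak openid-connect endpoint";
        }
    }
    if (count(array_unique($realms)) > 1) {
        $findings[] = 'endpoint URLs point at different realms: ' . json_encode($realms);
    }

    // 3. The claim TYPO3 uses as the stable user identifier must be a non-empty string.
    $idClaim = (string)($options['responseResourceOwnerId'] ?? '');
    if ($idClaim === '') {
        $findings[] = 'options.responseResourceOwnerId is not set';
    } elseif (!isset($userinfo[$idClaim]) || !is_string($userinfo[$idClaim]) || $userinfo[$idClaim] === '') {
        $findings[] = "userinfo response has no non-empty string claim '$idClaim'";
    }

    // 4. The "id" mapper configured in Keycloak must actually show up in userinfo.
    if (!isset($userinfo['id'])) {
        $findings[] = 'userinfo response lacks the "id" claim: check the Keycloak mapper and its checkboxes';
    }

    // 5. The provider must be enabled for the backend scope to offer a backend login.
    if (!in_array(SCOPE_BACKEND, $provider['scopes'] ?? [], true)) {
        $findings[] = 'provider is not enabled for the backend scope';
    }

    return $findings;
}

// Constructed sample data: the provider entry from this page with values filled in,
// and a userinfo document shaped like Keycloak's response once the "id" mapper is active.
$provider = [
    'label' => 'Keycloak',
    'scopes' => [SCOPE_BACKEND],
    'options' => [
        'clientId' => 'typo3-backend',
        'clientSecret' => 'example-secret-replace-me',
        'urlAuthorize' => 'https://sso.example.test/auth/realms/typo3/protocol/openid-connect/auth',
        'urlAccessToken' => 'https://sso.example.test/auth/realms/typo3/protocol/openid-connect/token',
        'urlResourceOwnerDetails' => 'https://sso.example.test/auth/realms/typo3/protocol/openid-connect/userinfo',
        'responseResourceOwnerId' => 'sub',
    ],
];
$userinfo = [
    'sub' => '3f1c9c2e-0000-4000-8000-000000000001',
    'id' => '3f1c9c2e-0000-4000-8000-000000000001',
    'preferred_username' => 'alice',
    'email' => 'alice@example.test',
];

$findings = checkKeycloakProvider($provider, $userinfo);
echo $findings === []
    ? "OK: provider configuration looks consistent\n"
    : "Problems:\n - " . implode("\n - ", $findings) . "\n";
```

To use it against your real installation, replace the constructed $provider array with the entry from AdditionalConfiguration.php and $userinfo with the JSON you get from the userinfo endpoint for a test user; a missing "id" claim there is the usual sign that one of the mapper's checkboxes was left unchecked.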

Registering the icon (optional)

If you want to use a custom icon, register it in your site package's Configuration/Icons.php like this:

<?php
return [
    'oauth2-keycloak' => [
        'provider' => \TYPO3\CMS\Core\Imaging\IconProvider\FontawesomeIconProvider::class,
        'name' => 'key',
    ],
];

If you want to use the default icon instead, remove the iconIdentifier entry from the provider configuration.