The future of Open edX Authentication

We are currently moving 40,000 students to Keycloak and it's a flawless experience. We also help some smaller schools to use this infrastructure, and it takes only a few clicks to add another realm/school that they can maintain themselves. I can only recommend it. We played around with other platforms, but all the commercial solutions with a free option (most others) try to upsell you eventually. There is always that one missing feature that you end up needing (like multi-factor).

@robrap @nikoma
We would like to have some form of 2FA (email passcode, text messages (SMS), or by a token generator app) and @Agrendalath mentioned reviewing this article to see what existing solutions for this exist rather than modify/maintain the existing edX authentication flow. I’m on board with using an existing system for sure.

Also, we utilize Shibboleth 2.0 access with our school for Third-party authentication, so it looks like Keycloak might serve us well.

@nikoma, do you have directions on how you used Keycloak with Open edX platform?

@robrap Has the Open edX platform made any headway on using third-party solutions like Keycloak, Kratos, or Zitadel for authentication? Using these external auth providers would handle first- and third-party authentication for edx-platform, right?

  1. I’m not aware of anyone making progress on 2FA. I can confirm that 2U has not made progress on this front.
  2. I can confirm that 2U has also not made progress on switching to a different open source solution. At the time there were missing features we relied on, like secondary email. And then we had changes in priority that put this on hold. This may return as a priority for 2U in the future.

Robert

Thanks @robrap for the update.

If @nikoma or @robrap can comment on setting up Keycloak, let me know. Also, if we migrated the platform to use Keycloak for authentication, the user accounts should stay untouched, right? It would be desirable for the user to continue using the same auth_user.id and not receive a new one. We'll have to test this out as well to ensure this is the case.

If we decide to use Keycloak for edx-platform third-party authentication, would we want to perform the following steps?

  1. Create an OpenID Connect client for the realm with Access Type Confidential and valid redirect URIs.

  2. Enable Third-Party Auth using ENABLE_THIRD_PARTY_AUTH and ENABLE_COMBINED_LOGIN_REGISTRATION on Open edX platform for the LMS application.

  3. Enable required Third-Party Auth using ENABLE_REQUIRE_THIRD_PARTY_AUTH for the LMS application, forcing all authentication/registration through third-party auth; first-party auth is disabled.

  4. Enable the python-social-auth backend for Keycloak on this LMS application. It already exists; the Keycloak backend is here: social-core/social_core/backends/keycloak.py at 4.5.4 · python-social-auth/social-core · GitHub.
    ```
    THIRD_PARTY_AUTH_BACKENDS:
      - "social_core.backends.keycloak.KeycloakOAuth2"
    ```
  5. Supply OAuth2 client secrets via a secure mapping for the LMS application.
    ```
    SOCIAL_AUTH_OAUTH_SECRETS:
      keycloak: "YOUR-KEYCLOAK-CLIENT-SECRET"
    ```

  6. Point the backend at your Keycloak realm for the LMS application.

    ```
    SOCIAL_AUTH_KEYCLOAK_KEY: "your-client-id"
    SOCIAL_AUTH_KEYCLOAK_SECRET: "unused-here-because-in-OAUTH_SECRETS"  # leave it, but it is ignored in favor of SOCIAL_AUTH_OAUTH_SECRETS
    SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY: "-----BEGIN PUBLIC KEY-----\nMIIBIjA…\n-----END PUBLIC KEY-----"
    SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL: "https://idp.example.org/realms/yourrealm/protocol/openid-connect/auth"
    SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL: "https://idp.example.org/realms/yourrealm/protocol/openid-connect/token"
    SOCIAL_AUTH_KEYCLOAK_USER_INFO_URL: "https://idp.example.org/realms/yourrealm/protocol/openid-connect/userinfo"

    # Optional, but handy if you want to match on email instead of username:
    SOCIAL_AUTH_KEYCLOAK_ID_KEY: "email"
    ```

  7. Register a Third-Party Auth → Provider Configuration (OAuth) with backend 'keycloak'.

Refer to this ChatGPT thread below for details for all the steps mentioned above.
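The steps above are easy to get subtly wrong: the three ENABLE_* flags depend on each other, the client secret is easy to paste into two places, quotes copied from a forum post become part of the value, and the three endpoint URLs must all come from the same realm. The script below is an added example (not code from the Open edX project, python-social-auth, or anyone in this thread) that loads the settings as a plain Python dict and reports those inconsistencies before a deployment. It assumes the ENABLE_* flags sit under a FEATURES dict and that the settings are available as a dict; the sample good and bad settings, the secret value and the truncated public key are constructed for the example.

```python
"""Pre-deployment consistency check for the Keycloak third-party-auth settings
listed in the thread. Added example; assumes settings are loaded into a dict
and that feature flags live under a FEATURES sub-dict."""
import re
from urllib.parse import urlparse

KEYCLOAK_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2"

# Endpoint setting -> path suffix Keycloak serves it under (from the URLs in the post).
OIDC_ENDPOINTS = {
    "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL": "auth",
    "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL": "token",
    "SOCIAL_AUTH_KEYCLOAK_USER_INFO_URL": "userinfo",
}
PEM_PUBLIC_KEY = re.compile(
    r"^-----BEGIN PUBLIC KEY-----\n[A-Za-z0-9+/=\n]+\n-----END PUBLIC KEY-----\s*$"
)
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"


def check_keycloak_settings(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means the settings look consistent."""
    findings = []
    features = settings.get("FEATURES", {})

    # Requiring third-party auth while it is not fully enabled locks every user out.
    if features.get("ENABLE_REQUIRE_THIRD_PARTY_AUTH") and not (
        features.get("ENABLE_THIRD_PARTY_AUTH")
        and features.get("ENABLE_COMBINED_LOGIN_REGISTRATION")
    ):
        findings.append("ENABLE_REQUIRE_THIRD_PARTY_AUTH is set but ENABLE_THIRD_PARTY_AUTH "
                        "and ENABLE_COMBINED_LOGIN_REGISTRATION are not both enabled")

    if KEYCLOAK_BACKEND not in settings.get("THIRD_PARTY_AUTH_BACKENDS", []):
        findings.append(f"THIRD_PARTY_AUTH_BACKENDS does not list {KEYCLOAK_BACKEND}")

    # The client secret belongs only in the secure mapping, and must not be the placeholder.
    secret = settings.get("SOCIAL_AUTH_OAUTH_SECRETS", {}).get("keycloak", "")
    if not secret or secret.startswith("YOUR-"):
        findings.append("SOCIAL_AUTH_OAUTH_SECRETS['keycloak'] is missing or still the placeholder")
    if secret and settings.get("SOCIAL_AUTH_KEYCLOAK_SECRET") == secret:
        findings.append("client secret is duplicated in SOCIAL_AUTH_KEYCLOAK_SECRET; "
                        "keep it only in SOCIAL_AUTH_OAUTH_SECRETS")

    if not settings.get("SOCIAL_AUTH_KEYCLOAK_KEY"):
        findings.append("SOCIAL_AUTH_KEYCLOAK_KEY (client id) is empty")

    if not PEM_PUBLIC_KEY.match(settings.get("SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY", "")):
        findings.append("SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY is not a PEM public-key block")

    # All three endpoints must be https and must belong to one host and realm.
    realm_bases = set()
    for key, suffix in OIDC_ENDPOINTS.items():
        parsed = urlparse(settings.get(key, ""))
        if parsed.scheme != "https":
            findings.append(f"{key} must use https")
        expected = f"/protocol/openid-connect/{suffix}"
        if not parsed.path.endswith(expected):
            findings.append(f"{key} should end with {expected}")
        realm_bases.add((parsed.netloc, parsed.path.rsplit("/", 1)[0]))
    if len(realm_bases) > 1:
        findings.append("Keycloak endpoint URLs point at different hosts or realms")

    # Typographic quotes pasted from a forum post end up inside the value itself.
    for key, value in settings.items():
        if isinstance(value, str) and any(ch in value for ch in CURLY_QUOTES):
            findings.append(f"{key} contains typographic quotes; use plain ASCII quotes")

    # Matching on email links an IdP identity to an existing account by address,
    # which is only sound if Keycloak guarantees the email claim is verified.
    if settings.get("SOCIAL_AUTH_KEYCLOAK_ID_KEY") == "email":
        findings.append("warning: SOCIAL_AUTH_KEYCLOAK_ID_KEY='email' links accounts by address; "
                        "make sure Keycloak requires verified emails")
    return findings


# Constructed sample settings: the realm URLs are the placeholders from the post,
# the secret and the (truncated) public key body are made up for this example.
REALM = "https://idp.example.org/realms/yourrealm/protocol/openid-connect"
SAMPLE_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n-----END PUBLIC KEY-----"

GOOD_SETTINGS = {
    "FEATURES": {"ENABLE_THIRD_PARTY_AUTH": True, "ENABLE_COMBINED_LOGIN_REGISTRATION": True,
                 "ENABLE_REQUIRE_THIRD_PARTY_AUTH": True},
    "THIRD_PARTY_AUTH_BACKENDS": [KEYCLOAK_BACKEND],
    "SOCIAL_AUTH_OAUTH_SECRETS": {"keycloak": "constructed-example-secret-not-real"},
    "SOCIAL_AUTH_KEYCLOAK_KEY": "your-client-id",
    "SOCIAL_AUTH_KEYCLOAK_SECRET": "unused-here-because-in-OAUTH_SECRETS",
    "SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY": SAMPLE_PUBLIC_KEY,
    "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL": f"{REALM}/auth",
    "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL": f"{REALM}/token",
    "SOCIAL_AUTH_KEYCLOAK_USER_INFO_URL": f"{REALM}/userinfo",
}

BAD_SETTINGS = {
    "FEATURES": {"ENABLE_THIRD_PARTY_AUTH": True, "ENABLE_REQUIRE_THIRD_PARTY_AUTH": True},
    "THIRD_PARTY_AUTH_BACKENDS": [KEYCLOAK_BACKEND],
    "SOCIAL_AUTH_OAUTH_SECRETS": {"keycloak": "YOUR-KEYCLOAK-CLIENT-SECRET"},
    "SOCIAL_AUTH_KEYCLOAK_KEY": "\u201cyour-client-id\u201d",  # curly quotes pasted in
    "SOCIAL_AUTH_KEYCLOAK_SECRET": "YOUR-KEYCLOAK-CLIENT-SECRET",
    "SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY": "MIIBIjA...",  # bare body, no PEM armor
    "SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL": f"{REALM}/auth",
    "SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL": "http://idp.example.org/realms/other/protocol/openid-connect/token",
    "SOCIAL_AUTH_KEYCLOAK_USER_INFO_URL": f"{REALM}/userinfo",
    "SOCIAL_AUTH_KEYCLOAK_ID_KEY": "email",
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(f"{name}: {len(check_keycloak_settings(cfg))} finding(s)")
        for line in check_keycloak_settings(cfg):
            print("  -", line)
```

Run it against the settings dict your deployment actually renders (for example the YAML that Tutor or Ansible produces, parsed into a dict) rather than against hand-typed values; the point is to catch what ends up on the LMS, not what was intended.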