A PAS plugin to set roles to imio keycloak users
Project description
pas.plugins.kimug
A PAS plugin to set roles to imio keycloak users
Kimug is a acronym for "Keycloak IMio User & Group"
Installation
Install pas.plugins.kimug:
make build
Create the Plone site:
make create-site
Test / dev environment
Init dev environment
You have to initialize a certificate with tests/mkcert.sh .
Start dev environment
make docker-start
This command will start a keycloak instance available at https://keycloak.127.0.0.1.nip.io
Tests dev accounts
| Realm | login | password | |
|---|---|---|---|
| master | admin | admin | |
| imio | kimug | kimug_at_imio.be | kimug |
| plone | plone | plone_at_imio.be | plone |
| sso-apps | imio-apps-plone_belleville-ac | imio-apps_at_kimug.be | Kimug123456*** |
Export keycloak realms
cd tests
docker compose exec keycloak /opt/keycloak/bin/kc.sh export --file /opt/keycloak/data/import/realm-imio.json --realm imio
docker compose exec keycloak /opt/keycloak/bin/kc.sh export --file /opt/keycloak/data/import/realm-plone.json --realm plone
docker compose exec keycloak /opt/keycloak/bin/kc.sh export --file /opt/keycloak/data/import/realm-sso-apps.json --realm sso-apps
Run test
.venv/bin/tox -e test -s
or only one class
.venv/bin/pytest tests -s -k TestMigration
Contribute
License
The project is licensed under GPLv2.
Contributors
- iMio [devops@imio.be]
1.5.1 (2026-06-02)
New features:
- Add upgrade step (1002→1003) that registers the
oidc_sso_appsplugin, applies OIDC settings, and syncs SSO Apps users from Keycloak into Plone on existing instances. [remdub] upgrade-1003-oidc-sso-apps
1.5.0 (2026-05-29)
New features:
- Add SSO apps authentication via a second PAS plugin (
oidc_sso_apps) backed by a dedicatedsso-appsKeycloak realm. Bearer tokens are routed to the correct plugin by inspecting theissclaim; Plone users are created automatically on first access. A sync view (/keycloak_sso_apps_users) lets administrators bulk-import SSO app users. Configure viaSSO_APPS_CLIENT_ID,SSO_APPS_CLIENT_SECRET,SSO_APPS_URL,SSO_APPS_ACCESS_GROUP. [remdub] sso-apps-authentication
Bug fixes:
- Security: Kimug bearer-token authentication now verifies JWT signatures
against the Keycloak realm's JWKS with RS256, and checks
iss,aud,exp,iat. Previouslyjwt.decode(..., options={"verify_signature": False})accepted any JWT — including attacker-forged tokens — allowing account takeover by sendingAuthorization: Bearer <unsigned.jwt>._decode_tokennow returnsNoneon any verification failure instead of raising, so the PAS authentication chain degrades cleanly. Configurekeycloak_url,keycloak_realm,keycloak_issuerandkeycloak_audiencevia environment variables (audience defaults toaccount). [bsuttor] kimug-jwt-verify
1.4.3 (2026-03-24)
- DEVOPS-339 : Fix ConflictError when multiple Zope instances start simultaneously and commit OIDC settings [remdub]
1.4.2 (2025-12-10)
- Set administrator role for users in group iA.Smartweb-admin with an imio address. [bsuttor]
1.4.1 (2025-11-25)
- WEB-4331 : Set Allowed Groups with environment variable [remdub]
1.4.0 (2025-11-04)
-
Upgrade dev environment to Plone 6.1.3 [remdub]
-
Override views related to user management We no longer create or modify users in Plone This is now handled by Keycloak [remdub]
-
Remove deprecated methods related to redirect uris We are not using those methods anymore since 1.3.0 [remdub]
1.3.1 (2025-09-30)
- Do not gave administrator role for users in group iA.Smartweb. [bsuttor]
1.3.0 (2025-09-25)
-
Skip OIDC settings configuration when Plone site or OIDC plugin is unavailable [remdub]
-
Set "came_from" session variable from HTTP_REFERER instead of came_from request. [bsuttor]
-
In controlpanel status, check if the redirect_uris set in Keycloak match the ones set in the OIDC plugin. [remdub]
-
Set OIDC settings from environment variables on instance boot [remdub, bsuttor]
1.2.0 (2025-09-16)
-
Add controlpanel [remdub]
-
Add a view to set OIDC settings [remdub]
-
Add a view to import Keycloak users to Plone. [bsuttor]
1.1.5 (2025-09-09)
- Add upgrade-step to clean authentic users [remdub]
1.1.4 (2025-08-28)
- You should rerun migration as many times as you want. [bsuttor]
1.1.3 (2025-08-28)
- Check if realm exists and environment variables are set before migration [remdub]
1.1.2 (2025-08-27)
- Add forgot local roles on migration to Keycloak. [bsuttor & remdub]
1.1.1 (2025-08-26)
- Migrate users form Authentic to Keycloal OIDC plugin. [bsuttor]
1.1.0 (2025-07-10)
- Migrate authentic to keycloak
1.0.0 (2025-03-31)
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pas_plugins_kimug-1.5.1.tar.gz.
File metadata
- Download URL: pas_plugins_kimug-1.5.1.tar.gz
- Upload date:
- Size: 105.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f2a453cfadafa0f799252db5699a306e66ff47d33c27cb6637472a3b2c46dc18
|
|
| MD5 |
280d090795897dbfce00ac865a6ece7e
|
|
| BLAKE2b-256 |
cea2f1996bd5c99bda22291c7d62e8e071920b4d7145cc910244417f92501234
|
File details
Details for the file pas_plugins_kimug-1.5.1-py3-none-any.whl.
File metadata
- Download URL: pas_plugins_kimug-1.5.1-py3-none-any.whl
- Upload date:
- Size: 47.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
dae948aa60e776ee4ffb80cda9a2e8f3c8f779f79e4f11f4a5c69a7aab3e15eb
|
|
| MD5 |
3ac0d7f3417bf4b93d6323d7a322e18b
|
|
| BLAKE2b-256 |
2f7d05e47ff6771654deebff822c689bc00c12575167e3eb9f02f002ec154088
|
