A PAS plugin to set roles to imio keycloak users

Project description

pas.plugins.kimug

A PAS plugin to set roles to imio keycloak users

Kimug is an acronym for "Keycloak IMio User & Group".

Installation

Install pas.plugins.kimug:

make build

Create the Plone site:

make create-site

Test / dev environment

Init dev environment

The dev Keycloak is served over HTTPS on a nip.io hostname that resolves to 127.0.0.1, so you first have to create a locally trusted certificate with tests/mkcert.sh.

Start dev environment

make docker-start

This command starts a Keycloak instance available at https://keycloak.127.0.0.1.nip.io

Test dev accounts

These are development credentials for the local docker Keycloak started above; do not reuse them outside that environment.

Realm     Login                          E-mail                  Password
master    admin                          -                       admin
imio      kimug                          kimug_at_imio.be        kimug
plone     plone                          plone_at_imio.be        plone
sso-apps  imio-apps-plone_belleville-ac  imio-apps_at_kimug.be   Kimug123456***

Export keycloak realms

cd tests
docker compose exec keycloak /opt/keycloak/bin/kc.sh export --file /opt/keycloak/data/import/realm-imio.json --realm imio
docker compose exec keycloak /opt/keycloak/bin/kc.sh export --file /opt/keycloak/data/import/realm-plone.json --realm plone
docker compose exec keycloak /opt/keycloak/bin/kc.sh export --file /opt/keycloak/data/import/realm-sso-apps.json --realm sso-apps

Run tests

.venv/bin/tox -e test -s

or only one test class:

.venv/bin/pytest tests -s -k TestMigration

Contribute

License

The project is licensed under GPLv2.

Contributors

  • iMio [devops@imio.be]

1.5.2 (2026-06-02)

New features:

  • get_keycloak_users_from_oidc_sso_apps now includes SSO apps users that are missing optional fields: missing email is filled as {username}@kimug.be; missing first and last name are filled as the username and sso-apps respectively. [remdub] sso-apps-users-default-fields

1.5.1 (2026-06-02)

New features:

  • Add upgrade step (1002→1003) that registers the oidc_sso_apps plugin, applies OIDC settings, and syncs SSO Apps users from Keycloak into Plone on existing instances. [remdub] upgrade-1003-oidc-sso-apps

1.5.0 (2026-05-29)

New features:

  • Add SSO apps authentication via a second PAS plugin (oidc_sso_apps) backed by a dedicated sso-apps Keycloak realm. Bearer tokens are routed to the correct plugin by inspecting the iss claim; Plone users are created automatically on first access. A sync view (/keycloak_sso_apps_users) lets administrators bulk-import SSO app users. Configure via SSO_APPS_CLIENT_ID, SSO_APPS_CLIENT_SECRET, SSO_APPS_URL, SSO_APPS_ACCESS_GROUP. [remdub] sso-apps-authentication

Bug fixes:

  • Security: Kimug bearer-token authentication now verifies JWT signatures against the Keycloak realm's JWKS with RS256, and checks iss, aud, exp, iat. Previously jwt.decode(..., options={"verify_signature": False}) accepted any JWT — including attacker-forged tokens — allowing account takeover by sending Authorization: Bearer <unsigned.jwt>. _decode_token now returns None on any verification failure instead of raising, so the PAS authentication chain degrades cleanly. Configure keycloak_url, keycloak_realm, keycloak_issuer and keycloak_audience via environment variables (audience defaults to account). [bsuttor] kimug-jwt-verify
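The two 1.5.0 entries above describe one flow: a bearer token is routed to the kimug or oidc_sso_apps plugin by its iss claim, then verified with RS256 against that realm's JWKS with iss, aud, exp and iat checked, returning None on any failure. The script below is an added example of that flow and not pas.plugins.kimug's own code. It assumes PyJWT with its cryptography backend (pip install "pyjwt[crypto]"); the Keycloak base URL, the key IDs, the realm signing keys, the JWKS documents and every token are constructed locally so it runs offline, and the pre-1.5.0 decode is reproduced next to the hardened one so the difference can be exercised.

```python
"""Bearer-token handling as described in the 1.5.0 changelog: route a token to a
plugin by its iss claim, then verify it with RS256 against that realm's JWKS and
check iss, aud, exp and iat. Added example, not pas.plugins.kimug's own code.
Assumes PyJWT with its cryptography backend (pip install "pyjwt[crypto]").
Realm keys, JWKS documents and tokens are constructed locally, so it runs offline.
"""
import json
import time

import jwt
from cryptography.hazmat.primitives.asymmetric import rsa
from jwt.algorithms import RSAAlgorithm

KC = "https://keycloak.127.0.0.1.nip.io"  # assumed value of keycloak_url / SSO_APPS_URL


def _make_realm(name, kid):
    """Constructed stand-in for a Keycloak realm: its signing key plus the JWKS it
    would publish at /realms/<name>/protocol/openid-connect/certs."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    jwk = json.loads(RSAAlgorithm.to_jwk(key.public_key()))
    jwk["kid"] = kid
    return {"issuer": f"{KC}/realms/{name}", "audience": "account",
            "jwks": {"keys": [jwk]}, "_key": key, "_kid": kid}


# One entry per PAS plugin: kimug (realm imio) and oidc_sso_apps (realm sso-apps).
REALMS = {"kimug": _make_realm("imio", "imio-key-1"),
          "oidc_sso_apps": _make_realm("sso-apps", "sso-key-1")}
ATTACKER_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)


def decode_token_vulnerable(token):
    """Pre-1.5.0 behaviour: the signature is never checked, so any JWT is trusted."""
    return jwt.decode(token, options={"verify_signature": False})


def decode_token(token, realm):
    """Hardened decode for one realm. Returns None on any failure instead of raising,
    so the PAS authentication chain can fall through cleanly."""
    try:
        kid = jwt.get_unverified_header(token).get("kid")
        jwk = next(k for k in realm["jwks"]["keys"] if k.get("kid") == kid)
        key = RSAAlgorithm.from_jwk(json.dumps(jwk))
        return jwt.decode(
            token, key,
            algorithms=["RS256"],  # pinned: alg "none" and HS256 key confusion are rejected
            issuer=realm["issuer"], audience=realm["audience"],
            options={"require": ["exp", "iat", "iss", "aud"]},
        )
    except (StopIteration, jwt.PyJWTError):
        return None


def route_token(token):
    """Choose the plugin from the (unverified) iss claim, then verify with that
    realm's key. The unverified iss only selects which public key must validate the
    signature; jwt.decode then re-checks iss against the same issuer.
    Returns (plugin_name, claims) or None."""
    try:
        iss = jwt.decode(token, options={"verify_signature": False}).get("iss")
    except jwt.PyJWTError:
        return None
    for plugin, realm in REALMS.items():
        if realm["issuer"] == iss:
            claims = decode_token(token, realm)
            return (plugin, claims) if claims else None
    return None


def mint(realm, sub, key=None, alg="RS256", **overrides):
    """Constructed token issuance. With no key this is what the realm itself would
    mint; pass ATTACKER_KEY or alg="none" to build a forgery for that realm."""
    now = int(time.time())
    claims = {"iss": realm["issuer"], "aud": realm["audience"], "sub": sub,
              "iat": now, "exp": now + 300, "preferred_username": sub}
    claims.update(overrides)
    if key is None and alg != "none":
        key = realm["_key"]
    return jwt.encode(claims, key, algorithm=alg, headers={"kid": realm["_kid"]})


if __name__ == "__main__":
    imio = REALMS["kimug"]
    forged = mint(imio, "admin", alg="none")  # unsigned token claiming to be admin
    print("genuine  :", route_token(mint(imio, "alice")))
    print("pre-1.5.0:", decode_token_vulnerable(forged)["sub"])
    print("hardened :", route_token(forged), route_token(mint(imio, "admin", key=ATTACKER_KEY)))
```

Reading iss without verification is safe only because it does nothing but pick a public key; the same claim is then validated by jwt.decode against that realm's configured issuer, and a token whose kid matches no published key, whose signature was produced by another key, whose audience differs, or whose exp has passed all collapse to None rather than an exception.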

1.4.3 (2026-03-24)

  • DEVOPS-339: Fix ConflictError when multiple Zope instances start simultaneously and commit OIDC settings. [remdub]

1.4.2 (2025-12-10)

  • Set administrator role for users in group iA.Smartweb-admin with an imio address. [bsuttor]

1.4.1 (2025-11-25)

  • WEB-4331: Set allowed groups with an environment variable. [remdub]

1.4.0 (2025-11-04)

  • Upgrade dev environment to Plone 6.1.3 [remdub]

  • Override views related to user management. We no longer create or modify users in Plone; this is now handled by Keycloak. [remdub]

  • Remove deprecated methods related to redirect URIs; they have not been used since 1.3.0. [remdub]

1.3.1 (2025-09-30)

  • Do not give the administrator role to users in group iA.Smartweb. [bsuttor]

1.3.0 (2025-09-25)

  • Skip OIDC settings configuration when Plone site or OIDC plugin is unavailable [remdub]

  • Set the "came_from" session variable from the HTTP_REFERER header instead of the came_from request parameter. [bsuttor]

  • In controlpanel status, check if the redirect_uris set in Keycloak match the ones set in the OIDC plugin. [remdub]

  • Set OIDC settings from environment variables on instance boot [remdub, bsuttor]

1.2.0 (2025-09-16)

  • Add controlpanel [remdub]

  • Add a view to set OIDC settings [remdub]

  • Add a view to import Keycloak users into Plone. [bsuttor]

1.1.5 (2025-09-09)

  • Add upgrade step to clean up Authentic users. [remdub]

1.1.4 (2025-08-28)

  • Migration can now be rerun as many times as needed. [bsuttor]

1.1.3 (2025-08-28)

  • Check if realm exists and environment variables are set before migration [remdub]

1.1.2 (2025-08-27)

  • Add forgotten local roles during migration to Keycloak. [bsuttor & remdub]

1.1.1 (2025-08-26)

  • Migrate users from Authentic to the Keycloak OIDC plugin. [bsuttor]

1.1.0 (2025-07-10)

  • Migrate Authentic to Keycloak

1.0.0 (2025-03-31)

Download files


Source Distribution

pas_plugins_kimug-1.5.2.tar.gz (106.2 kB)

Uploaded Source

Built Distribution


pas_plugins_kimug-1.5.2-py3-none-any.whl (47.8 kB)

Uploaded Python 3

File details

Details for the file pas_plugins_kimug-1.5.2.tar.gz.

File metadata

  • Download URL: pas_plugins_kimug-1.5.2.tar.gz
  • Upload date:
  • Size: 106.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.3

File hashes

Hashes for pas_plugins_kimug-1.5.2.tar.gz
Algorithm Hash digest
SHA256 73dd25f30cebe1d992c99a114b2ebbed5fe7909a9325e818c14499d02cbeadd1
MD5 fb7d95b6cc3554faa52aa9dd2ea4ad23
BLAKE2b-256 f044e98355ce13dda2af38f7a6e7c1269a83f6f50d571acea1748f4c518cba60


File details

Details for the file pas_plugins_kimug-1.5.2-py3-none-any.whl.

File metadata

File hashes

Hashes for pas_plugins_kimug-1.5.2-py3-none-any.whl
Algorithm Hash digest
SHA256 20570fd3fcb0cd625dc1b362ae2f55a15e6cd7970b46d082cd6c0969f63d9fd3
MD5 07a06842d26bb52681331e9bba9ff6b8
BLAKE2b-256 0bd1d237b6867dabbec6ce457966f1e119e589d1c2524fde2ed31148607dfce0

