OIDC Authentication for Taiga API not working (Keycloak + robrotheram/taiga-back-openid)

Hi again,

In addition to the UI and WebSocket issues, I’m also trying to set up OIDC authentication for the Taiga API using Keycloak as the identity provider.

Setup

  • Taiga is running in Docker using the image: robrotheram/taiga-back-openid.
  • The frontend login via Keycloak works fine.
  • API access without authentication returns data correctly (e.g., list of projects).
  • I’m using Keycloak at http://192.168.150.28:7214/realms/taiga with a client configured as taiga-mzrf.

My docker.env file contains the necessary OIDC variables like:

  • OIDC_CLIENT_ID
  • OIDC_CLIENT_SECRET
  • OIDC_ISSUER
  • OIDC_AUDIENCE

I’ve also added the external plugin taiga-contrib-openid-auth to the taiga-back container.

Problem

When trying to authenticate via API using an access token from Keycloak, I get this error:

{
  "detail": "Given token not valid for any token type",
  "code": "token_not_valid",
  "messages": [
    {
      "token_class": "AccessToken",
      "token_type": "access",
      "message": "Token is invalid or expired"
    }
  ]
}

The access token is fresh (lifetime 30 minutes) and is verified as active via Keycloak introspection.

What I’ve tried

  • OIDC client properly configured in Keycloak (realm = taiga)
  • Token introspection shows active: true
  • Enabled taiga-contrib-openid-auth and checked AUTHENTICATION_BACKENDS
  • Also tested with taigaio/taiga-contrib-oidc-auth
  • Rebuilt the container multiple times

What I need

  • Help with properly configuring OIDC for API access.
  • Clarification if deeper customization of taiga-back is needed (e.g., extra Python libs).
  • Best practices for setting AUTHENTICATION_BACKENDS and other OIDC-related Django settings.

Thanks again for your support!
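Added diagnostic, not code from the post, taiga-back or either plugin: the error body above is the InvalidToken response shape of djangorestframework-simplejwt, the JWT validation behind taiga-back's API, so the Keycloak token was judged by Taiga's own token check rather than by an OIDC validator. Before touching settings it helps to compare what the token actually carries with the configured OIDC_ISSUER and OIDC_AUDIENCE; this script decodes a token without verifying it and lists the claim mismatches a resource server would reject it for. The issuer URL and client id are taken from the post; that the client id is also the OIDC_AUDIENCE value is an assumption, and the sample token is constructed.

```python
import base64
import json
import time

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_jwt(token):
    """Return (header, claims) of a compact JWS. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def check_claims(token, expected_issuer, expected_audience, now=None):
    """List reasons an OIDC resource server would reject this token's claims."""
    header, claims = parse_jwt(token)
    now = time.time() if now is None else now
    findings = []
    if str(header.get("alg", "")).startswith("HS"):
        findings.append("HMAC-signed token: minted by the application itself, not by the OIDC provider")
    if claims.get("iss") != expected_issuer:  # validators compare the string exactly
        findings.append(f"iss {claims.get('iss')!r} != OIDC_ISSUER {expected_issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience not in aud:
        hint = (" (azp matches: Keycloak adds a client to aud only via an audience mapper)"
                if claims.get("azp") == expected_audience else "")
        findings.append(f"aud {aud!r} lacks OIDC_AUDIENCE {expected_audience!r}{hint}")
    if claims.get("exp", 0) <= now:
        findings.append(f"exp {claims.get('exp')!r} is not in the future (now={int(now)})")
    return findings  # empty list: only the signature check against the issuer's JWKS remains

def build_unsigned_sample(header, claims):
    # Constructed sample only: the signature segment is a placeholder, which is fine
    # because check_claims never verifies it (a real validator must).
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc(claims), "placeholder-signature"])

ISSUER = "http://192.168.150.28:7214/realms/taiga"  # from the post
CLIENT_ID = "taiga-mzrf"  # from the post; assumed here to also be the OIDC_AUDIENCE value
NOW = 1_700_000_000  # fixed clock so the findings are reproducible
# Constructed Keycloak-style access token: aud is "account" (Keycloak's usual default
# without an audience mapper) while azp names the client that requested the token.
SAMPLE_TOKEN = build_unsigned_sample(
    {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"},
    {"iss": ISSUER, "aud": "account", "azp": CLIENT_ID, "iat": NOW, "exp": NOW + 1800},
)
```

Run `check_claims(SAMPLE_TOKEN, ISSUER, CLIENT_ID, now=NOW)` to see the single audience finding; pass a real Keycloak token and the values from docker.env to get the same report for the live setup.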