Hi again,
In addition to the UI and WebSocket issues, I’m also trying to set up OIDC authentication for the Taiga API using Keycloak as the identity provider.
Setup
- Taiga is running in Docker using the image `robrotheram/taiga-back-openid`.
- The frontend login via Keycloak works fine.
- API access without authentication returns data correctly (e.g., list of projects).
- I’m using Keycloak at `http://192.168.150.28:7214/realms/taiga` with a client configured as `taiga-mzrf`.
My `docker.env` file contains the necessary OIDC variables like:
- `OIDC_CLIENT_ID`
- `OIDC_CLIENT_SECRET`
- `OIDC_ISSUER`
- `OIDC_AUDIENCE`

I’ve also added the external plugin `taiga-contrib-openid-auth` to the `taiga-back` container.
Problem
When trying to authenticate via API using an access token from Keycloak, I get this error:
    {
      "detail": "Given token not valid for any token type",
      "code": "token_not_valid",
      "messages": [
        {
          "token_class": "AccessToken",
          "token_type": "access",
          "message": "Token is invalid or expired"
        }
      ]
    }
The access token is fresh (lifetime 30 minutes), and verified as active via Keycloak introspection.
What I’ve tried
- OIDC client properly configured in Keycloak (realm = `taiga`)
- Token introspection shows `active: true`
- Enabled `taiga-contrib-openid-auth` and checked `AUTHENTICATION_BACKENDS`
- Also tested with `taigaio/taiga-contrib-oidc-auth`
- Rebuilt the container multiple times
What I need
- Help with properly configuring OIDC for API access.
- Clarification if deeper customization of `taiga-back` is needed (e.g., extra Python libs).
- Best practices for setting `AUTHENTICATION_BACKENDS` and other OIDC-related Django settings.
Thanks again for your support!
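An added diagnostic that is not part of the post above, nor of Taiga or either OIDC plugin: before changing backend settings, it helps to confirm that the claims inside the Keycloak access token actually line up with the `OIDC_ISSUER` and `OIDC_AUDIENCE` values the API was given. The script below splits a JWT into its segments, decodes the header and payload without checking the signature (inspection only, so it must never be used to grant access), and reports issuer, audience and expiry mismatches. It also flags the common Keycloak case where the requesting client appears in `azp` while `aud` defaults to `account` unless an audience mapper is configured. The sample token is constructed inline with a dummy signature, using the realm URL and client id from the post; `SAMPLE_TOKEN`, `decode_claims` and `check_claims` are names introduced here.

```python
from __future__ import annotations

import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a JWT WITHOUT verifying its signature.

    Inspection only: a token that parses here is not proven authentic.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_claims(payload: dict, expected_issuer: str, expected_audience: str,
                 now: float | None = None) -> list[str]:
    """Compare token claims with the OIDC settings handed to the API.

    Returns a list of findings; an empty list means iss/aud/exp line up
    (the signature is still unchecked and must be verified by the backend).
    """
    now = time.time() if now is None else now
    findings: list[str] = []

    iss = payload.get("iss")
    if iss != expected_issuer:
        findings.append(f"iss mismatch: token has {iss!r}, OIDC_ISSUER is {expected_issuer!r}")

    # 'aud' may be a string or a list; normalise to a list for the membership test.
    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_audience not in aud:
        msg = f"aud mismatch: token aud={aud!r} does not contain OIDC_AUDIENCE {expected_audience!r}"
        if payload.get("azp") == expected_audience:
            # Keycloak puts the requesting client in 'azp'; 'aud' only lists the
            # client if an audience mapper is added to the client scope.
            msg += " (client is present in azp only; an audience mapper may be missing)"
        findings.append(msg)

    exp = payload.get("exp")
    if exp is None:
        findings.append("no exp claim")
    elif exp <= now:
        findings.append(f"token expired at {exp} (now {int(now)})")

    return findings


# Constructed sample: claims shaped like a Keycloak access token, dummy signature.
SAMPLE_IAT = 1_700_000_000
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "http://192.168.150.28:7214/realms/taiga",
        "aud": "account",
        "azp": "taiga-mzrf",
        "typ": "Bearer",
        "iat": SAMPLE_IAT,
        "exp": SAMPLE_IAT + 1800,   # 30-minute lifetime, as in the post
    }).encode()),
    _b64url_encode(b"not-a-real-signature"),
])


if __name__ == "__main__":
    header, payload = decode_claims(SAMPLE_TOKEN)
    print("header:", header)
    for finding in check_claims(payload, "http://192.168.150.28:7214/realms/taiga", "taiga-mzrf"):
        print("finding:", finding)
```

Run it against a real token by replacing `SAMPLE_TOKEN` with the bearer string sent to the API; if `check_claims` returns nothing but the API still answers `token_not_valid`, the mismatch is not in the claims and the question moves to whether the OIDC backend is the one handling the request at all.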