
Messages: Keycloak OIDC + ProConnect Redirect Fix

Messages ships with a "ProConnect" button on the login page by default. This is the French government SSO. For self-hosted deployments, you want standard OIDC login via Keycloak.

The Fix

Two settings in .env redirect users directly to Keycloak instead of showing ProConnect:

FRONTEND_SILENT_LOGIN_ENABLED=True
MESSAGES_FRONTEND_BACKEND_SERVER=172.29.0.10:8000

FRONTEND_SILENT_LOGIN_ENABLED tells the frontend to skip the login page and redirect directly to OIDC. MESSAGES_FRONTEND_BACKEND_SERVER points Caddy to the backend's static IP.

Caddy Proxy Issues

The Messages frontend runs Caddy as a reverse proxy. Two critical fixes:

  1. Port: The frontend image listens on port 8080, not 3000. This must match the Traefik label.

  2. Host header: Caddy forwards API requests to the backend. Django needs ALLOWED_HOSTS to include messages.<domain> so these proxied requests aren't rejected with a 400.

DJANGO_ALLOWED_HOSTS=messages.<domain>,api.messages.<domain>,backend,localhost,127.0.0.1
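
To see which Host headers a given DJANGO_ALLOWED_HOSTS value accepts before deploying, the following added example (not code from Messages or Django) re-implements Django's host-matching rules in plain Python and also flags wildcard patterns. It assumes the variable is split on commas as shown above; example.org stands in for <domain>, and the list of expected Host headers is constructed.

```python
# Added example: stand-alone re-implementation of Django's ALLOWED_HOSTS
# matching rules, so the check runs without Django installed.

def split_host(header):
    """Drop the optional :port from a Host header value, lower-case the rest."""
    header = header.strip().lower()
    if header.startswith("["):              # bracketed IPv6 literal
        return header[: header.find("]") + 1]
    return header.rsplit(":", 1)[0] if ":" in header else header

def host_allowed(header, allowed_hosts):
    """True if Django would accept this Host header for the given list."""
    host = split_host(header)
    host = host[:-1] if host.endswith(".") else host   # trailing dot is ignored
    for pattern in (p.strip().lower() for p in allowed_hosts):
        if pattern == "*":                   # matches anything
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True                      # ".example.org" matches subdomains too
        if pattern == host:
            return True
    return False

def audit(env_value, expected_hosts):
    """Return (rejected, risky): headers that would get a 400, and
    patterns broader than an exact host name."""
    allowed = [h for h in env_value.split(",") if h.strip()]
    rejected = [h for h in expected_hosts if not host_allowed(h, allowed)]
    risky = [p.strip() for p in allowed if p.strip() == "*" or p.strip().startswith(".")]
    return rejected, risky

# Constructed sample values; example.org stands in for <domain>.
BEFORE = "api.messages.example.org,backend,localhost,127.0.0.1"
AFTER = "messages.example.org,api.messages.example.org,backend,localhost,127.0.0.1"
# Host headers the backend is assumed to see: Caddy-proxied browser traffic,
# direct API traffic, and container-internal calls.
EXPECTED = ["messages.example.org", "api.messages.example.org", "backend:8000"]

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER), ("wildcard", "*")):
        rejected, risky = audit(value, EXPECTED)
        print(f"{label}: rejected={rejected} risky={risky}")
```

An empty `rejected` list with an empty `risky` list is the target: every legitimate Host header passes and nothing is matched by a wildcard.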

Post-Deploy Steps

After docker compose up -d:

# Run migrations
docker compose exec backend python manage.py migrate

# Collect static files
docker compose exec backend python manage.py collectstatic --no-input

# Create initial channels (needed for Calendars integration)
docker compose exec backend python manage.py shell -c "
from core.models import Channel
c = Channel(name='calendars', type='api_key', scope_level='global')
c.save()
print(c.id)
"