Leantime / leantime

Leantime is a goals focused project management system for non-project managers. Building with ADHD, Autism, and dyslexia in mind.
https://leantime.io
GNU Affero General Public License v3.0

[FEATURE] Allow OIDC Login with Zitadel #2592

Closed meinrecht closed 3 days ago

meinrecht commented 4 months ago

OIDC does not work with Zitadel

Zitadel is an OIDC provider that allows the client application to use the methods "PKCE" and "Code".

When I configure my self-hosted Leantime instance with the Docker environment variables that I tried to deduce from other configurations described, I am not able to authenticate with Zitadel. Those are:

LEAN_OIDC_ENABLE=true
LEAN_OIDC_PROVIDER_URL=https://zitadel.example.tld
LEAN_OIDC_AUTH_URL_OVERRIDE=https://zitadel.example.tld/oauth/v2/authorize
LEAN_OIDC_TOKEN_URL_OVERRIDE=https://zitadel.example.tld/oauth/v2/token
LEAN_OIDC_USERINFO_URL_OVERRIDE=https://zitadel.example.tld/oidc/v1/userinfo
LEAN_OIDC_JWKS_URL_OVERRIDE=https://zitadel.example.tld/oauth/v2/keys
LEAN_OIDC_CREATE_USER=true
LEAN_OIDC_SCOPES="openid profile email"
LEAN_OIDC_FIELD_EMAIL=Email
LEAN_OIDC_CLIENT_ID=id
# this one should not be needed with PKCE
LEAN_OIDC_CLIENT_SECRET=secret

In Zitadel the "redirect URL" is set to: https://leantime.example.tld/oidc/callback

When using "OIDC Login" on Leantime, after being redirected to my Zitadel instance and giving my credentials, I am not redirected back. When I reopen the page where Leantime sits, I can see an error message that depends on the above-mentioned method that Zitadel should use for this client:

  1. with "PKCE":

Client error: POST https://zitadel.example.tld/oauth/v2/token resulted in a 400 Bad Request response: {"error":"invalid_request","error_description":"code_challenge required"}

So this looks like PKCE is not supported at all.

  2. with "Code":

    Das benutzte Format für den öffentlichen Schlüssel wird noch nicht unterstützt. Bitte prüfen Sie, ob Ihr provider alternative JWKS-Endpunkte unterstützt. Für Google nutzen Sie: https://www.googleapis.com/oauth2/v1/certs (which means: the given format for the public key is not yet supported...)

There is no error message on the Zitadel side in this case.


I would like to be able to use Zitadel as OIDC provider for leantime, be it with PKCE or Code.

If that is not achievable it would at least be helpful to specify in the documentation what exactly is required from the OIDC provider for the integration to work.

Additional context

I am aware that Zitadel is not one of the most common IAM providers, but it seems others have similar problems, like in #2088 (gitlab). I also read #2009, but could not find anything helpful.
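The "code_challenge required" error above is what a PKCE-enforcing provider returns when the client never sent a challenge on the authorization request. As an added illustration (not code from Leantime or Zitadel), the following shows the PKCE parameters an authorization-code client must carry across the two requests; the endpoint and redirect values are placeholders copied from the report, and the provider-side check is a simulation of the RFC 7636 rule, not Zitadel's implementation.

```python
# Added example (not Leantime or Zitadel code): the PKCE pieces an authorization-code
# client must add so a PKCE-enforcing provider does not reject the token request with
# {"error":"invalid_request","error_description":"code_challenge required"}.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder endpoints mirroring the *_URL_OVERRIDE values and redirect URL in the report.
AUTH_URL = "https://zitadel.example.tld/oauth/v2/authorize"
REDIRECT_URI = "https://leantime.example.tld/oidc/callback"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """code_verifier: 43..128 unreserved chars; 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(32))

def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorize_url(client_id: str, state: str, verifier: str) -> str:
    """Authorization request: only the challenge leaves the client; the verifier stays in the session."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile email", "state": state,
              "code_challenge": challenge_s256(verifier), "code_challenge_method": "S256"}
    return AUTH_URL + "?" + urlencode(params)

def token_request_body(client_id: str, code: str, verifier: str) -> dict:
    """POST body for the token endpoint; the verifier, not a client secret, proves possession."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": client_id, "code_verifier": verifier}

def provider_check(issued_challenge, body: dict) -> dict:
    """Simulated PKCE enforcement at the token endpoint (constructed, not Zitadel's logic)."""
    if issued_challenge is None:  # no code_challenge was sent on the authorize request
        return {"error": "invalid_request", "error_description": "code_challenge required"}
    if challenge_s256(body.get("code_verifier", "")) != issued_challenge:
        return {"error": "invalid_grant", "error_description": "code_verifier does not match"}
    return {"access_token": "CONSTRUCTED-TOKEN", "token_type": "Bearer"}
```

A client that stores the verifier in the session and sends the challenge on the authorize request, then the verifier on the token request, passes the check even without a client secret; omitting the challenge reproduces the 400 from the report.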

jgardner-qha commented 3 months ago

I seem to be having exactly the same problem, except with Amazon Cognito. I've set up a large number of various OAuth client applications on multiple providers, including Authentik, Keycloak, Microsoft, and Amazon Cognito, and I've never come across this frustrating problem before. What is missing in Leantime that is causing this?

marcelfolaron commented 3 months ago

PKCE is currently not supported. We are in the midst of switching some of the authentication layers and I'll take another look at that.

marcelfolaron commented 3 days ago

This should work now as of 3.3.1