OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

Cannot Configure OpenID Login #2452

Open lotusexpeditor opened 1 year ago

lotusexpeditor commented 1 year ago

Description

Cannot configure OpenID login with Authentik software.

I have traced the issue to this line. It seems like the !user condition is met, but I'm not sure. (https://github.com/OpenCTI-Platform/opencti/blob/e1e65d3d07034b222b5945f00b8c7b184fea607d/opencti-platform/opencti-graphql/src/http/httpPlatform.js#L243)

Environment

  1. OS (where OpenCTI server runs): Official docker image
  2. OpenCTI version: OpenCTI 5.3.17
  3. OpenCTI client: frontend
  4. Other environment details: Ubuntu 20.04 with docker, Portainer as orchestration system

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Click OPENID LOGIN on main page
  2. Authenticate with Authentik, redirect occurs
  3. After /auth/oic/callback?code=xxxxx, it redirects to the /dashboard path and prints "Unknown Error"

Additional information

Oauth token content from authentik logs

ID Token

```json
{
  "iss": "https://sso.ourbase.home.arpa/application/o/opencti/",
  "sub": "redacted",
  "aud": "redacted",
  "exp": redacted,
  "iat": redacted,
  "auth_time": redacted,
  "acr": "goauthentik.io/providers/oauth2/default",
  "c_hash": null,
  "nonce": null,
  "at_hash": "redacted",
  "claims": {
    "email": "lotus@ourbase.home.arpa",
    "email_verified": true,
    "name": "lotus",
    "given_name": "lotus",
    "family_name": "",
    "preferred_username": "lotus",
    "nickname": "lotus",
    "groups": [
      "opencti_default"
    ]
  }
}
```

Applied OpenCTI OpenID configuration

```yaml
  - PROVIDERS__OPENID__STRATEGY=OpenIDConnectStrategy
  - "PROVIDERS__OPENID__CONFIG__LABEL=OPENID LOGIN"
  - PROVIDERS__OPENID__CONFIG__ISSUER=${OID_CFG_ISSUER}
  - PROVIDERS__OPENID__CONFIG__CLIENT_ID=${OID_CLIENT_ID}
  - PROVIDERS__OPENID__CONFIG__CLIENT_SECRET=${OID_CLIENT_SECRET}
  - "PROVIDERS__OPENID__CONFIG__REDIRECT_URIS=[\"https://opencti.ourbase.home.arpa/auth/oic/callback\"]"
  - PROVIDERS__OPENID__CONFIG__ROLES_MANAGEMENT__ROLES_SCOPE=groups
  - "PROVIDERS__OPENID__CONFIG__ROLES_MANAGEMENT__ROLES_PATH=[\"claims.groups\"]"
  - "PROVIDERS__OPENID__CONFIG__ROLES_MANAGEMENT__ROLES_MAPPING=[\"opencti_default:Default\"]"
  - PROVIDERS__OPENID__CONFIG__ROLES_MANAGEMENT__TOKEN_REFERENCE=id_token
```

lotusexpeditor commented 1 year ago

After some debugging, it turns out OpenCTI expects an RS256-signed JWT, but Authentik was responding with an HS256 one in my previous configuration.

Besides, in the OpenID configuration discovery document, it was explicitly declared as HS256.

The "Unknown error" message from the OpenCTI platform is not enough and should be improved.
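
The HS256/RS256 mismatch described in the comment above, as an added example that is not part of the original issue and is not OpenCTI's or Authentik's code: a Node.js script that decodes an ID token's JOSE header, compares its `alg` with what the relying party accepts and with the `id_token_signing_alg_values_supported` field of the IdP's discovery document, and resolves a ROLES_PATH value such as `claims.groups` against the token payload. Everything it operates on is constructed here: the two discovery documents (modelling the provider before and after a signing key is set), the payload (shaped like the Authentik log excerpt, with the redacted values replaced by placeholders), a dummy signature, and the assumption that the relying party accepts only RS256. Nothing is cryptographically verified; only the header and payload are inspected.

```javascript
// Added example, not code from OpenCTI or Authentik. Offline diagnosis of
// the ID token signing algorithm mismatch described in this thread.

// Algorithms the relying party will accept. Assumed value: the reporter
// says OpenCTI expected RS256, so that is what is pinned here.
const RP_ACCEPTED_ALGS = ["RS256"];

function b64urlJson(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Build a compact JWS "header.payload.signature" with a dummy signature so
// the header/payload checks below can run without any key material.
function makeSampleToken(alg, payload) {
  const sig = Buffer.from("constructed-dummy-signature").toString("base64url");
  return `${b64urlJson({ alg, typ: "JWT" })}.${b64urlJson(payload)}.${sig}`;
}

// Decode part 0 (JOSE header) or part 1 (payload) of a compact JWS.
function decodeJwtPart(token, index) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 dot-separated parts");
  return JSON.parse(Buffer.from(parts[index], "base64url").toString("utf8"));
}

// Generic dotted-path lookup, e.g. "claims.groups". An illustration of
// checking a ROLES_PATH value against a real token, not OpenCTI's resolver.
function resolveClaimPath(payload, path) {
  return path.split(".").reduce((node, key) => (node == null ? undefined : node[key]), payload);
}

// Constructed payload shaped like the Authentik log excerpt in this issue,
// with the reporter's redactions replaced by placeholder values.
const SAMPLE_PAYLOAD = {
  iss: "https://sso.ourbase.home.arpa/application/o/opencti/",
  sub: "placeholder-subject",
  aud: "placeholder-client-id",
  exp: 0,
  iat: 0,
  claims: { email: "lotus@ourbase.home.arpa", preferred_username: "lotus", groups: ["opencti_default"] },
};

// Constructed discovery documents. The field name is the standard one from
// OIDC Discovery; the values model the provider with no signing key set
// (HS256 only) and with a certificate set (RS256), as in this thread.
const DISCOVERY_BEFORE_FIX = {
  issuer: SAMPLE_PAYLOAD.iss,
  id_token_signing_alg_values_supported: ["HS256"],
};
const DISCOVERY_AFTER_FIX = {
  issuer: SAMPLE_PAYLOAD.iss,
  id_token_signing_alg_values_supported: ["RS256"],
};

// Returns { alg, advertised, ok, problems }. Each problem is a sentence a
// practitioner can act on; ok is true only when nothing is wrong.
function diagnoseIdToken(token, discovery, accepted = RP_ACCEPTED_ALGS) {
  const { alg } = decodeJwtPart(token, 0);
  const advertised = discovery.id_token_signing_alg_values_supported || [];
  const problems = [];
  if (!alg || alg === "none") {
    problems.push("token is unsigned (alg missing or 'none'); reject it");
  } else if (!accepted.includes(alg)) {
    problems.push(`token signed with ${alg}, relying party accepts only ${accepted.join(", ")}`);
  }
  if (alg && alg !== "none" && !advertised.includes(alg)) {
    problems.push(`token alg ${alg} is not advertised in id_token_signing_alg_values_supported`);
  }
  if (!advertised.some((a) => accepted.includes(a))) {
    problems.push("discovery advertises no algorithm the relying party accepts: fix the IdP signing key, not the client");
  }
  return { alg, advertised, ok: problems.length === 0, problems };
}

// Stand-alone run: the HS256 case fails, the RS256 case passes, and the
// roles path from the reporter's config resolves to the group list.
function runDemo() {
  const before = diagnoseIdToken(makeSampleToken("HS256", SAMPLE_PAYLOAD), DISCOVERY_BEFORE_FIX);
  const rsToken = makeSampleToken("RS256", SAMPLE_PAYLOAD);
  const after = diagnoseIdToken(rsToken, DISCOVERY_AFTER_FIX);
  const groups = resolveClaimPath(decodeJwtPart(rsToken, 1), "claims.groups");
  console.log(JSON.stringify({ before, after, groups }, null, 2));
  return { before, after, groups };
}

runDemo();
```

Run it with `node check-id-token.js` (any file name). Against a live provider, the two inputs to compare are the decoded header of the `id_token` returned at the callback and the `id_token_signing_alg_values_supported` array from `/.well-known/openid-configuration`; when the latter lists only HS256, as the reporter saw, the remedy is on the provider side (configuring a signing key, as the later comment describes), not in the client configuration. The relying party should keep pinning the algorithms it accepts rather than trusting the token's own `alg` header to choose a verification key, since HS256 verification uses a shared secret and an attacker-controlled header must never be allowed to switch the verifier from an RSA public key to that secret.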

ZachChristensen28 commented 1 week ago

I saw the same thing as above, with Authentik responding with an HS256 token. In my Authentik provider, I set the Signing key to the default certificate in the settings (as opposed to no key), which fixed the problem.