TandoorRecipes / recipes

Application for managing recipes, planning meals, building shopping lists and much much more!
https://docs.tandoor.dev

How to get OpenID working with Tandoor? #970

Closed Akruidenberg closed 2 years ago

Akruidenberg commented 2 years ago

Issue

Some time ago, I asked for some help at the Authentik GitHub for using OpenID with Traefik. I'm using Authentik for SSO. However, it did not work. Now, with more research, the ENV is finally parsing; however, nothing changed. Are there more steps required for OpenID? Are there people who got OpenID working with Tandoor? @vabene1111 I've posted more info this time. Other providers like Authelia now also support OpenID, so examples for this are great too.

Setup Info

Version: 0.17.2
OS: OMV 5 (Debian)

ENV File:

DB_ENGINE=django.db.backends.postgresql
POSTGRES_HOST=recipes-postgres
POSTGRES_PORT=5432 
POSTGRES_PASSWORD=secret
STICKY_NAV_PREF_DEFAULT=1
POSTGRES_USER=recipes
POSTGRES_DB=recipes         
SECRET_KEY=secret
REVERSE_PROXY_AUTH=0
COMMENT_PREF_DEFAULT=1
GUNICORN_MEDIA=0
ALLOWED_HOSTS=*
COMMENT_PREF_DEFAULT=1
MEDIA_URL=/media/
STATIC_URL=/static/
SHOPPING_MIN_AUTOSYNC_INTERVAL=5
DEBUG=0
TIMEZONE=Europe/Amsterdam
SOCIALACCOUNT_PROVIDERS={ 'openid': { 'SERVERS': [ {'id':'authentik', 'name':'authentik', 'openid_url':'https://authentik.domain.com/application/o/tandoor/"'}, ]}}
  nginx-recipes:
    image: nginx:mainline-alpine
    container_name: nginx-recipes
    hostname: nginx-recipes
    restart: unless-stopped
    networks:
      - reverseproxy  
      - intern
    security_opt:
      - no-new-privileges:true         
    volumes:
      - recipes-nginx:/etc/nginx/conf.d:ro
      - recipes-config:/static     
      - recipes-media:/media
    labels:
      traefik.enable: "true"
      ## HTTP Routers
      traefik.http.routers.recipes-rtr.entrypoints: https
      ## Middlewares
      traefik.http.routers.recipes-rtr.middlewares: chain-no-auth@file  
      ## HTTP Services
      traefik.http.routers.recipes-rtr.service: recipes-svc
      traefik.http.routers.recipes-rtr.rule: Host(`recept.$DOMAINNAME`)      
      traefik.http.services.recipes-svc.loadbalancer.server.port: 80
      ## watchtower      
      com.centurylinklabs.watchtower.enable: "true"    
      diun.enable: "true"       

  recipes:
    image: vabene1111/recipes:0.17.2
    container_name: recipes
    restart: unless-stopped
    hostname: recipes
#    user: $PUID:$PGID
    networks:
      - reverseproxy
      - intern
    security_opt:
      - no-new-privileges:true   
    volumes:
      - recipes-config:/opt/recipes/staticfiles
      - recipes-nginx:/opt/recipes/nginx/conf.d
      - recipes-media:/opt/recipes/mediafiles    
    depends_on:
      - recipes-postgres
      - nginx-recipes
    env_file:
        - ./recipes.env 
    labels:
      ## watchtower
      com.centurylinklabs.watchtower.enable: "true"
      diun.enable: "true"

  recipes-postgres:
    image: postgres:12-alpine
    container_name: recipes-postgres
    restart: unless-stopped
    hostname: recipes-postgres
#    user: $PUID:$PGID  
    env_file:
      - ./recipes-postgres.env 
    networks:
      - intern   
    security_opt:
      - no-new-privileges:true        
    secrets:
        - recipes_postgres  
    volumes:
      - recipes-postgres:/var/lib/postgresql/data    
      - $BACKUPDIR/recipes:/backup      
    environment:
      TZ: $TZ
    ## watchtower
    labels:
      com.centurylinklabs.watchtower.enable: "false"     
      diun.enable: "true"      


vabene1111 commented 1 year ago

awesome and thanks for letting me know. I will make sure to include this in the next release if possible

vabene1111 commented 1 year ago

got it merged, will need to test but am confident it should work

ikaruswill commented 1 year ago

Thanks! Let me pull develop and test it out tonight with Authelia OIDC provider

Akruidenberg commented 1 year ago

Nice! Would be nice to get it working with Authentik after so long :)

vabene1111 commented 1 year ago

looking forward to hearing your feedback on this!

ikaruswill commented 1 year ago

I was able to sign in!

Successfully signed in as <username>.

vabene1111 commented 1 year ago

awesome, glad it worked.

ikaruswill commented 1 year ago

On point 1, I must have misconfigured something somewhere. Let me figure that out or discuss it separately since it's unrelated to OIDC.

Valid points for 2 and 3. 👍. I'm somewhat conversant in Django so I might be able to help. Let me dig through the code base first.

vabene1111 commented 1 year ago

Awesome, feel free to give it a try. If you have any questions let me know, probably best in a new issue.

spaddex commented 1 year ago

Using the "beta" image in docker, with oauth (authelia).
Like ikaruswill said, I had to set ENABLE_SIGNUP=1.
After logging in, I was presented with the options to either join a space via token or create a new space though.

Config for tandoor:

SOCIALACCOUNT_PROVIDERS = { "openid_connect": { "SERVERS": [ { "id": "tandoor", "name": "Authelia", "server_url": "https://mydomain.com", "token_auth_method": "client_secret_basic", "APP": { "client_id": "tandoor", "secret": "<super_secret>", }, } ] }}
SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect

Config for authelia:

...
      - id: tandoor
        description: tandoor
        secret: <super_secret>
        public: false
        authorization_policy: two_factor
        audience: []
        scopes:
          - openid
          - groups
          - email
          - profile
        redirect_uris:
          - https://mydomain.com/accounts/tandoor/login/callback/
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        userinfo_signing_algorithm: none

rheaalleen commented 1 year ago

Since the original topic was Authentik here is the part for it

The formatting of the providers string doesn't matter. Replace the server_url with your application; my slug is called recipes.

SOCIALACCOUNT_PROVIDERS={ "openid_connect": { "SERVERS": [{ "id": "authentik", "name": "Authentik", "server_url": "https://domain.tld/application/o/recipes/.well-known/openid-configuration", "token_auth_method": "client_secret_basic", "APP": { "client_id": "YXZ", "secret": "YXZ" } } ] } }

SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect

You have to add your mail on first login, there could be a way to automatically read it from supplied scopes but I didn't check further

nicedevil007 commented 1 year ago

> Since the original topic was Authentik here is the part for it
>
> The formatting of the providers string doesn't matter. Replace the server_url with your application; my slug is called recipes.
>
> SOCIALACCOUNT_PROVIDERS={ "openid_connect": { "SERVERS": [{ "id": "authentik", "name": "Authentik", "server_url": "https://domain.tld/application/o/recipes/.well-known/openid-configuration", "token_auth_method": "client_secret_basic", "APP": { "client_id": "YXZ", "secret": "YXZ" } } ] } }
>
> SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
>
> You have to add your mail on first login, there could be a way to automatically read it from supplied scopes but I didn't check further

First thank you for the 2 env variables that we have to setup :) Can you share the settings we have to create under the provider entry in authentik as well?

danaelg commented 1 year ago

You only have to create an OAuth2/OpenID Provider.

You have to define https://tandoor.example.org/accounts/authentik/login/callback/ as Redirect URIs/Origins

NOTE Change tandoor.example.org to your tandoor URL.

Take note of the Client ID and the Client Secret

nicedevil007 commented 1 year ago

> accounts/authentik/login/callback/

Ok, it seems to work, ty very much. What if I already have my local users in Tandoor and they have the same username as in Authentik?

It seems that Authentik tries to create new users and the old ones have to be deleted, is that right?

EDIT: Ok, login with local user and find the social authentication login there :)

kristof-mattei commented 1 year ago

I ran into the following issue: I had to encode the %. My key contained %sh somewhere and this was the error in Authelia:

time="2023-04-08T20:56:53-07:00" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client secret in the HTTP authorization header could not be decoded from 'application/x-www-form-urlencoded'. invalid URL escape '%sh'" method=POST path=/api/oidc/token remote_ip=172.19.0.1 stack=

After putting the secret key through escape("...") it all worked.
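The failure above comes from how client_secret_basic carries the credentials: RFC 6749 section 2.3.1 form-urlencodes client_id and client_secret before base64-encoding them into the Authorization header, and a provider that decodes strictly rejects a bare `%sh`. The following is an added example, not code from Tandoor, allauth or Authelia; the strict decoder is an assumption standing in for the provider's behaviour.

```python
import base64
from urllib.parse import quote

def basic_client_auth(client_id: str, client_secret: str) -> str:
    """Authorization header for token_auth_method=client_secret_basic.

    RFC 6749 section 2.3.1: client_id and client_secret are each
    form-urlencoded first, then joined with ':' and base64-encoded.
    quote(safe='') turns '%' into '%25', so a literal '%sh' survives.
    """
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()

def raw_basic_auth(client_id: str, client_secret: str) -> str:
    """The same header without the escaping step: a secret with a bare
    '%sh' in it goes over the wire as-is, as in the comment above."""
    creds = f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(creds.encode()).decode()

def strict_unescape(value: str) -> str:
    """Form-urldecode that rejects malformed escapes. Assumption: this
    mirrors the Go url.QueryUnescape behaviour behind Authelia's error;
    Python's urllib.parse.unquote would silently pass '%sh' through."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "%":
            hexpart = value[i + 1:i + 3]
            if len(hexpart) != 2 or not all(c in "0123456789abcdefABCDEF" for c in hexpart):
                raise ValueError(f"invalid URL escape '{value[i:i + 3]}'")
            out.append(int(hexpart, 16))
            i += 3
        elif ch == "+":
            out.append(0x20)  # '+' is a space in application/x-www-form-urlencoded
            i += 1
        else:
            out += ch.encode()
            i += 1
    return out.decode()

def provider_side_credentials(header: str) -> tuple:
    """What the token endpoint recovers: base64-decode, split once on ':',
    form-urldecode each half. Raises ValueError on a malformed secret."""
    raw = base64.b64decode(header.removeprefix("Basic ")).decode()
    client_id, secret = raw.split(":", 1)
    return strict_unescape(client_id), strict_unescape(secret)
```

Passing the secret through basic_client_auth round-trips cleanly; raw_basic_auth with the same secret reproduces the "invalid URL escape '%sh'" rejection.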

koseduhemak commented 1 year ago

I also configured OIDC with Authentik and Tandoor! Thanks for the examples :).

I was wondering if there is a way to completely disable local user login (username + password)... And in best case automatically redirect to Authentik login when accessing tandoor...

itsmejoeeey commented 1 year ago

+1 on the suggestions from @ikaruswill and @koseduhemak to:

In the meantime I will be resorting to using reverse proxy (header) authentication to simulate this behaviour.


As a side-note, the following quote from the docs caught me off-guard seeing as ENABLE_SIGNUP=1 would be required (and so users can sign up locally without using a public social provider anyways):

> If you choose Google, Github or any other publicly available service as your authentication provider anyone with an account on that site can create an account on your installation. A new account does not have any permission but it is still not recommended to give public access to your installation.

tedstriker commented 10 months ago

For those of you still struggling, it might be because you use a self-signed certificate. If this is the case, make sure you added it to the host properly. (Example for Debian) Bind the certificate store file under volumes of the web_recipes container with something like this:

volumes:
      - staticfiles:/opt/recipes/staticfiles
      - nginx_config:/opt/recipes/nginx/conf.d
      - mediafiles:/opt/recipes/mediafiles
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro

and add this environment variable to your docker-compose file: REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt. This makes Python recognize the system's certificate store. After that, I was able to log in via OIDC.

AutoGitr commented 10 months ago

+1 to implementing exactly what @itsmejoeeey suggested.

nicedevil007 commented 6 months ago

> You only have to create an OAuth2/OpenID Provider.
>
> You have to define https://tandoor.example.org/accounts/authentik/login/callback/ as Redirect URIs/Origins
>
> NOTE Change tandoor.example.org to your tandoor URL.
>
> Take note of the Client ID and the Client Secret

this callback URL seems not to work anymore, maybe someone else got a hint for that?

bpbradley commented 6 months ago

> You only have to create an OAuth2/OpenID Provider. You have to define https://tandoor.example.org/accounts/authentik/login/callback/ as Redirect URIs/Origins
>
> NOTE Change tandoor.example.org to your tandoor URL.
>
> Take note of the Client ID and the Client Secret
>
> this callback URL seems not to work anymore, maybe someone else got a hint for that?

I got mine working with the following redirect uri: https://tandoor.example.com/accounts/oidc/authentik/login/callback/

cbc02009 commented 6 months ago

@bpbradley Thank you so much! I've been trying to figure out all morning why my new set up wasn't working.

zodac commented 5 months ago

Hello all. I'm coming into this a bit late, but was hoping to get some assistance with getting Tandoor integrated with Authentik. When I successfully log in, I am redirected to the Authentik application page, not Tandoor.

I've added the following environment variables to my docker-compose:

      SOCIAL_PROVIDERS: "allauth.socialaccount.providers.openid_connect"
      SOCIALACCOUNT_PROVIDERS: '{ "openid_connect": { "SERVERS": [ { "id": "authentik", "name": "Authentik", "server_url": "https://my.authentik.url/application/o/tandoor/.well-known/openid-configuration", "token_auth_method": "client_secret_basic", "APP": { "client_id": "clientId", "secret": "clientSecret" } } ] } }'

In my Authentik provider, I have set the following as my redirect URI:

https://my.tandoor.url/accounts/authentik/login/callback/

However, I get a 404 when I try and access the /accounts/authentik/login/callback/ URL directly, so I'm thinking that is the issue? I've seen some comments about setting things up in the Django admin UI, but I'm not sure exactly what to update - sites/social accounts?

Would appreciate any pointers. :)

j007bond007 commented 4 months ago

> https://my.tandoor.url/accounts/authentik/login/callback/

I ran into this too.... add in oidc as per below: https://my.tandoor.url/accounts/oidc/authentik/login/callback/

zodac commented 4 months ago

> > https://my.tandoor.url/accounts/authentik/login/callback/
>
> I ran into this too.... add in oidc as per below: https://my.tandoor.url/accounts/oidc/authentik/login/callback/

Thanks @j007bond007 , that's definitely helped. I also needed to add these environment variables to the tandoor container:

      REMOTE_USER_AUTH: "1"
      SOCIAL_DEFAULT_ACCESS: "1"
      SOCIAL_DEFAULT_GROUP: "guest"

But once that was done, I was able to register new accounts through Authentik without too many issues. Thanks so much! :)
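Most of the trouble in this thread is a redirect URI that the provider compares as an exact string against what allauth sends. The following added example (not Tandoor's or allauth's code) parses the SOCIALACCOUNT_PROVIDERS value, derives the callback URI for each configured server using the /accounts/oidc/<id>/login/callback/ path reported above, and flags the old path and a missing trailing slash; the sample env value is constructed with placeholder hosts and credentials, and the Python-literal fallback is an assumption.

```python
import ast
import json

# allauth callback paths as reported in this thread: the /oidc/ segment is the new one
NEW_CALLBACK = "{base}/accounts/oidc/{sid}/login/callback/"
OLD_CALLBACK = "{base}/accounts/{sid}/login/callback/"

# Constructed sample of the env value, with placeholder host and credentials.
PROVIDERS_ENV = (
    '{ "openid_connect": { "SERVERS": [ { "id": "authentik", "name": "Authentik", '
    '"server_url": "https://my.authentik.url/application/o/tandoor/.well-known/openid-configuration", '
    '"token_auth_method": "client_secret_basic", '
    '"APP": { "client_id": "clientId", "secret": "clientSecret" } } ] } }'
)

def parse_providers(env_value: str) -> dict:
    """Parse SOCIALACCOUNT_PROVIDERS: strict JSON first, then a Python-literal
    fallback for the single-quoted style in the opening post (assumption: how
    Tandoor itself parses the variable is not shown in this thread)."""
    try:
        return json.loads(env_value)
    except json.JSONDecodeError:
        return ast.literal_eval(env_value)

def expected_callbacks(env_value: str, tandoor_base: str) -> dict:
    """Map every configured server id to the redirect URI the provider must allow."""
    cfg = parse_providers(env_value)
    servers = cfg.get("openid_connect", {}).get("SERVERS", [])
    base = tandoor_base.rstrip("/")
    return {s["id"]: NEW_CALLBACK.format(base=base, sid=s["id"]) for s in servers}

def check_redirect_uris(env_value: str, tandoor_base: str, allowed: list) -> list:
    """Compare the provider's redirect URI allow-list with what allauth sends.
    Providers match redirect URIs as exact strings, so scheme, host, path and
    the trailing slash all have to agree. Returns a list of problems found."""
    problems = []
    base = tandoor_base.rstrip("/")
    for sid, uri in expected_callbacks(env_value, tandoor_base).items():
        if uri in allowed:
            continue
        old = OLD_CALLBACK.format(base=base, sid=sid)
        if old in allowed:
            problems.append(f"{sid}: provider still allows the old path {old}; change it to {uri}")
        elif uri.rstrip("/") in allowed:
            problems.append(f"{sid}: {uri} is listed without its trailing slash")
        else:
            problems.append(f"{sid}: {uri} is not in the provider's redirect URI list")
    return problems
```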

Avsynthe commented 1 month ago

> You only have to create an OAuth2/OpenID Provider.
>
> You have to define https://tandoor.example.org/accounts/authentik/login/callback/ as Redirect URIs/Origins
>
> NOTE Change tandoor.example.org to your tandoor URL.
>
> Take note of the Client ID and the Client Secret

To anyone else finding their way here from the future who saw this and noticed they already had this Redirect URI but recently started getting Redirect URI errors: this has recently changed. I deleted this field and saved it to see if it populated itself, and it did.

As others have stated, it is in fact now "https://tandoor.example.org/accounts/oidc/authentik/login/callback/"; the /oidc/ directory is new. I was looking right at it in this thread and scratching my head, not realising I wasn't looking at the same URL, and wondered why everyone was repeating themselves haha. This is somewhat of a recent change as it worked without this for about a year or so.

tl;dr don't be me and rush