Closed Akruidenberg closed 2 years ago
awesome and thanks for letting me know. I will make sure to include this in the next release if possible
got it merged, will need to test but am confident it should work
Thanks! Let me pull develop and test it out tonight with Authelia OIDC provider
Nice! Would be nice to get it working with Authentik after so long :)
looking forward to hearing your feedback on this!
I was able to sign in!

`Successfully signed in as <username>.`

1. I had to create a `Space` and `UserSpace` via the admin UI. (I'm starting from a fresh install.) Not sure if I misconfigured anything about automatic creation of Spaces, but it seems like no spaces were automatically created, both for the admin user and for the OIDC-created user.
2. I had to set `ENABLE_SIGNUP=1`. Is there a way we can see this as a sign in rather than a sign up? Just thinking out loud.
3. The OIDC-created user has no `email` address. One suggestion moving forward is to populate the `email` field for the user with the value obtained from the `email` claim in the OpenID Connect `email` scope that's commonly provided.

awesome, glad it worked.
On point 1, I must have misconfigured something somewhere. Let me figure that out or discuss it separately since it's unrelated to OIDC.
Valid points for 2 and 3. 👍. I'm somewhat conversant in Django so I might be able to help. Let me dig through the code base first.
Awesome, feel free to give it a try. If you have any questions let me know, probably best in a new issue.
Using the "beta" image in docker, with oauth (authelia).
Like ikaruswill said, I had to set `ENABLE_SIGNUP=1`.
After logging in, I was presented with the options to either join a space via token or create a new space though.
Config for tandoor:
```
SOCIALACCOUNT_PROVIDERS = { "openid_connect": { "SERVERS": [ { "id": "tandoor", "name": "Authelia", "server_url": "https://mydomain.com", "token_auth_method": "client_secret_basic", "APP": { "client_id": "tandoor", "secret": "<super_secret>", }, } ] }}
SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
```
Config for authelia:

```yaml
...
- id: tandoor
  description: tandoor
  secret: <super_secret>
  public: false
  authorization_policy: two_factor
  audience: []
  scopes:
    - openid
    - groups
    - email
    - profile
  redirect_uris:
    - https://mydomain.com/accounts/tandoor/login/callback/
  grant_types:
    - refresh_token
    - authorization_code
  response_types:
    - code
  response_modes:
    - form_post
    - query
    - fragment
  userinfo_signing_algorithm: none
```
Since the original topic was Authentik, here is the part for it.

The formatting of the providers string doesn't matter. Replace the server_url with your application; my slug is called recipes.

```
SOCIALACCOUNT_PROVIDERS={ "openid_connect": { "SERVERS": [{ "id": "authentik", "name": "Authentik", "server_url": "https://domain.tld/application/o/recipes/.well-known/openid-configuration", "token_auth_method": "client_secret_basic", "APP": { "client_id": "YXZ", "secret": "YXZ" } } ] } }
SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
```

You have to add your mail on first login; there could be a way to automatically read it from supplied scopes but I didn't check further.
First thank you for the 2 env variables that we have to setup :) Can you share the settings we have to create under the provider entry in authentik as well?
You only have to create an OAuth2/OpenID Provider. You have to define `https://tandoor.example.org/accounts/authentik/login/callback/` as Redirect URIs/Origins.

NOTE: Change tandoor.example.org to your tandoor URL.

Take note of the Client ID and the Client Secret.
ok it seems to work, ty very much. What if I already have my local users in tandoor and they match the same username from authentik?
It seems that authentik tries to create new users and the old ones have to be deleted, is that right?
EDIT: Ok, login with local user and find the social authentication login there :)
I ran into the following issue: I had to encode the `%`. My key contained `%sh` somewhere and this was the error in Authelia:

```
time="2023-04-08T20:56:53-07:00" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client secret in the HTTP authorization header could not be decoded from 'application/x-www-form-urlencoded'. invalid URL escape '%sh'" method=POST path=/api/oidc/token remote_ip=172.19.0.1 stack=
```

After putting the secret key through `escape("...")` it all worked.
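The error above comes from the token endpoint decoding the `client_secret_basic` Authorization header. RFC 6749 section 2.3.1 requires the client to form-urlencode `client_id` and `client_secret` before joining them with `:` and base64-encoding the pair, so a literal `%` in a secret must travel as `%25`; a server that decodes strictly treats `%sh` as a malformed escape. The following added example (not code from Tandoor, allauth or Authelia) reproduces both sides: a client that encodes correctly, one that skips the step, and a strict server-side decoder that rejects the bad escape the way Authelia's Go decoder does. The client id and the secret containing `%sh` are constructed for illustration, not real credentials.

```python
import base64
from typing import Tuple
from urllib.parse import quote

# Constructed sample values (not real credentials): the secret contains a literal
# "%sh", the sequence reported in the Authelia error above.
CLIENT_ID = "tandoor"
RAW_SECRET = "s3cret%shvalue"

_HEX = set("0123456789abcdefABCDEF")


def form_urlencode(value: str) -> str:
    """application/x-www-form-urlencoded encoding of one credential (RFC 6749 sec. 2.3.1).
    safe='' percent-encodes everything except unreserved characters, so '%' becomes '%25'
    and ':' becomes '%3A', which keeps the later split on ':' unambiguous."""
    return quote(value, safe="")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic done correctly: encode each value, join with ':', base64."""
    creds = f"{form_urlencode(client_id)}:{form_urlencode(client_secret)}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def naive_basic_auth_header(client_id: str, client_secret: str) -> str:
    """The failing variant: raw values are base64'd without the form-urlencoding step."""
    creds = f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def strict_form_unquote(value: str) -> str:
    """Server-side decode that rejects malformed escapes.
    urllib.parse.unquote() silently passes '%sh' through unchanged; a strict decoder such as
    Go's url.QueryUnescape (which Authelia relies on) fails with 'invalid URL escape'. This
    function mirrors that behaviour so the failure is visible in Python."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "%":
            hexpart = value[i + 1:i + 3]
            if len(hexpart) != 2 or not set(hexpart) <= _HEX:
                raise ValueError(f"invalid URL escape '{value[i:i + 3]}'")
            out.append(int(hexpart, 16))
            i += 3
        elif ch == "+":
            out.append(0x20)  # '+' is a space in form encoding
            i += 1
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def decode_basic_auth(header: str) -> Tuple[str, str]:
    """Parse a client_secret_basic header the way a strict token endpoint does:
    base64-decode, split on the first ':', then form-urldecode each half."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    raw_id, sep, raw_secret = base64.b64decode(b64).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' between client_id and client_secret")
    return strict_form_unquote(raw_id), strict_form_unquote(raw_secret)


def roundtrip_ok(client_id: str, client_secret: str) -> bool:
    """True when the correctly encoded header decodes back to the original credentials."""
    decoded = decode_basic_auth(basic_auth_header(client_id, client_secret))
    return decoded == (client_id, client_secret)


def rejects_unencoded(client_id: str, client_secret: str) -> bool:
    """True when the strict decoder refuses the header built without encoding."""
    try:
        decode_basic_auth(naive_basic_auth_header(client_id, client_secret))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("encoded value sent on the wire:", form_urlencode(RAW_SECRET))
    print("unencoded header rejected:", rejects_unencoded(CLIENT_ID, RAW_SECRET))
    print("encoded header round-trips:", roundtrip_ok(CLIENT_ID, RAW_SECRET))
```

Whatever tool you use to encode the secret, the check that matters is the round trip: after the server base64-decodes the header and form-urldecodes each half, the value must equal the secret configured on the Authelia side. A secret with no `%`, `:`, `+` or other reserved characters survives the naive path by luck, which is why this only bites some installations.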
I also configured OIDC with Authentik and Tandoor! Thanks for the examples :).
I was wondering if there is a way to completely disable local user login (username + password)... And in best case automatically redirect to Authentik login when accessing tandoor...
+1 on the suggestions from @ikaruswill and @koseduhemak above (not requiring `ENABLE_SIGNUP=1` for OIDC sign-in, and disabling local login). In the meantime I will be resorting to using reverse proxy (header) authentication to simulate this behaviour.

As a side-note, the following quote from the docs caught me off-guard seeing as `ENABLE_SIGNUP=1` would be required (and so users can sign up locally without using a public social provider anyways):

> If you choose Google, Github or any other publicly available service as your authentication provider anyone with an account on that site can create an account on your installation. A new account does not have any permission but it is still not recommended to give public access to your installation.
For those of you still struggling, it might be because you use a self-signed certificate.

If this is the case, make sure you added it to the host properly. (Example for Debian.)

Bind the certificate store file under `volumes` of the `web_recipes` container with something like this:

```yaml
volumes:
  - staticfiles:/opt/recipes/staticfiles
  - nginx_config:/opt/recipes/nginx/conf.d
  - mediafiles:/opt/recipes/mediafiles
  - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
```

and add this environment variable to your docker-compose file:

```
REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
```

This makes Python recognize the system's certificate store.

After that, I was able to login via OIDC.
+1 to implementing exactly what @itsmejoeeey suggested.
> You only have to create an OAuth2/OpenID Provider. You have to define `https://tandoor.example.org/accounts/authentik/login/callback/` as Redirect URIs/Origins.
>
> NOTE: Change tandoor.example.org to your tandoor URL.
>
> Take note of the Client ID and the Client Secret.

This callback URL seems not to work anymore, maybe someone else got a hint for that?
I got mine working with the following redirect uri: https://tandoor.example.com/accounts/oidc/authentik/login/callback/
@bpbradley Thank you so much! I've been trying to figure out all morning why my new set up wasn't working.
Hello all. I'm coming into this a bit late, but was hoping to get some assistance with getting Tandoor integrated with Authentik. When I successfully log in, I am redirected to the Authentik application page, not Tandoor.
I've added the following environment variables to my docker-compose:
```yaml
SOCIAL_PROVIDERS: "allauth.socialaccount.providers.openid_connect"
SOCIALACCOUNT_PROVIDERS: '{ "openid_connect": { "SERVERS": [ { "id": "authentik", "name": "Authentik", "server_url": "https://my.authentik.url/application/o/tandoor/.well-known/openid-configuration", "token_auth_method": "client_secret_basic", "APP": { "client_id": "clientId", "secret": "clientSecret" } } ] } }'
```
In my Authentik provider, I have set the following as my redirect URI:
https://my.tandoor.url/accounts/authentik/login/callback/
However, I get a 404 when I try and access the /accounts/authentik/login/callback/ URL directly, so I'm thinking that is the issue? I've seen some comments about setting things up in the Django admin UI, but I'm not sure exactly what to update - sites/social accounts?
Would appreciate any pointers. :)
I ran into this too.... add in oidc as per below: https://my.tandoor.url/accounts/oidc/authentik/login/callback/
Thanks @j007bond007 , that's definitely helped. I also needed to add these environment variables to the tandoor container:
```yaml
REMOTE_USER_AUTH: "1"
SOCIAL_DEFAULT_ACCESS: "1"
SOCIAL_DEFAULT_GROUP: "guest"
```
But once that was done, I was able to register new accounts through Authentik without too many issues. Thanks so much! :)
> You only have to create an OAuth2/OpenID Provider. You have to define `https://tandoor.example.org/accounts/authentik/login/callback/` as Redirect URIs/Origins.
>
> NOTE: Change tandoor.example.org to your tandoor URL.
>
> Take note of the Client ID and the Client Secret.

To anyone else finding their way here from the future who saw this and noticed they already had this correct Redirect URI but recently started getting Redirect URI errors: this has recently changed. I deleted this field and saved it to see if it populated itself, and it did.

As others have stated, it is in fact now `https://tandoor.example.org/accounts/oidc/authentik/login/callback/`; the `/oidc/` directory is new. I was looking right at it in this thread and scratching my head, not realising I wasn't looking at the same URL, and wondered why everyone was repeating themselves haha. This is somewhat of a recent change, as it worked without this for about a year or so.

tl;dr don't be me and rush
Issue

Some time ago, I've asked for some help at the Authentik GitHub for using OpenID with Traefik. I'm using Authentik for SSO. However, it did not work. Now with more research, the ENV is finally parsing. However, nothing changed. Are there more steps required for OpenID? Are there people who got OpenID working with Tandoor? @vabene1111 I've posted more info this time. Other providers like Authelia now also support OpenID, so examples for this are great too.

Setup Info

Version: 0.17.2
OS: OMV 5 (Debian)

ENV File:

Other relevant information regarding your problem (proxies, firewalls, etc.)