go-vikunja / vikunja

Mirror of vikunja from https://code.vikunja.io/api
GNU Affero General Public License v3.0

Can't configure OpenID with Azure #288

Closed NLE-IENA closed 4 months ago

NLE-IENA commented 4 months ago

Description

Hello,

I'm trying to configure an OpenID connection with Azure Entra ID. I don't usually have issues connecting applications to Azure Entra ID (I already have some) but I still have a problem with Vikunja. You're my last hope.

I use the docker installation and have mounted a config.yml (copied from the sample and edited with my parameters). This part is ok but the application seems not to find the routes to my Azure conf.

Here is my error:

```
2024-07-18T14:23:11.417750941Z: WEB     ▶ 82.66.162.100  GET 200 /workbox-v7.0.0/workbox-sw.js 224.612µs - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
2024-07-18T14:23:11.504642469Z: ERROR   ▶ openid/GetAllProviders 0e0 Error while getting openid provider Azure: 404 Not Found:
2024-07-18T14:23:11.504842449Z: WEB     ▶ 82.66.162.100  GET 200 /api/v1/info 112.370337ms - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
```

We can see a 404 error but can't understand why.

Here is my auth configuration:

```yaml
auth:
  local:
    enabled: true

  openid:
    enabled: true
    redirecturl: "https://vikunja.mydomain/auth/openid/"  # <-- I found a previous issue which explains to take care with the "/" here
    providers:
      - name: "Azure"
        authurl: "https://login.microsoftonline.com/my_tenant/oauth2/v2.0/authorize"
        # Leave empty or delete key, if you do not want to be redirected.
        #logouturl:
        clientid: my_client
        clientsecret: my_secret
        scope: openid email profile
```

We can also see in the api/v1/info page that the provider does not appear:

```json
{
    "version": "v0.24.0",
    "frontend_url": "https://vikunja.mydomain/",
    "motd": "",
    "link_sharing_enabled": true,
    "max_file_size": "20MB",
    "registration_enabled": true,
    "available_migrators": [
        "vikunja-file",
        "ticktick"
    ],
    "task_attachments_enabled": true,
    "enabled_background_providers": [
        "upload"
    ],
    "totp_enabled": true,
    "legal": {
        "imprint_url": "",
        "privacy_policy_url": ""
    },
    "caldav_enabled": true,
    "auth": {
        "local": {
            "enabled": true
        },
        "openid_connect": {
            "enabled": true,
            "providers": []   <--- HERE
        }
    },
    "email_reminders_enabled": true,
    "user_deletion_enabled": true,
    "task_comments_enabled": true,
    "demo_mode_enabled": false,
    "webhooks_enabled": true,
    "public_teams_enabled": false
}
```

Can you help me find what's wrong, please?

Thank you Nicolas

Vikunja Version

0.24

Browser and version

No response

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response

kolaente commented 4 months ago

The authurl should be the issuer url. I don't really know anything about Azure Entra ID, but the URL you have in there looks like the authorize URL.

Also check out the docs: https://vikunja.io/docs/openid#step-2-configure-vikunja

NLE-IENA commented 4 months ago

Hello, thanks for your answer, but it's not logical. In the documentation I looked at and you re-sent, it's clearly written to use authurl. So that's what I used for my Azure. It seemed to me that openid works the same way everywhere, which makes it so interesting.

Never mind, with your answer I managed to get past the error. For those who encounter the problem, here is the url that I had to enter in my authurl variable: https://sts.windows.net/.

I also had to modify the redirection url in my Azure app because I indicated this one by following the documentation: https://vikunja.mydomain/auth/openid/ whereas this is the one that Azure expected https://vikunja.mydomain/auth/openid/azure.

Finally I still need a little help @kolaente because now the link with Azure seems well done but the tool gives me the following error.

```
ERROR   ▶ openid/HandleCallback 12c Claim does not contain an email address for provider Azure
ERROR   ▶ openid/HandleCallback 12d No email provided
```

However, I have correctly configured the access rights to my applications on the following elements.

image

kolaente commented 4 months ago

> I also had to modify the redirection url in my Azure app because I indicated this one by following the documentation: https://vikunja.mydomain/auth/openid/ whereas this is the one that Azure expected https://vikunja.mydomain/auth/openid/azure.

The redirect url mentioned in the docs is the one for Vikunja's auth.redirecturl. In Azure you need to use the url you found out.

> Finally I still need a little help @kolaente because now the link with Azure seems well done but the tool gives me the following error.

Does your user allow email sharing? I don't know how Azure handles this, but some providers require the user to agree to email sharing for third party providers. Quoting from https://vikunja.io/docs/config-options/#openid:

> Some openid providers (like Gitlab) only make the email of the user available through OpenID if they have set it to be publicly visible. If the email is not public in those cases, authenticating will fail.

NLE-IENA commented 4 months ago

I struggled a bit to understand your last point but it's ok now! Thank you! I'll try to configure teams now but it's already really good.

Are you interested in my configurations, URLs, steps, etc. in Azure and the Vikunja conf for the documentation, maybe?

Thank you Nicolas

kolaente commented 4 months ago

I'd love a contribution to the examples! https://vikunja.io/docs/openid-example-configurations

NLE-IENA commented 4 months ago

Ok so for Azure:

Configuration in Vikunja Application

  1. authurl in the application's configuration file: The expected value for both the application and Azure is: "https://sts.windows.net/<tenant_id>/"

Configuration in Azure

  1. Redirect URL: The redirect URL should be: "https://vikunja.iena.com/auth/openid/<provider_name_in_conf_file>"

  2. Authorized APIs:

The following delegated APIs must be authorized:

  1. Creating a Secret

  2. Token Configuration:

In the application's token configuration, add an optional claim:

Do you need/want more details?
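The thread above turns on three configuration details that are easy to get wrong: `authurl` must be the issuer URL rather than the authorize endpoint (otherwise provider lookup returns a 404), Azure must be given `redirecturl` plus the lower-cased provider name, and the login fails if the token carries no email claim. The following pre-flight checker encodes those three points so they can be caught before restarting the container. It is an added example, not Vikunja's own code; it assumes (as Vikunja's documentation describes) that the provider is resolved through OIDC discovery at `<authurl>/.well-known/openid-configuration`, and that Azure omits the `email` claim unless it is added as an optional claim in the app's token configuration. The tenant id in the sample is a placeholder and the claim sets are constructed.

```python
"""Pre-flight checks for a Vikunja openid provider entry (added example, not Vikunja code)."""
from typing import Optional
from urllib.parse import urlsplit

# Path suffixes that mark a protocol endpoint rather than an issuer.
ENDPOINT_SUFFIXES = ("/authorize", "/token", "/userinfo", "/logout",
                     "/.well-known/openid-configuration")


def discovery_url(issuer: str) -> str:
    """Where OIDC discovery looks for the provider metadata (assumed Vikunja behaviour)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def azure_redirect_uri(redirecturl: str, provider_name: str) -> str:
    """Redirect URI to register in the Azure app: redirecturl + lower-cased provider name."""
    if not redirecturl.endswith("/"):
        redirecturl += "/"
    return redirecturl + provider_name.lower()


def check_provider(redirecturl: str, provider: dict) -> dict:
    """Check one entry of openid.providers; returns the errors plus the derived URLs."""
    errors = []
    name = provider.get("name", "")
    authurl = provider.get("authurl", "")
    if not name:
        errors.append("provider has no name; it is part of the callback URL")
    if not redirecturl.endswith("/"):
        errors.append("openid.redirecturl must end with '/'")
    path = urlsplit(authurl).path.rstrip("/")
    if not authurl.startswith("https://"):
        errors.append(f"{name}: authurl must be an https issuer URL")
    elif any(path.endswith(s) for s in ENDPOINT_SUFFIXES):
        errors.append(f"{name}: authurl is an endpoint, not an issuer; "
                      f"discovery at {discovery_url(authurl)} will 404")
    scopes = provider.get("scope", "").split()
    for required in ("openid", "email"):
        if required not in scopes:
            errors.append(f"{name}: scope is missing '{required}'")
    if not provider.get("clientsecret"):
        errors.append(f"{name}: clientsecret is empty")
    return {
        "errors": errors,
        "discovery_url": discovery_url(authurl),
        "azure_redirect_uri": azure_redirect_uri(redirecturl, name),
    }


def check_email_claim(claims: dict) -> Optional[str]:
    """Diagnose the 'No email provided' failure from already verified token/userinfo claims.

    Returns None when an email is present, otherwise the likely reason. Assumption:
    Azure only emits 'email' when it is configured as an optional claim (the thread's
    'Token Configuration' step); 'preferred_username' alone does not satisfy Vikunja.
    """
    email = claims.get("email")
    if isinstance(email, str) and "@" in email:
        return None
    if "preferred_username" in claims or "upn" in claims:
        return ("token carries a username but no 'email' claim: add the optional "
                "'email' claim in the Azure app's token configuration")
    return "token carries no email claim; request the 'email' scope and check the account has one"


if __name__ == "__main__":
    # Constructed sample mirroring the config in this thread (tenant id is a placeholder).
    redirecturl = "https://vikunja.mydomain/auth/openid/"
    before = {"name": "Azure",
              "authurl": "https://login.microsoftonline.com/my_tenant/oauth2/v2.0/authorize",
              "clientid": "my_client", "clientsecret": "my_secret",
              "scope": "openid email profile"}
    after = dict(before, authurl="https://sts.windows.net/00000000-0000-0000-0000-000000000000/")
    for label, prov in (("before", before), ("after", after)):
        result = check_provider(redirecturl, prov)
        print(label, result["azure_redirect_uri"], result["errors"] or "ok")
    print(check_email_claim({"preferred_username": "nicolas@example.com"}))
```

Run against the "before" entry it reports the authorize-endpoint mistake together with the discovery URL that would 404; against the "after" entry it reports no errors and prints `https://vikunja.mydomain/auth/openid/azure`, the value to register in the Azure app. `check_email_claim` is meant for claims that have already been signature-verified by the OIDC library; it only decides why Vikunja would refuse the login.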

kolaente commented 4 months ago

I think that should work. Added your text (with a few modifications) to https://vikunja.io/docs/openid-example-configurations#azure-entrada-id

Many thanks!