go-vikunja / vikunja

Mirror of vikunja from https://code.vikunja.io/api
GNU Affero General Public License v3.0

OAuth Error : issuer did not match the issuer returned by provider #321

Closed 3isenHeiM closed 2 months ago

3isenHeiM commented 2 months ago

Description

I'm integrating Vikunja with Authentik. Somehow, the check that Vikunja does on the Issuer URL is not passing validation, and OAuth fails.

This is the error in the logs:

vikunja-server  | 2024-08-30T09:58:51.960523154Z: ERROR ▶ openid/GetAllProviders 156 Error while getting openid provider Authentik Login: oidc: issuer did not match the issuer returned by provider, expected "https://authentik.tld/application/o/vikunja/" got "https://authentik.tld/"

Here is the config.yaml:

auth:
  openid:
    enabled: true
    providers:
      - name: "Authentik Login"
        authurl: https://authentik.tld/application/o/vikunja/
        logouturl: https://authentik.tld/application/o/vikunja/end-session/
        clientid: <redacted>
        clientsecret: <redacted>

I don't have any means to update the issuer since it's Authentik, so I'm wondering how I can change this check in Vikunja.

Thanks!

Vikunja Version

v0.24.0

Browser and version

No response

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response

kolaente commented 2 months ago

Does that happen during the start of Vikunja or when you're trying to authenticate?

3isenHeiM commented 2 months ago

Only when I browse to the homepage, not before

kolaente commented 2 months ago

I'm using a very similar config with Authentik without issues. Which url is reported as the .well-known url in Authentik?

3isenHeiM commented 2 months ago

/application/o/vikunja/.well-known/openid-configuration


kolaente commented 2 months ago

If you open that url, what is the response?

3isenHeiM commented 2 months ago

Browsing to this I get the expected json.

{
  "issuer": "https://auth.tld/",
  "authorization_endpoint": "https://auth.tld/application/o/authorize/",
  "token_endpoint": "https://auth.tld/application/o/token/",
  "userinfo_endpoint": "https://auth.tld/application/o/userinfo/",
  "end_session_endpoint": "https://auth.tld/application/o/vikunja/end-session/",
  "introspection_endpoint": "https://auth.tld/application/o/introspect/",
  "revocation_endpoint": "https://auth.tld/application/o/revoke/",
  "device_authorization_endpoint": "https://auth.tld/application/o/device/",
  "response_types_supported": [
    "code",
    "id_token",
    "id_token token",
    "code token",
    "code id_token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "jwks_uri": "https://auth.tld/application/o/vikunja/jwks/",
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit",
    "client_credentials",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "acr_values_supported": [
    "goauthentik.io/providers/oauth2/default"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile"
  ],
  "request_parameter_supported": false,
  "claims_supported": [
    "sub",
    "iss",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "amr",
    "nonce",
    "email",
    "email_verified",
    "name",
    "given_name",
    "preferred_username",
    "nickname",
    "groups"
  ],
  "claims_parameter_supported": false,
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}

3isenHeiM commented 2 months ago

That's what I don't understand: the root of the URL is the same, and yet it complains.

The issue is that my IdP (Authentik) does not allow changing the issuer field; it's the FQDN of the server.

kolaente commented 2 months ago

The issuer reported from Authentik should be https://auth.tld/application/o/vikunja/. In my Authentik setup this is the case, so my guess is this is an issue with your setup. Do you see anything in Authentik's logs?

3isenHeiM commented 2 months ago

Yup, indeed it was an issue in Authentik's provider configuration.

The option issuer_mode had to be set to per_provider (API reference).
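As an added example (not Vikunja's or Authentik's code), this Go snippet reproduces the issuer check that produced the error in this thread: it parses a trimmed, constructed copy of the reporter's discovery document (issuer is the bare host) and a corrected one (issuer is the per-provider URL), and compares the issuer exactly as an OIDC client must. The function and constant names are made up for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// discoveryDoc holds the discovery-document fields relevant to the issuer check.
type discoveryDoc struct {
	Issuer        string `json:"issuer"`
	TokenEndpoint string `json:"token_endpoint"`
	JWKSURI       string `json:"jwks_uri"`
}

// checkIssuer mirrors what the OIDC client does after fetching
// <authurl>/.well-known/openid-configuration: the document's "issuer" must be
// byte-for-byte equal to the configured URL (no slash or case normalisation).
// Accepting a document for a different issuer would mean trusting keys and
// endpoints published for a provider other than the one that was configured.
func checkIssuer(configuredIssuer string, body []byte) (*discoveryDoc, error) {
	var doc discoveryDoc
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, fmt.Errorf("invalid discovery document: %w", err)
	}
	if doc.Issuer != configuredIssuer {
		return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q",
			configuredIssuer, doc.Issuer)
	}
	return &doc, nil
}

// Constructed, trimmed discovery documents: globalModeDoc mirrors what the
// reporter posted (issuer is the bare host); perProviderDoc is the same
// document once the issuer is the per-provider URL Vikunja was configured with.
const globalModeDoc = `{"issuer":"https://auth.tld/",
 "token_endpoint":"https://auth.tld/application/o/token/",
 "jwks_uri":"https://auth.tld/application/o/vikunja/jwks/"}`

const perProviderDoc = `{"issuer":"https://auth.tld/application/o/vikunja/",
 "token_endpoint":"https://auth.tld/application/o/token/",
 "jwks_uri":"https://auth.tld/application/o/vikunja/jwks/"}`

func main() {
	const authurl = "https://auth.tld/application/o/vikunja/" // Vikunja's configured authurl
	for _, c := range []struct{ name, body string }{{"global", globalModeDoc}, {"per_provider", perProviderDoc}} {
		if _, err := checkIssuer(authurl, []byte(c.body)); err != nil {
			fmt.Printf("issuer_mode=%s: %v\n", c.name, err)
		} else {
			fmt.Printf("issuer_mode=%s: issuer matches, provider accepted\n", c.name)
		}
	}
}
```

Because the comparison is exact, a configured authurl that differs only by a trailing slash from the published issuer fails the same way.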