go-vikunja / vikunja

Mirror of vikunja from https://code.vikunja.io/api
GNU Affero General Public License v3.0

OIDC: No email address available. #343

Closed. gitwittidbit closed this 2 weeks ago

gitwittidbit commented 3 weeks ago

Description

Hi,

I have been using (evaluating) Vikunja for a while now and I really like it. Thank you very much for your work!

When I create a new user, it gets set up alright (as per the user list) and I can log in using the user's password. But logging in via OIDC does not work. After authenticating to the OIDC provider, the user gets redirected to Vikunja, which then throws the error message from the title.

The thing is, the user has an email address configured in the OIDC provider and I can log in via this OIDC provider without issues. So the OIDC login process does work, obviously, and the one thing the error message claims is the problem should not be.

Any guidance as to what else might be wrong?

Thank you.

Vikunja Version

0.24.4

Browser and version

Firefox 131

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response

kolaente commented 3 weeks ago

Do you have the required scopes added? Vikunja needs access to the email scope.

Some providers, like GitLab, will only share the email address with Vikunja when the user logging in has it set to public. Maybe there's a similar thing with the OIDC provider you're using?

gitwittidbit commented 3 weeks ago

I am using Keycloak and I believe that I can only add scopes per client but not per user. The Vikunja client is set to see the email scope. Between the user that can log in to Vikunja and the user that can't, I don't see an obvious difference with respect to the settings.

kolaente commented 3 weeks ago

Does it work with this guide? https://vikunja.io/docs/openid-example-configurations#keycloak

Just to make sure I'm understanding you correctly, you have two users in Keycloak, and one can log into Vikunja and one can't? And both have an email address set in their account and no other difference in settings?

Is there anything in Keycloak's or Vikunja's logs?

gitwittidbit commented 3 weeks ago

Sorry for bothering you. It was a configuration error: Keycloak does by default provide the email address to the client for all users. But a long time ago, I had tried to implement a scheme that would restrict access to certain clients to specific users by withholding the email address from clients a user is not supposed to use. So my new user did not have the appropriate role that would have made Keycloak provide the email address to Vikunja. I had completely forgotten about this. It's working now.

But while we are talking about OIDC authentication, when I have Vikunja list the registered users, I see two users with the same email address: one with the normal username and one with some made-up username, which probably comes from the OIDC login. Is that how it is supposed to be (or might I have misconfigured something there as well)?

kolaente commented 2 weeks ago

But while we are talking about OIDC authentication, when I have Vikunja list the registered users, I see two users with the same email address: one with the normal username and one with some made-up username, which probably comes from the OIDC login. Is that how it is supposed to be (or might I have misconfigured something there as well)?

Are they both coming from OIDC?

Usernames must be unique in Vikunja globally, that's why it will generate a random username when the OIDC server did not provide a preferred_username or the one it provided was already taken.

I'm closing this as the original issue was resolved.
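The two behaviours discussed in this thread (the "No email address available" failure when the provider authenticates the user but does not release the email claim, and the random-username fallback when preferred_username is missing or already taken) are illustrated below as an added example in Go. This is not Vikunja's own code: the Claims type, ParseClaims, ResolveUsername and RandomUsername are hypothetical names written for this example, and the JSON userinfo bodies are constructed, not captured from a real Keycloak.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims holds the subset of OIDC userinfo / ID-token claims that matter for
// account linking here. Hypothetical type for this example, not Vikunja's own.
type Claims struct {
	Subject           string `json:"sub"`
	Email             string `json:"email"`
	PreferredUsername string `json:"preferred_username"`
}

// ErrNoEmail mirrors the failure from the issue title: the provider
// authenticated the user but did not release the email claim to the client
// (missing "email" scope, a Keycloak role/mapper rule, a non-public GitLab email).
var ErrNoEmail = errors.New("OIDC: No email address available")

// ErrNoSubject covers a malformed response; "sub" is mandatory in OIDC and is
// the only claim that may be trusted as a stable identifier for the account.
var ErrNoSubject = errors.New("OIDC: missing sub claim")

// ParseClaims decodes a userinfo response (or ID-token payload) JSON document.
func ParseClaims(body []byte) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	if strings.TrimSpace(c.Subject) == "" {
		return Claims{}, ErrNoSubject
	}
	return c, nil
}

// ResolveUsername decides which local username to create for an OIDC login.
// taken is the set of usernames already present locally (usernames are
// globally unique); newName is the generator used when preferred_username is
// absent or collides with an existing account.
func ResolveUsername(c Claims, taken map[string]bool, newName func() string) (string, error) {
	if strings.TrimSpace(c.Email) == "" {
		return "", ErrNoEmail
	}
	name := strings.TrimSpace(c.PreferredUsername)
	if name == "" || taken[name] {
		name = newName()
	}
	return name, nil
}

// RandomUsername produces an unpredictable fallback name from crypto/rand,
// so a colliding preferred_username cannot be used to guess the generated one.
func RandomUsername() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an entropy failure is not something to continue past
	}
	return "user-" + hex.EncodeToString(b)
}

func main() {
	// Constructed sample userinfo bodies; "alice" already exists locally.
	samples := []string{
		`{"sub":"a1","email":"bob@example.com","preferred_username":"bob"}`,
		`{"sub":"a2","email":"alice2@example.com","preferred_username":"alice"}`,
		`{"sub":"a3","preferred_username":"carol"}`,
	}
	taken := map[string]bool{"alice": true}
	for _, s := range samples {
		c, err := ParseClaims([]byte(s))
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		name, err := ResolveUsername(c, taken, RandomUsername)
		if err != nil {
			fmt.Printf("sub=%s -> %v\n", c.Subject, err)
			continue
		}
		taken[name] = true
		fmt.Printf("sub=%s -> local username %q\n", c.Subject, name)
	}
}
```

Running it shows "bob" kept as-is, the second Alice given a random user-… name because "alice" is taken, and the third user rejected with the same error the reporter saw, even though the provider authenticated them. When debugging this class of problem against Keycloak, the quickest check is to call the userinfo endpoint with the access token issued to the Vikunja client and confirm that the "email" key is actually present in the JSON for the affected user.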