hcengineering / huly-selfhost

Huly for Self Hosting
Eclipse Public License 2.0

Could somebody tell me what the format of the redirect_uri should be when configuring OIDC? #83

Open vitaaaaa1 opened 4 weeks ago

vitaaaaa1 commented 4 weeks ago

I use Authentik as my OIDC provider, and I set the redirect_uri format in Authentik to "https://your-huly-instance.com/auth/callback" for callback when authentication is verified in Authentik. However, I get an error when logging in. "The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri)."

lexiv0re commented 3 weeks ago

Hi @vitaaaaa1, thanks for your interest in Huly. Fair question, currently the docs are missing this bit. I'll update them to mention that. You should be using {huly_host}:3000/auth/openid/callback or more general {huly_account_svc}/auth/openid/callback.

vitaaaaa1 commented 3 weeks ago

> Hi @vitaaaaa1, thanks for your interest in Huly. Fair question, currently the docs are missing this bit. I'll update them to mention that. You should be using {huly_host}:3000/auth/openid/callback or more general {huly_account_svc}/auth/openid/callback.

Thank you for your response. Yesterday, I did get the URL in the format you described, even though I didn't fill in the redirect_uri, but when I clicked Continue with OpenId on the Huly login page, I was redirected to Authentik and then back to the Huly login page without any changes. I don't know what happened in between. These are the log messages after clicking the login button:

```
account-1       | {"level":"info","message":"try auth via","provider":"openid","timestamp":"2024-10-23T06:51:01.342Z"}
front-1         | {"level":"info","message":"::ffff:10.20.1.6 - GET /login HTTP/1.1 200 453 - 2.362 ms\n","name":"requests","timestamp":"2024-10-23T06:51:02.276Z"}
mongodb         | {"t":{"$date":"2024-10-23T06:51:02.413+00:00"},"s":"I",  "c":"WTCHKPT",  "id":22430,   "ctx":"Checkpointer","msg":"WiredTiger message","attr":{"message":{"ts_sec":1729666262,"ts_usec":413800,"thread":"1:0x7fb00d0de640","session_name":"WT_SESSION.checkpoint","category":"WT_VERB_CHECKPOINT_PROGRESS","category_id":6,"verbose_level":"DEBUG_1","verbose_level_id":1,"msg":"saving checkpoint snapshot min: 887, snapshot max: 887 snapshot count: 0, oldest timestamp: (0, 0) , meta checkpoint timestamp: (0, 0) base write gen: 4211"}}}
front-1         | {"level":"info","message":"::ffff:10.20.1.6 - GET /config.json HTTP/1.1 200 653 - 0.534 ms\n","name":"requests","timestamp":"2024-10-23T06:51:02.551Z"}
```

(screenshot: container info)

(screenshot: Authentik settings)

lexiv0re commented 3 weeks ago

@vitaaaaa1 a redirect to the login page in Huly means unsuccessful auth or an error on the IdP side. I'd expect the account service logs to have this error, but your logs show nothing useful for some reason. If you can check the events log on the IdP side, you may find the issue logged there. You can also try to check the browser logs (network tab) for failed requests.

vitaaaaa1 commented 3 weeks ago

I am using the Docker Compose file provided by you to deploy my application, and the default OIDC redirect URL is set to: FRONT_URL=http://front:8080. I later changed it to my host IP address. If you don't define it as the host IP address, it actually makes a direct browser request, rather than through the network in the Docker container. This part is strange, and I don't know if the problem is here, or what the purpose of this parameter is.

I changed this parameter to the external access address of the front-end - FRONT_URL=http://10.8.0.84:8087. At least the redirect during runtime is normal, but I am not sure if this redirect is the correct one.

lexiv0re commented 3 weeks ago

Yes, the external access address for FRONT_URL is a correct choice.

There are three redirects involved in OIDC auth:

  1. Huly redirects to the IdP using a URI taken from OPENID_ISSUER
  2. IdP redirects back to Huly account service (this is the part configured in the IdP application that should be {huly_account_svc}/auth/openid/callback)
  3. Huly account service redirects to FRONT_URL either to the login page if the auth was unsuccessful or to the front auth page with token if everything went fine.

In your case it looks like it made it to 3. where it redirects to the front login page due to unsuccessful auth on IdP side.

vitaaaaa1 commented 3 weeks ago

> Yes, the external access address for FRONT_URL is a correct choice.
>
> There are three redirects involved in OIDC auth:
>
>   1. Huly redirects to the IdP using a URI taken from OPENID_ISSUER
>   2. IdP redirects back to Huly account service (this is the part configured in the IdP application that should be {huly_account_svc}/auth/openid/callback)
>   3. Huly account service redirects to FRONT_URL either to the login page if the auth was unsuccessful or to the front auth page with token if everything went fine.
>
> In your case it looks like it made it to 3. where it redirects to the front login page due to unsuccessful auth on IdP side.

But neither Authentik nor Huly reported error logs. I'll have to look into it again, thanks for your reply.

vitaaaaa1 commented 4 days ago

> Yes, the external access address for FRONT_URL is a correct choice.
>
> There are three redirects involved in OIDC auth:
>
>   1. Huly redirects to the IdP using a URI taken from OPENID_ISSUER
>   2. IdP redirects back to Huly account service (this is the part configured in the IdP application that should be {huly_account_svc}/auth/openid/callback)
>   3. Huly account service redirects to FRONT_URL either to the login page if the auth was unsuccessful or to the front auth page with token if everything went fine.
>
> In your case it looks like it made it to 3. where it redirects to the front login page due to unsuccessful auth on IdP side.

Hello, I noticed that the official documentation for OIDC configuration has been updated, but I'm not sure how to configure the parameters to get information related to my OIDC authentication failure.

> Specify the following environment variables (provided by the IdP) for the account service:
>
> - OPENID_CLIENT_ID
> - OPENID_CLIENT_SECRET
> - OPENID_ISSUER
>
> Ensure you have configured or add the following environment variable to the front service:
>
> - ACCOUNTS_URL (This should contain the URL of the account service, accessible from the client side.)

### ACCOUNTS_URL

Is the URL configured in ACCOUNTS_URL the relevant link for the IdP?

lexiv0re commented 4 days ago

@vitaaaaa1 what is your IdP redirect URL currently set to?

vitaaaaa1 commented 1 day ago

> @vitaaaaa1 what is your IdP redirect URL currently set to?

The redirection URL has not been modified and still uses the following URL: http://example.domain/auth/openid/callback

lexiv0re commented 1 day ago

I think this is the problem. This URL should be set to {huly_account_svc}/auth/openid/callback where {huly_account_svc} is your account service origin.

vitaaaaa1 commented 1 day ago

> account service origin address

"Account service source address" refers to the IP address from which the account service is being accessed, typically port 3000.

```
05865e18e46e   hardcoreeng/account:v0.6.333          "docker-entrypoint.s…"   36 seconds ago   Up 34 seconds                      0.0.0.0:3000->3000/tcp, :::3000->3000/tcp
```

But the callback URL I configured in the IdP does already carry port 3000.

These are the configuration parameters for the account service:

```yaml
  account:
    image: hardcoreeng/account:v0.6.333
    ports:
      - 3000:3000
    environment:
      - SERVER_PORT=3000
      - SERVER_SECRET=secret
      - DB_URL=mongodb://mongodb:27017
      - TRANSACTOR_URL=ws://transactor:3333;ws://example.com:3333
      - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
      - FRONT_URL=http://example.com:8087
      - MODEL_ENABLED=*
      - ACCOUNTS_URL=http://example.com:3000
      - ACCOUNT_PORT=3000
      - OPENID_CLIENT_ID=XXXXXX
      - OPENID_CLIENT_SECRET=XXXXXXX
      - OPENID_ISSUER=https://ldp.domain.com/application/o/huly/
```

lexiv0re commented 1 day ago

> But the callback URL I configured in the IdP does already carry port 3000.

What callback URL did you configure and where if the redirection URL is kept default?

vitaaaaa1 commented 1 day ago

> But the callback URL I configured in the IdP does already carry port 3000.
>
> What callback URL did you configure and where if the redirection URL is kept default?

The callback url is automatically obtained by my IdP service Authentik in the following format: http//:host:3000/auth/openid/callback

lexiv0re commented 1 day ago

Could you try to put that same URL as the redirect URL in your IdP config manually? I believe they must match, otherwise you'll be getting the error you see.
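The thread boils down to one requirement: the redirect URI registered in the IdP must match, component by component, the callback the account service sends, which the maintainer gives as {huly_account_svc}/auth/openid/callback (the account service origin being ACCOUNTS_URL in the compose file above). The following checker is an added example, not code from the Huly project or from anyone in this thread; it derives the expected callback from ACCOUNTS_URL and reports scheme, host, port, path and malformed-URL mismatches, using the ACCOUNTS_URL value and the two redirect URLs quoted in the thread as constructed sample input (the list of Docker-internal hostnames is an assumption).

```python
from typing import List, Optional
from urllib.parse import SplitResult, urlsplit

# Assumed list of hostnames that only resolve inside the compose network. The
# browser follows the IdP's redirect, so the callback host must be reachable
# from the user's machine, not just from other containers.
INTERNAL_HOSTS = {"front", "account", "localhost", "127.0.0.1"}


def expected_callback(accounts_url: str) -> str:
    """Callback the account service will present: {ACCOUNTS_URL}/auth/openid/callback."""
    return accounts_url.rstrip("/") + "/auth/openid/callback"


def _effective_port(parts: SplitResult) -> Optional[int]:
    """Explicit port, or the scheme default so http://h and http://h:80 compare equal."""
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)


def check_redirect_uri(accounts_url: str, idp_redirect_uri: str) -> List[str]:
    """Return every mismatch between the IdP-registered redirect URI and the
    callback derived from ACCOUNTS_URL; an empty list means they match exactly."""
    expected = urlsplit(expected_callback(accounts_url))
    given = urlsplit(idp_redirect_uri)
    problems: List[str] = []
    # "http//:host..." parses with an empty scheme and netloc; report and stop.
    if given.scheme not in ("http", "https") or not given.netloc:
        problems.append(f"malformed URL {idp_redirect_uri!r}: expected http(s)://host[:port]/path")
        return problems
    if given.scheme != expected.scheme:
        problems.append(f"scheme {given.scheme} != {expected.scheme}")
    if given.hostname in INTERNAL_HOSTS:
        problems.append(f"host {given.hostname!r} is a Docker-internal name the browser cannot reach")
    if given.hostname != expected.hostname:
        problems.append(f"host {given.hostname} != {expected.hostname}")
    if _effective_port(given) != _effective_port(expected):
        problems.append(f"port {_effective_port(given)} != {_effective_port(expected)}")
    if given.path != expected.path:
        problems.append(f"path {given.path!r} != {expected.path!r} (trailing slash counts)")
    if given.query or given.fragment:
        problems.append("query/fragment present; the registered redirect URI must be exact")
    return problems


if __name__ == "__main__":
    accounts_url = "http://example.com:3000"  # ACCOUNTS_URL from the compose file in the thread
    for uri in (  # constructed candidates, including the two URLs quoted in the thread
        "http://example.domain/auth/openid/callback",
        "http//:host:3000/auth/openid/callback",
        "http://example.com:3000/auth/openid/callback",
    ):
        print(uri, "->", check_redirect_uri(accounts_url, uri) or "OK")
```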