henrygd / beszel

A lightweight server monitoring hub with historical data, docker stats, and alerts.
MIT License

Authelia OIDC #15

Closed Heavensong89 closed 1 month ago

Heavensong89 commented 1 month ago

Tried to set up Authelia. I've tried using oidc, oidc2, oidc3, and all of them with "Support PKCE" either checked or unchecked - no joy! When I click the Authelia buttons on the login page, I just get a blank pop-up window. This is my Authelia config, wondering if I've missed anything:


      - client_id: 'beszel'
        client_name: 'Beszel'
        client_secret: {{ secret "/secrets/oidc/beszel" }}
        pre_configured_consent_duration: '7d'
        authorization_policy: 'two_factor'
        redirect_uris:
          - 'https://beszel.example.net/api/oauth2-redirect'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'

MFYDev commented 1 month ago

I am using Authentik and have no issues at all. Although Authentik and Authelia are different, the basic settings should be similar. The info you provided is not enough for me to help.

Heavensong89 commented 1 month ago

[Screenshot 2024-07-25 215735]

That's how I've got it set up in Beszel, and my original message is the Authelia config that goes in the YAML file.

MFYDev commented 1 month ago

> 'https://beszel.example.net/api/oauth2-redirect'

Did you set it to your own Beszel instance, or just to the example.net you pasted?

Heavensong89 commented 1 month ago

my own instance

MFYDev commented 1 month ago

https://www.authelia.com/integration/openid-connect/pocketbase/

I found related documentation on the official Authelia website. Could you please confirm your settings again by following this? Beszel's backend is PocketBase. This doc should be able to guide you through everything.

Heavensong89 commented 1 month ago

Yes, it matches this. I added in the additional userinfo_signed_response_alg option and it still isn't working - I don't think it's hitting Authelia at all, as there are no errors/warnings in my Authelia logs. And I just get a blank pop-up window when I click the button, I don't get an error message.


      - client_id: 'redacted'
        client_name: 'Beszel'
        client_secret: {{ secret "/secrets/oidc/beszel" }}
        pre_configured_consent_duration: '7d'
        public: false
        authorization_policy: 'two_factor'
        redirect_uris:
          - 'https://beszel.redacted.net/api/oauth2-redirect'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        userinfo_signed_response_alg: 'none'

henrygd commented 1 month ago

Do you see any related errors in the PocketBase logs? <your-url>/_/#/logs

Heavensong89 commented 1 month ago

[Screenshot 2024-07-25 223826] No errors in the log.

henrygd commented 1 month ago

Not sure what to suggest here. OIDC is handled by PocketBase and other providers like Authentik and Zitadel are confirmed to be working in Beszel. Maybe someone else who uses Authelia OIDC will see this and have a solution.

I'll add it to my list to investigate but it's not top priority at the moment. Until it gets sorted out I'd recommend using a different auth method or just putting the Authelia portal in front of the whole application.

peterbuga commented 1 month ago

I use Authelia just fine, here's my config:

      - client_id: 'beszel-client'
        client_name: 'Beszel OpenID Client'
        client_secret: 'SECRET'
        public: false
        authorization_policy: 'two_factor'
        redirect_uris:
          - 'https://beszel.EXAMPLE.COM/api/oauth2-redirect'
        scopes:
          - 'email'
          - 'groups'
          - 'openid'
          - 'profile'
        userinfo_signed_response_alg: 'none'

followed the tutorial from here: https://www.authelia.com/integration/openid-connect/pocketbase/

Heavensong89 commented 1 month ago

> I use Authelia just fine, here's my config:
>
>       - client_id: 'beszel-client'
>         client_name: 'Beszel OpenID Client'
>         client_secret: 'SECRET'
>         public: false
>         authorization_policy: 'two_factor'
>         redirect_uris:
>           - 'https://beszel.EXAMPLE.COM/api/oauth2-redirect'
>         scopes:
>           - 'email'
>           - 'groups'
>           - 'openid'
>           - 'profile'
>         userinfo_signed_response_alg: 'none'
>
> followed the tutorial from here: https://www.authelia.com/integration/openid-connect/pocketbase/

Yeah, that's the same config as mine. Do you get a pop-up window when you click the Authelia button? I do, but it's "about:blank".

MFYDev commented 1 month ago

I think up to this point we can confirm it is not an Authelia or Beszel issue. I am actually wondering whether it might be an issue with your web server or with your reverse proxy settings for Authelia. Can you use Authelia normally with other apps?

Heavensong89 commented 1 month ago

> I think up to this point we can confirm it is not an Authelia or Beszel issue. I am actually wondering whether it might be an issue with your web server or with your reverse proxy settings for Authelia. Can you use Authelia normally with other apps?

Yes, I use Authelia OIDC in several apps as well as normal Authelia auth in front of my *arr stack with no problems. I do think it could be to do with my Traefik, as it's trying to open a pop-up window, which none of my other OpenID ones do (Kasm, Homarr, Portainer etc.).

MFYDev commented 1 month ago

If Authelia can work with other apps, I suggest you clear your browser cache, restart Authelia, and try again. And maybe paste related logs from Authelia here.

MFYDev commented 1 month ago

https://www.authelia.com/reference/guides/troubleshooting/

Please follow this guide and give it a try to see whether you can find any useful info.

keezppc commented 1 month ago

> I think up to this point we can confirm it is not an Authelia or Beszel issue. I am actually wondering whether it might be an issue with your web server or with your reverse proxy settings for Authelia. Can you use Authelia normally with other apps?
>
> Yes, I use Authelia OIDC in several apps as well as normal Authelia auth in front of my *arr stack with no problems. I do think it could be to do with my Traefik, as it's trying to open a pop-up window, which none of my other OpenID ones do (Kasm, Homarr, Portainer etc.).

I'm using Traefik and Authentik and also get the pop-up. If I switch to using the IP:PORT, Authentik will authenticate, but it will not using my FQDN.

Heavensong89 commented 1 month ago

It isn't touching Authelia at all, but it's clearly not an issue with Beszel or PocketBase, so I will close the issue here and reach out on the Authelia Discord 😄

Heavensong89 commented 1 month ago

> I think up to this point we can confirm it is not an Authelia or Beszel issue. I am actually wondering whether it might be an issue with your web server or with your reverse proxy settings for Authelia. Can you use Authelia normally with other apps?
>
> Yes, I use Authelia OIDC in several apps as well as normal Authelia auth in front of my *arr stack with no problems. I do think it could be to do with my Traefik, as it's trying to open a pop-up window, which none of my other OpenID ones do (Kasm, Homarr, Portainer etc.).
>
> I'm using Traefik and Authentik and also get the pop-up. If I switch to using the IP:PORT, Authentik will authenticate, but it will not using my FQDN.

Is that the IP:Port of Beszel in your Authentik config? Or the IP:Port of Authentik in the PocketBase/Beszel settings?

keezppc commented 1 month ago

It is the IP:PORT of the container, and then that is used in the redirect for Authentik. I think this might actually be a Traefik issue.

Heavensong89 commented 1 month ago

It is - I can get it working in Traefik if I turn off my compression middleware.

keezppc commented 1 month ago

> It is - I can get it working in Traefik if I turn off my compression middleware.

This worked for me too, thanks for the solve!
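The fix the two commenters above describe, written out as Traefik Docker-provider labels. This is an added example, not configuration from the thread or from the Beszel project: a `compress` middleware is defined once and attached to routers that are known to work with it, while the Beszel router is deliberately left without it. Entrypoint name `websecure`, certificate resolver `le` (assumed to be configured elsewhere), the hostnames, and hub port 8090 are placeholders/assumptions.

```yaml
# Added example (not from the thread or the Beszel project): Traefik labels
# with the compress middleware kept OFF for the Beszel router only.
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.websecure.address=:443
      # Do NOT set --entrypoints.websecure.http.middlewares=compress@docker:
      # an entrypoint-level default would apply compression to every router,
      # including Beszel, which is exactly what broke the OIDC popup above.
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      # Define the middleware once; attach it per router below.
      - traefik.http.middlewares.compress.compress=true

  beszel:
    image: henrygd/beszel
    restart: unless-stopped
    volumes:
      - ./beszel_data:/beszel_data
    labels:
      - traefik.enable=true
      - traefik.http.routers.beszel.rule=Host(`beszel.example.net`)   # placeholder host
      - traefik.http.routers.beszel.entrypoints=websecure
      - traefik.http.routers.beszel.tls.certresolver=le
      # Intentionally no traefik.http.routers.beszel.middlewares=compress@docker
      # line: with compression attached, the login popup stayed at about:blank.
      - traefik.http.services.beszel.loadbalancer.server.port=8090      # assumed hub port

  other-app:
    image: example/other-app   # placeholder for any app that is fine with compression
    labels:
      - traefik.enable=true
      - traefik.http.routers.other.rule=Host(`other.example.net`)       # placeholder host
      - traefik.http.routers.other.entrypoints=websecure
      - traefik.http.routers.other.tls.certresolver=le
      # Compression stays on for routers that are known to work with it.
      - traefik.http.routers.other.middlewares=compress@docker
```

Traefik's compress middleware also accepts an `excludedContentTypes` option, but the thread does not identify which response in the OIDC flow triggers the failure, so the example leaves the middleware off that router entirely rather than guessing at a content type.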

Heavensong89 commented 1 month ago

So now I have it working, but I can't log in! Do I need to add the user in PocketBase first for the auth to work with OIDC?

[Screenshot 2024-07-26 213458]

henrygd commented 1 month ago

Yes, the user has to be in the users table with the same email. I think same username also works.

If you have lots of users, you can use the API to create them. Here's an example using the JS SDK with Bun:

import PocketBase from 'pocketbase'

const pb = new PocketBase('http://localhost:8090')

// authenticate as a PocketBase admin (credentials taken from the environment)
await pb.admins.authWithPassword(process.env.EMAIL as string, process.env.PASSWORD as string)

// get your users from wherever
const users = [
    {
        username: 'example-user',
        email: 'example@example.com',
        password: 'randompassword',
    },
]

// create each record in the `users` collection: the email must match the one the
// OIDC provider sends, `role` is Beszel's own field, and `verified: true` skips
// the verification mail
for (const user of users) {
    await pb.collection('users').create({
        ...user,
        passwordConfirm: user.password,
        role: 'user',
        verified: true,
    })
}

I can look into whether it's possible to allow auto user creation if they're coming from OAuth / OIDC.

arcoast commented 1 month ago

I just came here to look for information about user creation. I use Authelia with Traefik and it's working fine. I created my first user (myself as admin) and can quite happily log in with OIDC. However, if I try to log in as another user present in my Beszel user group in my LDAP backend, I get an error, as no role is specified.

I think a system where the first user is admin and then further users get the readonly or user role by default would be ideal, as they could always be promoted to admin by the existing admin.