loomio / loomio

Loomio is a collaborative decision making tool
https://www.loomio.com
GNU Affero General Public License v3.0

Unable to connect to SSO Authentik with OAUTH #10538

Open yodatak opened 8 months ago

yodatak commented 8 months ago

Hi, with podman-compose and authentik SSO I got this error:

https://loomio.XXXXXXX.org/oauth/authorize?code=968cf7d876ec42ff91XXX518a388&state= Translation missing: fr.Could not connect to oauth!

The curl command to reproduce:

curl 'https://loomio.XXXXX.org/oauth/authorize?code=186711527b6d4aca9d386bcc0f96c78b&state=' --compressed -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8' -H 'Accept-Language: fr' -H 'Accept-Encoding: gzip, deflate, br' -H 'DNT: 1' -H 'Alt-Used: loomio.XXXXX.org' -H 'Connection: keep-alive' -H 'Cookie: _loomio=FCF%2B7fNwRA6UrMm%2B6yGNRT7pSioAcWtm4kBp6Mag4OfSRdOJoTuTdH4dz10kO%2FTI0cmARyu7flDuEPZEbjWY0eHbczWG9VrFwsxnPQyh50L1Ju3iWi6HltXGp5dr1fkxOiVRL40RfZeI2wokmwn7Z5reStU13WLcwH40p5zThl%2FmnOdZ%2BiLhT3obCd4ipEdHA6GnARXjufhUPoEJaXXXXXXo32C23niDfOyaAZUCasggs%2FWDFPfppjcELw5q6TaOFQu8rqz59wIw%3D%3D--aFxepjU9k4aTj1f%2F--Hq3dl7LljElgKWPx6FpUaQ%3D%3D' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-site' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -H 'TE: trailers'

Example of an authentik JWT:


{
    "iss": "https://sso.XXX.org/application/o/loomio/",
    "sub": "1",
    "aud": "8iAxmfnwqjXXXXXwlxjMRBEDMcVUdLfcJ",
    "exp": 1709836451,
    "iat": 1709834651,
    "auth_time": 1709834651,
    "acr": "goauthentik.io/providers/oauth2/default",
    "amr": [
        "pwd"
    ],
    "email": "XXX@XXX.com",
    "email_verified": true,
    "name": "authentik Default Admin",
    "given_name": "authentik Default Admin",
    "preferred_username": "akadmin",
    "nickname": "akadmin",
    "groups": [
        "XXXX SSO"
    ]
}

My Loomio config:

OAUTH_AUTH_URL=https://sso.XXXX.org/application/o/authorize/
OAUTH_TOKEN_URL=https://sso.XXX.org/application/o/token/
OAUTH_PROFILE_URL=https://sso.XXXX.org/application/o/userinfo/
#OAUTH_SCOPE=https://sso.XXXXX.org/application/o/loomio/.well-known/openid-configuration
OAUTH_SCOPE=email openid profile
OAUTH_APP_KEY=8iAxmfnwqjlXXXXXXxjMRBEDMcVUdLfcJ
OAUTH_APP_SECRET=FeuRaEy504GXXXXXXXXXXXX9I6dbfXp1bizBTK59zIvPUbIZ0cLzXssRm2nXeZkOgDm7ZN7mFu1MSRq6QWjce1PEcEMLAOwFJqWsbYVFyxG
OAUTH_ATTR_UID=id
OAUTH_ATTR_NAME=displayName
OAUTH_ATTR_EMAIL=mail
OAUTH_LOGIN_PROVIDER_NAME=XXXX sso

And here are the Loomio logs:

1e4edb3b04b2 I, [2024-03-07T17:54:53.044102 #28]  INFO -- : source=rack-timeout id=e89d0015-ff49-4bf7-b376-8dd34fad8b35 timeout=15000ms state=ready
1e4edb3b04b2 I, [2024-03-07T17:54:53.048882 #28]  INFO -- : [e89d0015-ff49-4bf7-b376-8dd34fad8b35] method=GET path=/ format=html controller=RootController action=index status=302 allocations=6745 duration=3.82 view=0.00 db=0.00 location=https://loomio.XXXXX.org/dashboard
1e4edb3b04b2 I, [2024-03-07T17:54:53.049365 #28]  INFO -- : source=rack-timeout id=e89d0015-ff49-4bf7-b376-8dd34fad8b35 timeout=15000ms service=5ms state=completed
1e4edb3b04b2 I, [2024-03-07T17:54:53.086027 #28]  INFO -- : source=rack-timeout id=38cb924d-df92-4a12-b321-c41b4daaedbd timeout=15000ms state=ready
1e4edb3b04b2 I, [2024-03-07T17:54:53.091632 #28]  INFO -- : [38cb924d-df92-4a12-b321-c41b4daaedbd] method=GET path=/dashboard format=html controller=ApplicationController action=index status=200 allocations=7039 duration=4.56 view=0.95 db=0.00
1e4edb3b04b2 I, [2024-03-07T17:54:53.092211 #28]  INFO -- : source=rack-timeout id=38cb924d-df92-4a12-b321-c41b4daaedbd timeout=15000ms service=6ms state=completed
1e4edb3b04b2 I, [2024-03-07T17:54:53.879513 #14]  INFO -- : source=rack-timeout id=3e748347-06c5-4b2a-bf8d-f658ee221d0b timeout=15000ms state=ready
1e4edb3b04b2 I, [2024-03-07T17:54:53.907913 #14]  INFO -- : [3e748347-06c5-4b2a-bf8d-f658ee221d0b] method=GET path=/api/v1/boot/site format=json controller=API::V1::BootController action=site status=200 allocations=8033 duration=25.76 view=4.21 db=0.00
1e4edb3b04b2 I, [2024-03-07T17:54:53.910633 #14]  INFO -- : source=rack-timeout id=3e748347-06c5-4b2a-bf8d-f658ee221d0b timeout=15000ms service=31ms state=completed
1e4edb3b04b2 X-Accel-Mapping header missing
1e4edb3b04b2 X-Accel-Mapping header missing
1e4edb3b04b2 I, [2024-03-07T17:54:54.461268 #14]  INFO -- : source=rack-timeout id=04f4b571-0019-4bbc-9f01-9d39c264aadb timeout=15000ms state=ready
1e4edb3b04b2 X-Accel-Mapping header missing
1e4edb3b04b2 I, [2024-03-07T17:54:54.501387 #14]  INFO -- : [04f4b571-0019-4bbc-9f01-9d39c264aadb] method=GET path=/api/v1/polls format=json controller=API::V1::PollsController action=index status=200 allocations=9065 duration=15.03 view=0.26 db=13.08
1e4edb3b04b2 I, [2024-03-07T17:54:54.501790 #14]  INFO -- : source=rack-timeout id=04f4b571-0019-4bbc-9f01-9d39c264aadb timeout=15000ms service=41ms state=completed
955fc91def4b have current user! null []
1e4edb3b04b2 I, [2024-03-07T17:55:00.771530 #28]  INFO -- : source=rack-timeout id=291389c9-48d3-4324-875e-0ae42bd55f1e timeout=15000ms state=ready
1e4edb3b04b2 I, [2024-03-07T17:55:00.775711 #28]  INFO -- : [291389c9-48d3-4324-875e-0ae42bd55f1e] method=GET path=/oauth/oauth format=html controller=Identities::OauthController action=oauth status=302 allocations=6665 duration=3.37 view=0.00 db=0.00 location=https://sso.XXXXXX.org/application/o/authorize/
1e4edb3b04b2 I, [2024-03-07T17:55:00.776002 #28]  INFO -- : source=rack-timeout id=291389c9-48d3-4324-875e-0ae42bd55f1e timeout=15000ms service=4ms state=completed
c55b5326423d 1:M 07 Mar 2024 17:55:51.003 * 100 changes in 300 seconds. Saving...
c55b5326423d 1:M 07 Mar 2024 17:55:51.003 * Background saving started by pid 224
c55b5326423d 224:C 07 Mar 2024 17:55:51.009 * DB saved on disk
c55b5326423d 224:C 07 Mar 2024 17:55:51.009 * RDB: 0 MB of memory used by copy-on-write
c55b5326423d 1:M 07 Mar 2024 17:55:51.104 * Background saving terminated with success
1e4edb3b04b2 I, [2024-03-07T17:55:54.632563 #14]  INFO -- : source=rack-timeout id=cbfe0d3f-fb89-45b7-b5b5-9eefbc844d74 timeout=15000ms state=ready
1e4edb3b04b2 opening connection to sso.XXXX.org:443...
1e4edb3b04b2 opened
1e4edb3b04b2 starting SSL for sso.XXXX.org:443...
1e4edb3b04b2 SSL established, protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384
1e4edb3b04b2 <- "POST /application/o/token/ HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nAccept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3\r\nAccept: */*\r\nUser-Agent: Ruby\r\nConnection: close\r\nSentry-Trace: 2a10172322754462a502eac6fd0b42f5-3b72b5053c74402f\r\nBaggage: sentry-trace_id=2a10172322754462a502eac6fd0b42f5,sentry-environment=production\r\nHost: sso.XXXXX.org\r\nContent-Length: 342\r\n\r\n"1e4edb3b04b2 
1e4edb3b04b2 <- 1e4edb3b04b2 "client_id=8iAxmfnwqjlxtgTFrfBubwwlxjMRBEDMcVUdLfcJ&client_secret=FeuRaEy504GAu9zrW6cnq7qg72eQnTPLOx59s27zC1X39I6dbfXp1bizBTK5XXXXXXIZ0cLzXssRm2nXeZkOgDm7ZN7mFu1MSRq6QWjce1PEcEMLAOwFJqWsbYVFyxG&code=968cf7d876ec42ff91de2a3b9518a388&redirect_uri=https%3A%2F%2Floomio.XXXXXX.org%2Foauth%2Fauthorize&grant_type=authorization_code"1e4edXXXXb04b2 
1e4edb3b04b2 -> "HTTP/1.1 200 OK\r\n"
1e4edb3b04b2 -> "Server: nginx\r\n"
1e4edb3b04b2 -> "Date: Thu, 07 Mar 2024 17:55:54 GMT\r\n"
1e4edb3b04b2 -> "Content-Type: application/json\r\n"
1e4edb3b04b2 -> "Content-Length: 2330\r\n"
1e4edb3b04b2 -> "Connection: close\r\n"
1e4edb3b04b2 -> "Cache-Control: no-store\r\n"
1e4edb3b04b2 -> "Pragma: no-cache\r\n"
1e4edb3b04b2 -> "Referrer-Policy: same-origin\r\n"
1e4edb3b04b2 -> "Vary: Accept-Encoding\r\n"
1e4edb3b04b2 -> "Vary: Cookie\r\n"
1e4edb3b04b2 -> "X-Authentik-Id: 10091c900b094f53aea4457d21bce285\r\n"
1e4edb3b04b2 -> "X-Content-Type-Options: nosniff\r\n"
1e4edb3b04b2 -> "X-Frame-Options: DENY\r\n"
1e4edb3b04b2 -> "X-Powered-By: authentik\r\n"
1e4edb3b04b2 -> "alt-svc: h3=\":443\"; ma=86400\r\n"
1e4edb3b04b2 -> "Strict-Transport-Security: max-age=15768000\r\n"
1e4edb3b04b2 -> "\r\n"
1e4edb3b04b2 reading 2330 bytes...
1e4edb3b04b2 -> "{\"access_token\": \"eyJhbGciOiJSUzI1NiIsImtpZCI6ImUzNDIXXXXXXXMTU2NGFiODdkNmRhZWJmYzIyNDY5IiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3Nzby5zb2xpZGFpcmVzaW5mb3JtYXRpcXVlLm9yZy8iLCJzdWIiOiIxIiwiYXVkIjoiOGlBeG1mbndxamx4dGdURnJmQnVid3dseGpNUkJFRE1jVlVkTGZjSiIsImV4cCI6MTcwOTgzNDQ1NCwiaWF0IjoxNzA5ODM0MTU0LCJhdXRoX3RpbWUiOjE3MDk4MzQxNTAsImFjciI6ImdvYXV0aGVudGlrLmlvL3Byb3ZpZGVycy9vYXV0aDIvZGVmYXVsdCIsImF6cCI6IjhpQXhtZm53cWpseHRnVEZyZkJ1Ynd3bHhqTVJCRURNY1ZVZExmY0oiLCJ1aWQiOiJjZERBYmpNQUdZZHRSM3ROcGxXbXpyTDlEUk00dTRlUzdYaDFIOTV4In0.4c5FTXB4U5iZksNX8mDRxDQR-qrxEPDbPQZ74lGyZgI-tDWpx9zBS_huhg_Q1A86Mb9Paogw_XC8hOvJoUBFJCpcu-saPKP3e3L3BmbvRrF-xfWoU80IfVfOwxEiaWvvd2f2u8OMVnvu2FtYm2MA2qEBTuZiXswhJ_NDlM_Dy-ssaE1eYngRY733PUFywnrbEyYi7o8B1cgPYljmuszBvYzHldpQi_zKqeCZuaRX3ecd-mh9iQ1Ad-xkU1WeJOcW3FMdpL-LU5sNQG4Au9hLPX_x_ZM392aIZUsKdEsptdf2nlmCMrwK1pHi-SLR68RM_nuBrk5Yd6m67jjLy6TEBwW9PkknTwbdplo1jDA3lV9nft5ZaIYwAQ0G-QSbmPrNMIJM7PVZQEMNnKJ0w9xojahdG0qZtr3v4HYfG_guUOWCbeL4zNZmjwY262c807zCBXgHqPaCsN9mfzmukO_OvwRgJQ-yJKe8XALStMufIIOP1JU-jo35fGcGIERKGZ4nbzKcZE4zvFolsINGSTSvmx6qaSboW39KwBl1kG_rHaLMh0Z3Z9ECtRqOwAhz9dHKbvr6Z8m03Gmn7-HNHiOCv3smTMTTMzPFOZCrDlTAm1J656MQY_1BIRJkk2J5cAcOcYWUJ3Nr3NSNWJzL8EnJK4Fp49Xw6Zn28wzGe_fUQGA\", \"token_type\": \"Bearer\", \"expires_in\": 300, \"id_token\": 
\"eyJhbGciOiJSUzI1NiIsImtpZCI6ImUzNDIwZjYxOTQ3MTU2NGFiODdkNmRhZWJmYzIyNDY5IiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3Nzby5zb2xpZGFpcmVzaW5mb3JtYXRpcXVlLm9yZy8iLCJzdWIiOiIxIiwiYXVkIjoiOGlBeG1mbndxamx4dGdURnJmQnVid3dseGpNUkJFRE1jVlVkTGZjSiIsImV4cCI6MTcwOTgzNDQ1NCwiaWF0IjoxNzA5ODM0MTU0LCJhdXRoX3RpbWUiOjE3MDk4MzQxNTAsImFjciI6ImdvYXV0aGVudGlrLmlvL3Byb3ZpZGVycy9vYXV0aDIvZGVmYXVsdCJ9.LabJ3BLkVtMc-8ahwBvcSaZXAS5lZnOrW5_Q0Jypt4UsCArwpu22sNXksLzYsmoVtKsmNePVdeEQWhvuzLhF4H4Lj4T6KxsruAzkd20THexboP29pblSg0rGCjuoEURLLxgRNtb-1xQ33U1SdRYl5WO293lIZFgKtgOHBIlYBJoi-YK7sXWaTYsesAdFspFSo51zmCb1bdue-Se8f2ohU52-mIA3WZN3NHYYubaJLx2_ann5Wjjd0QH7OCpDtzDAERbAnBuMRb6NCh7LSFs6E6bdJDQObPe4Cx8qOBRzlo89-hMx3rip7eR4A04f6_oXQt5e8g7oQ2za1GoU2fOS2D9-Ulfj2hbSRFHV_yYQxFLTZJVmdwTzbbEKnvtQEOIdELfrM8kj9QqXLXw75W-9-f_bFxGD-sTp0bTbw-x3P01yEIIua5SUlQLCeHosCWRgI_2FvCWEr6VK4OqlEuX30FkTzs6JXshhxNikpTIfjaGkhguATrZt3xIPpZOZB92Lg6qM6opCe_ak7d19IKE7oVUXKcwcDtkfjeHBiqawf3Ujxy9F_JW9rP4Uer4Mrh2fTqfK0qZ3OaUuN64B72i2Bgif6bLkT68K9CHVDFO1gIRFPw6ppiPnSCXC_8A8vpIbHkVzz02-3tumIjgs2MMpmZwehrHypHzRwsK18y651jE\"}"
1e4edb3b04b2 read 2330 bytes
1e4edb3b04b2 Conn close
1e4edb3b04b2 opening connection to sso.XXXXXX.org:443...
1e4edb3b04b2 opened
1e4edb3b04b2 starting SSL for sso.X.org:443...
1e4edb3b04b2 SSL established, protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384
1e4edb3b04b2 <- "GET /application/o/userinfo/? HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nAuthorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImUzNDIwZjYxOTQ3MTU2NGFiODdkNmRhZWJmYzIyNDY5IiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL3Nzby5zb2xpZGFpcmVzaW5mb3JtYXRpcXVlLm9yZy8iLCJzdWIiOiIxIiwiYXVkIjoiOGlBeG1mbndxamx4dGdURnJmQnVid3dseGpNUkJFRE1jVlVkTGZjSiIsImV4cCI6MTcwOTgzNDQ1NCwiaWF0IjoxNzA5ODM0MTU0LCJhdXRoX3RpbWUiOjE3MDk4MzQxNTAsImFjciI6ImdvYXV0aGVudGlrLmlvL3Byb3ZpZGVycy9vYXV0aDIvZGVmYXVsdCIsImF6cCI6IjhpQXhtZm53cWpseHRnVEZyZkJ1Ynd3bHhqTVJCRURNY1ZVZExmY0oiLCJ1aWQiOiJjZERBYmpNQUdZZHRSM3ROcGxXbXpyTDlEUk00dTRlUzdYaDFIOTV4In0.4c5FTXB4U5iZksNX8mDRxDQR-qrxEPDbPQZ74lGyZgI-tDWpx9zBS_huhg_Q1A86Mb9Paogw_XC8hOvJoUBFJCpcu-saPKP3e3L3BmbvRrF-xfWoU80IfVfOwxEiaWvvd2f2u8OMVnvu2FtYm2MA2qEBTuZiXswhJ_NDlM_Dy-ssaE1eYngRY733PUFywnrbEyYi7o8B1cgPYljmuszBvYzHldpQi_zKqeCZuaRX3ecd-mh9iQ1Ad-xkU1WeJOcW3FMdpL-LU5sNQG4Au9hLPX_x_ZM392aIZUsKdEsptdf2nlmCMrwK1pHi-SLR68RM_nuBrk5Yd6m67jjLy6TEBwW9PkknTwbdplo1jDA3lV9nft5ZaIYwAQ0G-QSbmPrNMIJM7PVZQEMNnKJ0w9xojahdG0qZtr3v4HYfG_guUOWCbeL4zNZmjwY262c807zCBXgHqPaCsN9mfzmukO_OvwRgJQ-yJKe8XALStMufIIOP1JU-jo35fGcGIERKGZ4nbzKcZE4zvFolsINGSTSvmx6qaSboW39KwBl1kG_rHaLMh0Z3Z9ECtRqOwAhz9dHKbvr6Z8m03Gmn7-HNHiOCv3smTMTTMzPFOZCrDlTAm1J656MQY_1BIRJkk2J5cAcOcYWUJ3Nr3NSNWJzL8EnJK4Fp49Xw6Zn28wzGe_fUQGA\r\nAccept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3\r\nAccept: */*\r\nUser-Agent: Ruby\r\nConnection: close\r\nSentry-Trace: 2a10172322754462a502eac6fd0b42f5-3b72b5053c74402f\r\nBaggage: sentry-trace_id=2a10172322754462a502eac6fd0b42f5,sentry-environment=production\r\nHost: sso.XXXXXXX.org\r\n\r\n"1e4edb3b04b2 
1e4edb3b04b2 -> "HTTP/1.1 200 OK\r\n"
1e4edb3b04b2 -> "Server: nginx\r\n"
1e4edb3b04b2 -> "Date: Thu, 07 Mar 2024 17:55:54 GMT\r\n"
1e4edb3b04b2 -> "Content-Type: application/json\r\n"
1e4edb3b04b2 -> "Content-Length: 74\r\n"
1e4edb3b04b2 -> "Connection: close\r\n"
1e4edb3b04b2 -> "Cache-Control: no-store\r\n"
1e4edb3b04b2 -> "Pragma: no-cache\r\n"
1e4edb3b04b2 -> "Referrer-Policy: same-origin\r\n"
1e4edb3b04b2 -> "Vary: Accept-Encoding\r\n"
1e4edb3b04b2 -> "Vary: Cookie\r\n"
1e4edb3b04b2 -> "X-Authentik-Id: d8b0632d599a45e1b970XXXXXca9f21ad2\r\n"
1e4edb3b04b2 -> "X-Content-Type-Options: nosniff\r\n"
1e4edb3b04b2 -> "X-Frame-Options: DENY\r\n"
1e4edb3b04b2 -> "X-Powered-By: authentik\r\n"
1e4edb3b04b2 -> "alt-svc: h3=\":443\"; ma=86400\r\n"
1e4edb3b04b2 -> "Strict-Transport-Security: max-age=15768000\r\n"
1e4edb3b04b2 -> "\r\n"
1e4edb3b04b2 reading 74 bytes...
1e4edb3b04b2 -> "{\"sub\": \"1\", \"email\": \"XXXXX@XXXXX.com\", \"email_verified\": true}"
1e4edb3b04b2 read 74 bytes
1e4edb3b04b2 Conn close
1e4edb3b04b2 I, [2024-03-07T17:55:57.053544 #14]  INFO -- : [cbfe0d3f-fb89-45b7-b5b5-9eefbc844d74] method=GET path=/oauth/authorize format=html controller=Identities::OauthController action=create status=400 allocations=444044 duration=2418.32 view=2051.61 db=2.65
1e4edb3b04b2 I, [2024-03-07T17:55:57.053847 #14]  INFO -- : source=rack-timeout id=cbfe0d3f-fb89-45b7-b5b5-9eefbc844d74 timeout=15000ms service=2421ms state=completed

How do I debug this? Has anyone made authentik work?

robguthrie commented 8 months ago

Sorry, I've no idea. OAuth implementations vary a lot from service to service. Often you need to be able to dig right into the requests and responses to debug this. I'm not able to do this for you at this time. Maybe someone else can help?

yodatak commented 7 months ago

I made it work :tada:! I plan to write documentation to help people use it (I will close the issue as soon as I have made the PR with the documentation).

atomicthumbs commented 1 month ago

> I made it work 🎉! I plan to write documentation to help people use it (I will close the issue as soon as I have made the PR with the documentation).

Could you share your config? I'm having a hard time getting it working with Keycloak for OIDC authentication.

yodatak commented 1 month ago

For Authentik

@atomicthumbs

In the .env file in the Loomio conf:

#- `OAUTH_AUTH_URL` is used to specify the auth endpoint, for example `https://sso.yourdomain.com/realms/YourRealm/protocol/openid-connect/auth`.
OAUTH_AUTH_URL=https://sso.XXXXXXXXXXXXXXXX.org/application/o/authorize/
#- `OAUTH_TOKEN_URL` is used to specify the token endpoint, for example `https://sso.yourdomain.com/realms/YourRealm/protocol/openid-connect/token`.
OAUTH_TOKEN_URL=https://sso.XXXXXXXXXXXXXXX.org/application/o/token/
#- `OAUTH_PROFILE_URL` is used to fetch the user's profile data, for example `https://sso.yourdomain.com/realms/YourRealm/protocol/openid-connect/userinfo`.
OAUTH_PROFILE_URL=https://sso.XXXXXXXXXXXXXXXX.org/application/o/userinfo/
#- `OAUTH_SCOPE` is the list of scopes passed in the auth request, for example `openid email profile`.
#https://sso.XXXXXXXXXXXX.org/application/o/loomio/.well-known/openid-configuration
OAUTH_SCOPE=openid email profilegroupless
#- `OAUTH_APP_KEY` is what OIDC refers to as the Client ID. For example, `loomio`.
OAUTH_APP_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#- `OAUTH_APP_SECRET` is what OIDC refers to as the Client Secret. It's a long string of letters and numbers and other characters.
OAUTH_APP_SECRET=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#- `OAUTH_ATTR_UID` specifies which user profile field is used for Loomio's internal unique identifier for this user. For example, `email`.
OAUTH_ATTR_UID=email
#- `OAUTH_ATTR_NAME` specifies which user profile field is used for Loomio's displayed name, for example `name`.
OAUTH_ATTR_NAME=name
#- `OAUTH_ATTR_EMAIL` specifies which user profile field is used for the Loomio account email address, for example `email`.
OAUTH_ATTR_EMAIL=email
#- `OAUTH_LOGIN_PROVIDER_NAME` is the label used for the SSO login button. The user will see this value when they're prompted to log in using SSO. For example, `Your Domain SSO`.
OAUTH_LOGIN_PROVIDER_NAME=My sso conf
#For the ATTR variables, if you're not sure what your OAuth provider is returning, you can attempt a login and check the Loomio logs to see the response.

And if needed I could add the authentik conf later!

I also add a scope without groups in the profile because Loomio doesn't support it yet.
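For the "how to debug this?" question in the first post and the `OAUTH_ATTR_*` mapping in the working config above, a short script that checks two things a Loomio admin would want to verify before trying another login: that every claim name in `OAUTH_ATTR_UID`/`OAUTH_ATTR_NAME`/`OAUTH_ATTR_EMAIL` actually appears in the provider's `/userinfo/` response, and that the `iss` and `aud` of the token the provider returned match the issuer and client ID Loomio is configured with. This is an added example, not Loomio's or authentik's code. The userinfo body is the one logged in the first post (address masked as on the page); the token is a constructed, unsigned sample with placeholder issuer and client ID, so `sso.example.org` and `CLIENT_ID_PLACEHOLDER` are assumptions. The JWT decoder only reads the payload; it does not verify the signature and must not be used to trust a token.

```ruby
require "json"

# Constructed sample: the userinfo body Loomio logged in the first post.
USERINFO_BODY = '{"sub": "1", "email": "XXXXX@XXXXX.com", "email_verified": true}'

# The two attribute mappings from this thread, as they appear in .env.
FIRST_MAPPING = {
  "OAUTH_ATTR_UID"   => "id",
  "OAUTH_ATTR_NAME"  => "displayName",
  "OAUTH_ATTR_EMAIL" => "mail",
}
WORKING_MAPPING = {
  "OAUTH_ATTR_UID"   => "email",
  "OAUTH_ATTR_NAME"  => "name",
  "OAUTH_ATTR_EMAIL" => "email",
}

# Returns the env vars whose configured claim name is absent from the
# provider's userinfo JSON. An empty array means every mapped field is there.
def missing_attrs(userinfo_json, mapping)
  claims = JSON.parse(userinfo_json)
  mapping.reject { |_env, claim| claims.key?(claim) }.keys
end

# base64url helpers built on String#pack/unpack so no extra gem is needed.
def b64url_encode(str)
  [str].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m")
end

# Decodes the payload segment of a compact JWT for inspection only.
# No signature check: this reads iss/aud/exp out of a log line, nothing more.
def jwt_payload(token)
  segments = token.split(".", -1)
  raise ArgumentError, "not a compact JWS (expected 3 segments)" unless segments.size == 3
  JSON.parse(b64url_decode(segments[1]))
end

# True when the token was issued by the expected issuer for this client ID.
# A mismatch here means the token came from a different application/realm
# than the one OAUTH_APP_KEY refers to, even if /userinfo/ returned 200.
def token_matches_config?(payload, expected_issuer:, client_id:)
  payload["iss"] == expected_issuer && Array(payload["aud"]).include?(client_id)
end

# Builds a constructed, unsigned sample token (alg "none", empty signature)
# purely so the decoder can be exercised offline.
def build_sample_jwt(claims)
  "#{b64url_encode('{"alg":"none","typ":"JWT"}')}.#{b64url_encode(JSON.generate(claims))}."
end

# Placeholder claims shaped like the authentik id_token shown above.
SAMPLE_CLAIMS = {
  "iss" => "https://sso.example.org/application/o/loomio/",   # assumption
  "sub" => "1",
  "aud" => "CLIENT_ID_PLACEHOLDER",                            # assumption
  "exp" => 1709836451,
  "email" => "XXXXX@XXXXX.com",
}

if __FILE__ == $0
  puts "first mapping, missing from userinfo:   #{missing_attrs(USERINFO_BODY, FIRST_MAPPING)}"
  puts "working mapping, missing from userinfo: #{missing_attrs(USERINFO_BODY, WORKING_MAPPING)}"
  payload = jwt_payload(build_sample_jwt(SAMPLE_CLAIMS))
  ok = token_matches_config?(payload,
                             expected_issuer: "https://sso.example.org/application/o/loomio/",
                             client_id: "CLIENT_ID_PLACEHOLDER")
  puts "token iss/aud match config: #{ok}"
end
```

Run against the userinfo body from the first post, the original mapping (`id`, `displayName`, `mail`) has no matching field at all, which explains a 400 on `/oauth/authorize` before any Loomio-side bug is suspected. The working mapping still reports `name` missing for that particular response, because that body carried only `sub`, `email` and `email_verified`; the `name` claim only exists once the scope that returns profile claims (here the custom `profilegroupless`) is actually granted and present in `/userinfo/`. Point the `jwt_payload` call at the `id_token` from a real log line to compare its `iss` and `aud` with `OAUTH_APP_KEY`; treat the result as a diagnostic, never as authentication.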

atomicthumbs commented 1 month ago

thank you!