Closed Aurel004 closed 5 months ago
I was hoping on creating a new tutorial on how to configure OIDC with Zitadel but I'll have to wait a bit
When you changed the configuration from Authentik to Zitadel, did you reset your browser cache or try in a private window? Did you set up your Zitadel client as a SPA?
When you changed the configuration from Authentik to Zitadel, did you reset your browser cache or try in a private window?
Yes I used a private window
Did you set up your Zitadel client as a SPA?
What do you mean by SPA? If the question is "Did I set up a new app for Mealie in Zitadel?", the answer is yes. Here is a screenshot of the configuration.
I took a look at the docs for Zitadel and there is supposedly an option for a Single Page Application type, which is what you need for Mealie. Looks like from your screenshot you selected a Web application. https://zitadel.com/docs/guides/integrate/login/oidc/login-users
Perfect thank you !
Had an issue with [OIDC] Required claims not present. Expected: {'name', 'preferred_username', 'email'} Actual: dict_keys(['iss', 'sub', 'aud', 'exp', 'iat', 'auth_time', 'amr', 'azp', 'client_id', 'at_hash', 'c_hash'])
but I got it working, I might do the tutorial
Do you know why for Mealie it must be a SPA and not Web?
And a second question (I might open another issue for this): do you know how to go from the nightly image to latest? I have this error: alembic.util.exc.CommandError: Can't locate revision identified by '7788478a0338'
(SQLite)
Thank you !
Great! Mealie's architecture is a little weird where we have a backend which serves the front end as a SPA, so the OIDC authentication happens only in the browser, which is why it needs to be a SPA type (other IdPs will have an option for "public" which is the same concept).
You can't revert to a numbered release because there have been some database migrations since the last numbered release. If you had a database backup before you switched to nightly, then you could restore that backup and go back to the numbered release.
Nightly is pretty stable so don't worry too much about it, you should be able to get back to the regular release cycle on the next version if you like
Okay thank you for the explanation
Okay, so I just have to wait for the next latest release?
Yep! Once the next tagged release is available, you can switch over to it and shouldn't have any issues
Okay thank you !
Tutorial has been made : https://github.com/mealie-recipes/mealie/discussions/3557
Update,
I get an infinite redirect, and the logs in Mealie say:
File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/jose/rfc7517/key_set.py", line 29, in find_by_kid raise ValueError('Invalid JSON Web Key Set')
ValueError: Invalid JSON Web Key Set
INFO 2024-05-04T00:20:32 - [192.168.0.20:0] 307 Temporary Redirect "GET /login?direct=1 HTTP/1.1"
INFO 2024-05-04T00:20:32 - [192.168.0.20:0] 401 Unauthorized "GET /api/users/self HTTP/1.1"
INFO 2024-05-04T00:20:33 - [192.168.0.20:0] 500 Internal Server Error "POST /api/auth/token HTTP/1.1"
ERROR 2024-05-04T00:20:33 - Exception in ASGI application
Okay, quick update: got it fixed somehow by updating to the last nightly tag and deleting the old Mealie apps in Zitadel.
My issue now is that I lose the admin role even if I configured the admin role in Zitadel, any idea on this?
If the OIDC_ADMIN_GROUP is set, then Mealie pulls the groups claim (this is now configurable with OIDC_GROUPS_CLAIM in nightly) and looks to see if your groups contain the specified admin group. If it doesn't, then it will revoke your admin status.
So what is probably happening is your groups are not coming back in the groups claim, and your admin status is getting reset. I think I read in the Zitadel docs that there is a claim for "roles" that you might need to specify in Mealie. (OIDC_GROUPS_CLAIM=urn:zitadel:iam:org:project:roles)
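To make the check described in the comment above concrete, here is an added Python example (not Mealie's or Zitadel's own code) that models it: a required-claims check matching the "Required claims not present" log line earlier in this thread, group extraction from a configurable claim, and the admin grant/revoke decision. The token payloads are constructed sample values; the nested shape of Zitadel's roles claim (role name mapped to org id and org domain) follows Zitadel's documented format, and the default claim name `groups`, `OIDC_ADMIN_GROUP` and `OIDC_GROUPS_CLAIM` are the settings named in the comment.

```python
# Added example, not code from Mealie or Zitadel: models the claim checks the
# thread describes. All claim values below are constructed sample data.
from typing import Dict, Optional, Set

# Claims Mealie expects in the token, per the log line quoted in this thread.
REQUIRED_CLAIMS: Set[str] = {"name", "preferred_username", "email"}

# Zitadel's project-roles claim, as named in this thread.
ZITADEL_ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"


def missing_required_claims(claims: Dict) -> Set[str]:
    """Return the required claims the token does not carry (empty set = OK)."""
    return REQUIRED_CLAIMS - set(claims.keys())


def extract_groups(claims: Dict, groups_claim: str = "groups") -> Set[str]:
    """Read group/role names from the configured claim.

    A conventional `groups` claim is a list of names. Zitadel's roles claim is
    a mapping of role name -> {orgId: orgDomain}, so only its keys are role
    names. Any other shape yields no groups instead of raising.
    """
    value = claims.get(groups_claim)
    if value is None:
        return set()
    if isinstance(value, dict):
        return {str(k) for k in value.keys()}
    if isinstance(value, str):
        return {value}
    if isinstance(value, (list, tuple, set)):
        return {str(v) for v in value}
    return set()


def resolve_admin(claims: Dict, admin_group: Optional[str],
                  groups_claim: str = "groups") -> Optional[bool]:
    """Decide admin status the way the comment above describes.

    None  -> OIDC_ADMIN_GROUP not set: leave the user's admin flag alone.
    True  -> admin group present in the groups claim: grant admin.
    False -> admin group absent (or the claim missing): revoke admin.
    """
    if not admin_group:
        return None
    return admin_group in extract_groups(claims, groups_claim)


# --- constructed sample ID-token payloads (already decoded and verified) ---

# Same key set as the "Required claims not present" log line above:
# identity-only claims, no profile or email data.
BARE_CLAIMS = {
    "iss": "https://zitadel.example.test", "sub": "1234567890", "aud": ["mealie"],
    "exp": 1714780000, "iat": 1714776400, "auth_time": 1714776390,
    "amr": ["pwd"], "azp": "mealie", "client_id": "mealie",
    "at_hash": "x", "c_hash": "y",
}

# A Zitadel-style token with profile claims and the project-roles claim.
ZITADEL_CLAIMS = {
    **BARE_CLAIMS,
    "name": "Aurel", "preferred_username": "aurel", "email": "aurel@example.test",
    ZITADEL_ROLES_CLAIM: {"admin": {"111111111111111111": "example.test"},
                          "user": {"111111111111111111": "example.test"}},
}

# A token from an IdP that emits a conventional list-valued `groups` claim.
GENERIC_CLAIMS = {
    **BARE_CLAIMS,
    "name": "Aurel", "preferred_username": "aurel", "email": "aurel@example.test",
    "groups": ["mealie-users", "mealie-admins"],
}


if __name__ == "__main__":
    print("missing claims:", missing_required_claims(BARE_CLAIMS))
    # Default claim name against a Zitadel token: no groups found, admin revoked.
    print("zitadel, default claim:", resolve_admin(ZITADEL_CLAIMS, "admin"))
    # Pointing OIDC_GROUPS_CLAIM at the roles claim finds the role instead.
    print("zitadel, roles claim:", resolve_admin(ZITADEL_CLAIMS, "admin", ZITADEL_ROLES_CLAIM))
    print("generic IdP:", resolve_admin(GENERIC_CLAIMS, "mealie-admins"))
```

Running it shows the two failure modes from this thread side by side: the bare token fails the required-claims check, and the Zitadel token read through the default `groups` claim yields no groups, so the admin role is revoked until the claim name is pointed at the roles claim.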
Absolutely perfect. I was missing that OIDC_GROUPS_CLAIM env variable. I see it has just been added 19 hours ago in nightly lol
Updating the tutorial as there are some more tweaks to do in Zitadel for the urn:zitadel:iam:org:project:roles (or urn:zitadel:iam:org:project:{projectId}:roles) to appear in the response.
Thank you very much
see it has just been added 19 hours ago in nightly
Haha yeah, I added it after I read about the roles in Zitadel. And it has come up in other cases as well, so it just offers more flexibility. Thanks for making the tutorial post!
First Check
What is the issue you are experiencing?
Hi,
I'm trying to set up OIDC with Zitadel as an IdP.
I had already successfully set up OIDC with Authentik in the past but switched to Zitadel.
Here are my Env Variables:
And the redirect URIs:
When I go to Mealie, I get a 404 error:
with this URL:
https://menu.mydomain.com/null?protocol=oauth2&response_type=code&access_type&client_id=xxxx%40server&redirect_uri=https%3A%2F%2Fmenu.mydomain.com%2Flogin&scope=openid%20profile%20email%20groups&state=xxxx&code_challenge_method=S256&code_challenge=xxxx
It doesn't seem to redirect to Zitadel as I can't even go to the login page of Zitadel. I've tried to change the OIDC_CONFIGURATION_URL to https://zitadel.mydomain.com but facing the same error.
Do you have any idea what is going on?
The logs are just showing
200 OK "GET /null?protocol=oauth2[...] url
Thank you
Steps to Reproduce
1) Configure Zitadel with a new App
2) Configure Mealie with OIDC
3) Try to connect
Please provide relevant logs
Nothing relevant
Mealie Version
nightly
Deployment
Docker (Synology)
Additional Deployment Details
I cannot go back to the latest Docker tag because I have this error in the logs:
alembic.util.exc.CommandError: Can't locate revision identified by '7788478a0338'
(SQLite)