mealie-recipes / mealie

Mealie is a self hosted recipe manager and meal planner with a RestAPI backend and a reactive frontend application built in Vue for a pleasant user experience for the whole family. Easily add recipes into your database by providing the url and mealie will automatically import the relevant data or add a family recipe with the UI editor
https://docs.mealie.io
GNU Affero General Public License v3.0

[BUG] - OIDC with Zitadel - Error 404 #3546

Closed Aurel004 closed 5 months ago

Aurel004 commented 5 months ago

First Check

What is the issue you are experiencing?

Hi,

I'm trying to setup OIDC with Zitadel as an IdP.

I've already successfully setup OIDC with Authentik in the past but switched to Zitadel.

Here are my Env Variables:

OIDC_AUTH_ENABLED: true
OIDC_SIGNUP_ENABLED: false
OIDC_CONFIGURATION_URL: https://zitadel.mydomain.com/oauth/v2/authorize
OIDC_CLIENT_ID: xxxx@server
OIDC_AUTO_REDIRECT: true
OIDC_PROVIDER_NAME: Zitadel
OIDC_REMEMBER_ME: true
OIDC_ADMIN_GROUP: Admin

And the redirect URIs: [image]

When I go to mealie, I have a 404 Error: [image]

with this URL: https://menu.mydomain.com/null?protocol=oauth2&response_type=code&access_type&client_id=xxxx%40server&redirect_uri=https%3A%2F%2Fmenu.mydomain.com%2Flogin&scope=openid%20profile%20email%20groups&state=xxxx&code_challenge_method=S256&code_challenge=xxxx

It doesn't seem to redirect to Zitadel as I can't even go to the login page of Zitadel. I've tried to change the OIDC_CONFIGURATION_URL to https://zitadel.mydomain.com but facing the same error.

Do you have any idea on what is going on ?

The logs are just showing 200 OK "GET /null?protocol=oauth2[...]" url

Thank you

Steps to Reproduce

1) Configure Zitadel with a new App
2) Configure Mealie with OIDC
3) Try to connect

Please provide relevant logs

Nothing relevant

Mealie Version

nightly

Deployment

Docker (Synology)

Additional Deployment Details

I cannot go back to latest docker tag because I have this error in the logs : alembic.util.exc.CommandError: Can't locate revision identified by '7788478a0338' (SQLite)

Aurel004 commented 5 months ago

I was hoping on creating a new tutorial on how to configure OIDC with Zitadel but I'll have to wait a bit

cmintey commented 5 months ago

When you changed the configuration from Authentik to Zitadel, did you reset your browser cache or try in a private window? Did you set up your Zitadel client as a SPA?

Aurel004 commented 5 months ago

When you changed the configuration from Authentik to Zitadel, did you reset your browser cache or try in a private window?

Yes I used a private window

Did you set up your Zitadel client as a SPA?

What do you mean by SPA? If the question is "Do I have setup a new app for mealie in Zitadel?", the answer is yes. Here is a screenshot of the configuration: [image]

cmintey commented 5 months ago

I took a look at the docs for Zitadel and there is supposedly an option for a Single Page Application type, which is what you need for Mealie. Looks like from your screenshot you selected a Web application. https://zitadel.com/docs/guides/integrate/login/oidc/login-users

Aurel004 commented 5 months ago

I took a look at the docs for Zitadel and there is supposedly an option for a Single Page Application type, which is what you need for Mealie. Looks like from your screenshot you selected a Web application. https://zitadel.com/docs/guides/integrate/login/oidc/login-users

Perfect thank you ! Had an issue with [OIDC] Required claims not present. Expected: {'name', 'preferred_username', 'email'} Actual: dict_keys(['iss', 'sub', 'aud', 'exp', 'iat', 'auth_time', 'amr', 'azp', 'client_id', 'at_hash', 'c_hash']) but I got it working, I might do the tutorial

Do you know why for mealie it must be a SPA and not web ?

And 2nd question, might open an other issue for this, do you know how to go from nightly image to latest ? I have this error: alembic.util.exc.CommandError: Can't locate revision identified by '7788478a0338' (SQLite)

Thank you !

cmintey commented 5 months ago

Great! Mealie's architecture is a little weird where we have a backend which serves the front end as a SPA, so the OIDC authentication happens only in the browser, which is why it needs to be a SPA type (other IdPs will have an option for "public" which is the same concept).

You can't revert to a numbered release because there have been some database migrations since the last numbered release. If you had a database backup before you switched to nightly, then you could restore that backup and go back to the numbered release.

Nightly is pretty stable so don't worry too much about it, you should be able to get back to the regular release cycle on the next version if you like

Aurel004 commented 5 months ago

Okay thank you for the explanation

Nightly is pretty stable so don't worry too much about it, you should be able to get back to the regular release cycle on the next version if you like

Okay so I just have to wait for the next latest release?

cmintey commented 5 months ago

Okay so I just have to wait for the next latest release?

Yep! Once the next tagged release is available, you can switch over to it and shouldn't have any issues

Aurel004 commented 5 months ago

Okay thank you !

Tutorial has been made : https://github.com/mealie-recipes/mealie/discussions/3557

Aurel004 commented 5 months ago

Great! Mealie's architecture is a little weird where we have a backend which serves the front end as a SPA, so the OIDC authentication happens only in the browser, which is why it needs to be a SPA type (other IdPs will have an option for "public" which is the same concept).

You can't revert to a numbered release because there have been some database migrations since the last numbered release. If you had a database backup before you switched to nightly, then you could restore that backup and go back to the numbered release.

Nightly is pretty stable so don't worry too much about it, you should be able to get back to the regular release cycle on the next version if you like

Update,

I get an infinite redirect, and the logs in mealie say:

File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/jose/rfc7517/key_set.py", line 29, in find_by_kid
    raise ValueError('Invalid JSON Web Key Set')
ValueError: Invalid JSON Web Key Set
INFO 2024-05-04T00:20:32 - [192.168.0.20:0] 307 Temporary Redirect "GET /login?direct=1 HTTP/1.1"
INFO 2024-05-04T00:20:32 - [192.168.0.20:0] 401 Unauthorized "GET /api/users/self HTTP/1.1"
INFO 2024-05-04T00:20:33 - [192.168.0.20:0] 500 Internal Server Error "POST /api/auth/token HTTP/1.1"
ERROR 2024-05-04T00:20:33 - Exception in ASGI application

Aurel004 commented 5 months ago

Okay fast update, got it fixed somehow by updating to the last nightly tag and deleting old mealie apps in Zitadel.

My issue now is that I lose the admin role even if I configured the admin role in Zitadel, any idea on this?

cmintey commented 5 months ago

If the OIDC_ADMIN_GROUP is set, then Mealie pulls the groups claim (this is now configurable with OIDC_GROUPS_CLAIM in nightly) and looks to see if your groups contain the specified admin group. If it doesn't, then it will revoke your admin status.

So what is probably happening is your groups are not coming back in the groups claim. And your admin status is getting reset. I think I read in the Zitadel docs that there is a claim for "roles" that you might need to specify in Mealie. (OIDC_GROUPS_CLAIM=urn:zitadel:iam:org:project:roles)
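
As an added illustration (not Mealie's own code) of the check described in this comment, and of the "Required claims not present" error seen earlier in the thread: a token whose roles only arrive under Zitadel's roles claim fails the admin check while Mealie reads the default "groups" claim, and passes once the claim name is configured. It assumes Zitadel's roles claim is an object keyed by role name; the claim values are constructed placeholders.

```python
# Added example, not Mealie's code: models how an admin group is resolved
# against a configurable groups claim, and which profile claims are required.
from typing import Any, Optional

REQUIRED_CLAIMS = {"name", "preferred_username", "email"}
ZITADEL_ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"


def missing_required_claims(claims: dict[str, Any]) -> set[str]:
    """Return the required profile claims absent from the token/userinfo."""
    return REQUIRED_CLAIMS - claims.keys()


def extract_groups(claims: dict[str, Any], groups_claim: str) -> set[str]:
    """Read the configured groups claim and normalise it to a set of names.

    Assumption: Zitadel's roles claim is an object keyed by role name, e.g.
    {"Admin": {"<orgId>": "<orgDomain>"}}; a plain list of strings is the
    usual shape of a generic 'groups' claim.
    """
    raw = claims.get(groups_claim)
    if raw is None:
        return set()
    if isinstance(raw, dict):
        return set(raw.keys())
    if isinstance(raw, str):
        return {raw}
    return {str(g) for g in raw}


def resolve_admin(claims: dict[str, Any], admin_group: Optional[str],
                  groups_claim: str = "groups", current_admin: bool = False) -> bool:
    """If OIDC_ADMIN_GROUP is set, admin status becomes exactly 'admin group
    present in the groups claim', so a missing or misnamed claim silently
    revokes admin. With no admin group configured, status is left untouched."""
    if not admin_group:
        return current_admin
    return admin_group in extract_groups(claims, groups_claim)


# Constructed sample claims, shaped like a Zitadel ID token with the roles
# claim enabled (all values are placeholders).
SAMPLE_CLAIMS = {
    "iss": "https://zitadel.example.test", "sub": "1234", "aud": "xxxx@server",
    "name": "Aurel", "preferred_username": "aurel", "email": "aurel@example.test",
    ZITADEL_ROLES_CLAIM: {"Admin": {"org-id-placeholder": "example.test"}},
}

if __name__ == "__main__":
    print(missing_required_claims(SAMPLE_CLAIMS))                      # set()
    print(resolve_admin(SAMPLE_CLAIMS, "Admin"))                        # False
    print(resolve_admin(SAMPLE_CLAIMS, "Admin", ZITADEL_ROLES_CLAIM))   # True
```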

Aurel004 commented 5 months ago

If the OIDC_ADMIN_GROUP is set, then Mealie pulls the groups claim (this is now configurable with OIDC_GROUPS_CLAIM in nightly) and looks to see if your groups contain the specified admin group. If it doesn't, then it will revoke your admin status.

So what is probably happening is your groups are not coming back in the groups claim. And your admin status is getting reset. I think I read in the Zitadel docs that there is a claim for "roles" that you might need to specify in Mealie. (OIDC_GROUPS_CLAIM=urn:zitadel:iam:org:project:roles)

Absolutely perfect. I was missing that OIDC_GROUPS_CLAIM env variable. I see it has just been added 19 hours ago in nightly lol

Updating the tutorial as there are some more tweaks to do in Zitadel for the urn:zitadel:iam:org:project:roles (or urn:zitadel:iam:org:project:{projectId}:roles) to appear in the response.

Thank you very much

cmintey commented 5 months ago

see it has just been added 19 hours ago in nightly

Haha yeah, I added it after I read about the roles in Zitadel. And it has come up in other cases as well, so it just offers more flexibility. Thanks for making the tutorial post!