Closed Simandre closed 6 months ago
This appears to be due to the provider not following the specification. According to the OpenID Connect specification here, a name should be provided to be used as the user's display name. Which OpenID provider are you using?
I'm using Synology SSO, but I did not find any settings to check what is actually sent. I did stumble upon the same problem with the Docker image of FreshRSS, which I was able to solve:
```yaml
freshrss:
  image: freshrss/freshrss:latest
  environment:
    # See https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html
    OIDC_ENABLED: 1
    OIDC_PROVIDER_METADATA_URL: •••
    OIDC_CLIENT_ID: •••
    OIDC_CLIENT_SECRET: •••
    OIDC_CLIENT_CRYPTO_KEY: •••
    OIDC_REMOTE_USER_CLAIM: username # <-
    OIDC_SCOPES: openid # <-
    OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto
```
So, if I understand you correctly, I was able to make it work with this image because I told the client which claim from the server to use to reconcile the user; but in the case of Pingvin it is using a default claim that is not provided by the server, isn't it? If that is the case, why was I able to fix it by using username as the claim, while here the value is not given via the providedUsername member?
Yes, I'll add a claim config soon.
Quick follow up:
I was able to add the required member, and bind my user (not admin) account to my provider account and be logged in.
To be nit-picky:
@stonith404 I have no idea why the translation doesn't work. Could you check it?
@zz5840 @Simandre Oh, I forgot to merge the Crowdin (translation tool) pull request before releasing. It will be fixed in the next release.
🙋♂️ Question
Hello!
I'm trying to set up SSO on my NAS, using pingvin-share in a Docker container on said host. I was able to run the SSO Server on my NAS, add an app entry to generate the Client ID & Secret, the callback URL and the well-known URL too.
I was also able to go to the admin panel and fill the corresponding fields:
However, the connection fails when trying to log in via SSO, and I don't understand OpenID enough to get what is wrong. Server side, the logs show a successful attempt ("User ••• signed in to application Pinginv via SSO."), but there is an internal error client side. It looks like the username is not handled, or the claim is not able to bind my Pingvin account with my server account (I have redacted the sensitive part of the log).
According to this documentation it looks like the Authorization scope and the Username claim have to be set client side. Can someone help me figure this out?