❓ Question: Internal Error while setting the OIDC

[Simandre]

🙋‍♂️ Question

Hello!

I'm trying to setup SSO on my NAS, using pingvin-share on a docker on said host. I was able to run the SSO Server on my NAS, add an app entry to generate Client ID & Secrets, callback URL and the Wellknown URL too.

I was also able to go to the admin panel and fill the corresponding fields:

However, the connection fails at when trying to log via SSO, and I don't understand OpenID enought to getwhat is wrong. Server side, the logs says a successful attempts ("User ••• signed in to application Pinginv via SSO."), but there is an internal error Client side. It looks like the Username is not managed, or the claim is not able to bind my Pingvin account with my server account (I have redacted sensible part of the log)

2023/12/12 01:33:38 stderr      at async OAuthController.callback (/opt/app/backend/dist/src/oauth/oauth.controller.js:53:13)
2023/12/12 01:33:38 stderr      at async OAuthService.link (/opt/app/backend/dist/src/oauth/oauth.service.js:77:9)
2023/12/12 01:33:38 stderr      at zr.request (/opt/app/backend/node_modules/@prisma/client/runtime/library.js:122:7307)
2023/12/12 01:33:38 stderr      at zr.handleAndLogRequestError (/opt/app/backend/node_modules/@prisma/client/runtime/library.js:122:7697)
2023/12/12 01:33:38 stderr      at zr.handleRequestError (/opt/app/backend/node_modules/@prisma/client/runtime/library.js:122:8007)
2023/12/12 01:33:38 stderr      at Ur (/opt/app/backend/node_modules/@prisma/client/runtime/library.js:115:5803)
2023/12/12 01:33:38 stderr  Argument `providerUsername` is missing.
2023/12/12 01:33:38 stderr  
2023/12/12 01:33:38 stderr       })
2023/12/12 01:33:38 stderr         }
2023/12/12 01:33:38 stderr       +   providerUsername: String
2023/12/12 01:33:38 stderr           providerUserId: "•••",
2023/12/12 01:33:38 stderr           provider: "oidc",
2023/12/12 01:33:38 stderr           userId: "•••",
2023/12/12 01:33:38 stderr         data: {
2023/12/12 01:33:38 stderr  → 77 await this.prisma.oAuthUser.create({
2023/12/12 01:33:38 stderr    76 }
2023/12/12 01:33:38 stderr    75     ]);
2023/12/12 01:33:38 stderr    74         `provider_${provider}`,
2023/12/12 01:33:38 stderr  
2023/12/12 01:33:38 stderr  /opt/app/backend/dist/src/oauth/oauth.service.js:77:37
2023/12/12 01:33:38 stderr  Invalid `this.prisma.oAuthUser.create()` invocation in
2023/12/12 01:33:38 stderr  PrismaClientValidationError: 
2023/12/12 01:33:38 stderr  Argument `providerUsername` is missing.
2023/12/12 01:33:38 stderr  
2023/12/12 01:33:38 stderr       })
2023/12/12 01:33:38 stderr         }
2023/12/12 01:33:38 stderr       +   providerUsername: String
2023/12/12 01:33:38 stderr           providerUserId: "•••",
2023/12/12 01:33:38 stderr           provider: "oidc",
2023/12/12 01:33:38 stderr           userId: "•••",
2023/12/12 01:33:38 stderr         data: {
2023/12/12 01:33:38 stderr  → 77 await this.prisma.oAuthUser.create({
2023/12/12 01:33:38 stderr    76 }
2023/12/12 01:33:38 stderr    75     ]);
2023/12/12 01:33:38 stderr    74         `provider_${provider}`,
2023/12/12 01:33:38 stderr  
2023/12/12 01:33:38 stderr  /opt/app/backend/dist/src/oauth/oauth.service.js:77:37
2023/12/12 01:33:38 stderr  Invalid `this.prisma.oAuthUser.create()` invocation in
2023/12/12 01:33:38 stderr  [Nest] 40  - 12/12/2023, 1:33:38 AM   ERROR [ExceptionsHandler]  

According to this documentation it looks like the Authorization scope and the Username claim has to be set Client side.

Can someone help me figure this out?

[zz5840]

This appears to be due to the provider not following the specification. According to the OpenID Connect specification here, a name should be provided to be used as user's display name. Which OpenID provider are you using?

[Simandre]

I'm using Synology SSO, but I did not find any settings to check what is correctly given. I do stumble upon the same problem with the docker image of FreshRSS, that I was able to solve:

  freshrss:
    image: freshrss/freshrss:latest
    environment:
      # See https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html
      OIDC_ENABLED: 1
      OIDC_PROVIDER_METADATA_URL: •••
      OIDC_CLIENT_ID: •••
      OIDC_CLIENT_SECRET: ••• 
      OIDC_CLIENT_CRYPTO_KEY: •••
      OIDC_REMOTE_USER_CLAIM: username  # <-
      OIDC_SCOPES: openid # <-
      OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto

So, if I understand you correctly, I was able to make it work with this image because I specified to the client which claim member from the server to use as to reconcile the user to ; but in the case of Pingvin it's using default members that is not provided by the server, isn't it? If it's the case, why I was able to fix using username as the member to claim, but here the member is not given via the providedUsername member?

[zz5840]

Yes, I'll add a claim config soon.

[Simandre]

Quick follow up:

I was able to add the required member, and bind my user (not admin) account to my provider account and be logged in.

To be nit-picky:

• on the logging screen, it opens a new tab/window that resolve to the same page once logged — that makes the previous tab useless, it could be nice to stay on the same tab.
• not in the translation system yet.
• otherwise works like a charm so far — you rock! 💯

[zz5840]

@stonith404 I have no idea why the translation doesn't work. Could you check it?

[stonith404]

@zz5840 @Simandre Oh, I forgot to merge the Crowdin (translation tool) pull request before releasing. It will be fixed in the next release.