OpenID redirect never occurs #1036

Open
opened 7 months ago by s87651 · 14 comments
s87651 commented 7 months ago

I've setup Vikunja API and Client on my server, and it's configured to use my OpenID provider, Authentik.

On previous stable versions, I was actually able to login, before performing any action would subsequently get me kicked out, and logging in again immediately wouldn't work. I could check back then that calls to the API to login would stall out for an entire minute before getting dropped. They did seem to reach the server from the Vikunja logs, but it did not appear to want to give a proper response back to the client.

I'm now on unstable for both the API and Client, and logging in from the OpenID provider gets directed to a page with just the MOTD on it. Attempting to navigate to any of the servicable parts of client would just prompt you to login again. Unfortunately checking logs for the API shows that no request was even possibly made, suggesting that the internal router may just be dropping it, or the URL doesn't exist.

For instance it is redirecting to https://sub.domain.tld/auth/openid/..., but both the the API claims it's never reached, so I assume it's something with the URL.

I've setup Vikunja API and Client on my server, and it's configured to use my OpenID provider, Authentik. On previous stable versions, I was actually able to login, before performing any action would subsequently get me kicked out, and logging in again immediately wouldn't work. I could check back then that calls to the API to login would stall out for an entire minute before getting dropped. They did seem to reach the server from the Vikunja logs, but it did not appear to want to give a proper response back to the client. I'm now on unstable for both the API and Client, and logging in from the OpenID provider gets directed to a page with just the MOTD on it. Attempting to navigate to any of the servicable parts of client would just prompt you to login again. Unfortunately checking logs for the API shows that no request was even possibly made, suggesting that the internal router may just be dropping it, or the URL doesn't exist. For instance it is redirecting to `https://sub.domain.tld/auth/openid/...`, but both the the API claims it's never reached, so I assume it's something with the URL.
konrad added the
kind/bug
label 7 months ago
Owner

When you get redirected to the client where it shows just the motd, what does that look like?

Are there any errors in the browser console at that point?

Are you using openid as the only auth provider or do you have Vikunja's local auth still enabled?

When you get redirected to the client where it shows just the motd, what does that look like? Are there any errors in the browser console at that point? Are you using openid as the only auth provider or do you have Vikunja's local auth still enabled?
Poster

When you get redirected to the client where it shows just the motd, what does that look like?

It's just a page with the llama in the bottom right and the MOTD in the middle. Very blank with no additional information. I can screenshot it if you really want. From what I can tell it's literally just this page: https://kolaente.dev/vikunja/frontend/src/branch/main/src/components/home/contentNoAuth.vue

Are there any errors in the browser console at that point?

Nope. It's completely void of any errors, just warnings about fonts.

Are you using openid as the only auth provider or do you have Vikunja's local auth still enabled?

OpenID is enabled as the only auth provider, Local auth is completely disabled.

> When you get redirected to the client where it shows just the motd, what does that look like? It's just a page with the llama in the bottom right and the MOTD in the middle. Very blank with no additional information. I can screenshot it if you really want. From what I can tell it's literally just this page: https://kolaente.dev/vikunja/frontend/src/branch/main/src/components/home/contentNoAuth.vue > Are there any errors in the browser console at that point? Nope. It's completely void of any errors, just warnings about fonts. > Are you using openid as the only auth provider or do you have Vikunja's local auth still enabled? OpenID is enabled as the only auth provider, Local auth is completely disabled.
Owner

@s87651 Is this reproducable for you with the latest unstable version (api and frontend)?

What's your Vikunja openid and Authentik config?

I could not reproduce it.

@s87651 Is this reproducable for you with the latest unstable version (api and frontend)? What's your Vikunja openid and Authentik config? I could not reproduce it.
Poster

@konrad Yes, this is still reproducable and still happening with the latest unstable version on both.

My current Vikunja config is here:

auth:
    local:
        enabled: false
    openid:
        enabled: true
        redirecturl: 'https://todo.example.com/auth/openid/'
        providers:
        - name: "extprovider"
          authurl: 'https://authentik.example.com/application/o/vikunja/'
          clientid: "redacted client id"
          clientsecret: "redacted client secret"

Not really sure my Authentik config for the application matters since it's I just use the defaults.

@konrad Yes, this is still reproducable and still happening with the latest unstable version on both. My current Vikunja config is here: ```yaml auth: local: enabled: false openid: enabled: true redirecturl: 'https://todo.example.com/auth/openid/' providers: - name: "extprovider" authurl: 'https://authentik.example.com/application/o/vikunja/' clientid: "redacted client id" clientsecret: "redacted client secret" ``` Not really sure my Authentik config for the application matters since it's I just use the defaults.
Owner

What is the exact url in Vikunja where you get redirected to after logging in in Authentik?

What is the exact url in Vikunja where you get redirected to after logging in in Authentik?
Poster

I get redirected to https://todo.example.com/auth/openid/extprovider?code=redacted&state=redacted.

Occassionally (usually after app restart), I'll get logged in, but it won't be too soon after that my requests stop working and logging in will just get me stuck at that URL, or worse, I'll login with nothing working.

I get redirected to `https://todo.example.com/auth/openid/extprovider?code=redacted&state=redacted`. Occassionally (usually after app restart), I'll get logged in, but it won't be too soon after that my requests stop working and logging in will just get me stuck at that URL, or worse, I'll login with nothing working.
Owner

Could you open the network tab in the dev tools while trying to authenticate (you may need to enable "persist logs" to avoid requests getting cleared out while redirecting you to new pages), filter for xhr requests and check if there's a POST request to https://todo.example.com/api/v1/auth/openid/extprovider/callback? If there is such a request, what is its response? If not, anything in the browser logs?

btw how are you hosting?

Could you open the network tab in the dev tools while trying to authenticate (you may need to enable "persist logs" to avoid requests getting cleared out while redirecting you to new pages), filter for xhr requests and check if there's a `POST` request to `https://todo.example.com/api/v1/auth/openid/extprovider/callback`? If there is such a request, what is its response? If not, anything in the browser logs? btw how are you hosting?
Poster

If there is such a request, what is its response? If not, anything in the browser logs?

Looks like it fails with Status Code 504.

btw how are you hosting?

DigitalOcean Kubernetes Platform.

> If there is such a request, what is its response? If not, anything in the browser logs? Looks like it fails with Status Code 504. > btw how are you hosting? DigitalOcean Kubernetes Platform.
Owner

Looks like it fails with Status Code 504.

What's in the server logs? 504 indicates something is wrong with your proxy. It should have additional logging.

DigitalOcean Kubernetes Platform.

What's your config? (Vikunja, helm, proxy etc)

> Looks like it fails with Status Code 504. What's in the server logs? 504 indicates something is wrong with your proxy. It should have additional logging. > DigitalOcean Kubernetes Platform. What's your config? (Vikunja, helm, proxy etc)
Poster

Looks like it fails with Status Code 504.

What's in the server logs? 504 indicates something is wrong with your proxy. It should have additional logging.

As much as I'd like this to be the case, I do not believe it is. I have multiple applications setup on the cluster, using OpenID Connect with no issue, plus your own APIs on Vikunja are completely reachable and fine (even the callback URL returns if using OPTIONS). There seems to be some failure mode that isn't being handled or displayed in any of the logs, and this seems evident from the proxy logs when calling the request.

(logs from the proxy)

2021/12/16 13:42:43 [error] 175#175: *22956214 upstream timed out (110: Operation timed out) while reading response header from upstream, client: {Client IP Redacted}, server: todo.api.example.com, request: "POST /api/v1/auth/openid/extprovider/callback HTTP/2.0", upstream: "http://{Vikunja Internal Pod IP Redacted}:3456/api/v1/auth/openid/extprovider/callback", host: "todo.api.example.com", referrer: "https://todo.example.com/"

{Client IP Redacted} - - [16/Dec/2021:13:42:43 +0000] "POST /api/v1/auth/openid/extprovider/callback HTTP/2.0" 504 562 "https://todo.example.com/" "{User Agent}" 101 60.000 [{Pod Name}] [] {Vikunja Internal Pod IP Redacted}:3456 0 60.002 504 c604e5b440de1062b324d8225352904f

DigitalOcean Kubernetes Platform.

What's your config? (Vikunja, helm, proxy etc)

I'm not actually using Helm, I've set up the Deployments, Services, and Ingress as so. As for the proxy, I use the default NGINX Ingress Controll er that comes with Kubernetes, and the config for it is rather small.

apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  allow-snippet-annotations: 'true'
  compute-full-forwarded-for: 'true'
  enable-brotli: 'true'
  proxy-body-size: 756m
  use-forwarded-headers: 'true'
  use-proxy-protocol: 'true'

There is also a Load Balancer to ensure traffic reaches the cluster.

apiVersion: v1
kind: Service
metadata:
name: ingress-nginx-controller
namespace: ingress-nginx
annotations:
  service.beta.kubernetes.io/do-loadbalancer-hostname: authentik.example.com
spec:
ports:
  - name: http
    protocol: TCP
    appProtocol: http
    port: 80
    targetPort: http
    nodePort: 31690
  - name: https
    protocol: TCP
    appProtocol: https
    port: 443
    targetPort: https
    nodePort: 32090
type: LoadBalancer
sessionAffinity: None
externalTrafficPolicy: Cluster
> > Looks like it fails with Status Code 504. > > What's in the server logs? 504 indicates something is wrong with your proxy. It should have additional logging. As much as I'd like this to be the case, I do not believe it is. I have multiple applications setup on the cluster, using OpenID Connect with no issue, plus your own APIs on Vikunja are completely reachable and fine (even the callback URL returns if using OPTIONS). There seems to be some failure mode that isn't being handled or displayed in any of the logs, and this seems evident from the proxy logs when calling the request. (logs from the proxy) ``` 2021/12/16 13:42:43 [error] 175#175: *22956214 upstream timed out (110: Operation timed out) while reading response header from upstream, client: {Client IP Redacted}, server: todo.api.example.com, request: "POST /api/v1/auth/openid/extprovider/callback HTTP/2.0", upstream: "http://{Vikunja Internal Pod IP Redacted}:3456/api/v1/auth/openid/extprovider/callback", host: "todo.api.example.com", referrer: "https://todo.example.com/" {Client IP Redacted} - - [16/Dec/2021:13:42:43 +0000] "POST /api/v1/auth/openid/extprovider/callback HTTP/2.0" 504 562 "https://todo.example.com/" "{User Agent}" 101 60.000 [{Pod Name}] [] {Vikunja Internal Pod IP Redacted}:3456 0 60.002 504 c604e5b440de1062b324d8225352904f ``` > > DigitalOcean Kubernetes Platform. > > What's your config? (Vikunja, helm, proxy etc) I'm not actually using Helm, I've set up the Deployments, Services, and Ingress [as so](https://paste.rs/a43.yaml). As for the proxy, I use the default NGINX Ingress Controll er that comes with Kubernetes, and the config for it is rather small. ```yaml apiVersion: v1 kind: ConfigMap metadata: name: ingress-nginx-controller namespace: ingress-nginx data: allow-snippet-annotations: 'true' compute-full-forwarded-for: 'true' enable-brotli: 'true' proxy-body-size: 756m use-forwarded-headers: 'true' use-proxy-protocol: 'true' ``` There is also a Load Balancer to ensure traffic reaches the cluster. ```yaml apiVersion: v1 kind: Service metadata: name: ingress-nginx-controller namespace: ingress-nginx annotations: service.beta.kubernetes.io/do-loadbalancer-hostname: authentik.example.com spec: ports: - name: http protocol: TCP appProtocol: http port: 80 targetPort: http nodePort: 31690 - name: https protocol: TCP appProtocol: https port: 443 targetPort: https nodePort: 32090 type: LoadBalancer sessionAffinity: None externalTrafficPolicy: Cluster ```
Owner

Can you verify the Vikunja API container can reach authentik from within the container?

Can you verify the Vikunja API container can reach authentik from within the container?
Poster

Can you verify the Vikunja API container can reach authentik from within the container?

From the public URL it's given, yes it can, and does.

Keep in mind that by default, containers usally cannot reach other containers by their hostnames or local container IP. Which is what Vikunja seems to do occassionaly. So if you don't want this behavior to happen, you should always use the public URL and don't do a recursive resolve on it.

> Can you verify the Vikunja API container can reach authentik from within the container? From the public URL it's given, yes it can, and does. Keep in mind that by default, containers usally cannot reach other containers by their hostnames or local container IP. Which is what Vikunja seems to do occassionaly. So if you don't want this behavior to happen, you should always use the public URL and don't do a recursive resolve on it.
Owner

Keep in mind that by default, containers usally cannot reach other containers by their hostnames or local container IP. Which is what Vikunja seems to do occassionaly.

Vikunja itself never tries to resolve hosts or urls manually. That's all handled by the rest of the stack.

For the openid callback, it uses the url specified in the config.

Was there anything in the Vikunja API logs?

> Keep in mind that by default, containers usally cannot reach other containers by their hostnames or local container IP. Which is what Vikunja seems to do occassionaly. Vikunja itself never tries to resolve hosts or urls manually. That's all handled by the rest of the stack. For the openid callback, it uses the url specified in the config. Was there anything in the Vikunja API logs?

@konrad Yes, this is still reproducable and still happening with the latest unstable version on both.

My current Vikunja config is here:

auth:
    local:
        enabled: false
    openid:
        enabled: true
        redirecturl: 'https://todo.example.com/auth/openid/'
        providers:
        - name: "extprovider"
          authurl: 'https://authentik.example.com/application/o/vikunja/'
          clientid: "redacted client id"
          clientsecret: "redacted client secret"

Not really sure my Authentik config for the application matters since it's I just use the defaults.

Hello there, i had my problems in the past as well. But i fixed them with this config.
One note i need to say, i am using Authelia as OpenID provider, but maybe my fix can fix yours too.

This is what i configured to make it work:

auth:
  local:
    enabled: false
  openid:
    enabled: true
    redirecturl: https://taak.domain.nl/auth/openid/
    providers:
      - name: vikunja
        authurl: https://auth.domain.nl
        clientid: clientid
        clientsecret: clientsecret

You can see i have authurl: https://auth.domain.nl and you have https://authentik.example.com/application/o/vikunja/

Otherwise what else i see what you have and i dont, is the " " or ' '. I dont use that and my config works, so you could try removing them and check if it works with new url and without ''.

> @konrad Yes, this is still reproducable and still happening with the latest unstable version on both. > > My current Vikunja config is here: > ```yaml > auth: > local: > enabled: false > openid: > enabled: true > redirecturl: 'https://todo.example.com/auth/openid/' > providers: > - name: "extprovider" > authurl: 'https://authentik.example.com/application/o/vikunja/' > clientid: "redacted client id" > clientsecret: "redacted client secret" > ``` > > Not really sure my Authentik config for the application matters since it's I just use the defaults. Hello there, i had my problems in the past as well. But i fixed them with this config. One note i need to say, i am using Authelia as OpenID provider, but maybe my fix can fix yours too. This is what i configured to make it work: ```yaml auth: local: enabled: false openid: enabled: true redirecturl: https://taak.domain.nl/auth/openid/ providers: - name: vikunja authurl: https://auth.domain.nl clientid: clientid clientsecret: clientsecret ``` You can see i have authurl: https://auth.domain.nl and you have https://authentik.example.com/application/o/vikunja/ Otherwise what else i see what you have and i dont, is the " " or ' '. I dont use that and my config works, so you could try removing them and check if it works with new url and without ''.
Sign in to join this conversation.
No Milestone
No Assignees
3 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Loading…
There is no content yet.