Create user with OpenID #1170

Closed
opened 2022-05-17 18:32:38 +00:00 by TheSander562 · 12 comments

Dear,

I would like the possibility to create new users with OpenID if registration is enabled.

It is not possible at this moment in Docker Unstable release.

Kind regards,
Sander Lambrechts

Owner

What do you mean by "create new users"? With openID, the users are created on the fly when logging in with openID if they don't already exist in Vikunja's database.

Author

Well, if that is the case. In the unstable version I can't get openID to work.
It keeps telling "Could not authenticate against third party."

Using same setup as my stable, only other subdomain, and tried adding 1 more redirect url in Authelia.

In the logs I can find:

```
2022-05-18T20:50:24.187866124Z: ERROR	▶ openid/HandleCallback 115 oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request."}
2022-05-17T18:30:43.865478277Z: WEB 	▶ 10.10.10.1  POST 400 /api/v1/auth/openid/homelab/callback 49.148225ms - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36 Edg/101.0.1210.47
```

The redirect uri I configured in Authelia:

```
redirect_uris:
- https://betaak.domain.nl/auth/openid/homelab
- https://betaak.domain.nl/auth/openid/
```

Vikunja config:

```
redirecturl: https://betaak.domain.nl/auth/openid/
providers:
- name: homelab
```

I don't know what I am doing wrong...

Owner

Did you set the name of the Authelia provider to `homelab` in Vikunja? The redirect URL needs to be `YOURDOMAIN/auth/openid/KEY` - the key is derived from the name you configured in Vikunja, check `/api/v1/info` for it.

If you take a look at the URL in authelia when getting redirected to login there, what redirect URL does it contain?

Author

The `/api/v1/info` shows this:

```
{"version":"v0.18.1+232-7b10176a10","frontend_url":"https://betaak.domain.nl","motd":"","link_sharing_enabled":true,"max_file_size":"20MB","registration_enabled":true,"available_migrators":["vikunja-file"],"task_attachments_enabled":true,"enabled_background_providers":["upload"],"totp_enabled":true,"legal":{"imprint_url":"","privacy_policy_url":""},"caldav_enabled":true,"auth":{"local":{"enabled":false},"openid_connect":{"enabled":true,"redirect_url":"auth/openid/","providers":[{"name":"homelab","key":"homelab","auth_url":"https://auth.domain.nl/api/oidc/authorization","client_id":"vikunjadev"}]}},"email_reminders_enabled":true,"user_deletion_enabled":true,"task_comments_enabled":true}
```

But I will check with /key behind the redirect url.

Owner

Did you configure the redirect URL in Vikunja's openid settings? Because the one in your snippet looks wrong, it should include the full frontend URL with domain and protocol.

Did you configure the frontend URL?

Author

```
auth:
  local:
    enabled: false
  openid:
    enabled: true
    redirecturl: https://betaak.domain.nl/auth/openid/homelab
    providers:
      - name: homelab
        authurl: https://auth.domain.nl
        clientid: vikunjadev
        clientsecret: secret
```

This is how I set it up now. With the key behind the url it still does not work; before I had the url with /auth/openid/

I see the other question now, this is my frontendurl:

```
frontendurl: "https://betaak.domain.nl"
```

Author

Also not related to this (can create separate issue for this):

```
2022-05-19T09:26:02.257376763Z: INFO	▶ cmd/func2 04e Vikunja version v0.18.1+232-7b10176a10
2022-05-19T09:26:02.258187748Z: CRITICAL	▶ routes/createRateLimiter 04f Unknown Rate limit store "keyvalue"
```

If I put keyvalue in the config instead of memory, it will generate this error. Setting all the values where keyvalue is used to say memory, it is working (and starting the api).
With this setting it doesn't even start the api container.

Owner

The auth url for the provider in Vikunja should be either `https://betaak.domain.nl/` or `https://betaak.domain.nl/auth/openid/` depending on your openid provider.

The redirect url configured _in Vikunja's config_ should be `https://betaak.domain.nl/auth/openid/` - Since you configured your frontend url the easiest would be to leave this setting empty and it will set it automatically.

Now, in your openID provider your allowed redirect url should be `https://betaak.domain.nl/auth/openid/homelab/`.

> Also not related to this (can create separate issue for this):

That looks like a different problem, please go ahead and create an issue.
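
Added example, not part of the original thread and not Vikunja or Authelia code: a small check for the question raised above, namely which `redirect_uri` the authorization request actually carries and whether it matches a registered value under exact string comparison (assumed here for the IdP). The request URLs and the `state` value are constructed, the relative variant assumes the provider key is appended to the `redirect_url` shown by `/api/v1/info`, and all function names are hypothetical.

```python
from urllib.parse import parse_qs, urlsplit

# redirect_uris registered for the client at the IdP, as posted in the thread.
REGISTERED = [
    "https://betaak.domain.nl/auth/openid/homelab",
    "https://betaak.domain.nl/auth/openid/",
]

# Constructed authorization-request URLs (not captured traffic); the state
# value and the redirect_uri variants are made up for illustration.
BASE = ("https://auth.domain.nl/api/oidc/authorization"
        "?client_id=vikunjadev&response_type=code&scope=openid&state=xyz")
RELATIVE = BASE + "&redirect_uri=auth%2Fopenid%2Fhomelab"
EXACT = BASE + "&redirect_uri=https%3A%2F%2Fbetaak.domain.nl%2Fauth%2Fopenid%2Fhomelab"
SLASH = BASE + "&redirect_uri=https%3A%2F%2Fbetaak.domain.nl%2Fauth%2Fopenid%2Fhomelab%2F"


def redirect_uri_of(authorize_url):
    """Return the decoded redirect_uri parameter, or None if it is absent."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    return values[0] if values else None


def classify(redirect_uri, registered):
    """Judge a redirect_uri as an IdP using exact string comparison would."""
    if redirect_uri is None:
        return "missing"
    parts = urlsplit(redirect_uri)
    if not parts.scheme or not parts.netloc:
        return "relative"  # lacks protocol and domain
    if redirect_uri in registered:
        return "match"
    if redirect_uri.rstrip("/") in {r.rstrip("/") for r in registered}:
        return "trailing-slash-mismatch"
    return "unregistered"


def token_request_consistent(authorize_uri, token_uri):
    """True when the token request repeats the authorize request's value verbatim."""
    return authorize_uri is not None and authorize_uri == token_uri


if __name__ == "__main__":
    for url in (RELATIVE, EXACT, SLASH):
        uri = redirect_uri_of(url)
        print(f"{classify(uri, REGISTERED):24} {uri}")
```

`token_request_consistent` covers the second half of the `invalid_grant` message in the log: the value sent to the token endpoint has to equal the one from the authorize request.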

Owner

As it turns out, there was indeed a problem in how the redirect url was set in config. This should be fixed with f5ebada913, could you check with the latest unstable version once the CI released the new unstable version in ~30 min?

Author

Alright, will check it now. Thank you.

Author

Great, it is fixed now. Got it working by using this config:

In my openID provider my allowed redirect url is now (without it wouldn't work): `https://betaak.domain.nl/auth/openid/homelab/`

And the redirecturl in Vikunja config is: `https://betaak.domain.nl/auth/openid/`

Owner

Great it works now!

Reference: vikunja/vikunja#1170