Can't get openid connect to work

Hi,

I have set up Vikunja using docker compose. Now I want to add openid connect. I understand that I have to do this through a config.yml file (which doesn’t seem to be included by default in the docker compose setup - so I have created a new one). This is being applied (as per the logs when I (re)start Vikunja) and, as I understand, overwrites anything that might be in the environment.

Using the sample config.yml file, I have edited in the configuration for my Keycloak instance and I have created a client in Keycloak.

But for the life of me, I can’t get the OIDC button to show up on the login page. The first clue I found is that when I look into the api info, the best I can do is get oidc enabled true but the providers will be empty (“”). To even get there, I had to tinker half an hour with the config file. What helped me was to remove all the comments in the auth section. With those comments, oidc enabled will show false.

Anyway, so oidc enabled now shows true but that’s it. I have tried with and without specifying the redirect url. I have tried setting values with and without quotation marks. I have tried various indentation changes. Nothing, absolutely nothing will get my Keycloak to show up (neither on the login page, nor in the api info page).

I see very few posts regarding setup issues but all of them seem to have gotten further than I have because they got the OIDC button to show up.

This is the auth section from my config.yml (anonymized):

auth:
  local:
    enabled: true
  openid:
    enabled: true
    redirecturl: https://vikunja.fqdn/auth/openid/
    providers:
      - name: Keycloak
        authurl: https://keycloak-fqdn/realms/realm1/protocol/openid-connect/auth
        logouturl: https://keycloak-fqdn/realms/realm1/protocol/openid-connect/logout
        clientid: vikunja
        clientsecret: xxx
        scope: openid email profile

Anyone who has/had this issue as well?

Thanks!

Hi @gitwittidbit ,

Your authurl is wrong. Vikunja expects the base URL of the realm (the issuer value of the OIDC metadata), see also the Keycloak example.

The value for you should be https://keycloak-fqdn/realms/realm1. Vikunja will then append /.well-known/openid-configuration and read the other URLs from there. I’ve done several changes to the docs for OpenID recently, I’ll propose another change to the docs and try to clarify a bit better. If you have any other feedback regarding the OIDC config, please let me know :slight_smile:
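The mix-up above (an endpoint URL pasted where the realm issuer belongs) is easy to catch before restarting the container. The script below is an added example for this thread, not Vikunja's or Keycloak's own code: it takes a provider entry shaped like the `auth.openid.providers` item in the config, derives the issuer and the discovery URL Vikunja would read, and compares the configured value against the `issuer` field of the discovery document. The discovery document here is a constructed dict standing in for what `/.well-known/openid-configuration` would return, so the check runs offline; the field names in it are the standard OIDC discovery keys.

```python
"""Sanity-check a Vikunja-style OIDC provider entry (added example, not project code)."""
from urllib.parse import urlsplit

# Keycloak endpoint paths that live under a realm. Any of these at the end
# of authurl means an endpoint was configured where the issuer belongs.
KEYCLOAK_ENDPOINT_SUFFIXES = (
    "/protocol/openid-connect/auth",
    "/protocol/openid-connect/token",
    "/protocol/openid-connect/logout",
    "/.well-known/openid-configuration",
)

# Constructed provider entries: the one from the question and the corrected one.
THREAD_PROVIDER = {
    "name": "Keycloak",
    "authurl": "https://keycloak-fqdn/realms/realm1/protocol/openid-connect/auth",
    "clientid": "vikunja",
    "scope": "openid email profile",
}
FIXED_PROVIDER = dict(THREAD_PROVIDER, authurl="https://keycloak-fqdn/realms/realm1")

# Constructed stand-in for the discovery document served by the realm.
CONSTRUCTED_METADATA = {
    "issuer": "https://keycloak-fqdn/realms/realm1",
    "authorization_endpoint": "https://keycloak-fqdn/realms/realm1/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak-fqdn/realms/realm1/protocol/openid-connect/token",
    "end_session_endpoint": "https://keycloak-fqdn/realms/realm1/protocol/openid-connect/logout",
    "jwks_uri": "https://keycloak-fqdn/realms/realm1/protocol/openid-connect/certs",
}


def issuer_from_authurl(authurl: str) -> str:
    """Strip a known Keycloak endpoint suffix so only the realm issuer remains."""
    url = authurl.rstrip("/")
    for suffix in KEYCLOAK_ENDPOINT_SUFFIXES:
        if url.endswith(suffix):
            return url[: -len(suffix)]
    return url


def discovery_url(issuer: str) -> str:
    """The URL Vikunja reads: issuer + /.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_provider(provider: dict, metadata: dict) -> list:
    """Return a list of problems; an empty list means the entry looks right.

    metadata is the parsed JSON that discovery_url(issuer) returns; a real
    deployment would fetch it, this example passes a constructed dict.
    """
    problems = []
    authurl = provider.get("authurl", "")
    if not authurl:
        return ["authurl is missing"]
    if urlsplit(authurl).scheme != "https":
        problems.append("authurl must use https; tokens and the client secret travel over it")
    issuer = issuer_from_authurl(authurl)
    if issuer != authurl.rstrip("/"):
        problems.append(f"authurl points at an endpoint; use the realm issuer {issuer}")
    # The issuer the provider advertises must equal the configured one byte for
    # byte (scheme, host, trailing slash), otherwise ID token validation fails.
    if metadata.get("issuer") != issuer:
        problems.append(f"discovery issuer {metadata.get('issuer')!r} != configured {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in metadata:
            problems.append(f"discovery document lacks {key}")
    if "openid" not in provider.get("scope", "").split():
        problems.append("scope must include openid for an OIDC login")
    return problems


if __name__ == "__main__":
    for label, entry in (("thread", THREAD_PROVIDER), ("fixed", FIXED_PROVIDER)):
        print(label, discovery_url(issuer_from_authurl(entry["authurl"])))
        print("  problems:", check_provider(entry, CONSTRUCTED_METADATA) or "none")
```

To use it against a live realm, fetch `discovery_url(issuer)` over TLS and pass the parsed JSON as `metadata`; the issuer comparison is the part worth keeping, since a scheme or trailing-slash mismatch between config and metadata is a common reason the provider never appears even when the endpoints themselves are reachable.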

Oh, thanks.

I did work with the Keycloak example but probably assumed that the two lines authurl and logouturl should have the same format (and “auto-completed” the authurl line :crazy_face:)

Now I do get the OIDC login button. :star_struck:


Understandably so. IMHO the attribute authurl is not named perfectly, it collides with the actual auth endpoint in OIDC. I’ve recommended some changes to the docs, hopefully that makes it more clear.