Failing to log in with OIDC in the mobile app

I’m trying to log in to the mobile app with OIDC, but I’m running into this error after pressing Login with Frontend and authorizing the app from Authelia.

I’d be happy to provide the rest of the error, if it’s possible to view the logs.

This is my Authelia configuration for Vikunja:

identity_providers:
  oidc:
    clients:
      - client_name: "Vikunja"
        client_id: REDACTED
        client_secret: REDACTED
        public: false
        authorization_policy: 'one_factor'
        redirect_uris:
          - "https://tasks.haddock.cc/auth/openid/authelia"
        scopes:
          - "openid"
          - "email"
          - "profile"

This is my Vikunja OIDC configuration:

auth:
  local:
    enabled: false
  openid:
    enabled: true
    redirecturl: "https://tasks.haddock.cc/auth/openid/"
    providers:
    - name: "Authelia"
      authurl: "https://auth.haddock.cc"
      clientid: "REDACTED"
      clientsecret: "REDACTED"

I’m not using the mobile application, but I see 2 login buttons in the screenshot:

  • Login
  • Login with Frontend

I guess one is for local auth and the other is for OIDC.
According to your configuration, you have the local authentication disabled. Maybe the button Login with Frontend is for local authentication?

I don’t think so. Login with Frontend, I think, is for OIDC, because it will redirect you to your OIDC provider, whereas the normal login form won’t.

Ok. I have the same configuration for integration with Authelia and it’s working fine in a web browser. So I guess it’s more an issue related to the mobile app. I need to try.

Depending on how Authelia is set up, you may try ^/api/.* in Unauthorized Paths or similar. I have to do this for my Firefly iii abacus app through Authentik.

Edit: corrected Regex for path, and name of field

What do you mean by Unauthorized Access?

After reviewing my configs, this goes in your proxy provider (if applicable).

Unauthorized Paths, my mistake; screenshot of the UI below:

This is a common issue with a lot of third-party apps. If this doesn’t work, try removing the ^ (i.e. /api/.*). Be sure to include the period, as this is using regex.

I just downloaded the latest release and tested the flow through Authentik.
I tested and was able to duplicate your error with Authentik, so I added my first suggestion to Unauthorized Paths with the same outcome.

I can confirm working order with the following:

  • under Advanced protocol settings go to Unauthorized Paths and enter:
    • /api/.*

I am also using Nginx Proxy Manager with a custom Advanced Settings setup. I can make a full post about this if it would be helpful.

Some blind DDG’ing led me to Authelia’s Access Control config page; it looks like you may be able to use the resources option to do about the same thing, something like the following:

    resources:
    - '/api.*'

or

    resources:
    - '^/api.*'

Not sure if this is something you use, but it seems to be the solution.

Interesting, will that allow me to log in with my OIDC provider in the Android app, or do I have to log in with a local account?


Yep! Your config looks similar to mine. Just use the Login with Frontend option; this redirected me to Authentik, then to my frontend, which has my login with Authentik button, which then obtains and passes creds to the app. It seems a bit repetitive at first, but makes sense given that it’s a custom frontend.

Tip: if you use a security key for securing your provider, you will need to set up TOTP as well; the app doesn’t seem to pass the approval for my YubiKey.

Posting from mobile (iOS), so apologies, I don’t have screenshots to share currently for a better explanation.


Thank you so much, that worked!

This is what I ended up with in my Authelia configuration file:

access_control:
  default_policy: deny
  rules:
  - domain: tasks.example.com
    policy: bypass
    resources:
    - /api.*
  # This one has to go second, so it doesn't override the first rule
  - domain: '*.example.com'
    policy: one_factor
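To see why the comment about rule order matters, and what the unanchored `/api.*` pattern actually matches, here is an added example (not from the thread or from Authelia itself) that models Authelia's first-match rule evaluation in Python. The domain wildcard and resource matching are a simplified model of Authelia's semantics, and the hostnames are the example.com placeholders used in the post above.

```python
import re

# Constructed model of the access_control rules from the final config in the
# thread (example.com placeholders as posted, not real hosts). Rule order is
# significant: the first rule whose domain and resources both match decides.
RULES = [
    {"domain": "tasks.example.com", "policy": "bypass", "resources": [r"/api.*"]},
    {"domain": "*.example.com", "policy": "one_factor"},
]
DEFAULT_POLICY = "deny"


def domain_matches(rule_domain, host):
    """Exact host match, or a leading '*.' wildcard matching any subdomain."""
    if rule_domain.startswith("*."):
        return host.endswith(rule_domain[1:])
    return host == rule_domain


def resolve_policy(host, path, rules=RULES, default=DEFAULT_POLICY):
    """Return the policy of the first rule matching host and path.

    A rule without `resources` matches every path on its domain. Resource
    patterns are searched, not anchored, so '/api.*' also matches a path such
    as '/docs/api-howto'; use '^/api/' when only the API prefix should bypass.
    """
    for rule in rules:
        if not domain_matches(rule["domain"], host):
            continue
        resources = rule.get("resources")
        if resources and not any(re.search(p, path) for p in resources):
            continue
        return rule["policy"]
    return default


def order_matters(path, host="tasks.example.com"):
    """Policy for `path` with the rules as posted versus with them swapped."""
    return resolve_policy(host, path), resolve_policy(host, path, rules=RULES[::-1])


if __name__ == "__main__":
    for host, path in [
        ("tasks.example.com", "/api/v1/login"),    # bypass: the app reaches the API directly
        ("tasks.example.com", "/"),                # one_factor: web UI still behind Authelia
        ("tasks.example.com", "/docs/api-howto"),  # bypass too, because '/api.*' is unanchored
        ("other.example.com", "/api/v1/info"),     # one_factor: bypass is scoped to one host
        ("tasks.example.net", "/api/v1/info"),     # deny: no rule matches, default applies
    ]:
        print(f"{host}{path:<20} -> {resolve_policy(host, path)}")
    print("swapped rule order for /api/v1/login:", order_matters("/api/v1/login"))
```

Running it shows that with the wildcard rule placed first, `/api/v1/login` would resolve to one_factor and the mobile app's API calls would be challenged by Authelia again.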

I am running into the same situation with Keycloak.
I tried setting domain.com/api* as a valid redirect URI, but that did not work.