Link Authentik login to existing username/accounts

Hello,

I was able to get Authentik OpenID set up by following the guide, and mapping a config.yml with the information into my docker under the api section.

However, when I click ‘Log in with Authentik login’, it logs me in as ‘authentik Default Admin’, not my usual/default user. How can I link the SSO login to my own previously existing user?

Users are individual per login provider. For Vikunja, a local user and a user from a third-party provider are completely separate.

You could solve this by setting the user id of the openid user to the id of the local user you created earlier and then delete the local user. Make a backup before doing this!

Thank you, that makes sense. As far as I understand I make the ‘authentik’ user my ‘main’ user then delete the local (they’re both me, and I’m the only user, so it’s no big deal).

Unfortunately, ‘authentik login’ has now disappeared from my login page (local login still works as expected). I’m not sure what’s changed and it looks like I have some troubleshooting to do.

I manually added a config.yaml into my compose using the following:

```yaml
  api:
    volumes:
      - /opt/appdata/vikunja/config.yml:/etc/vikunja/config.yml
```

and the /opt/appdata/vikunja/config.yaml as:

```yaml
auth:
  # Local authentication will let users log in and register (if enabled) through the db.
  # This is the default auth mechanism and does not require any additional configuration.
  local:
    # Enable or disable local authentication
    enabled: true
  # OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.
  # The provider needs to support the `openid`, `profile` and `email` scopes.
  # **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
  # If the email is not public in those cases, authenticating will fail.
  # **Note 2:** The frontend expects to be redirected after authentication by the third party
  # to <frontend-url>/auth/openid/<auth key>. Please make sure to configure the redirect url with your third party
  # auth service accordingly if you're using the default Vikunja frontend.
  # Take a look at the [default config file](https://github.com/go-vikunja/api/blob/main/config.yml.sample) for more information about how to configure openid authentication.
  openid:
    # Enable or disable OpenID Connect authentication
    enabled: true
    # A list of enabled providers
    providers:
      # The name of the provider as it will appear in the frontend.
      - name: "authentik Login"
        # The auth url to send users to if they want to authenticate using OpenID Connect.
        authurl: https://auth.[my domain]/application/o/vikunja/
        # The client ID used to authenticate Vikunja at the OpenID Connect provider.
        clientid: [redacted]
        # The client secret used to authenticate Vikunja at the OpenID Connect provider.
        clientsecret: [redacted]
```

Does Authentik show up at /api/v1/info on your instance?

If it doesn’t, there should be an error message on startup of the api.

Interesting, it does, but my ‘providers’ now appears blank:

```json
{
  "version": "v0.21.0",
  "frontend_url": "https://todo.[mydomain]/",
  "motd": "",
  "link_sharing_enabled": true,
  "max_file_size": "20MB",
  "registration_enabled": false,
  "available_migrators": ["vikunja-file", "ticktick", "todoist"],
  "task_attachments_enabled": true,
  "enabled_background_providers": ["upload"],
  "totp_enabled": true,
  "legal": {"imprint_url": "", "privacy_policy_url": ""},
  "caldav_enabled": true,
  "auth": {
    "local": {"enabled": true},
    "openid_connect": {
      "enabled": true,
      "redirect_url": "https://todo.[mydomain]/auth/openid/",
      "providers": []
    }
  },
  "email_reminders_enabled": true,
  "user_deletion_enabled": true,
  "task_comments_enabled": true
}
```

I did not edit or change the part after “providers” here (I only removed my domain in the other lines); that’s literally how it appears on the /api screen.

If you restart the api and access the /info endpoint again, is there anything in the logs?

I used docker restart vikunja-api (= the service name I gave it in compose) and visited /api/v1/info in my browser = no change. I’m not sure where to find any additional logs, I’m new to Vikunja (and self-hosting) so I’m learning as I go.

docker logs vikunja-api or docker compose logs should give you the logs. You can also use -f and it will show you logs as they happen.

Ah thanks, I do indeed see an error:

```
⇨ http server started on [::]:3456
2023-10-31T12:27:56.82182832Z: ERROR    ▶ openid/GetAllProviders 0ab Error while getting openid provider authentik Login: 404 Not Found: 
```

Edit: in follow-up, this looks like something on the Authentik side, so I just deleted everything there and re-followed the steps in the instructions. I can see ‘Authentik Login’ on my login screen now, and will proceed to your posted solution to make that my default user and delete the local. Thanks for all the help!

Ok, I followed these steps: logged in to Vikunja via Authentik, which created a user called authentik Default Admin, changed it to my name, then logged out, logged back in as local and deleted my account. I also disabled local account login in the config.yml.

However, now when I log in with Authentik, my name keeps defaulting to authentik Default Admin.

The name is pulled from authentik iirc, you might want to change it there.

While I’m following up there, I restarted Vikunja from scratch and created my user with Authentik login. Interestingly, in the Vikunja CLI, using:

```
docker exec -it vikunja-api /app/vikunja/vikunja user list
```

It outputs the correct username and email that were forwarded by Authentik:

So it does look like the right info is perhaps getting to Vikunja!

This is the same info as my local user (same user, same email) but they were separate users. Any other ones I had created along the way messing with Authentik all appeared to have their own x-y-z names automatically generated by Vikunja in the user list (which is why I just ended up deleting everything and starting from scratch).

Are you talking about the username or the display name? Those are two different names.

Sorry yes, when I log into the Vikunja webui my name shows up as authentik default admin and when I change it in the settings of the webui, it saves, but then reverts back to authentik default admin when I log out and log back in.

In the CLI, I took a look at the existing users; the username and email created by Authentik login within the CLI are both correct.

Sorry for the confusion, I should clarify my issue is with the display name in the webui, and I discovered that the username and user email are correct when an account is created with Authentik.

That was done on purpose. You need to change the display name in Authentik.

Thanks again and for your patience, I was confused because I thought my name was set in Authentik, but I was incorrect. There is indeed both a username and a separate display name there too. I had not changed the display name field, just the username. I was confounding the two as the same thing.

In Authentik, go to Directory/Users/your username, then Edit. Then change the second line, ‘Name’:

I have an identical config.yml that returns:

```json
"openid_connect":{"enabled":false,"providers":null}
```

Just started implementing this today, using the unstable build, any tips?

Edit: decided to RTFM and will try adding scopes to my Authentik and report back.

Second edit: adding vikunja_scopes etc. did not work. Here is my config:

Config.yml

```yaml
service:
  # The public facing URL where your users can reach Vikunja. Used in emails and for the communication between api and frontend.
  publicurl: "https://tld"
  rootpath: "/etc/vikunja/"
log:
  # A folder where all the logfiles should go.
  path: <rootpath>logs
  # Whether to show any logging at all or none
  enabled: true
  # Where the normal log should go. Possible values are stdout, stderr, file or off to disable standard logging.
  standard: "stdout"
  # Change the log level. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
  level: "DEBUG"
  # Whether or not to log database queries. Useful for debugging. Possible values are stdout, stderr, file or off to disable database logging.
  database: "stdout"
  # The log level for database log messages. Possible values (case-insensitive) are CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG.
  databaselevel: "DEBUG"
  # Whether to log http requests or not. Possible values are stdout, stderr, file or off to disable http logging.
  http: "stdout"
  # Echo has its own logging which usually is unnecessary, which is why it is disabled by default. Possible values are stdout, stderr, file or off to disable standard logging.
  echo: "stdout"
  # Whether or not to log events. Useful for debugging. Possible values are stdout, stderr, file or off to disable events logging.
  events: "stdout"
  # The log level for event log messages. Possible values (case-insensitive) are ERROR, INFO, DEBUG.
  eventslevel: "DEBUG"
  # Whether or not to log mail log messages. This will not log mail contents. Possible values are stdout, stderr, file or off to disable mail-related logging.
  mail: "off"
  # The log level for mail log messages. Possible values (case-insensitive) are ERROR, WARNING, INFO, DEBUG.
  maillevel: "info"
cors:
  enable: true
  origins:
    - "*"
migration:
  todoist:
    # Whether to enable the todoist migrator or not
    enable: true
    # The client id, required for making requests to the todoist api
    # You need to register your vikunja instance at https://developer.todoist.com/appconsole.html to get this
    clientid: <scrubbed>
    # The client secret, also required for making requests to the todoist api
    clientsecret: <scrubbed>
    # The url where clients are redirected after they authorized Vikunja to access their todoist items.
    # This needs to match the url you entered when registering your Vikunja instance at todoist.
    # This is usually the frontend url where the frontend then makes a request to /migration/todoist/migrate
    # with the code obtained from the todoist api.
    # Note that the vikunja frontend expects this to be /migrate/todoist
    redirecturl: <frontend url>/migrate/todoist

auth:
  # Local authentication will let users log in and register (if enabled) through the db.
  # This is the default auth mechanism and does not require any additional configuration.
  local:
    # Enable or disable local authentication
    enabled: false
  # OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.
  # The provider needs to support the `openid`, `profile` and `email` scopes.
  # **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
  # If the email is not public in those cases, authenticating will fail.
  # **Note 2:** The frontend expects to be redirected after authentication by the third party
  # to <frontend-url>/auth/openid/<auth key>. Please make sure to configure the redirect url with your third party
  # auth service accordingly if you're using the default Vikunja frontend.
  # Take a look at the [default config file](https://github.com/go-vikunja/api/blob/main/config.yml.sample) for more information about how to configure openid authentication.
  openid:
    # Enable or disable OpenID Connect authentication
    enabled: true
    # A list of enabled providers
    providers:
      # The name of the provider as it will appear in the frontend.
      - name: "authentik Login"
        # The auth url to send users to if they want to authenticate using OpenID Connect.
        authurl: https://<Authentik URL>/application/o/vikunja/
        logouturl: https://<Authentik URL>/application/o/vikunja/end-session/
        # The client ID used to authenticate Vikunja at the OpenID Connect provider.
        clientid: <client ID>
        # The client secret used to authenticate Vikunja at the OpenID Connect provider.
        clientsecret: <client secret>
        scope: openid email profile vikunja_scope
# Prometheus metrics endpoint
metrics:
  # If set to true, enables a /metrics endpoint for prometheus to collect metrics about Vikunja. You can query it from `/api/v1/metrics`.
  enabled: true
  # If set to a non-empty value the /metrics endpoint will require this as a username via basic auth in combination with the password below.
  username:
  # If set to a non-empty value the /metrics endpoint will require this as a password via basic auth in combination with the username below.
  password:
```

I have everything proxied through NGINX Proxy Manager, and it works: I get a redirect when going to <frontend url> that takes me to Authentik, which then drops me off at the login page (though I have it disabled in my config).

Running version: v0.24.1-20-784cd42a7a

Edit 3: after checking the logs, it looks like I had a syntax error. Now I get the proper “login with authentik” but get ‘Could not authenticate against third party.’ when authenticating.

logs reflect the following:

```
vikunja-1  | 2024-07-25T18:46:58.823746474Z: ERROR      ▶ openid/HandleCallback 104 oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"
```

Final edit: I messed up my clientid when pasting.

@kolaente how can it actually be done? I am not sure how to set the user id of the openid user to the id of the local user.

You’d need to edit the user in the database, with a query like `update users set id = foo where username = 'bar';` (Make a backup before running this.)
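The database step described in the replies above (give the OpenID user the local user's id, then drop the local user), as an added example that is not from this thread or from the Vikunja code base. It assumes only a `users` table with `id` and `username` as named above; the `issuer` column, the `tasks` table with `created_by_id`, and the sample rows are constructed for the demonstration and are not Vikunja's real schema.

```python
import sqlite3

# Constructed toy schema. The thread names only users.id and users.username;
# `issuer`, the tasks table and created_by_id are assumed here to show what
# the merge achieves. This is not Vikunja's real schema.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, issuer TEXT);
CREATE TABLE tasks (id INTEGER PRIMARY KEY, title TEXT, created_by_id INTEGER);
"""

def seed(conn):
    """Constructed sample data: a local user who owns tasks, a fresh SSO user."""
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'local')")
    conn.execute("INSERT INTO users VALUES (7, 'alice-sso', 'https://auth.example')")
    conn.execute("INSERT INTO tasks VALUES (10, 'Buy milk', 1)")
    conn.execute("INSERT INTO tasks VALUES (11, 'Renew cert', 1)")
    conn.commit()

def relink(conn, local_username, openid_username):
    """Move the OpenID user onto the local user's id so every row referencing
    that id (tasks, shares, ...) now belongs to the SSO login. Returns the id."""
    ids = {name: uid for uid, name in conn.execute(
        "SELECT id, username FROM users WHERE username IN (?, ?)",
        (local_username, openid_username))}
    if len(ids) != 2:
        raise LookupError("both the local and the OpenID user must exist")
    old_id, new_id = ids[openid_username], ids[local_username]
    # Delete first: id is the primary key, so the update would fail with an
    # integrity error while the local row still exists. `with conn` commits
    # both statements together or rolls both back on any error.
    with conn:
        conn.execute("DELETE FROM users WHERE id = ?", (new_id,))
        conn.execute("UPDATE users SET id = ? WHERE id = ?", (new_id, old_id))
    return new_id

def tasks_of(conn, user_id):
    """Titles of the tasks created by user_id, in insertion order."""
    return [t for (t,) in conn.execute(
        "SELECT title FROM tasks WHERE created_by_id = ? ORDER BY id", (user_id,))]

def demo():
    """Run the merge on an in-memory database and report what changed."""
    conn = sqlite3.connect(":memory:")
    seed(conn)
    before = tasks_of(conn, 7)  # the SSO user owns nothing yet
    new_id = relink(conn, "alice", "alice-sso")
    users = conn.execute("SELECT id, username, issuer FROM users").fetchall()
    return {"new_id": new_id, "before": before,
            "after": tasks_of(conn, new_id), "users": users}
```

Against a real instance, point the connection at a backup copy of the database first and confirm `demo()`-style checks on the task ownership before touching the live file.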