I was able to get Authentik OpenID set up by following the guide, and mapping a config.yml with the information into my docker under the api section.
However, when I click ‘Log in with Authentik login’, it logs me in as ‘authentik Default Admin’, not my usual/default user. How can I link the SSO login to my own previously existing user?
Users are individual per login provider. For vikunja, a local user and a user from a third party with provider are completely separate.
You could solve this by setting the user id of the openid user to the id of the local user you created earlier and then delete the local user. Make a backup before doing this!
Thank you, that makes sense. As far as I understand I make the ‘authentik’ user my ‘main’ user then delete the local (they’re both me, and I’m the only user, so it’s no big deal).
Unfortunately, ‘authentik login’ has now disappeared from my login page (local login still works as expected). I’m not sure what’s changed and it looks like I have some troubleshooting to do.
I manually added a config.yaml into my compose using the following:
and the /opt/appdata/vikunja/config.yaml as:
# Local authentication will let users log in and register (if enabled) through the db.
# This is the default auth mechanism and does not require any additional configuration.
# Enable or disable local authentication
# OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.
# The provider needs to support the `openid`, `profile` and `email` scopes.
# **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
# If the email is not public in those cases, authenticating will fail.
# **Note 2:** The frontend expects to be redirected after authentication by the third party
# to <frontend-url>/auth/openid/<auth key>. Please make sure to configure the redirect url with your third party
# auth service accordingly if you're using the default Vikunja frontend.
# Take a look at the [default config file](https://github.com/go-vikunja/api/blob/main/config.yml.sample) for more information about how to configure openid authentication.
# Enable or disable OpenID Connect authentication
# A list of enabled providers
# The name of the provider as it will appear in the frontend.
- name: "authentik Login"
# The auth url to send users to if they want to authenticate using OpenID Connect.
authurl: https://auth.[my domain]/application/o/vikunja/
# The client ID used to authenticate Vikunja at the OpenID Connect provider.
# The client secret used to authenticate Vikunja at the OpenID Connect provider.
Does Authentik show up at /api/v1/info on your instance?
If it doesn’t, there should be an error message on startup of the api.
Interesting it does but my ‘providers’ now appears blank:
after “providers”:}}, I did not edit or change that here (I only removed my domain in the other lines), that’s literally how it appears on the /api screen.
If you restart the api and access the /info endpoint again, is there anything in the logs?
docker restart vikunja-api (= the service name I gave it in compose) and visited /api/v1/info in my browser = no change. I’m not sure where to find any additional logs, I’m new to Vikunja (and self-hosting) so I’m learning as I go.
docker logs vikunja-api or docker compose logs should give you the logs. You can also use -f and it will show you logs as they happen.
Ah thanks, I do indeed see an error:
⇨ http server started on [::]:3456
2023-10-31T12:27:56.82182832Z: ERROR ▶ openid/GetAllProviders 0ab Error while getting openid provider authentik Login: 404 Not Found:
Edit: in follow-up, this looks like something on the Authentik side, so I just deleted everything there and re-followed the steps in the instructions. I can see ‘Authentik Login’ on my login screen now, and will proceed to your posted solution to make that my default user and delete the local. Thanks for all the help!
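An added example, not part of the thread or of Vikunja's code: a pre-flight check for the `authurl` value that explains a 404 like the one in the log above. It assumes Vikunja resolves the provider through standard OIDC Discovery under `authurl`; the host, endpoints and sample document are constructed placeholders.

```python
import json
import urllib.error
import urllib.request

REQUIRED_SCOPES = {"openid", "profile", "email"}  # scopes named in the config comments
REQUIRED_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(authurl):
    """OIDC Discovery metadata lives directly under the issuer URL."""
    return authurl.rstrip("/") + "/.well-known/openid-configuration"

def fetch(authurl, timeout=5):
    """Return (status, body) for the discovery document; HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(discovery_url(authurl), timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def check_provider(authurl, status, body):
    """Return a list of problems; an empty list means discovery looks usable."""
    if status != 200:
        return [f"discovery returned HTTP {status}; check the application slug in authurl"]
    try:
        doc = dict(json.loads(body))
    except (ValueError, TypeError):
        return ["discovery response is not a JSON object"]
    problems = []
    if doc.get("issuer") != authurl:  # the spec requires an exact match with the issuer URL
        problems.append(f"issuer {doc.get('issuer')!r} differs from authurl")
    problems += [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    scopes = doc.get("scopes_supported")  # optional in the spec; only judged when present
    if scopes is not None:
        missing = REQUIRED_SCOPES - set(scopes)
        if missing:
            problems.append("scopes not offered: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample data (placeholder host and endpoints, not taken from the thread).
AUTHURL = "https://auth.example.test/application/o/vikunja/"
GOOD_DOC = json.dumps({
    "issuer": AUTHURL,
    "authorization_endpoint": "https://auth.example.test/application/o/authorize/",
    "token_endpoint": "https://auth.example.test/application/o/token/",
    "jwks_uri": "https://auth.example.test/application/o/vikunja/jwks/",
    "scopes_supported": ["openid", "profile", "email"],
})

if __name__ == "__main__":
    print(check_provider(AUTHURL, 200, GOOD_DOC), check_provider(AUTHURL, 404, ""))
```

Against a live instance, `check_provider(url, *fetch(url))` runs the same checks on the real response.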
Ok, I followed these steps: logged in to Vikunja via Authentik, which created a user called authentik Default Admin, changed it to my name, then logged out, logged back in as local and deleted my account. I also disabled local account login in the config.yml.
However, now when I login with Authentik, my name keeps defaulting to authentik Default Admin.
The name is pulled from authentik iirc, you might want to change it there.
While I’m following up there, I restarted Vikunja from scratch and created my user with Authentik login. Interesting, in the Vikunja CLI using:
docker exec -it vikunja-api /app/vikunja/vikunja user list
It outputs the correct username and email that were forwarded by Authentik:
So it does look like the right info is perhaps getting to Vikunja!
This is the same info as my local user (same user, same email) but they were separate users. Any other ones I had created along the way messing with Authentik all appeared to have their own x-y-z names automatically generated by vikunja in the user list (which is why I just ended up deleting everything and starting from scratch).
Are you talking about the username or the display name? Those are two different names.
Sorry yes, when I log into the Vikunja webui my name shows up as authentik default admin and when I change it in the settings of the webui, it saves, but then reverts back to authentik default admin when I log out and log back in.
In the CLI, I took a look at the existing users, the username and email created by authentik login within the CLI are both correct.
Sorry for the confusion, I should clarify my issue is with the display name in the webui, and I discovered that the username and user email are correct when an account is created with Authentik.
That was done on purpose. You need to change the display name in Authentik.
Thanks again and for your patience, I was confused because I thought my name was set in Authentik, but I was incorrect. There is indeed both a username and a separate display name there too. I had not changed the display name field, just the username. I was confounding the two as the same thing.
In Authentik, go to Directory/Users/your username, edit. Then change the second line ‘Name’: