My Vikunja won't read config.yml

I want to add OpenID to my Vikunja. Both Authentik and Vikunja are up and running.
This is my config.yml file:

auth:
  local:
    enabled: false
  openid:
    enabled: true
    redirecturl: "https://todo.mydomain.dom/auth/openid/"
    providers:
      - name: authentik
        authurl: "https://auth.mydomain.dom/application/o/vikunja"
        logouturl: "https://auth.mydomain.dom/application/o/vikunja/end-session/"
        clientid: "*************"
        clientsecret: "**************************"

I have put a config.yml file into /etc/vikunja/ first but it didn’t get read when executing docker compose up. Then I tried ~# .config/vikunja/ and restarted.
Again, https://todo.mydomain.dom/api/v1/info does not reflect that local auth is disabled and openid enabled.

I also tried adding the config to the environment in the docker-compose.yml file but it didn’t set authentik as a provider, just enabled openID and disabled local auth.

How can I make Vikunja read my config file?

Did you mount the config file into the container?

I have mounted the config via my docker-compose.yml. However, the list of providers in /api/v1/info stays empty:

{
    "version": "v0.24.0",
    "frontend_url": "https://todo.mydomain.dom",
    "motd": "",
    "link_sharing_enabled": true,
    "max_file_size": "20MB",
    "registration_enabled": true,
    "available_migrators": [
        "vikunja-file",
        "ticktick"
    ],
    "task_attachments_enabled": true,
    "enabled_background_providers": [
        "upload"
    ],
    "totp_enabled": true,
    "legal": {
        "imprint_url": "",
        "privacy_policy_url": ""
    },
    "caldav_enabled": true,
    "auth": {
        "local": {
            "enabled": false
        },
        "openid_connect": {
            "enabled": true,
            "providers": []
        }
    },
    "email_reminders_enabled": true,
    "user_deletion_enabled": true,
    "task_comments_enabled": true,
    "demo_mode_enabled": false,
    "webhooks_enabled": true,
    "public_teams_enabled": false
}

EDIT: I checked the “auth url” on my authentik. It shows the config for the issuer with all discovery data correctly it seems.

{
  "issuer": "https://auth.mydomain.dom/application/o/vikunja/",
  "authorization_endpoint": "https://auth.mydomain.dom/application/o/authorize/",
  "token_endpoint": "https://auth.mydomain.dom/application/o/token/",
  "userinfo_endpoint": "https://auth.mydomain.dom/application/o/userinfo/",
  "end_session_endpoint": "https://auth.mydomain.dom/application/o/vikunja/end-session/",
  "introspection_endpoint": "https://auth.mydomain.dom/application/o/introspect/",
  "revocation_endpoint": "https://auth.mydomain.dom/application/o/revoke/",
  "device_authorization_endpoint": "https://auth.mydomain.dom/application/o/device/",
  "response_types_supported": [
    "code",
    "id_token",
    "id_token token",
    "code token",
    "code id_token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "jwks_uri": "https://auth.mydomain.dom/application/o/vikunja/jwks/",
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit",
    "client_credentials",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "acr_values_supported": [
    "goauthentik.io/providers/oauth2/default"
  ],
  "scopes_supported": [
    "profile",
    "email",
    "openid"
  ],
  "request_parameter_supported": false,
  "claims_supported": [
    "sub",
    "iss",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "amr",
    "nonce",
    "email",
    "email_verified",
    "name",
    "given_name",
    "preferred_username",
    "nickname",
    "groups"
  ],
  "claims_parameter_supported": false,
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}
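Before suspecting the provider, it helps to check that the discovery document the issuer serves is consistent with the two values Vikunja gets from config.yml (`authurl` and `redirecturl`). The checker below is an added example, not code from the thread or from Vikunja or Authentik; the discovery document is a constructed, trimmed copy of the one posted above with the placeholder hosts kept, and the check names (`discovery_url`, `check_discovery`) are my own. It derives the `.well-known` URL the client fetches, compares the advertised `issuer` with `authurl` (trailing slash tolerated), requires the endpoints the authorization-code flow needs, and insists that every endpoint and the redirect URL use https.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the two config.yml values from the thread (placeholder hosts).
AUTHURL = "https://auth.mydomain.dom/application/o/vikunja"
REDIRECTURL = "https://todo.mydomain.dom/auth/openid/"

# Constructed sample: an abbreviated copy of the discovery document the issuer
# returns, trimmed to the fields the checks below look at.
DISCOVERY_JSON = """{
  "issuer": "https://auth.mydomain.dom/application/o/vikunja/",
  "authorization_endpoint": "https://auth.mydomain.dom/application/o/authorize/",
  "token_endpoint": "https://auth.mydomain.dom/application/o/token/",
  "userinfo_endpoint": "https://auth.mydomain.dom/application/o/userinfo/",
  "end_session_endpoint": "https://auth.mydomain.dom/application/o/vikunja/end-session/",
  "jwks_uri": "https://auth.mydomain.dom/application/o/vikunja/jwks/",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "scopes_supported": ["profile", "email", "openid"],
  "id_token_signing_alg_values_supported": ["RS256"]
}"""
SAMPLE_DOC = json.loads(DISCOVERY_JSON)

# Endpoints an authorization-code client needs, plus JWKS to verify ID-token signatures.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def discovery_url(authurl):
    """The URL a client fetches for the provider metadata (OpenID Connect Discovery)."""
    return authurl.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(authurl, redirecturl, doc):
    """Return human-readable problems; an empty list means the document is consistent with the config."""
    problems = []
    # The "iss" claim of every ID token is compared against the configured issuer,
    # so the advertised issuer must equal authurl up to a trailing slash.
    if doc.get("issuer", "").rstrip("/") != authurl.rstrip("/"):
        problems.append(f"issuer {doc.get('issuer')!r} does not match authurl {authurl!r}")
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            problems.append(f"missing {key}")
    # Codes and tokens travel over these endpoints; none of them may be plain http.
    for key, value in doc.items():
        if (key.endswith("_endpoint") or key == "jwks_uri") and urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("provider does not advertise the authorization_code grant")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("provider does not advertise the openid scope")
    # The redirect URL receives the authorization code; it must be https as well.
    if urlparse(redirecturl).scheme != "https":
        problems.append(f"redirecturl is not https: {redirecturl}")
    return problems


if __name__ == "__main__":
    print("would fetch:", discovery_url(AUTHURL))
    for problem in check_discovery(AUTHURL, REDIRECTURL, SAMPLE_DOC) or ["no problems found"]:
        print("-", problem)
```

In practice you would replace `DISCOVERY_JSON` with the document fetched from `discovery_url(AUTHURL)`; fetching it from inside the Vikunja container rather than from your workstation also tells you whether the container can reach the issuer at all.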

Can you please share your compose file?

Here you go. The path is /root/ because it's an LXC container.

version: '3'

services:
    vikunja:
        image: vikunja/vikunja
        environment:
            VIKUNJA_SERVICE_PUBLICURL: "https://todo.mydomain.dom"
            VIKUNJA_DATABASE_HOST: db
            VIKUNJA_DATABASE_PASSWORD: "*********"
            VIKUNJA_DATABASE_TYPE: mysql
            VIKUNJA_DATABASE_USER: vikunja
            VIKUNJA_DATABASE_DATABASE: vikunja
            VIKUNJA_SERVICE_JWTSECRET: "************"
        ports:
            - 3456:3456
        volumes:
            - ./files:/app/vikunja/files
            - /root/todo-app/config.yml:/etc/vikunja/config.yml
        depends_on:
            db:
                condition: service_healthy
        restart: unless-stopped
    db:
        image: mariadb:10
        command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
        environment:
            MYSQL_ROOT_PASSWORD: "***********"
            MYSQL_USER: vikunja
            MYSQL_PASSWORD: "***********"
            MYSQL_DATABASE: vikunja
        volumes:
            - ./db:/var/lib/mysql
        restart: unless-stopped
        healthcheck:
            test: ["CMD-SHELL", "mysqladmin ping -h localhost -u $$MYSQL_USER --password=$$MYSQL_PASSWORD"]
            interval: 2s
            start_period: 30s

May try the OpenID variables in your compose instead

I got the openID variables working, but you cannot add a provider in the compose file. It has to be a config.

First of all, setting most of the OpenID config via environment variables is not supported yet, it has to be the config.yml.

Try to mount it to /app/vikunja/config.yml within the container:

services:
    vikunja:
        volumes:
            - /root/todo-app/config.yml:/app/vikunja/config.yml

Does it work if you mount the config file into /app/vikunja/config.yml in the container?

There should be a log message when Vikunja starts about the config file it uses. What does that say?

I tried, but the providers are still shown as an empty list. I would suspect authentik, but the issuer url is online and shows everything needed. Really not sure what’s the issue here…

Anything in the logs?

2024-07-15T09:03:53.908344675Z: ERROR ▶ openid/GetAllProviders 0e1 Error while getting openid provider authentik: Get "https://auth.mydomain.dev/application/o/vikunja/.well-known/openid-configuration": dial tcp myIpaddress:443: connect: connection refused

Accessing the IP directly in my browser via https reveals that the certificate is invalid when calling the site via IP; the domain itself has it set up correctly. .dev TLDs have https enforced by default. HOWEVER, when I try it via https and click “ignore” on the error page, I get forwarded to my authentik login site. Can I tell Vikunja to skip this cert warning somehow?

No, you can’t. You need to fix your certs.

(Theoretically, you can use a self-signed certificate and import the root ca into your OS-Level trust store, then Vikunja should use that as well - that’s not supported with Docker though)

The server I am running this on serves multiple domains with the same ip and an nginx routes depending on incoming domain. Just accessing the domain instead of ip works perfectly fine. I am unsure how I can “fix my certs” there.

Edit: Again, the .dev domain enforces https, but Vikunja sends the request via http and that fails. Are there any configs for that?

Edit 2: The request just failed. It does not get through at all. It's before any certs are traded or anything.

I mean you need to use a valid Certificate for your Authentik installation. Let’s Encrypt works just fine.

You could use a redirect to “upgrade” insecure requests to https

Connection refused is not a certificate issue - I suggest troubleshooting basic connectivity from the machine running Vikunja.
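The last reply makes the point the thread turned on: `connection refused` comes back from the TCP layer, before any TLS handshake, so it is not a certificate problem. The small triage script below is an added example (not part of the thread, not Vikunja's or Authentik's code) that parses `GetAllProviders` error lines of the shape posted above and sorts them into connectivity, DNS, network and TLS-trust buckets, each with the next thing to check. The log lines are constructed with placeholder hosts and a documentation-range IP; the error texts are the ones Go's `net` and `crypto/tls` packages produce, which is what a Go service like Vikunja prints. The function names (`classify`, `triage`) and regexes are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample log lines in the shape Vikunja prints for a failed provider lookup;
# hosts and IPs are placeholders, not real systems.
SAMPLE_LOGS = [
    '2024-07-15T09:03:53.908344675Z: ERROR ▶ openid/GetAllProviders 0e1 Error while getting '
    'openid provider authentik: Get "https://auth.mydomain.dev/application/o/vikunja/'
    '.well-known/openid-configuration": dial tcp 198.51.100.10:443: connect: connection refused',
    '2024-07-15T09:05:10.000000000Z: ERROR ▶ openid/GetAllProviders 0e2 Error while getting '
    'openid provider authentik: Get "https://auth.mydomain.dev/application/o/vikunja/'
    '.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate '
    'signed by unknown authority',
    '2024-07-15T09:06:00.000000000Z: ERROR ▶ openid/GetAllProviders 0e3 Error while getting '
    'openid provider authentik: Get "https://auth.mydomain.dev/application/o/vikunja/'
    '.well-known/openid-configuration": dial tcp: lookup auth.mydomain.dev on 127.0.0.11:53: '
    'no such host',
]

# Provider name, the URL Vikunja tried to fetch, and the Go error text after it.
LINE_RE = re.compile(
    r'Error while getting openid provider (?P<provider>\S+): Get "(?P<url>[^"]+)": (?P<err>.*)$'
)
# "dial tcp 198.51.100.10:443:" tells you which address the name actually resolved to.
DIAL_RE = re.compile(r"dial tcp (?P<ip>\S+?):(?P<port>\d+):")

# (substrings of the Go error text, category, what to check next); first match wins.
CATEGORIES = [
    (("connection refused",), "connectivity",
     "Nothing accepted the TCP connection on that ip:port, so no TLS handshake happened and "
     "certificates are not involved. Check what the hostname resolves to from inside the "
     "container and whether the reverse proxy listens on that address."),
    (("no such host",), "dns",
     "The name did not resolve inside the container; check the container's DNS or hosts entries."),
    (("i/o timeout",), "network",
     "The connection attempt went unanswered; look at firewalls, routing or hairpin NAT between "
     "the container and the proxy."),
    (("x509", "certificate"), "tls-trust",
     "TCP connected and TLS started, but the chain is not trusted; fix the certificate the "
     "provider serves."),
]


def classify(line):
    """Parse one log line; return a triage dict, or None if it is not a provider-lookup error."""
    m = LINE_RE.search(line)
    if not m:
        return None
    err = m.group("err")
    category, hint = "unknown", "Unrecognised error text; read the full message."
    for needles, cat, h in CATEGORIES:
        if any(n in err for n in needles):
            category, hint = cat, h
            break
    result = {
        "provider": m.group("provider"),
        "host": urlparse(m.group("url")).hostname,
        "category": category,
        "hint": hint,
        "error": err,
    }
    d = DIAL_RE.search(err)
    if d:  # only present when DNS succeeded and a concrete ip:port was dialled
        result["dial_ip"], result["dial_port"] = d.group("ip"), int(d.group("port"))
    return result


def triage(lines):
    """Classify every provider-lookup error in a batch of log lines."""
    return [r for r in map(classify, lines) if r is not None]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOGS):
        target = f"{r.get('dial_ip', '?')}:{r.get('dial_port', '?')}"
        print(f"[{r['category']}] {r['provider']} -> {r['host']} ({target}): {r['hint']}")
```

Feed it `docker compose logs vikunja` and the `dial_ip` field is the first thing to compare with what nginx actually listens on: if the container resolves the issuer's name to an address where nothing accepts port 443 (a public IP the LXC container cannot reach back to, for instance), that is the connectivity problem the last reply points at, and no certificate setting on Vikunja's side will change it.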