oAuth2 Callback URL not working with Authentik SSO


I can’t seem to authenticate against Authentik using oauth.

I get sent to Authentik to login, which I do successfully. It then redirects back to Vikunja successfully, but I get the following browser error:

And Vikunja error:

    2022-09-29T17:35:08.984790153Z: ERROR   ▶ openid/HandleCallback 09e oauth2: cannot fetch token: 400 Bad Request
    Response: {"error": "invalid_client", "error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"}

This is the error in the backend’s logs.

The client ID and secret both match in my SSO and Vikunja. I’ve checked this numerous times and even redone it on the SSO side, with new client IDs and secrets. However, if I change the client ID, when I browse to the login page and try to log in via oAuth, Vikunja tries to refer me back to my SSO provider with the old client ID?

Bahhh!! So frustrating.

It turns out this was an issue with redis caching.

I have the same problem, but I am not using redis. Any suggestions please?

Do you have an error message?

I solved it hours later. In case someone in the same situation finds this page in the future:

The sample config file in api/config.yml.sample at main - api - Gitea contains:

    # The url to redirect clients to. Defaults to the configured frontend url. If you're using Vikunja with the official
    # frontend, you don't need to change this value.
    # **Note:** The redirect url must exactly match the configured redirect url with the third party provider.
    # This includes all slashes at the end or protocols.
    redirecturl: <frontend url>

Following the instructions in the comments, I didn’t modify the redirecturl, which caused Vikunja to directly use <frontend url>authentiklogin as the redirect URL (it should be https://plan.caomingjun.com/auth/openid/authentiklogin in my Vikunja instance). I found this problem in the authentik logs.

What’s more, in the URL in my browser, the redirect_uri is still correct, so there must be somewhere, when the Vikunja backend communicates with authentik, where it used <frontend url>authentiklogin, which was recorded in the log of authentik.
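
The mismatch described in the post above, as an added example that is not part of the original thread or of Vikunja's code: a checker that compares the redirect_uri carried in the browser's authorization request and in the backend's token request against the URI registered with the provider, using exact-match rules. The function names, the `sso.example.test` host and both request samples are constructed for illustration; only the registered URI and the placeholder value come from the post.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Redirect URI registered with the provider (the value quoted in the post above).
REGISTERED = "https://plan.caomingjun.com/auth/openid/authentiklogin"
# Constructed samples: the authorization URL seen in the browser and the form
# body the backend posts to the token endpoint (host and values are made up).
AUTH_URL = ("https://sso.example.test/authorize?response_type=code"
            "&client_id=CONSTRUCTED&redirect_uri=" + quote(REGISTERED, safe=""))
TOKEN_BODY = ("grant_type=authorization_code&code=CONSTRUCTED"
              "&redirect_uri=%3Cfrontend+url%3Eauthentiklogin")


def redirect_uri_of(message):
    """Extract redirect_uri from an authorization URL or a token request body."""
    is_url = message.startswith(("http://", "https://"))
    query = urlsplit(message).query if is_url else message
    return parse_qs(query)["redirect_uri"][0]


def diagnose(sent, registered):
    """List the reasons `sent` fails an exact match against `registered`."""
    problems = []
    if "<" in sent or ">" in sent:
        problems.append("placeholder")      # sample value never substituted
    s, r = urlsplit(sent), urlsplit(registered)
    if s.scheme not in ("http", "https") or not s.netloc:
        problems.append("not-absolute")
    if problems or sent == registered:
        return problems
    if s.scheme != r.scheme:
        problems.append("scheme")
    if s.netloc != r.netloc:
        problems.append("host")
    if s.path.rstrip("/") != r.path.rstrip("/"):
        problems.append("path")
    elif s.path != r.path:
        problems.append("trailing-slash")
    if s.query != r.query:
        problems.append("query")
    return problems or ["other"]


def check_flow(auth_url, token_body, registered):
    """Diagnose both legs: the browser redirect and the backend token request."""
    return {"authorization": diagnose(redirect_uri_of(auth_url), registered),
            "token": diagnose(redirect_uri_of(token_body), registered)}


if __name__ == "__main__":
    print(check_flow(AUTH_URL, TOKEN_BODY, REGISTERED))
```

Checking both legs matters because a provider can accept the authorization request and still reject the token request when the two redirect_uri values differ.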

fyi authentik has a step-by-step tutorial on their website on how to set up Vikunja with it:

Just follow it and everything works like a charm 🙂