I use Authentik and am trying very hard to get Vikunja running with my configuration. Authentik is proxied by Traefik, and I am using mTLS on port 443. Therefore, I have an ‘auxiliary port’ for non-human communication on port 8443, which works perfectly with at least three other apps. In these other ‘apps,’ it is possible to specify additional OIDC values, e.g., issuer, tokenurl, userinfourl, and jwksurl. These URLs point to my Authentik on port 8443. Unfortunately, Vikunja ignores all these settings and tries to access via port 443 and fails, which is expected!
Has anyone achieved this objective with a non-standard port?
It would be very much appreciated to see these values in an update soon.
Vikunja will try to connect to these URLs on whatever Authentik tells it under its .well-known issuer URL. From your error description, I assume that’s returning the proxied URL?
I have verified that even when providing an issuer with a port (e.g., https://domain:8443/...), Vikunja ignores the port during the discovery phase. My logs explicitly show: dial tcp [IP]:443: i/o timeout. It seems the OIDC discovery logic is hardcoded to strip the port or default to 443 for HTTPS, regardless of the config.yml or manual overrides.
Vikunja uses the URL that Authentik returns from the issuer discovery endpoint. That means the URL that’s returned from https://auth.domain.tld/application/o/vikunja/.well-known/openid-configuration. That URL only depends on what you have configured in Authentik, not the URL you gave to Vikunja.
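To check the behaviour described in the last reply, the following is an added example (not posted by anyone in this thread and not Vikunja's or Authentik's code). It compares the back-channel endpoints advertised in a discovery document with the issuer the client was configured with. The function names and the sample document are constructed for illustration; in practice you would save the real `.well-known/openid-configuration` response to a file and load that instead.

```python
import json
from urllib.parse import urlsplit

# Endpoints the relying party calls server-to-server (not through the browser).
BACK_CHANNEL_KEYS = ("token_endpoint", "userinfo_endpoint", "jwks_uri")

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, parts.hostname, port

def audit_discovery(configured_issuer, discovery_doc):
    """Return (key, url) pairs that would send the client somewhere other
    than the origin of the issuer it was configured with."""
    findings = []
    advertised = discovery_doc.get("issuer", "")
    # OIDC Discovery requires the advertised issuer to match the one requested.
    if advertised.rstrip("/") != configured_issuer.rstrip("/"):
        findings.append(("issuer", advertised))
    wanted = origin(configured_issuer)
    for key in BACK_CHANNEL_KEYS:
        url = discovery_doc.get(key)
        if url and origin(url) != wanted:
            findings.append((key, url))
    return findings

# Constructed sample: a discovery document that advertises URLs without the
# auxiliary port, so every back-channel call lands on 443.
SAMPLE_DOC = json.loads("""
{
  "issuer": "https://auth.domain.tld/application/o/vikunja/",
  "authorization_endpoint": "https://auth.domain.tld/application/o/authorize/",
  "token_endpoint": "https://auth.domain.tld/application/o/token/",
  "userinfo_endpoint": "https://auth.domain.tld/application/o/userinfo/",
  "jwks_uri": "https://auth.domain.tld/application/o/vikunja/jwks/"
}
""")

if __name__ == "__main__":
    configured = "https://auth.domain.tld:8443/application/o/vikunja/"
    for key, url in audit_discovery(configured, SAMPLE_DOC):
        print(f"{key}: advertised {url} does not match {configured}")
```
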