OpenID authentication via Synology SSO server

Hi all,

I am trying to set up authentication using the SSO server from my Diskstation. It seems not many users know that there’s an OpenID service built into their Synology, since there are almost no mentions or tutorials on the web. Via trial and error I managed to get a bunch of web apps working with it already and it works great - so far! I am not sure if I’m doing it wrong in this case or if it’s just not compatible with certain apps.

Basic setup was done through docker compose, and both containers are running healthy. I can access the web interface via reverse proxy, do all the basic tasks, send out emails etc., except the OpenID login never shows up.

Maybe someone can point me in the right direction? I pasted the relevant sections below.

service:
  enableregistration: false

openid:
    enabled: true
    redirecturl: https://vikunja.domain.tld/auth/openid/
    providers:
      - name: OpenID
        authurl: https://id.domain.tld/webman/sso
        clientid: xxx
        clientsecret: xxx

And here what is being returned when calling /.well-known/openid-configuration manually:

{
   "authorization_endpoint" : "https://id.domain.tld/webman/sso/SSOOauth.cgi",
   "claims_supported" : [ "aud", "email", "exp", "groups", "iat", "iss", "sub", "username" ],
   "code_challenge_methods_supported" : [ "S256", "plain" ],
   "grant_types_supported" : [ "authorization_code", "implicit" ],
   "id_token_signing_alg_values_supported" : [ "RS256" ],
   "issuer" : "https://id.domain.tld/webman/sso",
   "jwks_uri" : "https://id.domain.tld/webman/sso/openid-jwks.json",
   "response_types_supported" : [ "code", "code id_token", "id_token", "id_token token" ],
   "scopes_supported" : [ "email", "groups", "openid" ],
   "subject_types_supported" : [ "public" ],
   "token_endpoint" : "https://id.domain.tld/webman/sso/SSOAccessToken.cgi",
   "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
   "userinfo_endpoint" : "https://id.domain.tld/webman/sso/SSOUserInfo.cgi"
}
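Before wiring a client to a provider it is worth checking that the discovery document actually advertises what an authorization-code client needs. The script below is an added example (not code from Vikunja or from Synology) that loads a constructed copy of the discovery document quoted above (the stray spaces in the two endpoint URLs are assumed to be paste artifacts and have been removed) and compares it against the configured authurl: the issuer must match exactly, the code-flow endpoints must exist on the issuer's host over https, response_type=code, PKCE S256 and RS256 id_tokens must be offered, and the scopes the client will ask for must be listed.

```python
import json
from urllib.parse import urlsplit

# Constructed copy of the discovery document from the thread (assumption: the
# stray spaces in the token/userinfo endpoints on the page were paste artifacts).
DISCOVERY_JSON = """{
   "authorization_endpoint" : "https://id.domain.tld/webman/sso/SSOOauth.cgi",
   "claims_supported" : [ "aud", "email", "exp", "groups", "iat", "iss", "sub", "username" ],
   "code_challenge_methods_supported" : [ "S256", "plain" ],
   "grant_types_supported" : [ "authorization_code", "implicit" ],
   "id_token_signing_alg_values_supported" : [ "RS256" ],
   "issuer" : "https://id.domain.tld/webman/sso",
   "jwks_uri" : "https://id.domain.tld/webman/sso/openid-jwks.json",
   "response_types_supported" : [ "code", "code id_token", "id_token", "id_token token" ],
   "scopes_supported" : [ "email", "groups", "openid" ],
   "subject_types_supported" : [ "public" ],
   "token_endpoint" : "https://id.domain.tld/webman/sso/SSOAccessToken.cgi",
   "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
   "userinfo_endpoint" : "https://id.domain.tld/webman/sso/SSOUserInfo.cgi"
}"""

# Endpoints the authorization-code flow cannot work without.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc_text, configured_authurl, wanted_scopes=("openid", "email")):
    """Compare a provider's discovery document with what an authorization-code
    client expects. Returns a list of problem strings; empty means usable."""
    doc = json.loads(doc_text)
    problems = []

    # 1. The issuer must equal the configured authurl (trailing slash aside):
    #    the client builds <authurl>/.well-known/openid-configuration from it
    #    and later checks the id_token "iss" claim against it.
    issuer = doc.get("issuer", "")
    if issuer != configured_authurl.rstrip("/"):
        problems.append(f"issuer mismatch: {issuer!r} != {configured_authurl!r}")
    issuer_host = urlsplit(issuer).hostname

    # 2. Required endpoints must exist, use https, and live on the issuer's host.
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif not url.startswith("https://"):
            problems.append(f"{key} is not https: {url}")
        elif urlsplit(url).hostname != issuer_host:
            problems.append(f"{key} is on a different host than the issuer: {url}")

    # 3. Code flow with PKCE S256 and RS256-signed id_tokens must be offered.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not support response_type=code")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("provider does not support PKCE S256")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider does not sign id_tokens with RS256")

    # 4. Every scope the client will request must be advertised.
    missing = [s for s in wanted_scopes if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append(f"scopes not supported: {missing}")
    return problems


if __name__ == "__main__":
    for p in check_discovery(DISCOVERY_JSON, "https://id.domain.tld/webman/sso") or ["metadata looks usable"]:
        print(p)
```

Run against the document above with authurl https://id.domain.tld/webman/sso it reports nothing, which is what you want to see before suspecting the client configuration; a mismatching authurl (for example a different host or a path that is not the issuer) is reported as the first problem.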

If the option does not show up, check your logs after starting Vikunja. There should be an error message when you access the web interface for the very first time after starting Vikunja.

Thanks @kolaente, fortunately I am now one step further, but still stuck.

I forgot to include auth: at the beginning of the config entry. I copied a sample configuration from the docs and unfortunately it is not included in some of them, only in the Authentik sample at the bottom.

Now I am getting greeted by the SSO server with the message: Invalid SSO client application. Please go to Application List page and try to add the application again.

Last time I got this message because the callback url was not correct. Is there maybe a problem with my redirect url? In some earlier forum entries I found urls that don’t include auth/openid/. However, I tried these two by removing them both from the Vikunja config and the SSO config. Here’s an example of the latter:

Update: it works now! I think there’s a bug but a workaround solved it.

What was wrong? The logs of the SSO server had some details:

Unable to sign in to application [vikunja] because the redirect URIs defined in this app (https://vikunja.domain.tld/auth/openid/domaintldvikunja) and SSO Server (https://vikunja.domain.tld/auth/openid/) do not match.

For some reason the app reports a different callback url, or rather added a string of domain+tld+sub at the end. I added it to the SSO server too as a workaround. Have you seen this behaviour before?

In my config.yaml my authurl line is in double quotes, as in:
authurl: "https://id.domain.tld/webman/sso"

same with my name line.

Thanks for letting me know. I did that but it makes no difference.

The redirect url is still automatically appended with “domaintldsub”

vikunja.domain.tld/auth/openid/domaintldvikunja instead of
vikunja.domain.tld/auth/openid/

Thanks for the hint, I’ve updated the docs to fix that.

Does that come from Vikunja or the nas?

I am not sure, and also not sure how to find out.

On Vikunja, which logs should I enable for that and where to look for them?

I would start with the network tab in the browser. Enable “Persist Logs”, then clear it all, filter for HTML and start the login from Vikunja. After that, you should see all requests which were made. That will allow you to inspect each of them for their query parameters. Does one of them have a redirect url set? If so, which one?
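The network-tab check suggested above and the "redirect URIs ... do not match" error from the SSO server log earlier in the thread are two views of the same question: what redirect_uri does the client actually send, and does it match a registered one character for character? The script below is an added example, not code from Vikunja, Synology or any participant here. It takes a constructed authorization request URL of the kind the network tab shows (client_id, state and code_challenge values are placeholders, and the redirect_uri carries the appended suffix reported in the thread), extracts the query parameters, and compares redirect_uri against the registered allowlist using exact string matching, which is how an OAuth 2.0 server is expected to match redirect URIs; on a mismatch it names the URL component that differs, so a trailing suffix, a missing slash or a different scheme is pinpointed instead of just "no match". It also flags an authorization request that lacks state, PKCE S256 or the openid scope.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed authorization request resembling what the browser's network tab
# shows when the login starts. client_id, state and code_challenge are placeholders.
SAMPLE_AUTH_REQUEST = (
    "https://id.domain.tld/webman/sso/SSOOauth.cgi"
    "?client_id=xxx&response_type=code&scope=openid+email"
    "&redirect_uri=https%3A%2F%2Fvikunja.domain.tld%2Fauth%2Fopenid%2Fdomaintldvikunja"
    "&state=PLACEHOLDER_STATE&code_challenge=PLACEHOLDER_CHALLENGE&code_challenge_method=S256"
)

# The URI registered on the SSO server side, as quoted in the server log message.
REGISTERED_REDIRECT_URIS = ["https://vikunja.domain.tld/auth/openid/"]


def parse_auth_request(url):
    """Flatten the query string of an authorization request into a dict
    (first value per parameter), the same fields the network tab displays."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def explain_redirect_mismatch(sent, registered):
    """Return None when the two redirect URIs are identical strings, otherwise a
    message naming the first URL component that differs. Exact string matching is
    deliberate: a server that normalised or prefix-matched would accept URIs the
    client owner never registered."""
    if sent == registered:
        return None
    a, b = urlsplit(sent), urlsplit(registered)
    for part in ("scheme", "netloc", "path", "query", "fragment"):
        if getattr(a, part) != getattr(b, part):
            return f"{part} differs: {getattr(a, part)!r} vs {getattr(b, part)!r}"
    return "differs only in encoding or case of the raw string"


def check_redirect_uri(url, registered_uris):
    """Extract redirect_uri from the request and check it against the allowlist.
    Returns (ok, detail); ok is True only on an exact match with one entry."""
    sent = parse_auth_request(url).get("redirect_uri")
    if sent is None:
        return False, "no redirect_uri parameter in request"
    for reg in registered_uris:
        if explain_redirect_mismatch(sent, reg) is None:
            return True, f"exact match with {reg}"
    details = "; ".join(f"{reg}: {explain_redirect_mismatch(sent, reg)}" for reg in registered_uris)
    return False, f"redirect_uri {sent!r} matches none of the registered URIs ({details})"


def check_auth_request(url):
    """Warn about an authorization request that is missing the protections a
    code-flow client should always send."""
    params = parse_auth_request(url)
    warnings = []
    if params.get("response_type") != "code":
        warnings.append("response_type is not 'code'")
    if not params.get("state"):
        warnings.append("no state parameter (login CSRF protection)")
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        warnings.append("PKCE S256 not used")
    if "openid" not in params.get("scope", "").split():
        warnings.append("scope does not include openid")
    return warnings


if __name__ == "__main__":
    print(check_redirect_uri(SAMPLE_AUTH_REQUEST, REGISTERED_REDIRECT_URIS))
    print(check_auth_request(SAMPLE_AUTH_REQUEST) or ["request carries state, PKCE S256 and openid scope"])
```

Paste the real request URL from the network tab in place of the constructed one: the output names the component that differs (here the path, because of the appended suffix), which tells you whether to fix the client's configured redirecturl or the entry registered on the server. Registering only the URI the client really sends, rather than several variants, keeps the allowlist as tight as it should be.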