Hello everyone,
I’m working on integrating our Vikunja instance (running in Docker) with Authentik as our Identity Provider (IdP). User login via OAuth/OpenID Connect from Authentik is already working very well, which is a huge step forward!
My Goal
I’m looking to automatically synchronize user profile pictures managed in Authentik with Vikunja. Since Vikunja doesn’t seem to handle this directly via the OAuth/OIDC login flow, I’m trying to achieve it through the Vikunja API.
My Current Approach (Workaround)
I’ve implemented a Python policy script within Authentik. After successful authentication, this script takes the user’s avatar (stored locally) and attempts to upload it to Vikunja using the /api/v1/user/settings/avatar/upload API endpoint.
For API authentication, I’ve found that Vikunja expects a JWTKeyAuth header scheme. So, I’m trying to use an API key retrieved from Authentik user attributes like this:
Authorization: JWTKeyAuth {api_key}
The Problem
I’m currently getting a 401 Unauthorized error from Vikunja with the message: "missing, malformed, expired or otherwise invalid token provided". This suggests that the token I’m using isn’t being accepted by Vikunja, despite using the JWTKeyAuth type.
My Questions for the Community
- Profile Picture Synchronization via OAuth/OIDC:
  Is there a recommended or existing way for profile pictures from an external IdP (like Authentik) to be automatically imported into Vikunja during the OAuth/OIDC flow, or via a specific API endpoint that handles this without requiring a separate upload process in my script? Perhaps through a specific scope or a field in the OIDC profile that Vikunja can process?
- JWTKeyAuth Token for Automated API Uploads:
  If a separate API upload remains the necessary path:
  - What’s the best way to obtain a valid JWTKeyAuth-compatible token for automated API calls (like avatar uploads)?
  - Are Personal Access Tokens (PATs) in Vikunja intended to be used with JWTKeyAuth? Or is there an API endpoint through which I can dynamically generate such a token without needing to perform a full programmatic username/password login for every action (which is often not ideal for a backend script)? The goal is to have a long-lived token that I can store securely in Authentik.
Any guidance and best practices on how to achieve this profile picture synchronization securely and efficiently would be greatly appreciated!
Thanks in advance for your help!