Setting up SSO - "Error while getting OpenID provider: not found"

Hi!
I’ve been using Vikunja for a while (self hosting using Docker) and it’s great!
However, I’ve run into an issue when trying to add it to my Authelia (OpenID Connect) instance.
I’ve set up the following configuration on the Vikunja instance:

auth:
  local:
    enabled: true
  openid:
    enabled: true
    redirecturl: <frontend-url>
    # A list of enabled providers
    providers:
      # The name of the provider as it will appear in the frontend.
      - name: authelia
        authurl: https://(my.auth.instance)/api/oidc/authorize
        clientid: vikunja
        clientsecret: "(my secret)"

This is all via a config.yml file, exposed to the API container.

Now, from within the API container, I can reach the auth instance (with (my.auth.instance)/api/oidc/authorize), but when logging into the frontend, nothing happens. I also see the following error in the log:

ERROR	▶ openid/GetAllProviders 08e Error while getting openid provider authelia: 404 Not Found: 404 Not Found

Under Authelia, I’ve set up the following:

      - id: vikunja
        description: Vikunja
        secret: '(my secret)'
        redirect_uris:
          - https://(my.vikunja.url)
        scopes:
          - openid
          - email
          - profile
          - groups

I’m sure it’s just a misconfiguration on my part, but I can’t figure out what I’m doing wrong.

If you’ve set up OpenID connect with your Vikunja instance, I’d greatly appreciate any pointers.

Thanks!

Try setting the auth url to https://(my.auth.instance)/.

In Authelia, the redirect url should be https://(my.vikunja.url)/auth/openid/.

Hi, Thank you so much for answering!
I followed your suggestion - here are my settings now:
Vikunja:

  openid:
    enabled: true
    redirecturl: https://(my.vikunja.url)
    providers:
      - name: authelia
        authurl: https://(my.auth.instance) #Trailing / does not work
        clientid: vikunja
        clientsecret: "(secret)"

Authelia:

      - id: vikunja
        description: Vikunja
        secret: '(secret)'
        redirect_uris:
          - https://(my.vikunja.url)/auth/openid/
        scopes:
          - openid
          - email
          - profile
          - groups

And now I can see the OpenID connect button, but when I click it after authenticating with Authelia I get the following error message:

{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."}

I’m not sure what I’m doing wrong… I’d really appreciate it if you could help me spot the error.

Thanks again!

As it turns out, there was indeed a problem in how the redirect url was set in config. This should be fixed with f5ebada913, could you check with the latest unstable version once the CI released the new unstable version in ~30 min?

Thank you so much for your effort.
I updated the stack to use the unstable version, but the error remains. I can’t see anything in the logs either.

Is there anything I can provide to help you solve this?

Thanks!

Is the error message really still the same as this one?

As far as I can tell, it’s the same. Here’s how I see it in Authelia’s log:

Authorization Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls." method=GET path=/api/oidc/authorization remote_ip=(my ip)

What version are you using? (from the vikunja version command)

From the API container:
Vikunja api version v0.18.1+234-acaa85083f Built with go1.16.5

Really weird. As far as I can tell this is more related to Authelia than Vikunja itself. I’ll try setting everything up with Authelia to see if it is reproducible.

I managed to make it a bit further by adjusting the redirect urls whitelisted in Authelia. My updated Authelia config looks like so:

      - id: vikunja
        description: Vikunja
        secret: <my secret>
        redirect_uris:
          - https://<vikunja domain>.com/auth/openid/
          - https://<vikunja domain>.com/auth/openid/authelia
          - https://<vikunja domain>.com/api/oidc/authorization
        scopes:
          - openid
          - email
          - profile

I also updated the Vikunja config to explicitly set the redirect uri:

redirecturl: https://<vikunja domain>.com/auth/openid

Vikunja shows the ‘Login with Authelia’ button. Clicking it correctly redirects me to Authelia and then back to Vikunja. Things seem good until it fails with the message “Could not authenticate with third party.”

In the Network trace (from browser) I see the following request failed:

POST https://<vikunja domain>.com/api/v1/auth/openid/authelia/callback

Status Code: 400

{"details":
  {
   "error":"invalid_grant",
   "error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request."
  },
 "message":"Could not authenticate against third party."
}
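The two errors in this thread come from two different checks in the OpenID Connect flow: the first one (404 while loading the provider) is the relying party fetching the discovery document from the configured issuer, and the later ones (invalid_request, then invalid_grant) are the provider comparing the redirect_uri against its registered values, first at the authorize step and then again at the code exchange. The following Python script is an added illustration of those checks and is not code from Vikunja, Authelia or anyone in this thread; the hosts auth.example.com and vikunja.example.com and the registered URI list are constructed for the example.

```python
"""Added example: how an OIDC provider derives its discovery URL and how it
matches redirect_uri values. Not Vikunja's or Authelia's code."""
from urllib.parse import urlsplit

# Constructed sample values for this example (not real hosts).
ISSUER = "https://auth.example.com"
REGISTERED = [
    "https://vikunja.example.com/auth/openid/",
    "https://vikunja.example.com/auth/openid/authelia",
]


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery 1.0 section 4: the provider metadata is fetched
    from <issuer>/.well-known/openid-configuration. If the configured value is
    already an endpoint path (e.g. .../api/oidc/authorize) the resulting URL is
    one the provider does not serve, which shows up as a 404 when the relying
    party loads the provider."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def redirect_uri_matches(requested: str, registered: list[str]) -> bool:
    """OIDC Core section 3.1.2.1: redirect_uri MUST exactly match one of the
    pre-registered values, using RFC 3986 section 6.2.1 simple string
    comparison. No normalisation is applied, so a registered
    'https://h/auth/openid/' does not cover 'https://h/auth/openid'."""
    return requested in registered


def explain_mismatch(requested: str, registered: list[str]) -> str:
    """Debugging aid: for a failed match, say how the requested URI differs
    from each registered value (scheme/host, trailing slash only, or path)."""
    if redirect_uri_matches(requested, registered):
        return "ok"
    req = urlsplit(requested)
    hints = []
    for reg in registered:
        r = urlsplit(reg)
        if (req.scheme, req.netloc) != (r.scheme, r.netloc):
            hints.append(f"{reg}: scheme/host differs")
        elif req.path.rstrip("/") == r.path.rstrip("/"):
            hints.append(f"{reg}: differs only by trailing slash")
        else:
            hints.append(f"{reg}: path differs ({req.path} vs {r.path})")
    return "; ".join(hints)


def token_request_consistent(authorize_redirect_uri: str,
                             token_redirect_uri: str) -> bool:
    """RFC 6749 section 4.1.3: if redirect_uri was included in the authorization
    request, the code-exchange (token) request must carry the identical value,
    otherwise the provider answers invalid_grant."""
    return authorize_redirect_uri == token_redirect_uri


if __name__ == "__main__":
    print(discovery_url(ISSUER))
    for uri in ("https://vikunja.example.com/auth/openid",
                "https://vikunja.example.com/auth/openid/"):
        print(uri, "->", explain_mismatch(uri, REGISTERED))
    print(token_request_consistent("https://vikunja.example.com/auth/openid/",
                                   "https://vikunja.example.com/auth/openid"))
```

Running it shows why a relying-party redirecturl without a trailing slash fails against a provider entry that has one, and why the value used at the authorize step must be the exact string sent again when the code is exchanged.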

The config looks correct. Can you check the authentication payload in the network tab?

I still didn’t get around to setting this up locally with Authelia; I will try to do that to debug this properly.

There’s a recent github issue with the same problem:

Moving discussion over to the Github issue linked above.