Struggling with SSO via Authentik

I’m running Traefik + Authentik + Vikunja via Docker. So far I’ve had success logging into Vikunja via the classic username and password method (local auth?) but SSO is proving more difficult. Side note: I tried to disable local auth but that doesn’t stop the username and password textareas from showing, just shows a JWT missing error when I press login.

Trying to set up Authentik as an OpenID provider for Vikunja is proving to be difficult. I used the Traefik 2 guide from your docs and the guide from the authentik docs too (Vikunja | authentik).

The issue seems to be that Vikunja can’t access the openid-configuration file, but I can access it just fine from my web browser via the link in the error. The error is this:

vikunja-vikunja_api-1 | 2022-07-21T05:23:10.347632475Z: ERROR ▶ openid/GetAllProviders 091 Error while getting openid provider: Get "https://auth.adept.org.au/application/o/vikunja/.well-known/openid-configuration": dial tcp 188.166.231.66:443: i/o timeout

Can you debug from inside the api container why it has trouble accessing authelia? (ping, curl, traceroute etc.)

Pinging the IP is fine, no problems there. Curl is not working though, it hangs. I tested curling the url on my regular terminal and it works properly. Weird.

Running curl with the verbose flag just returns this: * Trying 188.166.231.66:443...

I also tested curling Google, that worked.

If you start any other container (an Ubuntu for example) on the same host as Vikunja, are you able to curl the openid URL from there?

I tried a clean Alpine container and the issue exists there too.

In Ubuntu the issue persists, but the version of cURL it uses has more output. Also, I let it properly time out this time.

root@6a01ce310146:/# curl -v https://auth.adept.org.au/
* Hostname was NOT found in DNS cache
*   Trying 188.166.231.66...
* connect to 188.166.231.66 port 443 failed: Connection timed out
* Failed to connect to auth.adept.org.au port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to auth.adept.org.au port 443: Connection timed out

I believe the solution may lie here: Docker - Hostname was NOT found in DNS cache - Stack Overflow

Edit: Running through the same process on my local machine (new Ubuntu container, curl the URL) and I can actually get this to work.

I wonder if I should point Vikunja at the hostname for the Authentik container rather than the domain?

Is the IP curl resolved in the snippet you sent the correct one?

If authentik and the vikunja api container are in the same docker network that should work.

Here’s the results of my testing:

GET HTTPS akserver FROM vikunja_api-1: refused (port 443)
GET HTTPS akserver:9443 FROM vikunja_api-1: not refused, but curl has a problem with the self-signed cert
GET HTTPS authentik.fqdn FROM vikunja_api-1: resolves to the correct IP and port 443 as per Traefik config, but times out

GET HTTPS akserver FROM authentik-server-1: refused (port 443)
GET HTTPS akserver:9443 FROM authentik-server-1: accepted but curl rejects self-signed cert
GET HTTPS authentik.fqdn FROM authentik-server-1: resolves to the correct IP and port 443 as per Traefik config, but times out

GET HTTPS authentik.fqdn FROM traefik-1: resolves to the correct IP and port 443 as per Traefik config, but times out
GET HTTPS google.com FROM traefik-1: success
GET HTTPS www.fqdn FROM traefik-1: success

Right, this is a real-time update. Allowed port 443/tcp in ufw and it’s no longer timing out.

I assumed that wasn’t going to be the solution since everything else was already working without doing so, but anyway…

So that gets us to the next issue. Progress!

vikunja-vikunja_frontend-1 | 172.30.0.2 - - [12/Aug/2022:03:10:30 +0000] "GET /auth/openid/authentik?code=87ff36cf9eb94e728b654a47a6a7ab13&state=yygmym7icfa HTTP/1.1" 200 1452 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" "210.1.198.136"
vikunja-vikunja_api-1 | 2022-08-12T03:10:30.545589066Z: WEB ▶ 210.1.198.136 GET 200 /api/v1/info 158.006µs - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
vikunja-vikunja_api-1 | 2022-08-12T03:10:31.020203761Z: ERROR ▶ openid/HandleCallback 091 Error verifying token for provider authentik: oidc: id token signed with unsupported algorithm, expected ["RS256"] got "HS256"
vikunja-vikunja_api-1 | 2022-08-12T03:10:31.021108642Z: ERROR ▶ openid/HandleCallback 092 oidc: id token signed with unsupported algorithm, expected ["RS256"] got "HS256"
vikunja-vikunja_api-1 | 2022-08-12T03:10:31.022731847Z: WEB ▶ 210.1.198.136 POST 500 /api/v1/auth/openid/authentik/callback 339.910733ms - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36

Is there a setting in authentik to change the token signing algorithm?

I did a little bit of digging through the Authentik source code, found the relevant code here.

For anybody else having this issue, the fix is to make sure the provider is set to use the RSA signing key; otherwise it defaults to HS256 instead of RS256.

Problem solved! Thanks for your time koalente!
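To show what the relying party is doing when it emits the "unsupported algorithm" error above, here is an added example (not Vikunja's, go-oidc's or authentik's code) that verifies an OIDC id_token with only the Go standard library: it reads the JWS header, refuses any `alg` outside an RS256 allowlist before touching the signature, and only then checks the RSA signature and parses the claims. The RSA key pair, the claims, the issuer URL and the `tokenWithAlg` helper that fabricates an HS256-labelled token are all constructed here for the demonstration; a real relying party would take the key from the provider's JWKS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AllowedAlgs is the relying party's expectation: only RS256 id tokens are
// accepted, matching the expectation behind the error seen in the thread.
var AllowedAlgs = []string{"RS256"}

type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 builds a compact JWS over the claims with the provider's RSA key
// (constructed in main/test; stands in for the provider's configured signing key).
func signRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	h, _ := json.Marshal(header{Alg: "RS256", Typ: "JWT"})
	c, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(h) + "." + b64(c)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// tokenWithAlg is a constructed helper that produces a token whose header
// announces some other algorithm (e.g. HS256, as a provider with no RSA signing
// key configured would emit). The signature bytes are a placeholder: the
// relying party must reject it from the header alone.
func tokenWithAlg(alg string, claims map[string]interface{}) string {
	h, _ := json.Marshal(header{Alg: alg, Typ: "JWT"})
	c, _ := json.Marshal(claims)
	return b64(h) + "." + b64(c) + "." + b64([]byte("placeholder-signature"))
}

// VerifyIDToken enforces the algorithm allowlist first, then verifies the
// RS256 signature with the provider's public key, then decodes the claims.
func VerifyIDToken(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("oidc: malformed id token")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h header
	if err := json.Unmarshal(rawHeader, &h); err != nil {
		return nil, err
	}
	allowed := false
	for _, a := range AllowedAlgs {
		if a == h.Alg {
			allowed = true
		}
	}
	if !allowed {
		// Same wording as the error in the thread's log.
		return nil, fmt.Errorf("oidc: id token signed with unsupported algorithm, expected %v got %q", AllowedAlgs, h.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("oidc: invalid id token signature")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed provider key
	claims := map[string]interface{}{"iss": "https://auth.example.test/application/o/vikunja/", "sub": "user-1", "aud": "vikunja"}
	good, _ := signRS256(priv, claims)
	if c, err := VerifyIDToken(good, &priv.PublicKey); err == nil {
		fmt.Println("RS256 token accepted, sub =", c["sub"])
	}
	_, err := VerifyIDToken(tokenWithAlg("HS256", claims), &priv.PublicKey)
	fmt.Println("HS256 token:", err)
}
```

The order of checks is the point: the allowlist is compared against the header before any key is used, so a token labelled HS256 (or `none`) is refused outright rather than being verified with whatever key material the relying party happens to hold. That is why the fix belongs on the provider side (configure the RSA signing key) and not in loosening what the client accepts.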

Just had this issue, it works perfectly now! Thank you for sharing your solution!