Third-party authentication support (maybe SSO?)

In an ideal world, somewhere in a galaxy far, far away, I’d like to see support for LDAP or other authentication protocols. It’s nice to have my team sign in with just a single account for every service we host.

Yes, definitely. This is actually planned, it just doesn’t have a high priority currently but I’ve just moved it up the roadmap.


Thanks for the fast response! Do you have a publicly-available roadmap? I’d be curious to see what’s happening with the project from time to time.

Yes! Actually, two: One for the api and one for the frontend.

Another authentication method here might be to support getting user authn from an identity aware proxy such as Pomerium. It can handle SSO and pass along a signed JWT to services behind it: https://www.pomerium.com/docs/topics/getting-users-identity.html

This looks promising, I wasn’t aware of such proxies. Thanks for pointing that out.

I’d like to focus on the usual suspects like ldap + oauth first though, but PRs welcome :upside_down_face:

Love everything you’re doing and documenting. I came across the possibility of using oidc auth via this page, the config options page, and this task. Especially since I use keycloak and traefik forward auth on my self-hosted apps.

However, I’m having an issue setting it up and I don’t expect a lesson in oauth, but if anyone has any useful knowledge setting this up (especially if familiar with keycloak) I’d really appreciate it.

After I added a client to my master realm in keycloak and configured the yml file for vikunja, I restarted the container and at the login screen the username/password fields are gone and there are no buttons to login with keycloak. I know I must have configured something wrong and I can provide more info if you could let me know what you need to see.

Glad you’re liking it :slightly_smiling_face:

What does your config file look like? What is the output from /api/v1/info?

I’m attaching an image of the auth portion of the config and the output of /api/v1/info is this…
{"version":"v0.17.0+136-f8833ae8a2","frontend_url":"https://MYURL/","motd":"","link_sharing_enabled":true,"max_file_size":"20MB","registration_enabled":false,"available_migrators":null,"task_attachments_enabled":true,"enabled_background_providers":["upload"],"totp_enabled":true,"legal":{"imprint_url":"","privacy_policy_url":""},"caldav_enabled":true,"auth":{"local":{"enabled":false},"openid_connect":{"enabled":true,"redirect_url":"\u003cfrontend url\u003e","providers":[]}},"email_reminders_enabled":true,"user_deletion_enabled":true}

The only difference I see is that when I set openid to false and local to true, the providers section looks like this
"providers":null

When you change the config to include keycloak as an auth provider and open /api/v1/info, is there anything in the server logs?

Yeah, when I look at the API logs it looks like I get an HTTP 200 code, log here. When I look at the frontend log I also get this…
172.16.200.191 - - [28/Aug/2021:21:03:36 +0000] "GET /favicon.ico HTTP/1.1" 200 13797 "https://MYURL/api/v1/info" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "192.168.1.184"

172.16.200.191 - - [28/Aug/2021:21:03:38 +0000] "GET /sw.js HTTP/1.1" 304 0 "https://MYURL/sw.js" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "192.168.1.184"

I tried changing the redirecturl setting to the actual url of my installation instead of the variable but it didn’t change anything.

There should be an error message in the logs in case Vikunja can’t reach the third party auth provider. I don’t know why there is none.
I do have an idea after looking at your config again: Try removing the .well-known/... part from the authurl. It should be able to figure that out by itself.

Thanks, I changed that in the config and it didn't result in anything different. I'm attaching a photo of what the frontend looks like with the settings I've posted above. I'll reply with the settings in keycloak (as I can only post 1 photo per reply).

These are my keycloak settings.

When accessing the /info endpoint for the first time, Vikunja makes a request to all external openid providers to get information about them. This usually happens through the /.well-known endpoint. If that fails, it shows an error in the logs about it.
This looks like it completely ignores the config, at least the providers part of it. Does it work if you use another openid provider? (gitlab, for example)

This config works for me, could you try that? (You’ll need to get your own secret and id obviously):

auth:
  openid:
    enabled: true
    providers:
      - name: Gitlab.com
        authurl: https://gitlab.com
        clientid: <id>
        clientsecret: <secret>

That would help to know if the issue is somewhere within Vikunja itself or with your keycloak configuration.
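The two replies above describe the discovery step: on the first /api/v1/info request the server fetches each provider's /.well-known/openid-configuration document, and the authurl should be the bare issuer URL without the .well-known part. The following is an added example, not Vikunja's own code, that reproduces that step offline: it derives the discovery URL from an authurl, flags an authurl that already contains the well-known path, and validates a discovery document the way an OIDC client must (OpenID Connect Discovery 1.0 requires the issuer in the document to match the issuer URL the client started from). The Keycloak-shaped documents are constructed sample data; the hostnames are assumptions.

```python
"""Offline check of the OIDC discovery step discussed in the thread.

Added example, not Vikunja code. Assumptions: `authurl` is the provider's
issuer URL, and the discovery document lives at
<issuer>/.well-known/openid-configuration (OpenID Connect Discovery 1.0).
"""
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Members an OIDC client needs before it can start an authorization-code flow.
REQUIRED_KEYS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "id_token_signing_alg_values_supported",
)


def issuer_from_authurl(authurl: str) -> str:
    """Normalise authurl to an issuer: strip a trailing slash and, if the
    admin pasted the discovery URL itself, strip the well-known suffix."""
    parts = urlsplit(authurl.strip())
    if parts.scheme not in ("https", "http") or not parts.netloc:
        raise ValueError(f"authurl must be an absolute http(s) URL: {authurl!r}")
    path = parts.path.rstrip("/")
    if path.endswith(WELL_KNOWN):
        path = path[: -len(WELL_KNOWN)]
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def discovery_url(authurl: str) -> str:
    """Where the client will fetch the provider metadata from."""
    return issuer_from_authurl(authurl) + WELL_KNOWN


def check_provider(authurl: str, doc: dict) -> list:
    """Return a list of human-readable problems; an empty list means the
    provider configuration would pass an OIDC client's discovery checks."""
    problems = []
    if authurl.rstrip("/").endswith(WELL_KNOWN):
        problems.append("authurl is the discovery URL; set it to the issuer URL instead")
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
    if "issuer" not in doc:
        return problems
    expected = issuer_from_authurl(authurl)
    # Discovery 1.0 section 4.3: the advertised issuer must match the one
    # the client used, otherwise the client rejects the provider.
    if doc["issuer"].rstrip("/") != expected:
        problems.append(f"issuer mismatch: config says {expected}, provider says {doc['issuer']}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the 'code' response type")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if url and not url.startswith("https://"):
            problems.append(f"{key} is not https: {url}")
    return problems


# Constructed sample data shaped like a Keycloak realm's metadata (hostname assumed).
KEYCLOAK_ISSUER = "https://keycloak.example.com/auth/realms/master"
GOOD_DOC = {
    "issuer": KEYCLOAK_ISSUER,
    "authorization_endpoint": KEYCLOAK_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": KEYCLOAK_ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": KEYCLOAK_ISSUER + "/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# What a provider reached through an internal hostname might advertise: the
# issuer no longer matches the public authurl, so discovery fails.
MISMATCH_DOC = dict(GOOD_DOC, issuer="http://keycloak:8080/auth/realms/master")

if __name__ == "__main__":
    for label, url, doc in (
        ("issuer url", KEYCLOAK_ISSUER, GOOD_DOC),
        ("well-known pasted into authurl", KEYCLOAK_ISSUER + WELL_KNOWN, GOOD_DOC),
        ("internal hostname", KEYCLOAK_ISSUER, MISMATCH_DOC),
    ):
        print(label, "->", discovery_url(url), check_provider(url, doc) or "ok")
```

Run it against a real provider by fetching discovery_url(authurl) with any HTTP client and passing the parsed JSON to check_provider; the issuer-mismatch case is the one to look for when Keycloak sits behind its own reverse proxy and is reached by Vikunja through a different hostname than the one in authurl.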

I attempted to try those settings in the config but I can’t get the container to run anymore. I didn’t change the rest of the config so I’m not sure what the issue is, the redis and mariadb containers run fine. I’ll have to check back later and see if anything changed.

Any error message why it would not start?

No idea, I’m using docker swarm so it just hung in the ‘new’ state without error. I did some updates on the server and rebooted it and all is good again (in that I can run the container without error). So that was unrelated, sorry.

But I'm still not getting any error nor a login prompt even when I set up the gitlab example (using my account info). Also when I browse to /api/v1/info the providers section is still blank.

Here's the /api/v1/info
{"version":"v0.17.0+142-15e5a9069b","frontend_url":"https://MYURL/","motd":"","link_sharing_enabled":true,"max_file_size":"20MB","registration_enabled":false,"available_migrators":null,"task_attachments_enabled":true,"enabled_background_providers":["upload"],"totp_enabled":true,"legal":{"imprint_url":"","privacy_policy_url":""},"caldav_enabled":true,"auth":{"local":{"enabled":false},"openid_connect":{"enabled":true,"redirect_url":"\u003cfrontend url\u003e","providers":[]}},"email_reminders_enabled":true,"user_deletion_enabled":true}

and my full config… hastebin

OK, one more brief test. I opened a connection to port 80 for the frontend container and when I browsed to the IP address of the server, the login form loaded (which didn't happen when I used traefik to handle the reverse proxy). When I try to login with that form I get a 405 error but I assume it's because it's not a FQDN. I also can't browse to the /api/v1/info page when I'm using the local IP address, I'm just returned to the /login page.

10.0.0.2 - - [01/Sep/2021:03:59:57 +0000] "POST /api/v1/login HTTP/1.1" 405 559 "http://192.168.5.201:8080/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "-"

That sounds like the proxy you’re using doesn’t properly redirect requests to /api to the api container but instead they land on the frontend.

The config looks fine to me.
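The diagnosis in the reply above can be checked from the access logs alone: a POST /api/v1/login answered with 405 by the frontend container means the request was served by the static web server instead of being forwarded to the API. The following is an added example, not part of the original thread or of Vikunja, that scans frontend access-log lines for requests whose path belongs to the API. The set of path prefixes that must reach the API container (/api/, /dav/, /.well-known/) is an assumption taken from how Vikunja is normally deployed behind a proxy; the sample lines are the ones posted in the thread plus one constructed line.

```python
"""Spot API requests that landed on the frontend container.

Added example, not Vikunja code. Assumption: everything under the prefixes
in API_PREFIXES must be routed to the API container; everything else is
served by the frontend container.
"""
import re
from typing import List, NamedTuple, Optional

API_PREFIXES = ("/api/", "/dav/", "/.well-known/")

# Combined-log-format line as written by the frontend container (nginx style).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


class Request(NamedTuple):
    src: str
    method: str
    path: str
    status: int


def upstream_for(path: str) -> str:
    """Which container should have answered this path."""
    return "api" if path.startswith(API_PREFIXES) else "frontend"


def parse_line(line: str) -> Optional[Request]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return Request(m["src"], m["method"], m["path"], int(m["status"]))


def find_misrouted(frontend_log_lines: List[str]) -> List[Request]:
    """Requests in the *frontend* container's log that belong to the API.
    Any hit means the reverse proxy is not splitting traffic by path."""
    hits = []
    for line in frontend_log_lines:
        req = parse_line(line)
        if req is not None and upstream_for(req.path) == "api":
            hits.append(req)
    return hits


def explain(req: Request) -> str:
    """One-line reason a practitioner can act on."""
    if req.method == "POST" and req.status == 405:
        return (f"{req.method} {req.path} -> {req.status}: the static frontend "
                "rejects POST; the proxy must send this prefix to the API container")
    return f"{req.method} {req.path} -> {req.status}: served by frontend, expected API"


# Lines quoted in the thread, plus one constructed line (the last one).
SAMPLE_LOG = [
    '172.16.200.191 - - [28/Aug/2021:21:03:36 +0000] "GET /favicon.ico HTTP/1.1" 200 13797 '
    '"https://MYURL/api/v1/info" "Mozilla/5.0" "192.168.1.184"',
    '172.16.200.191 - - [28/Aug/2021:21:03:38 +0000] "GET /sw.js HTTP/1.1" 304 0 '
    '"https://MYURL/sw.js" "Mozilla/5.0" "192.168.1.184"',
    '10.0.0.2 - - [01/Sep/2021:03:59:57 +0000] "POST /api/v1/login HTTP/1.1" 405 559 '
    '"http://192.168.5.201:8080/login" "Mozilla/5.0" "-"',
    '10.0.0.2 - - [01/Sep/2021:04:00:02 +0000] "GET /api/v1/info HTTP/1.1" 200 1234 '
    '"http://192.168.5.201:8080/login" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for req in find_misrouted(SAMPLE_LOG):
        print(explain(req))
```

The constructed GET /api/v1/info line shows the quieter form of the same problem: the frontend answers 200 with its index page (the "returned to /login" behaviour in the thread) rather than JSON, so a 200 status alone is not proof the API was reached.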