Third-party authentication support (maybe SSO?)

Well, that was access via a local IP address not via the traefik reverse proxy domain name (I’m assuming that’s why it couldn’t resolve the request). I was using the gitlab oidc settings.

However, the only thing I can figure out about why Vikunja presents the login form when accessed locally and not when accessed through the traefik proxy, is the “sw.js” file isn’t being loaded? I’m actually seeing a 304 error for that file in the logs.

172.16.200.198 - - [02/Sep/2021:17:45:02 +0000] "GET /sw.js HTTP/1.1" 304 0 "https://MYURL/sw.js" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" "192.168.1.184"

Not sure what to do from here, I’m glad the config is fine.

OK I tried deleting the local volume mounts and redeploying the stack and it seemed to have made an improvement (as in I can see the login form now). However, I’m getting an error “missing or malformed jwt” upon clicking submit.

I’m including a link to the logs for both the frontend and api containers. hastebin

Vikunja would hide the login form if it can’t figure out if authentication is enabled or not. It does this by calling the /api/v1/info endpoint. If you can reach this through the browser it should work. If it does not, check if there are any errors in the browser dev tools console.

304 is not an error, it simply means the file hasn’t changed on the server so the browser doesn’t need to download it again.

That should only be happening for routes requiring authentication, not the login route. It could be a browser issue, can you try in a private window?

I ended up using Keycloak successfully with the following config:

auth:
  openid:
    enabled: true
    providers:
      - name: Name
        authurl: https://KEYCLOAK_HOST/auth/realms/REALM
        clientid: vikunja
        clientsecret: xxx

Keycloak seems to provide .well-known/openid-configuration at the root of the realm, not for each protocol.


Hi,
Are you planning to also implement the CAS SSO support?
https://www.apereo.org/projects/cas
Best regards,

Right now that’s not planned.

Hi, I just finished gitlab as SSO authentication, see my configuration:

auth:
  local:
  openid:
    enabled: true
    providers:
      - name: gitlab
        authurl: https://gitlab.example.fr
        clientid: <clientid see gitlab configuration>
        clientsecret: <clientsecret see gitlab configuration>

In gitlab go to Admin > Administration > Application > New Application

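An added example, not part of any post in this thread and not Vikunja's own code: a check that a candidate `authurl` is the issuer root that serves `.well-known/openid-configuration`, as the Keycloak post above describes for the realm URL. The helper names and the `keycloak.example` sample document are constructed for illustration.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample, shaped like a realm-level discovery document.
REALM_URL = "https://keycloak.example/auth/realms/demo"
SAMPLE_DOC = {
    "issuer": REALM_URL,
    "authorization_endpoint": REALM_URL + "/protocol/openid-connect/auth",
    "token_endpoint": REALM_URL + "/protocol/openid-connect/token",
    "jwks_uri": REALM_URL + "/protocol/openid-connect/certs",
}

def discovery_url(authurl):
    """Discovery document location for an issuer URL (trailing slash dropped)."""
    return authurl.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(authurl, doc):
    """Return a list of problems with a discovery document fetched for authurl."""
    problems = [f"missing {key}" for key in REQUIRED if not doc.get(key)]
    issuer = doc.get("issuer")
    # OpenID Connect Discovery requires the issuer to equal the URL the
    # document was looked up under; a mismatch means authurl is not the issuer.
    if issuer and issuer != authurl:
        problems.append(f"issuer {issuer!r} does not match authurl {authurl!r}")
    for key in REQUIRED:
        value = doc.get(key)
        if value and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not served over https")
    return problems

def fetch_and_check(authurl, timeout=5):
    """Fetch the live discovery document for authurl and check it (needs network)."""
    with urlopen(discovery_url(authurl), timeout=timeout) as resp:
        return check_discovery(authurl, json.load(resp))

if __name__ == "__main__":
    print(check_discovery(REALM_URL, SAMPLE_DOC))
    print(check_discovery(REALM_URL + "/protocol/openid-connect", SAMPLE_DOC))
```

`fetch_and_check` runs the same checks against a live provider; an empty list means the URL is usable as the issuer.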