go-vikunja/vikunja

OAuth Error : issuer did not match the issuer returned by provider


Description

I'm integrating Vikunja with Authentik. Somehow, the check that Vikunja does on the Issuer URL is not passing validation, and OAuth fails.

This is the error in the logs:

vikunja-server  | 2024-08-30T09:58:51.960523154Z: ERROR ▶ openid/GetAllProviders 156 Error while getting openid provider Authentik Login: oidc: issuer did not match the issuer returned by provider, expected "https://authentik.tld/application/o/vikunja/" got "https://authentik.tld/"

Here is the config.yaml:

auth:
  openid:
    enabled: true
    providers:
      - name: "Authentik Login"
        authurl: https://authentik.tld/application/o/vikunja/
        logouturl: https://authentik.tld/application/o/vikunja/end-session/
        clientid: <redacted>
        clientsecret: <redacted>

I don't have any means to update the issuer since it's Authentik, so I'm wondering how I can change this check in Vikunja.

Thanks!

Vikunja Version

v0.24.0

Browser and version

No response

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response

Does that happen during the start of Vikunja or when you're trying to authenticate?

Only when I browse to the homepage, not before

I'm using a very similar config with Authentik without issues. Which url is reported as the .well-known url in Authentik?

/application/o/vikunja/.well-known/openid-configuration


If you open that url, what is the response?

Browsing to this I get the expected json.

{
  "issuer": "https://auth.tld/",
  "authorization_endpoint": "https://auth.tld/application/o/authorize/",
  "token_endpoint": "https://auth.tld/application/o/token/",
  "userinfo_endpoint": "https://auth.tld/application/o/userinfo/",
  "end_session_endpoint": "https://auth.tld/application/o/vikunja/end-session/",
  "introspection_endpoint": "https://auth.tld/application/o/introspect/",
  "revocation_endpoint": "https://auth.tld/application/o/revoke/",
  "device_authorization_endpoint": "https://auth.tld/application/o/device/",
  "response_types_supported": [
    "code",
    "id_token",
    "id_token token",
    "code token",
    "code id_token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "jwks_uri": "https://auth.tld/application/o/vikunja/jwks/",
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit",
    "client_credentials",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "acr_values_supported": [
    "goauthentik.io/providers/oauth2/default"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile"
  ],
  "request_parameter_supported": false,
  "claims_supported": [
    "sub",
    "iss",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "amr",
    "nonce",
    "email",
    "email_verified",
    "name",
    "given_name",
    "preferred_username",
    "nickname",
    "groups"
  ],
  "claims_parameter_supported": false,
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}

That's what I don't understand: the root of the URL is the same, and yet it complains.

The issue is that my IdP (Authentik) does not allow changing the issuer field; it's the FQDN of the server.

The issuer reported from Authentik should be https://auth.tld/application/o/vikunja/. In my Authentik setup this is the case, so my guess is this is an issue with your setup. Do you see anything in Authentik's logs?

Yup indeed it was an issue in Authentik's provider configuration.

The option issuer_mode had to be set to per_provider (API reference).
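The check that produced the error in this thread, reconstructed as an added example (not Vikunja's or go-oidc's own code): an OIDC client derives the .well-known URL from the configured authurl and then requires the discovery document's issuer to match that value exactly. The two documents are constructed from the JSON quoted above, using auth.tld as the configured host in both; the first reproduces the server-wide issuer seen before the fix, the second the per-provider issuer after setting issuer_mode to per_provider.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// discoveryDoc keeps only the discovery fields relevant to this check.
type discoveryDoc struct {
	Issuer  string `json:"issuer"`
	JWKSURL string `json:"jwks_uri"`
}

// discoveryURL derives the .well-known URL from the configured issuer,
// which is what the client does with Vikunja's authurl.
func discoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// checkIssuer parses a discovery document and requires its "issuer" to be
// identical to the configured value (OIDC Discovery section 4.3). A mismatch
// yields the same message quoted in the issue's log line.
func checkIssuer(expected string, doc []byte) (*discoveryDoc, error) {
	var d discoveryDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("oidc: failed to decode provider discovery object: %w", err)
	}
	if d.Issuer != expected {
		return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", expected, d.Issuer)
	}
	return &d, nil
}

// Constructed sample: server-wide issuer, as returned before the fix.
const globalIssuerDoc = `{"issuer":"https://auth.tld/","jwks_uri":"https://auth.tld/application/o/vikunja/jwks/"}`

// Constructed sample: per-provider issuer, as returned after the fix.
const perProviderDoc = `{"issuer":"https://auth.tld/application/o/vikunja/","jwks_uri":"https://auth.tld/application/o/vikunja/jwks/"}`

func main() {
	const configured = "https://auth.tld/application/o/vikunja/"
	fmt.Println("discovery URL:", discoveryURL(configured))
	for _, doc := range []string{globalIssuerDoc, perProviderDoc} {
		if _, err := checkIssuer(configured, []byte(doc)); err != nil {
			fmt.Println("FAIL:", err)
		} else {
			fmt.Println("OK: issuer matches")
		}
	}
}
```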