Apps with OpenID Connect Provider (beta)

girish

@nebulon Can we have mulitple key algos?

luckow

@girish maybe the same problem with Freescout? https://freescout.net/module/saml/

Requirements
Signature Algorithm is RSA-SHA256.

nebulon

Yes we can support multiple ones https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#jwks

I went for the recommended format first. Some more info about key algorithms https://www.scottbrady91.com/jose/jwts-which-signing-algorithm-should-i-use

nebulon

@luckow I have added RS256 now, but so far I haven't managed to get to the point to see the signature validation error. Can you spot something missing in my test env file:

OIDC_NAME=Cloudron
OIDC_DISPLAY_NAME_CLAIMS=name
OIDC_CLIENT_ID=bookstackid
OIDC_CLIENT_SECRET=bookstacksecret
OIDC_ISSUER=https://nebulon.space
OIDC_ISSUER_DISCOVER=false
OIDC_AUTH_ENDPOINT=https://my.nebulon.space/openid/auth
OIDC_TOKEN_ENDPOINT=https://my.nebulon.space/openid/token

The autodiscovery via .well-known also failed like you mentioned.

luckow

@nebulon I followed
https://www.bookstackapp.com/docs/admin/oidc-auth/

With OIDC_ISSUER_DISCOVER=true the error is

OIDC Discovery Error: Unexpected issuer value found on discovery response

With OIDC_ISSUER_DISCOVER=false the error is

unrecognized route or not allowed method (GET on /interaction/uNAJ4bnbXdzrsVTA7pIl9/confirm)

I have no idea, but maybe
OIDC_PUBLIC_KEY=https://my.example.org/openid/jwks is wrong.
The documentation says something with a .pem file:

# Path to identity provider token signing public RSA key
OIDC_PUBLIC_KEY=file:///keys/idp-public-key.pem

luckow

@luckow Update: after going "back" to the Bookstack home page (with the sso login button) and clicking again (with a valid login on my oic provider), I get the error again:

ID token validate failed with error: Only RS256 signature validation is supported. Token reports using EdDSA

nebulon

Wrong forum section, I will move this to support as it is more like a generic OpenID thread now.

I managed to get freescout working now with https://freescout.net/module/oauth-login/ and the added RS256 signature validation. We should be able to get this into 7.4.1

luckow

@nebulon btw. we also have a UI glitch

nebulon

I have removed the display of the secret now. Also 7.4.1 will support multiple redirectURIs with native app support. This was required for getting immich to work.

Lets keep those issues coming so we can fix that up one-by-one

luckow

To test Superset with Oauth we need an additional library

Apr 10 13:10:48 from authlib.integrations.flask_client import OAuth
Apr 10 13:10:48 ModuleNotFoundError: No module named 'authlib'

Referring to https://superset.apache.org/docs/installation/configuring-superset/#custom-oauth2-configuration

girish

@luckow thanks, added it for next package release.

andreasdueren

I'm still struggling to properly set up openID with my applications. For example with Leantime I get The received provider https://my.domain.tld/openid does not match the local setting https://my.domain.tld/.well-known/openid-configuration after authentification. And ctfreak will complain that redirect_uris for native clients using http as a protocol can only use loopback addresses as hostnames and using https won't work.