Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Discuss
  3. Apps with OpenID Connect Provider (beta)

Apps with OpenID Connect Provider (beta)

Scheduled Pinned Locked Moved Discuss
13 Posts 4 Posters 2.4k Views 4 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • girishG Offline
    girishG Offline
    girish
    Staff
    wrote on last edited by
    #2

    @nebulon Can we have mulitple key algos?

    luckowL 1 Reply Last reply
    0
    • girishG girish

      @nebulon Can we have mulitple key algos?

      luckowL Offline
      luckowL Offline
      luckow
      translator
      wrote on last edited by
      #3

      @girish maybe the same problem with Freescout? https://freescout.net/module/saml/

      Requirements
      Signature Algorithm is RSA-SHA256.

      Pronouns: he/him | Primary language: German

      1 Reply Last reply
      0
      • nebulonN Away
        nebulonN Away
        nebulon
        Staff
        wrote on last edited by
        #4

        Yes we can support multiple ones https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#jwks

        I went for the recommended format first. Some more info about key algorithms https://www.scottbrady91.com/jose/jwts-which-signing-algorithm-should-i-use

        1 Reply Last reply
        2
        • luckowL luckow

          Autodiscovery does not work and after manual entry of endpoints:

          ID token validate failed with error: Only RS256 signature validation is supported. Token reports using EdDSA
          

          Maybe this is the reason -> https://github.com/BookStackApp/BookStack/issues/3206

          nebulonN Away
          nebulonN Away
          nebulon
          Staff
          wrote on last edited by
          #5

          @luckow I have added RS256 now, but so far I haven't managed to get to the point to see the signature validation error. Can you spot something missing in my test env file:

          OIDC_NAME=Cloudron
          OIDC_DISPLAY_NAME_CLAIMS=name
          OIDC_CLIENT_ID=bookstackid
          OIDC_CLIENT_SECRET=bookstacksecret
          OIDC_ISSUER=https://nebulon.space
          OIDC_ISSUER_DISCOVER=false
          OIDC_AUTH_ENDPOINT=https://my.nebulon.space/openid/auth
          OIDC_TOKEN_ENDPOINT=https://my.nebulon.space/openid/token
          

          The autodiscovery via .well-known also failed like you mentioned.

          luckowL 1 Reply Last reply
          1
          • nebulonN nebulon marked this topic as a question on
          • nebulonN nebulon

            @luckow I have added RS256 now, but so far I haven't managed to get to the point to see the signature validation error. Can you spot something missing in my test env file:

            OIDC_NAME=Cloudron
            OIDC_DISPLAY_NAME_CLAIMS=name
            OIDC_CLIENT_ID=bookstackid
            OIDC_CLIENT_SECRET=bookstacksecret
            OIDC_ISSUER=https://nebulon.space
            OIDC_ISSUER_DISCOVER=false
            OIDC_AUTH_ENDPOINT=https://my.nebulon.space/openid/auth
            OIDC_TOKEN_ENDPOINT=https://my.nebulon.space/openid/token
            

            The autodiscovery via .well-known also failed like you mentioned.

            luckowL Offline
            luckowL Offline
            luckow
            translator
            wrote on last edited by
            #6

            @nebulon I followed
            https://www.bookstackapp.com/docs/admin/oidc-auth/

            With OIDC_ISSUER_DISCOVER=true the error is

            OIDC Discovery Error: Unexpected issuer value found on discovery response
            

            With OIDC_ISSUER_DISCOVER=false the error is

            unrecognized route or not allowed method (GET on /interaction/uNAJ4bnbXdzrsVTA7pIl9/confirm)
            

            I have no idea, but maybe
            OIDC_PUBLIC_KEY=https://my.example.org/openid/jwks is wrong.
            The documentation says something with a .pem file:

            # Path to identity provider token signing public RSA key
            OIDC_PUBLIC_KEY=file:///keys/idp-public-key.pem
            

            Pronouns: he/him | Primary language: German

            luckowL 1 Reply Last reply
            1
            • luckowL luckow

              @nebulon I followed
              https://www.bookstackapp.com/docs/admin/oidc-auth/

              With OIDC_ISSUER_DISCOVER=true the error is

              OIDC Discovery Error: Unexpected issuer value found on discovery response
              

              With OIDC_ISSUER_DISCOVER=false the error is

              unrecognized route or not allowed method (GET on /interaction/uNAJ4bnbXdzrsVTA7pIl9/confirm)
              

              I have no idea, but maybe
              OIDC_PUBLIC_KEY=https://my.example.org/openid/jwks is wrong.
              The documentation says something with a .pem file:

              # Path to identity provider token signing public RSA key
              OIDC_PUBLIC_KEY=file:///keys/idp-public-key.pem
              
              luckowL Offline
              luckowL Offline
              luckow
              translator
              wrote on last edited by
              #7

              @luckow Update: after going "back" to the Bookstack home page (with the sso login button) and clicking again (with a valid login on my oic provider), I get the error again:

              ID token validate failed with error: Only RS256 signature validation is supported. Token reports using EdDSA
              

              Pronouns: he/him | Primary language: German

              1 Reply Last reply
              1
              • nebulonN Away
                nebulonN Away
                nebulon
                Staff
                wrote on last edited by
                #8

                Wrong forum section, I will move this to support as it is more like a generic OpenID thread now.

                I managed to get freescout working now with https://freescout.net/module/oauth-login/ and the added RS256 signature validation. We should be able to get this into 7.4.1

                luckowL 1 Reply Last reply
                2
                • nebulonN nebulon moved this topic from BookStack on
                • nebulonN nebulon

                  Wrong forum section, I will move this to support as it is more like a generic OpenID thread now.

                  I managed to get freescout working now with https://freescout.net/module/oauth-login/ and the added RS256 signature validation. We should be able to get this into 7.4.1

                  luckowL Offline
                  luckowL Offline
                  luckow
                  translator
                  wrote on last edited by
                  #9

                  @nebulon btw. we also have a UI glitch

                  a6c23b94-3e42-414c-a359-6c4ee7e5a9e7-image.png

                  Pronouns: he/him | Primary language: German

                  1 Reply Last reply
                  1
                  • nebulonN Away
                    nebulonN Away
                    nebulon
                    Staff
                    wrote on last edited by
                    #10

                    I have removed the display of the secret now. Also 7.4.1 will support multiple redirectURIs with native app support. This was required for getting immich to work.

                    Lets keep those issues coming so we can fix that up one-by-one

                    1 Reply Last reply
                    2
                    • nebulonN nebulon marked this topic as a regular topic on
                    • girishG girish moved this topic from Support on
                    • luckowL Offline
                      luckowL Offline
                      luckow
                      translator
                      wrote on last edited by
                      #11

                      To test Superset with Oauth we need an additional library

                      Apr 10 13:10:48 from authlib.integrations.flask_client import OAuth
                      Apr 10 13:10:48 ModuleNotFoundError: No module named 'authlib'
                      

                      Referring to https://superset.apache.org/docs/installation/configuring-superset/#custom-oauth2-configuration

                      Pronouns: he/him | Primary language: German

                      girishG 1 Reply Last reply
                      1
                      • luckowL luckow

                        To test Superset with Oauth we need an additional library

                        Apr 10 13:10:48 from authlib.integrations.flask_client import OAuth
                        Apr 10 13:10:48 ModuleNotFoundError: No module named 'authlib'
                        

                        Referring to https://superset.apache.org/docs/installation/configuring-superset/#custom-oauth2-configuration

                        girishG Offline
                        girishG Offline
                        girish
                        Staff
                        wrote on last edited by
                        #12

                        @luckow thanks, added it for next package release.

                        1 Reply Last reply
                        1
                        • luckowL luckow referenced this topic on
                        • andreasduerenA Offline
                          andreasduerenA Offline
                          andreasdueren
                          wrote on last edited by andreasdueren
                          #13

                          I'm still struggling to properly set up openID with my applications. For example with Leantime I get The received provider https://my.domain.tld/openid does not match the local setting https://my.domain.tld/.well-known/openid-configuration after authentification. And ctfreak will complain that redirect_uris for native clients using http as a protocol can only use loopback addresses as hostnames and using https won't work.

                          1 Reply Last reply
                          1
                          • andreasduerenA andreasdueren referenced this topic on
                          Reply
                          • Reply as topic
                          Log in to reply
                          • Oldest to Newest
                          • Newest to Oldest
                          • Most Votes


                          • Login

                          • Don't have an account? Register

                          • Login or register to search.
                          • First post
                            Last post
                          0
                          • Categories
                          • Recent
                          • Tags
                          • Popular
                          • Bookmarks
                          • Search