OpenID Connect Server not working in Outline Notes

nj

The app gets stuck in a loop: auth -> tocloudron -> auth page. The following error is thrown by Outline:

Highlight: "UnauthorizedError: An email field was not returned in the profile parameter, but is required."

I think the provider isn't sending back the user's email? Please check. Simply replacing the url of my.cloudron.tld to that of keycloak works, so there's something missing bit in the Cloudron implementation. Thanks!

{"error":"An email field was not returned in the profile parameter, but is required.","stack":"UnauthorizedError: An email field was not returned in the profile parameter, but is required.\n at AuthenticationError (/app/code/build/server/errors.js:38:34)\n at OAuth2Strategy._verify (/app/code/build/server/routes/auth/providers/oidc.js:60:47)\n at /app/code/node_modules/passport-oauth2/lib/strategy.js:196:24\n at OAuth2Strategy._passportOauth.Strategy.userProfile (/app/code/build/server/routes/auth/providers/oidc.js:32:12)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)","level":"error","message":"Error during authentication"}

nebulon

@nj are you setting the email scope?

It may be that your Keycloak client settings automatically add email claims by default, for the standard OpenID those have to be specified when the client flow is initiated https://docs.cloudron.io/user-management/#scopes-and-claims

nj

@nebulon said in OpenID Connect Server not working in Outline Notes:

It may be that your Keycloak client settings automatically add email claims by default, for the standard OpenID those have to be specified when the client flow is initiated https://docs.cloudron.io/user-management/#scopes-and-claims

But it's the Outline app that initiates auth request with the Cloudron OpenID Connect server. I tried both preferred_username as well as sub but none worked. All other settings match with Cloudron's recommendations.

Is it because profile doesn't include email ?

nebulon

That is correct, profile does not usually include email. See https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes for more detail there.

The app, in your case Outline has to request an auth flow with those scopes, so the app needs to tell the openID provider which properties (based on scope and claims) it should deliver. For which scopes have you configure Outline? It seems the default is already all three typical OpenID ones https://docs.getoutline.com/s/hosting/doc/oidc-8CPBm6uC0I

nj

I understood that profile doesn’t include “email” and email is a separate scope. But still with stock setup in Keycloak vs Cloudron, the Keycloak version works and Cloudron version of the provider doesn’t work. This is what’s strange.

nebulon

So if you add that scope to the app's setting, does it work then or is it still not working?

nj

I'm sorry, it was an error on my part. I had used the URL /openid/userinfo instead of /openid/me.

nebulon

Ah right, I had initially an alias set, since both seem to be used on equal basis, however since in my experience many apps rely on the info of the well-known, I removed that again. It's also documented in the main openid settings page.

girish

Link to docs for future reference - https://docs.cloudron.io/user-management/#endpoints