OpenID Connect Server not working in Outline Notes
-
The app gets stuck in a loop: auth -> tocloudron -> auth page. The following error is thrown by Outline:
Highlight: "UnauthorizedError: An email field was not returned in the profile parameter, but is required."
I think the provider isn't sending back the user's email? Please check. Simply replacing the url of my.cloudron.tld to that of keycloak works, so there's something missing bit in the Cloudron implementation. Thanks!
{"error":"An email field was not returned in the profile parameter, but is required.","stack":"UnauthorizedError: An email field was not returned in the profile parameter, but is required.\n at AuthenticationError (/app/code/build/server/errors.js:38:34)\n at OAuth2Strategy._verify (/app/code/build/server/routes/auth/providers/oidc.js:60:47)\n at /app/code/node_modules/passport-oauth2/lib/strategy.js:196:24\n at OAuth2Strategy._passportOauth.Strategy.userProfile (/app/code/build/server/routes/auth/providers/oidc.js:32:12)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)","level":"error","message":"Error during authentication"}
-
@nj are you setting the
email
scope?It may be that your Keycloak client settings automatically add email claims by default, for the standard OpenID those have to be specified when the client flow is initiated https://docs.cloudron.io/user-management/#scopes-and-claims
-
@nebulon said in OpenID Connect Server not working in Outline Notes:
It may be that your Keycloak client settings automatically add email claims by default, for the standard OpenID those have to be specified when the client flow is initiated https://docs.cloudron.io/user-management/#scopes-and-claims
But it's the Outline app that initiates auth request with the Cloudron OpenID Connect server. I tried both
preferred_username
as well assub
but none worked. All other settings match with Cloudron's recommendations.Is it because
profile
doesn't includeemail
? -
That is correct,
profile
does not usually includeemail
. See https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes for more detail there.The app, in your case Outline has to request an auth flow with those scopes, so the app needs to tell the openID provider which properties (based on scope and claims) it should deliver. For which scopes have you configure Outline? It seems the default is already all three typical OpenID ones https://docs.getoutline.com/s/hosting/doc/oidc-8CPBm6uC0I
-
Link to docs for future reference - https://docs.cloudron.io/user-management/#endpoints
-
-