-
Autodiscovery does not work and after manual entry of endpoints:
ID token validate failed with error: Only RS256 signature validation is supported. Token reports using EdDSA
Maybe this is the reason -> https://github.com/BookStackApp/BookStack/issues/3206
-
@girish maybe the same problem with Freescout? https://freescout.net/module/saml/
Requirements
Signature Algorithm is RSA-SHA256.
-
Yes we can support multiple ones https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#jwks
I went for the recommended format first. Some more info about key algorithms https://www.scottbrady91.com/jose/jwts-which-signing-algorithm-should-i-use
-
@luckow I have added RS256 now, but so far I haven't managed to get to the point to see the signature validation error. Can you spot something missing in my test env file:
OIDC_NAME=Cloudron OIDC_DISPLAY_NAME_CLAIMS=name OIDC_CLIENT_ID=bookstackid OIDC_CLIENT_SECRET=bookstacksecret OIDC_ISSUER=https://nebulon.space OIDC_ISSUER_DISCOVER=false OIDC_AUTH_ENDPOINT=https://my.nebulon.space/openid/auth OIDC_TOKEN_ENDPOINT=https://my.nebulon.space/openid/token
The autodiscovery via .well-known also failed like you mentioned.
-
-
@nebulon I followed
https://www.bookstackapp.com/docs/admin/oidc-auth/With
OIDC_ISSUER_DISCOVER=true
the error isOIDC Discovery Error: Unexpected issuer value found on discovery response
With
OIDC_ISSUER_DISCOVER=false
the error isunrecognized route or not allowed method (GET on /interaction/uNAJ4bnbXdzrsVTA7pIl9/confirm)
I have no idea, but maybe
OIDC_PUBLIC_KEY=https://my.example.org/openid/jwks
is wrong.
The documentation says something with a .pem file:# Path to identity provider token signing public RSA key OIDC_PUBLIC_KEY=file:///keys/idp-public-key.pem
-
@luckow Update: after going "back" to the Bookstack home page (with the sso login button) and clicking again (with a valid login on my oic provider), I get the error again:
ID token validate failed with error: Only RS256 signature validation is supported. Token reports using EdDSA
-
Wrong forum section, I will move this to support as it is more like a generic OpenID thread now.
I managed to get freescout working now with https://freescout.net/module/oauth-login/ and the added RS256 signature validation. We should be able to get this into 7.4.1
-
-
-
-
To test Superset with Oauth we need an additional library
Apr 10 13:10:48 from authlib.integrations.flask_client import OAuth Apr 10 13:10:48 ModuleNotFoundError: No module named 'authlib'
Referring to https://superset.apache.org/docs/installation/configuring-superset/#custom-oauth2-configuration
-
-
I'm still struggling to properly set up openID with my applications. For example with Leantime I get
The received provider https://my.domain.tld/openid does not match the local setting https://my.domain.tld/.well-known/openid-configuration
after authentification. And ctfreak will complain thatredirect_uris for native clients using http as a protocol can only use loopback addresses as hostnames
and using https won't work. -