[Bug]: Cannot use GitHub for OAuth/OIDC login #2293

Closed
opened 2026-02-28 20:09:18 -06:00 by GiteaMirror · 7 comments

Originally created by @3ulalia on GitHub (Jul 19, 2025).

Verified issue does not already exist?

  • I have searched and found no existing issue

What happened?

OpenID cannot be enabled when GitHub is selected as an OAuth provider; doing so in the web UI yields the hard-coded "configure it in the server" message, while doing so in the config file or environment variables and then attempting to activate OpenID through the JS script yields:

TypeError: authorization_endpoint must be configured on the issuer
    at assertIssuerConfiguration (/app/node_modules/openid-client/lib/helpers/assert.js:17:11)
    at Client.authorizationUrl (/app/node_modules/openid-client/lib/client.js:287:5)
    at loginWithOpenIdSetup (file:///app/src/accounts/openid.js:114:24)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-account.js:75:36

How can we reproduce the issue?

  1. Install Actual Budget. (I am using Docker, but use your choice of installation.)
  2. Set the following environment variables:
ACTUAL_OPENID_CLIENT_SECRET=nopelmao
ACTUAL_OPENID_SERVER_HOSTNAME=http://actual.mydomain.org
ACTUAL_OPENID_ENFORCE=true
ACTUAL_OPENID_USERINFO_ENDPOINT=https://api.github.com/user
ACTUAL_OPENID_AUTHORIZATION_ENDPOINT=https://github.com/login/oauth/authorize
ACTUAL_OPENID_TOKEN_ENDPOINT=https://github.com/login/oauth/access_token
ACTUAL_OPENID_CLIENT_ID=notthisoneeither
ACTUAL_OPENID_AUTH_METHOD=oauth2
ACTUAL_OPENID_PROVIDER_NAME=GitHub
  3. Run the scripts/enable-openid.js script from the terminal.
  4. Attempt to log in using OpenID.
  5. See the above error.
  6. ???
  7. no profit :(

Where are you hosting Actual?

Docker

What browsers are you seeing the problem on?

Firefox

Operating System

Linux

GiteaMirror added the openidbug labels 2026-02-28 20:09:18 -06:00

@matt-fidd commented on GitHub (Jul 20, 2025):

That sounds to me like there's something you need to do on the GitHub side first.

@lelemm any ideas?


@lelemm commented on GitHub (Jul 21, 2025):

Looks like you're using an old version of Actual.
The command enable-openid was removed some versions ago.
Try running this on the latest version.

The env vars look right, based on the latest version.


@github-actions[bot] commented on GitHub (Jul 29, 2025):

This issue has been automatically closed because there have been no comments for 7 days after the "needs info" label was added. If you still need help, please feel free to reopen the issue with the requested information.


@3ulalia commented on GitHub (Aug 5, 2025):

Sorry, to clarify - I had already set the environment variables on the latest version, and Actual promptly ignored them and did not let me click "enable OpenID", neither in the first-time settings nor in settings after setting a global password. Every time I try to select GitHub, it gives me the same "GitHub does not support discovery. You need to configure it in the server" message. I ran enable-openid because I could find nothing else to do - unsurprisingly, it did not work.


@3ulalia commented on GitHub (Aug 5, 2025):

(I can't reopen this issue myself, but @youngcw @lelemm if you could?)


@lelemm commented on GitHub (Aug 15, 2025):

Sorry for the delayed reply.
The command was removed in favor of using a config file.
On every server restart, it will check for openid configuration in config.json or the env vars.
If it finds a configuration, it will enable openid for you.

Check the documentation here:
https://actualbudget.org/docs/config/oauth-auth

Use this json as base:

{
    "openId": {
        "issuer": {
            "name": "Github",
            "authorization_endpoint": "https://github.com/login/oauth/authorize",
            "token_endpoint": "https://github.com/login/oauth/access_token",
            "userinfo_endpoint": "https://api.github.com/user"
        },
        "client_id": "client_id given by github",
        "client_secret": "client_secret given by github",
        "server_hostname": "your Actual Server URL (so the provider redirects you to this)",
        "authMethod": "oauth2"
    }
}

or use env vars:

ACTUAL_OPENID_AUTHORIZATION_ENDPOINT=https://github.com/login/oauth/authorize
ACTUAL_OPENID_TOKEN_ENDPOINT=https://github.com/login/oauth/access_token
ACTUAL_OPENID_USERINFO_ENDPOINT=https://api.github.com/user
ACTUAL_OPENID_CLIENT_ID=<client_id given by github>
ACTUAL_OPENID_CLIENT_SECRET=<client_secret given by github>
ACTUAL_OPENID_SERVER_HOSTNAME=<your Actual Server URL (so the provider redirects you to this)>
ACTUAL_OPENID_AUTH_METHOD=oauth2
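A pre-flight check for the `openId` settings in the comment above, as an added example that is not part of the original comment and is not Actual's own loader. The env-to-JSON mapping is inferred from the two forms shown in the comment, and the validation rules and function names (`configFromEnv`, `checkOpenIdConfig`) are this example's own assumptions; it flags a missing `authorization_endpoint`, the condition named in the stack trace at the top of the issue.

```javascript
// Added example: validates the oauth2 (no-discovery) form from the comment.
// Mapping inferred from the comment's two forms; not the server's own code.
const ENV_MAP = {
  ACTUAL_OPENID_AUTHORIZATION_ENDPOINT: ['issuer', 'authorization_endpoint'],
  ACTUAL_OPENID_TOKEN_ENDPOINT: ['issuer', 'token_endpoint'],
  ACTUAL_OPENID_USERINFO_ENDPOINT: ['issuer', 'userinfo_endpoint'],
  ACTUAL_OPENID_PROVIDER_NAME: ['issuer', 'name'],
  ACTUAL_OPENID_CLIENT_ID: ['client_id'],
  ACTUAL_OPENID_CLIENT_SECRET: ['client_secret'],
  ACTUAL_OPENID_SERVER_HOSTNAME: ['server_hostname'],
  ACTUAL_OPENID_AUTH_METHOD: ['authMethod'],
};

function configFromEnv(env) {
  const cfg = { issuer: {} };
  for (const [name, path] of Object.entries(ENV_MAP)) {
    if (!env[name]) continue;
    if (path.length === 2) cfg[path[0]][path[1]] = env[name];
    else cfg[path[0]] = env[name];
  }
  return cfg;
}

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

function checkOpenIdConfig(cfg) {
  const errors = [];
  const warnings = [];
  const issuer = cfg.issuer && typeof cfg.issuer === 'object' ? cfg.issuer : {};
  if (cfg.authMethod !== 'oauth2') errors.push('authMethod: expected "oauth2"');
  for (const key of ['authorization_endpoint', 'token_endpoint', 'userinfo_endpoint']) {
    const url = parseUrl(issuer[key]);
    if (!url) errors.push(`issuer.${key}: missing or not an absolute URL`);
    else if (url.protocol !== 'https:') errors.push(`issuer.${key}: must use https`);
  }
  for (const key of ['client_id', 'client_secret']) {
    // The template text "... given by github" means the value was never filled in.
    if (!cfg[key] || /given by github/i.test(cfg[key])) {
      errors.push(`${key}: missing or still the template placeholder`);
    }
  }
  const host = parseUrl(cfg.server_hostname);
  if (!host) errors.push('server_hostname: missing or not an absolute URL');
  else if (host.protocol !== 'https:') {
    warnings.push('server_hostname: plain http exposes the authorization code on redirect');
  }
  return { ok: errors.length === 0, errors, warnings };
}
```

Run it with `checkOpenIdConfig(configFromEnv(process.env))` inside the container, or pass the parsed `openId` object from config.json directly to `checkOpenIdConfig`.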

@lwschan commented on GitHub (Nov 3, 2025):

I am running Actual Budget in my Kubernetes cluster with these env vars, it does not seem like it is configuring login for GitHub on server restart.

/app $ printenv | grep ACTUAL
ACTUAL_OPENID_PROVIDER_NAME=GitHub
ACTUAL_LOGIN_METHOD=openid
ACTUAL_OPENID_AUTH_METHOD=oauth2
ACTUAL_BUDGET_SERVICE_PORT_HTTP=5006
ACTUAL_OPENID_USERINFO_ENDPOINT=https://api.github.com/user
ACTUAL_OPENID_TOKEN_ENDPOINT=https://github.com/login/oauth/access_token
ACTUAL_OPENID_AUTHORIZATION_ENDPOINT=https://github.com/login/oauth/authorize
ACTUAL_BUDGET_PORT_5006_TCP_ADDR=10.43.172.63
ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB=20
ACTUAL_BUDGET_PORT_5006_TCP_PORT=5006
ACTUAL_BUDGET_PORT_5006_TCP_PROTO=tcp
ACTUAL_BUDGET_SERVICE_HOST=10.43.172.63
ACTUAL_OPENID_SERVER_HOSTNAME=https://actual.example.com
ACTUAL_SERVER_FILES=/data/server-files
ACTUAL_TOKEN_EXPIRATION=openid-provider
ACTUAL_OPENID_ENFORCE=true
ACTUAL_USER_FILES=/data/user-files
ACTUAL_BUDGET_PORT=tcp://10.43.172.63:5006
ACTUAL_BUDGET_SERVICE_PORT=5006
ACTUAL_BUDGET_PORT_5006_TCP=tcp://10.43.172.63:5006
ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB=20
ACTUAL_MULTIUSER=true
ACTUAL_PORT=5006
ACTUAL_DATA_DIR=/data
ACTUAL_OPENID_CLIENT_ID=<id>
ACTUAL_OPENID_CLIENT_SECRET=<secret>
ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SYNC_SIZE_LIMIT_MB=50
ACTUAL_ALLOWED_LOGIN_METHODS=openid

This is what /account/needs-bootstrap returns before a password is set

{
    "status": "ok",
    "data": {
        "bootstrapped": false,
        "loginMethod": "openid",
        "availableLoginMethods": [],
        "multiuser": false
    }
}

Once a password is set, the same endpoint then returns

{
    "status": "ok",
    "data": {
        "bootstrapped": true,
        "loginMethod": "password",
        "availableLoginMethods": [
            {
                "method": "password",
                "active": 1,
                "displayName": "Password"
            }
        ],
        "multiuser": false
    }
}

/account/login-methods also does not have openid as the login method

{
    "status": "ok",
    "methods": [
        {
            "method": "password",
            "active": 1,
            "displayName": "Password"
        }
    ]
}

There is no prompt or button for me to login via GitHub after logging in with password

Reference: github-starred/actual#2293