Can't configure OpenID with Azure #1975

New Issue

GiteaMirror · 2026-03-22T13:49:00-05:00

GiteaMirror commented

2026-03-22 13:49:00 -05:00

Originally created by @NLE-IENA on GitHub (Jul 18, 2024).

Description

Hello,

I'm trying to configure openid connection with Azure Entra ID.
I don't usually have issue to connect application to Azure Entra ID (already have some) but I still have a problem with Vikunja. You're my last hope.

I use the docker installation and have mount a config.yml (copied from the sample and edited with my parameters).
This part is ok but the application seems to not found the routes to my Azure conf.

Here my error:

2024-07-18T14:23:11.417750941Z: WEB     ▶ 82.66.162.100  GET 200 /workbox-v7.0.0/workbox-sw.js 224.612µs - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0

2024-07-18T14:23:11.504642469Z: ERROR   ▶ openid/GetAllProviders 0e0 Error while getting openid provider Azure: 404 Not Found:

2024-07-18T14:23:11.504842449Z: WEB     ▶ 82.66.162.100  GET 200 /api/v1/info 112.370337ms - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0

We can see a 404 error but can't understand why.

Here my auth configuration:
`auth:
local:
enabled: true

openid:
    enabled: true
    redirecturl: "https://vikunja.mydomain/auth/openid/"  <-- I found a previous issue which explain to take care to the "/" here
    providers:
        - name: "Azure"
          authurl: "https://login.microsoftonline.com/my_tenant/oauth2/v2.0/authorize"
          # Leave empty or delete key, if you do not want to be redirected.
          #logouturl:
          clientid: my_client
          clientsecret: my_secret
          scope: openid email profile`

We can also see in the api/v1/info page the provider not appaers:

{
    "version": "v0.24.0",
    "frontend_url": "https://vikunja.mydomain/",
    "motd": "",
    "link_sharing_enabled": true,
    "max_file_size": "20MB",
    "registration_enabled": true,
    "available_migrators": [
        "vikunja-file",
        "ticktick"
    ],
    "task_attachments_enabled": true,
    "enabled_background_providers": [
        "upload"
    ],
    "totp_enabled": true,
    "legal": {
        "imprint_url": "",
        "privacy_policy_url": ""
    },
    "caldav_enabled": true,
    "auth": {
        "local": {
            "enabled": true
        },
        "openid_connect": {
            "enabled": true,
            "providers": []   <--- HERE
        }
    },
    "email_reminders_enabled": true,
    "user_deletion_enabled": true,
    "task_comments_enabled": true,
    "demo_mode_enabled": false,
    "webhooks_enabled": true,
    "public_teams_enabled": false
}

Can you help me find what's wrong please ?

Thank you
Nicolas

Vikunja Version

0.24

Browser and version

No response

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response

Originally created by @NLE-IENA on GitHub (Jul 18, 2024). ### Description Hello, I'm trying to configure openid connection with Azure Entra ID. I don't usually have issue to connect application to Azure Entra ID (already have some) but I still have a problem with Vikunja. You're my last hope. I use the docker installation and have mount a config.yml (copied from the sample and edited with my parameters). This part is ok but the application seems to not found the routes to my Azure conf. Here my error: ``` 2024-07-18T14:23:11.417750941Z: WEB ▶ 82.66.162.100 GET 200 /workbox-v7.0.0/workbox-sw.js 224.612µs - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0 2024-07-18T14:23:11.504642469Z: ERROR ▶ openid/GetAllProviders 0e0 Error while getting openid provider Azure: 404 Not Found: 2024-07-18T14:23:11.504842449Z: WEB ▶ 82.66.162.100 GET 200 /api/v1/info 112.370337ms - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0 ``` We can see a 404 error but can't understand why. Here my auth configuration: `auth: local: enabled: true openid: enabled: true redirecturl: "https://vikunja.mydomain/auth/openid/" <-- I found a previous issue which explain to take care to the "/" here providers: - name: "Azure" authurl: "https://login.microsoftonline.com/my_tenant/oauth2/v2.0/authorize" # Leave empty or delete key, if you do not want to be redirected. #logouturl: clientid: my_client clientsecret: my_secret scope: openid email profile` We can also see in the api/v1/info page the provider not appaers: ``` { "version": "v0.24.0", "frontend_url": "https://vikunja.mydomain/", "motd": "", "link_sharing_enabled": true, "max_file_size": "20MB", "registration_enabled": true, "available_migrators": [ "vikunja-file", "ticktick" ], "task_attachments_enabled": true, "enabled_background_providers": [ "upload" ], "totp_enabled": true, "legal": { "imprint_url": "", "privacy_policy_url": "" }, "caldav_enabled": true, "auth": { "local": { "enabled": true }, "openid_connect": { "enabled": true, "providers": [] <--- HERE } }, "email_reminders_enabled": true, "user_deletion_enabled": true, "task_comments_enabled": true, "demo_mode_enabled": false, "webhooks_enabled": true, "public_teams_enabled": false } ``` Can you help me find what's wrong please ? Thank you Nicolas ### Vikunja Version 0.24 ### Browser and version _No response_ ### Can you reproduce the bug on the Vikunja demo site? No ### Screenshots _No response_

GiteaMirror closed this issue

2026-03-22 13:49:00 -05:00

GiteaMirror commented

2026-03-22 13:49:01 -05:00

@kolaente commented on GitHub (Jul 19, 2024):

The authurl should be the issuer url. I don't really know anything about Azure Entrada, but the URL you have in there looks like the authorize URL.

Also check out the docs: https://vikunja.io/docs/openid#step-2-configure-vikunja

@kolaente commented on GitHub (Jul 19, 2024): The authurl should be the issuer url. I don't really know anything about Azure Entrada, but the URL you have in there looks like the authorize URL. Also check out the docs: https://vikunja.io/docs/openid#step-2-configure-vikunja

GiteaMirror commented

2026-03-22 13:49:01 -05:00

@NLE-IENA commented on GitHub (Jul 19, 2024):

Hello, thanks for your answer but it's not logic.
In the documentation I look and you re-sent, it's clearly write to use authurl.
So that's what I use for my Azure. It seemed to me that openid works the same way everywhere which makes it so interesting.

Nevermind with your answer I manage to pass through the error. For those who encounter the problem, here is the url that I had to enter in my authurl variable: https://sts.windows.net/<tenant_id>.

I also had to modify the redirection url in my Azure app because I indicated this one by following the documentation: https://vikunja.mydomain/auth/openid/ whereas this is the one that Azure expected https://vikunja.mydomain/auth/openid/azure.

Finally I still need a little help @kolaente because now the link with Azure seems well done but the tool gives me the following error.

ERROR   ▶ openid/HandleCallback 12c Claim does not contain an email address for provider Azure
ERROR   ▶ openid/HandleCallback 12d No email provided

However, I have correctly configured the access rights to my applications on the following elements.

@NLE-IENA commented on GitHub (Jul 19, 2024): Hello, thanks for your answer but it's not logic. In the documentation I look and you re-sent, it's clearly write to use authurl. So that's what I use for my Azure. It seemed to me that openid works the same way everywhere which makes it so interesting. Nevermind with your answer I manage to pass through the error. For those who encounter the problem, here is the url that I had to enter in my authurl variable: https://sts.windows.net/<tenant_id>. I also had to modify the redirection url in my Azure app because I indicated this one by following the documentation: https://vikunja.mydomain/auth/openid/ whereas this is the one that Azure expected https://vikunja.mydomain/auth/openid/azure. Finally I still need a little help @kolaente because now the link with Azure seems well done but the tool gives me the following error. ``` ERROR ▶ openid/HandleCallback 12c Claim does not contain an email address for provider Azure ERROR ▶ openid/HandleCallback 12d No email provided ``` However, I have correctly configured the access rights to my applications on the following elements. ![image](https://github.com/user-attachments/assets/e0b9c194-3851-4af4-bbd8-649ab7d9a520)

GiteaMirror commented

2026-03-22 13:49:01 -05:00

@kolaente commented on GitHub (Jul 19, 2024):

I also had to modify the redirection url in my Azure app because I indicated this one by following the documentation: https://vikunja.mydomain/auth/openid/ whereas this is the one that Azure expected https://vikunja.mydomain/auth/openid/azure.

The redirect url mentioned in the docs is the one for Vikunja's auth.redirecturl. In Azure you need to use the url you found out.

Finally I still need a little help @kolaente because now the link with Azure seems well done but the tool gives me the following error.

Does your user allow email sharing? I don't know how Azure handles this, but some providers require the user to agree to email sharing for third party providers. Quoting from https://vikunja.io/docs/config-options/#openid:

Some openid providers (like Gitlab) only make the email of the user available through OpenID if they have set it to be publicly visible. If the email is not public in those cases, authenticating will fail.

@kolaente commented on GitHub (Jul 19, 2024): > I also had to modify the redirection url in my Azure app because I indicated this one by following the documentation: https://vikunja.mydomain/auth/openid/ whereas this is the one that Azure expected https://vikunja.mydomain/auth/openid/azure. The redirect url mentioned in the docs is the one for Vikunja's `auth.redirecturl`. In Azure you need to use the url you found out. > Finally I still need a little help @kolaente because now the link with Azure seems well done but the tool gives me the following error. Does your user allow email sharing? I don't know how Azure handles this, but some providers require the user to agree to email sharing for third party providers. Quoting from https://vikunja.io/docs/config-options/#openid: > Some openid providers (like Gitlab) only make the email of the user available through OpenID if they have set it to be publicly visible. If the email is not public in those cases, authenticating will fail.

GiteaMirror commented

2026-03-22 13:49:01 -05:00

@NLE-IENA commented on GitHub (Jul 19, 2024):

I struggled a bit to understand your last point but it's ok now ! Thank you !
I'll try to configure teams now but it's already really good.

Are you interesseted by my configurations, urls, steps, etc in Azure and Vikunja conf for the documentation maybe ?

Thank you
Nicolas

@NLE-IENA commented on GitHub (Jul 19, 2024): I struggled a bit to understand your last point but it's ok now ! Thank you ! I'll try to configure teams now but it's already really good. Are you interesseted by my configurations, urls, steps, etc in Azure and Vikunja conf for the documentation maybe ? Thank you Nicolas

GiteaMirror commented

2026-03-22 13:49:01 -05:00

@kolaente commented on GitHub (Jul 19, 2024):

I'd love a contribution to the examples! https://vikunja.io/docs/openid-example-configurations

@kolaente commented on GitHub (Jul 19, 2024): I'd love a contribution to the examples! https://vikunja.io/docs/openid-example-configurations

GiteaMirror commented

2026-03-22 13:49:02 -05:00

@NLE-IENA commented on GitHub (Jul 19, 2024):

Ok so for Azure:

Configuration in Vikunja Application

authurl in the application's configuration file:
The expected value for both the application and Azure is:
"https://sts.windows.net/<tenant_id>/"

Configuration in Azure

Redirect URL:
The redirect URL should be:
"https://vikunja.iena.com/auth/openid/<provider_name_in_conf_file>"
Authorized APIs:

The following delegated APIs must be authorized:

email
openid
profile
User.Read

Creating a Secret
Token Configuration:

In the application's token configuration, add an optional claim:

Select ID and then email.

Do you need/want more details ?

@NLE-IENA commented on GitHub (Jul 19, 2024): Ok so for Azure: **Configuration in Vikunja Application** 1. authurl in the application's configuration file: The expected value for both the application and Azure is: `"https://sts.windows.net/<tenant_id>/"` **Configuration in Azure** 1. Redirect URL: The redirect URL should be: `"https://vikunja.iena.com/auth/openid/<provider_name_in_conf_file>"` 2. Authorized APIs: The following delegated APIs must be authorized: - email - openid - profile - User.Read 3. Creating a Secret 4. Token Configuration: In the application's token configuration, add an optional claim: - Select ID and then email. Do you need/want more details ?

GiteaMirror commented

2026-03-22 13:49:02 -05:00

@kolaente commented on GitHub (Jul 21, 2024):

I think that should work. Added your text (with a few modifications) to https://vikunja.io/docs/openid-example-configurations#azure-entrada-id

Many thanks!

@kolaente commented on GitHub (Jul 21, 2024): I think that should work. Added your text (with a few modifications) to https://vikunja.io/docs/openid-example-configurations#azure-entrada-id Many thanks!

GiteaMirror referenced this issue

2026-03-22 14:55:19 -05:00

[PR #1975] [MERGED] chore(deps): update actions/cache digest to 9255dc7 #3838

GiteaMirror referenced this issue

2026-04-16 13:36:08 -05:00

[PR #1975] [MERGED] chore(deps): update actions/cache digest to 9255dc7 #5379

GiteaMirror referenced this issue

2026-04-20 17:57:24 -05:00

[PR #1975] [MERGED] chore(deps): update actions/cache digest to 9255dc7 #7963

GiteaMirror referenced this issue

2026-04-23 09:08:50 -05:00

[PR #1975] [MERGED] chore(deps): update actions/cache digest to 9255dc7 #9679

Sign in to join this conversation.

Branches Tags

main

renovate/dev-dependencies

claude/analyze-beans-project-9VxoS

feat-huma-api-v2-migration

feat-v2-foundation

spike-huma-openapi3

claude/investigate-swagger3-support-nyyUa

feat-list-view-buckets

ci-mysql-8-test

codex/analyze-codebase-for-email-task-feature

feat-project-templates

csv-import-feature

claude/email-reply-comments-wpdcQ

fix-oidc-pkce-support

fix/overview-subtasks-expand

feat/bucket-select-task-detail

feat-soft-delete-projects

claude/review-bot-design-plan-cf5C3

claude/project-scoped-api-tokens-KTqR3

claude/explore-openclaw-integration-KQEzg

claude/project-scoped-api-tokens-yv5KS

fix-duplicate-close-button

feat-list-view-sorting

feat/official-vite-sentry-plugin

feat/highlight-overdue-tasks

feat/add-enter-key-form-submission-handling

feat/TipTap-nits

feat/update-caldavtimetotimestamp-parsing

feat-phosphor-icons

wip-plans

claude/investigate-issue-2173-llKme

fix-description-text-drag

feat-custom-keyboard-shortcuts

pr-1845-ci

codex/fix-drag-and-drop-behavior-inconsistency

copilot/add-clickable-labels-for-filtering

copilot/fix-issue-1786

playwright-migration

fix-kanban-repeating-wip

copilot/fix-1498

feature/replace-axios

codex/upgrade-to-tailwind-4.1.8-using-pnpm

codex/add-cypress-test-for-avatar-types

feature/biome

feature/oxc

codex/update-flexsearch-to-0.8.205

4r6ni9-codex/fix-deprecated-sass-@import-usage

codex/fix-deprecated-sass-@import-usage

codex/add-cypress-test-for-task-list-refresh-fix

codex/fix-quick-add-magic-not-adding-tasks

codex/fix-all-type-errors

codex/fix-mimetype-for-docs.json

feature/caldav-from-scratch

feature/gh-actions-hetzner

fix-ci

feat/new-logger

jyte-better-dev-config

feat/add-team-member-with-enter

fix/button-and-icon-types

fix/notifications-component-name-collision

feature/null-time

renovate/tailwindcss-4.x

feature/unplugin-vue-router

fix/deprecated-import

feature/zod-schema

renovate/golangci-golangci-lint-1.x

fix/tiptap-editor-reactive-destructuring

release/0.24

feat/improve-add-task

fix/saved-filter-search

feat/webp-and-avif-attachment-previews

feature/migrate-back-to-bulma

fix/sass-add-missing-list-import

feature/sticky-demo-bar

fix/gantt-view-switch

feature/typesense-position-join

feature/focus-visible

dependencies/golangci-lint

feature/better-filter-syntax

fix/tiptap-task-list

renovate/github.com-golang-jwt-jwt-v4-5.x

feature/hide-forbidden-related-tasks

renovate/golang-1.x

release/0.20

release/0.17

release/0.16

release/0.15

release/0.14

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vikunja#1975