OAuth Error : issuer did not match the issuer returned by provider #2004

Closed
opened 2026-03-22 13:50:16 -05:00 by GiteaMirror · 9 comments

Originally created by @3isenHeiM on GitHub (Aug 30, 2024).

Description

I'm integrating Vikunja with Authentik. Somehow, the check that Vikunja does on the Issuer URL is not passing validation, and OAuth fails.

This is the error in the logs:

```log
vikunja-server  | 2024-08-30T09:58:51.960523154Z: ERROR ▶ openid/GetAllProviders 156 Error while getting openid provider Authentik Login: oidc: issuer did not match the issuer returned by provider, expected "https://authentik.tld/application/o/vikunja/" got "https://authentik.tld/"
```

Here is the config.yaml:

```yml
auth:
  openid:
    enabled: true
    providers:
      - name: "Authentik Login"
        authurl: https://authentik.tld/application/o/vikunja/
        logouturl: https://authentik.tld/application/o/vikunja/end-session/
        clientid: <redacted>
        clientsecret: <redacted>
```

I don't have any means to update the issuer since it's Authentik, so I'm wondering how I can change this check in Vikunja.

Thanks!

Vikunja Version

v0.24.0

Browser and version

No response

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response

GiteaMirror added the bug label 2026-03-22 13:50:16 -05:00

@kolaente commented on GitHub (Sep 2, 2024):

Does that happen during the start of Vikunja or when you're trying to authenticate?


@3isenHeiM commented on GitHub (Sep 2, 2024):

Only when I browse to the homepage, not before


@kolaente commented on GitHub (Sep 2, 2024):

I'm using a very similar config with Authentik without issues. Which URL is reported as the .well-known URL in Authentik?


@3isenHeiM commented on GitHub (Sep 3, 2024):

`/application/o/vikunja/.well-known/openid-configuration`

![image](https://github.com/user-attachments/assets/406fcbcf-f53c-43b8-8bd6-4f4579dbb6ee)


@kolaente commented on GitHub (Sep 3, 2024):

If you open that url, what is the response?


@3isenHeiM commented on GitHub (Sep 4, 2024):

Browsing to this I get the expected JSON.

```json
{
  "issuer": "https://auth.tld/",
  "authorization_endpoint": "https://auth.tld/application/o/authorize/",
  "token_endpoint": "https://auth.tld/application/o/token/",
  "userinfo_endpoint": "https://auth.tld/application/o/userinfo/",
  "end_session_endpoint": "https://auth.tld/application/o/vikunja/end-session/",
  "introspection_endpoint": "https://auth.tld/application/o/introspect/",
  "revocation_endpoint": "https://auth.tld/application/o/revoke/",
  "device_authorization_endpoint": "https://auth.tld/application/o/device/",
  "response_types_supported": [
    "code",
    "id_token",
    "id_token token",
    "code token",
    "code id_token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "jwks_uri": "https://auth.tld/application/o/vikunja/jwks/",
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit",
    "client_credentials",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "acr_values_supported": [
    "goauthentik.io/providers/oauth2/default"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile"
  ],
  "request_parameter_supported": false,
  "claims_supported": [
    "sub",
    "iss",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "amr",
    "nonce",
    "email",
    "email_verified",
    "name",
    "given_name",
    "preferred_username",
    "nickname",
    "groups"
  ],
  "claims_parameter_supported": false,
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}
```


@3isenHeiM commented on GitHub (Sep 5, 2024):

That's what I don't understand: the root of the URL is the same, and yet it complains.

The issue is that my IdP (Authentik) does not allow changing the issuer field; it's the FQDN of the server.


@kolaente commented on GitHub (Sep 6, 2024):

The `issuer` reported from Authentik should be `https://auth.tld/application/o/vikunja/`. In my Authentik setup this is the case, so my guess is this is an issue with your setup. Do you see anything in Authentik's logs?


@3isenHeiM commented on GitHub (Sep 9, 2024):

Yup, indeed it was an issue in Authentik's provider configuration.

The option `issuer_mode` had to be set to `per_provider` ([API reference](https://docs.goauthentik.io/developer-docs/api/reference/providers-oauth-2-create)).
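The discovery check behind the error in this thread and the reason the `per_provider` fix resolves it, as an added example written for this page (not Vikunja's own code): it derives the `.well-known` URL from the configured issuer and enforces the exact-match rule from OpenID Connect Discovery, run against two constructed discovery documents, one with the host-wide `issuer` the reporter saw and one with the per-provider `issuer` the fix produces.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample inputs (not captured from the thread): the issuer from
// the issue's config.yaml and two minimal discovery documents, one carrying
// the host-wide issuer the reporter saw and one carrying a per-provider issuer.
const configuredIssuer = "https://auth.tld/application/o/vikunja/"
const sharedIssuerDoc = `{"issuer": "https://auth.tld/"}`
const perProviderDoc = `{"issuer": "https://auth.tld/application/o/vikunja/"}`

type discoveryDoc struct {
	Issuer string `json:"issuer"`
}

// DiscoveryURL derives the well-known URL from a configured issuer, removing
// any terminating slash first (OpenID Connect Discovery 1.0, section 4).
func DiscoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// CheckIssuer applies the rule from OpenID Connect Discovery 1.0, section 4.3:
// the issuer inside the document must be identical to the issuer the client
// configured and fetched from. Without it, a document served under one path
// could vouch for tokens issued to a different application on the same host.
func CheckIssuer(configured string, doc []byte) error {
	var d discoveryDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	if !strings.HasPrefix(d.Issuer, "https://") {
		return fmt.Errorf("issuer %q is missing or not an https URL", d.Issuer)
	}
	if d.Issuer != configured {
		return fmt.Errorf("issuer did not match the issuer returned by provider, expected %q got %q", configured, d.Issuer)
	}
	return nil
}

func main() {
	fmt.Println("discovery URL:", DiscoveryURL(configuredIssuer))
	for _, doc := range []string{sharedIssuerDoc, perProviderDoc} {
		fmt.Println(CheckIssuer(configuredIssuer, []byte(doc)))
	}
}
```

The first document reproduces the mismatch from the log line above; the second, which is what Authentik emits once `issuer_mode` is `per_provider`, passes.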
Reference: github-starred/vikunja#2004