mirror of
https://github.com/go-vikunja/vikunja.git
synced 2026-07-15 22:32:29 -05:00
OIDC Connect - issuer did not match the issuer returned by provider #318
Open
opened 2025-11-01 20:53:43 -05:00 by GiteaMirror
·
8 comments
No Branch/Tag Specified
main
renovate/major-dev-dependencies
renovate/postcss-8.x
fix-subtask-root-null-safety
renovate/crowdin-github-action-2.x
renovate/postgres-18
renovate/actions-setup-node-6.x
renovate/github.com-labstack-echo-v5-5.x
renovate/tar-7.x
renovate/pnpm
claude/task-event-field-changes-ws73g2
renovate/github.com-labstack-echo-jwt-v5-5.x
renovate/marked-18.x
pr-swarm-assets
feat-mcp
feat-audit-sinks
claude/per-user-feature-toggles-vqlg8x
docs-v2-query-param
feat-project-templates
claude/veans-question-xBFkq
spike-huma-openapi3
claude/investigate-swagger3-support-nyyUa
feat-list-view-buckets
ci-mysql-8-test
codex/analyze-codebase-for-email-task-feature
csv-import-feature
claude/email-reply-comments-wpdcQ
fix-oidc-pkce-support
fix/overview-subtasks-expand
feat/bucket-select-task-detail
feat-soft-delete-projects
claude/review-bot-design-plan-cf5C3
claude/project-scoped-api-tokens-KTqR3
claude/explore-openclaw-integration-KQEzg
claude/project-scoped-api-tokens-yv5KS
fix-duplicate-close-button
feat-list-view-sorting
feat/official-vite-sentry-plugin
feat/highlight-overdue-tasks
feat/add-enter-key-form-submission-handling
feat/TipTap-nits
feat/update-caldavtimetotimestamp-parsing
feat-phosphor-icons
wip-plans
claude/investigate-issue-2173-llKme
fix-description-text-drag
feat-custom-keyboard-shortcuts
pr-1845-ci
codex/fix-drag-and-drop-behavior-inconsistency
copilot/add-clickable-labels-for-filtering
copilot/fix-issue-1786
playwright-migration
fix-kanban-repeating-wip
copilot/fix-1498
feature/replace-axios
codex/upgrade-to-tailwind-4.1.8-using-pnpm
codex/add-cypress-test-for-avatar-types
feature/biome
feature/oxc
codex/update-flexsearch-to-0.8.205
4r6ni9-codex/fix-deprecated-sass-@import-usage
codex/fix-deprecated-sass-@import-usage
codex/add-cypress-test-for-task-list-refresh-fix
codex/fix-quick-add-magic-not-adding-tasks
codex/fix-all-type-errors
codex/fix-mimetype-for-docs.json
feature/caldav-from-scratch
feature/gh-actions-hetzner
fix-ci
feat/new-logger
jyte-better-dev-config
feat/add-team-member-with-enter
fix/button-and-icon-types
fix/notifications-component-name-collision
feature/null-time
renovate/tailwindcss-4.x
feature/unplugin-vue-router
fix/deprecated-import
feature/zod-schema
renovate/golangci-golangci-lint-1.x
fix/tiptap-editor-reactive-destructuring
release/0.24
feat/improve-add-task
fix/saved-filter-search
feat/webp-and-avif-attachment-previews
feature/migrate-back-to-bulma
fix/sass-add-missing-list-import
feature/sticky-demo-bar
fix/gantt-view-switch
feature/typesense-position-join
feature/focus-visible
dependencies/golangci-lint
feature/better-filter-syntax
fix/tiptap-task-list
renovate/github.com-golang-jwt-jwt-v4-5.x
feature/hide-forbidden-related-tasks
renovate/golang-1.x
release/0.20
release/0.17
release/0.16
release/0.15
release/0.14
v2.3.0
v2.2.2
v2.2.1
v2.2.0
v2.1.0
v2.0.0
v1.1.0
v1.0.0
v1.0.0-rc4
v1.0.0-rc3
v1.0.0-rc2
v1.0.0-rc1
v1.0.0-rc0
v0.24.6
v0.24.5
v0.24.4
v0.24.3
v0.24.2
v0.24.1
v0.24.0
v0.23.0
v0.22.1
v0.22.0
0.21.0
v0.21.0
v0.20.4
v0.20.5
v0.20.3
v0.20.2
v0.20.1
v0.20.0
v0.19.2
v0.19.1
v0.19.0
vue3
v0.18.1
v0.18.0
v0.17.1
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.1
v0.13
v0.12
v0.11
v0.10
v0.9
v0.8
v0.7
v0.6
v0.5
v0.4
v0.3
v0.2
v0.1
Labels
Clear labels
area/api
area/attachments
area/auth
area/avatars
area/backup-restore
area/caldav
area/calendar-view
area/comments
area/config
area/database
area/desktop
area/docker
area/email
area/favorites
area/filters
area/frontend
area/gantt
area/i18n
area/import-export
area/internal-code
area/kanban
area/labels
area/list-view
area/mobile
area/notifications
area/permissions
area/projects
area/pwa
area/recurring-tasks
area/reminders
area/search
area/shortcuts
area/subtasks
area/sync
area/table-view
area/task-editor
area/task-metadata
area/task-relations
area/teams
area/theming
area/time-tracking
area/typesense
area/views
area/webhooks
bug
changes requested
concern/accessibility
concern/performance
concern/regression
concern/ux
confirmed
db/mysql
dependencies
enhancement
good first issue
help wanted
integration/inbound
integration/outbound
kind/bug
kind/feature
needs reproduction
pull-request
question
security
support
upstream issue
waiting for reply
wontfix
Mirrored from GitHub Pull Request
No Label
help wanted
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/vikunja#318
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @AgusTor-TRW on GitHub (Nov 25, 2024).
Description
Greetings,
We’ve recently installed Vikunja within our Docker Container stack after testing out its functionalities and we’ve noticed the following issue with connecting Vikunja to Keycloak via internal address (as declared in Keycloak, the backend URL)
All of our services exist within the same docker network and have no problem connecting and authenticating with Keycloak, however when attempting the same configuration with Vikunja, we recieve the following error:
Error while getting openid provider keycloak: oidc: issuer did not match the issuer returned by provider, expected "http://<internal-keycloak-address>:8080/realms/<realm-name>" got "https://<external-keycloak-address>/keycloak/realms/<realm-name>"From our testing, we noted that Vikunja attempts to connect to the external Keycloak URL (taken from the response from the discovery URL) when we switch the Keycloak frontend URL to be the same as the internal address within Keycloak’s configuration, Vikunja no longer reports the error but Keycloak can no longer authenticate/redirect due to being on an address inaccessible from the outside. This obviously breaks authentication for all the other services as they are not directly accessible from the outside and only redirected using an Apache Reverse Proxy. (For example, we also host a Gitea thats configured to authenticate with Keycloak using the internal URL which works fine with the current setup)
Our configuration for Vikunja is as follows:
We are not certain if it’s a misconfiguration on our end, a bug with vikunja or maybe Vikunja following the OIDC spec alot more strictly than the rest of our services that are working (Gitea, Nextcloud, etc.)
Thank you in advance
This post was originally posted to the Vikunja Community Forum
Vikunja Version
Latest
Browser and version
Firefox Latest
Can you reproduce the bug on the Vikunja demo site?
No
Screenshots
No response
@chark1es commented on GitHub (Dec 6, 2024):
I dont know if this is correct, but I think its due to how the link is being parsed.
Ill try seeing if I can test it using authentik with a port as the URL.
@kolaente commented on GitHub (Dec 6, 2024):
The
oidc.NewProviderwill use the value that's reported by the provider on.well-known. @AgusTor-TRW what does/.well-known/openid-configurationreport on your Keycloak installation?@AgusTor-TRW commented on GitHub (Dec 10, 2024):
I do not see a field declared as "provider" within the JSON response from https://[external-URL]/keycloak/realms/[domain-name]/.well-known/openid-configuration
The first few lines of the response is as follows:
If you require more info from out openid-configuration JSON please let me know.
@kolaente commented on GitHub (Dec 11, 2024):
There won't be a response field called
providerin the response, but Vikunja will use the values reported by that endpoint to find the urls used to communicate with the openid provider.My next best guess is the mixture of internal and external urls in your Keycloak configuration.
@AgusTor-TRW commented on GitHub (Dec 11, 2024):
Yes, I believe that's the issue. Vikunja seems to compare the frontend URL (as received by the .well-known) to the backchannel URL (as indicated by config.yml).
I don't know if comparing them is the intended behavior when an application uses the backchannel auth per the OIDC spec but OIDC/keycloak should allow for having a different URLs
@kolaente commented on GitHub (Dec 11, 2024):
To me, this looks like an edge case and a potential security issue. To Vikunja, this looks like "I made the request to this endpoint, but the response came from this other endpoint" - which it will refuse because the config says it should only be talking to the endpoint that's configured. Otherwise, it would be possible to change that endpoint on the fly, essentially doing a Man-in-the-middle attack. It's interesting that Keycloak even allows this in their config.
Is there a reason you're not using the same url for everything?
@AgusTor-TRW commented on GitHub (Dec 11, 2024):
We're using the same backchannel URL for all the services hosted on our Docker container stack behind an Apache Reverse Proxy, as based on Keycloak's documentation where it can "connect with Keycloak through your local network, while the server remains publicly accessible". This also lines up with how they suggest to segment exposed paths when using a reverse proxy
Our services (such as Nextcloud, Gitea and Vikunja) don't connect out to the internet and thus have to use the internal address but the user needs to log in on a publicly available URL to actually authenticate themselves with keycloak
@AgusTor-TRW commented on GitHub (Jan 15, 2025):
Have there been any updates to this issue?