[GH-ISSUE #39] Unable to setup Authelia OpenID login #5868

Closed
opened 2026-04-20 16:16:08 -05:00 by GiteaMirror · 18 comments

Originally created by @RichyHBM on GitHub (Aug 4, 2022).
Original GitHub issue: https://github.com/go-vikunja/vikunja/issues/39

Hello, I've been banging my head trying to figure out why this isn't working, but I have set up vikunja and authelia, both behind a traefik reverse proxy.

When I navigate to vikunja I see the "login with authelia" button, which then takes me to authelia to grant access, but upon returning me to vikunja I get a `Could not authenticate against third party.`

In the logs for authelia I can see the following error:

> Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request.

Enabling debug logs in traefik I came across these logs which look suspicious:

2022-08-04T21:31:50.412829249Z time="2022-08-04T21:31:50Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://vikunja.domain.com/\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-site\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 
Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}"
2022-08-04T21:31:50.412976126Z time="2022-08-04T21:31:50Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://vikunja.domain.com/\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-site\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 
Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}" ForwardURL="http://172.18.0.54:9091"
2022-08-04T21:31:50.437438581Z time="2022-08-04T21:31:50Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://vikunja.domain.com/\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-site\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 
Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}"
2022-08-04T21:31:55.922716034Z time="2022-08-04T21:31:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://authelia.domain.com/consent?consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 
Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}"
2022-08-04T21:31:55.922878055Z time="2022-08-04T21:31:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://authelia.domain.com/consent?consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 
Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}" ForwardURL="http://172.18.0.54:9091"
2022-08-04T21:31:55.995926907Z time="2022-08-04T21:31:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://authelia.domain.com/consent?consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 
Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}"

In particular the 2 `redirect_uri` parameters:

```
redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\
redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\
```

The second (which I think is redirected within authelia) seems to be url encoded, could it be that when first making the request the url should be url encoded?


@kolaente commented on GitHub (Aug 5, 2022):

That looks odd. Can you share your openid config for Vikunja? Anything in Vikunja's logs?


@RichyHBM commented on GitHub (Aug 5, 2022):

Sure, openID config:

```
identity_providers:
  oidc:
    hmac_secret: *****
    issuer_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      *****
      -----END RSA PRIVATE KEY-----
    clients:
      - <other clients>
      - id: ******
        description: Vikunja
        secret: ******
        public: false
        authorization_policy: one_factor
        audience: []
        scopes:
          - openid
          - profile
          - email
        redirect_uris:
          - https://vikunja.example.com/auth/openid
          - https://vikunja.example.com/auth/openid/authelia
        userinfo_signing_algorithm: none
```

Logs, can see this error:

```
today at 13:03:112022-08-05T13:03:11.851291274+01:00: ERROR	▶ openid/HandleCallback 0d8 oauth2: cannot fetch token: 400 Bad Request
today at 13:03:11Response: {"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request."}
today at 13:03:112022-08-05T13:03:11.852474909+01:00: WEB 	▶ 192.168.1.56  POST 400 /api/v1/auth/openid/authelia/callback 9.827929ms - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36
```
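An added example, not part of the original thread and not Authelia's or Vikunja's code: it decodes the two authorization query strings from the Traefik log above to compare their `redirect_uri` values, then models the RFC 6749 section 4.1.3 rule that the `redirect_uri` sent with the token request must be identical to the one sent with the authorization request. `ToyAuthorizationServer`, `decoded_param` and `exchange` are hypothetical names, and the host in `REGISTERED` follows the log lines rather than the redacted config.

```python
import secrets
from urllib.parse import parse_qs

# Query strings copied from the two Traefik log entries on this page
# (the \u0026 sequences in the log are the JSON escape for "&").
FIRST_AUTHORIZE_QUERY = (
    "client_id=authelia_vikunja_client_id"
    "&redirect_uri=https://vikunja.domain.com/auth/openid/authelia"
    "&response_type=code&scope=openid%20email%20profile&state=wtsv0g07dqd"
)
SECOND_AUTHORIZE_QUERY = (
    "client_id=authelia_vikunja_client_id"
    "&consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4"
    "&redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia"
    "&response_type=code&scope=openid+email+profile&state=wtsv0g07dqd"
)

# The two paths listed under redirect_uris in the client config on this page,
# with the host as it appears in the log lines.
REGISTERED = [
    "https://vikunja.domain.com/auth/openid",
    "https://vikunja.domain.com/auth/openid/authelia",
]
CLIENT_ID = "authelia_vikunja_client_id"


def decoded_param(query: str, name: str) -> str:
    """Return the single percent-decoded value of `name` in a query string."""
    values = parse_qs(query, strict_parsing=True).get(name, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one {name!r}, got {len(values)}")
    return values[0]


class ToyAuthorizationServer:
    """Minimal model of the RFC 6749 section 4.1.3 check (hypothetical)."""

    def __init__(self, client_id, registered_redirect_uris):
        self.client_id = client_id
        self.registered = set(registered_redirect_uris)
        self.pending = {}  # authorization code -> redirect_uri bound to it

    def authorize(self, client_id, redirect_uri):
        # Authorization request: the redirect_uri must be registered.
        if client_id != self.client_id or redirect_uri not in self.registered:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.pending[code] = redirect_uri
        return code

    def token(self, client_id, code, redirect_uri):
        # Token request: the code is single use, and the redirect_uri must be
        # identical to the one bound to the code, not merely registered.
        bound = self.pending.pop(code, None)
        if client_id != self.client_id or bound is None or bound != redirect_uri:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def exchange(token_redirect_uri: str) -> dict:
    """Run authorize + token with the given redirect_uri on the token request."""
    server = ToyAuthorizationServer(CLIENT_ID, REGISTERED)
    authorize_uri = decoded_param(SECOND_AUTHORIZE_QUERY, "redirect_uri")
    code = server.authorize(CLIENT_ID, authorize_uri)
    return server.token(CLIENT_ID, code, token_redirect_uri)


if __name__ == "__main__":
    first = decoded_param(FIRST_AUTHORIZE_QUERY, "redirect_uri")
    second = decoded_param(SECOND_AUTHORIZE_QUERY, "redirect_uri")
    print("decoded values equal:", first == second, first)
    print("same URI on token request:", exchange(second))
    print("other registered URI on token request:", exchange(REGISTERED[0]))
```

Both logged authorization requests decode to the same `redirect_uri`; in the model, `invalid_grant` is returned only when the value sent with the token request differs from the one bound to the code.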
Author
Owner

@kolaente commented on GitHub (Aug 5, 2022):

And the config in Vikunja?


@RichyHBM commented on GitHub (Aug 5, 2022):

```
service:
  # The URL of the frontend, used to send password reset emails.
  frontendurl: https://vikunja.example.com/

auth:
  # Local authentication will let users log in and register (if enabled) through the db.
  # This is the default auth mechanism and does not require any additional configuration.
  local:
    # Enable or disable local authentication
    enabled: true
  # OpenID configuration will allow users to authenticate through a third-party OpenID Connect compatible provider.<br/>
  # The provider needs to support the `openid`, `profile` and `email` scopes.<br/>
  # **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
  # If the email is not public in those cases, authenticating will fail.
  # **Note 2:** The frontend expects to be redirected after authentication by the third party
  # to <frontend-url>/auth/openid/<auth key>. Please make sure to configure the redirect url with your third party
  # auth service accordingly if you're using the default vikunja frontend.
  # Take a look at the [default config file](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) for more information about how to configure openid authentication.
  openid:
    # Enable or disable OpenID Connect authentication
    enabled: true
    # The url to redirect clients to. Defaults to the configured frontend url. If you're using Vikunja with the official
    # frontend, you don't need to change this value.
    redirecturl: https://vikunja.example.com/
    # A list of enabled providers
    providers:
      # The name of the provider as it will appear in the frontend.
      - name: Authelia
        # The auth url to send users to if they want to authenticate using OpenID Connect.
        authurl: https://authelia.example.com
        # The client ID used to authenticate Vikunja at the OpenID Connect provider.
        clientid: ******
        # The client secret used to authenticate Vikunja at the OpenID Connect provider.
        clientsecret: ******
```

My vikunja api is at: https://vikunja-api.example.com


@kolaente commented on GitHub (Aug 8, 2022):

As far as I can tell the config looks fine. I'll try to set everything up and try to debug this properly but that'll take a while.

Cross-posting a related forum thread: https://community.vikunja.io/t/setting-up-sso-error-while-getting-openid-provider-not-found/625


@philosowaffle commented on GitHub (Aug 8, 2022):

Following up on request from forum post for more data from the Network tab.

Frontend Version: 0.19.0
API Version: v0.19.0

Vikunja OpenId Config:

```
openid:
    enabled: true
    redirecturl: https://vikunja.mydomain.com/auth/openid
    providers:
      - name: Authelia
        authurl: https://login.mydomain.com
        clientid: <vikunja-id>
        clientsecret: <vikunja secret>
```

Authelia Config

```
      - id: <vikunja-id>
        description: Vikunja
        secret: <vikunja secret>
        redirect_uris:
          - https://vikunja.mydomain.com/auth/openid/
          - https://vikunja.mydomain.com/auth/openid/authelia
          - https://vikunja.mydomain.com/api/oidc/authorization
        scopes:
          - openid
          - email
          - profile
```

Network trace from Browser

```
GET https://<authelia>.com/api/oidc/authorization?client_id=vikunja&redirect_uri=https://<vikunja>.com/auth/openid/authelia&response_type=code&scope=openid%20email%20profile&state=1qlce18mvuij
Status: 200 - Redirect to authelia

GET https://<vikunja>.com/auth/openid/authelia?code=eM9WlXuOK4h1iFZ6qH92hHfG_8GAcVGMCVJpHB4ot4M.FM5A23ED7lw4HvdbWmECwR0rz_Xgih97U6SKwhQjpNo&scope=openid+email+profile&state=1qlce18mvuij
Status: 200 - Redirected back to vikunja

POST https://vikunja.bbelvis.com/api/v1/auth/openid/authelia/callback
{
   "code": "eM9WlXuOK4h1iFZ6qH92hHfG_8GAcVGMCVJpHB4ot4M.FM5A23ED7lw4HvdbWmECwR0rz_Xgih97U6SKwhQjpNo"
}

Status: 400
```

Traefik logs:

```
[08/Aug/2022:12:12:08 +0000] "POST /api/oidc/token HTTP/2.0" 400 373 "-" "-" 426783 "authelia@docker" "http://192.168.16.2:9091" 1ms
[08/Aug/2022:12:12:04 +0000]"POST /api/oidc/token HTTP/2.0" 400 373 "-" "-" 426784 "authelia@docker" "http://192.168.16.2:9091" 1ms
[08/Aug/2022:12:12:04 +0000]"POST /api/v1/auth/openid/authelia/callback HTTP/2.0" 400 442 "-" "-" 426779 "vikunja-api@docker" "http://192.168.176.4:3456" 4121ms
```

Vikunja logs:

```
2022-08-08 07:12:08 | Response: {"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request."}
2022-08-08 07:12:08 | 2022-08-08T07:12:08.948781555-05:00: ERROR	▶ openid/HandleCallback 1d59 oauth2: cannot fetch token: 400 Bad Request
```

Authelia logs:

 {"filename":"/var/authelialogs/authelia.log","ip_address":"192.168.1.1","msg":"Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request.","_entry":"{\"level\":\"error\",\"method\":\"POST\",\"msg\":\"Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request.\",\"path\":\"/api/oidc/token\",\"remote_ip\":\"192.168.1.1\",\"stack\":[{\"File\":\"github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go\",\"Line\":27,\"Name\":\"OpenIDConnectTokenPOST\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go\",\"Line\":113,\"Name\":\"NewHTTPToAutheliaHandlerAdaptor.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/bridge.go\",\"Line\":54,\"Name\":\"(*BridgeBuilder).Build.func1.1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/headers.go\",\"Line\":35,\"Name\":\"SecurityHeadersNoStore.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/headers.go\",\"Line\":25,\"Name\":\"SecurityHeadersCSPNone.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/headers.go\",\"Line\":16,\"Name\":\"SecurityHeaders.func1\"},{\"File\":\"github.com/authelia/authelia/v4/internal/middlewares/cors.go\",\"Line\":216,\"Name\":\"CORSPolicy.Middleware.func1\"},{\"File\":\"github.com/fasthttp/router@v1.4.10/router.go\",\"Line\":414,\"Name\":\"(*Router).Handler\"},{\"
File\":\"github.com/valyala/fasthttp@v1.38.0/http.go\",\"Line\":153,\"Name\":\"(*Response).StatusCode\"},{\"File\":\"github.com/valyala/fasthttp@v1.38.0/server.go\",\"Line\":2308,\"Name\":\"(*Server).serveConn\"},{\"File\":\"github.com/valyala/fasthttp@v1.38.0/workerpool.go\",\"Line\":224,\"Name\":\"(*workerPool).workerFunc\"},{\"File\":\"github.com/valyala/fasthttp@v1.38.0/workerpool.go\",\"Line\":196,\"Name\":\"(*workerPool).getCh.func1\"},{\"File\":\"runtime/asm_amd64.s\",\"Line\":1571,\"Name\":\"goexit\"}],\"time\":\"2022-08-08T07:12:08-05:00\"}"}

@cbusoft commented on GitHub (Aug 8, 2022):

I think the redirecturl under the openid section in your vikunja config is wrong.
instead of:

```
redirecturl: https://vikunja.example.com/
```

it should probably be:

```
redirecturl: https://vikunja.example.com/auth/openid/
```

I faced the same problem with keycloak, but in my keycloak logs I saw that 2 requests were made. The underlying oauth2 library makes the first request with basic authorization for the client credentials, and if an error occurs it tries again with the client credentials in the body of the request. [source code](https://cs.opensource.google/go/x/oauth2/+/128564f6:internal/token.go;l=203;drc=128564f6959c37ca252833d402ac1cf2de5296ec)
In my case the first request got rejected by keycloak because I did not set the redirecturl but did not remove the line:

```
# The url to redirect clients to. Defaults to the configured frontend url. If you're using Vikunja with the official
# frontend, you don't need to change this value.
redirecturl: <frontend url>
```

This caused the `redirect_uri` param in the token request from the api to be `<frontend url>nameofmyprovider`.
This got rejected because the redirect_uri should be the same as in the token request ([oidc spec](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation)) which would be `https://{frontend-url}/auth/openid/{nameofmyprovider}`
The oauth2 library tried again with the client credentials in the body instead of the authorization header, which got rejected by keycloak because the code was used in the previous request and is therefore no longer considered valid. [oidc spec](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation)

Problem with this was, that the api got the error invalid_code, when the real error was sent with the previous request.
Vikunja log

```
ERROR	▶ openid/HandleCallback 094 oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_grant","error_description":"Code not valid"}
```

```
First error from keycloak to the api, which the oauth2 library discarded:
400 Bad request
{"error":"invalid_grant","error_description":"Incorrect redirect_uri"}

second error from keycloak to the api, which vikunja got from the oauth2 library
400 Bad request
{"error":"invalid_grant","error_description":"Code not valid"}
```

Hope that this helps.


@philosowaffle commented on GitHub (Aug 8, 2022):

In my case, I have already provided the correct redirecturl in my config:

```
openid:
    enabled: true
    redirecturl: https://vikunja.mydomain.com/auth/openid
    providers:
      - name: Authelia
        authurl: https://login.mydomain.com
        clientid: <vikunja-id>
        clientsecret: <vikunja secret>
```

edit: updated my original comment so it's more complete with this information


@philosowaffle commented on GitHub (Aug 8, 2022):

Got it working! And I feel silly, this was a case of a missing `/`. Full working config below:

Vikunja Config

```
openid:
    enabled: true
    redirecturl: https://vikunja.mydomain.com/auth/openid/  # <---- slash at the end is important
    providers:
      - name: Authelia
        authurl: https://login.mydomain.com
        clientid: <vikunja-id>
        clientsecret: <vikunja secret>
```

Authelia Config

```
      - id: <vikunja-id>
        description: Vikunja
        secret: <vikunja secret>
        redirect_uris:
          - https://vikunja.mydomain.com/auth/openid/    # <----- Matching slash at the end
          - https://vikunja.mydomain.com/auth/openid/authelia
          - https://vikunja.mydomain.com/api/oidc/authorization
        scopes:
          - openid
          - email
          - profile
```

So I guess I have a follow up issue. My OIDC username is different than the username I initially created on Vikunja. Not a huge deal, I'll just export from UserA, delete that account, then import to the OIDC user. But it seems that you have to have an email provider configured to do an export :(

Is there any other way to quickly export the namespaces/lists?


@kolaente commented on GitHub (Aug 9, 2022):

> but did not remove the line:

@cbusoft Vikunja will only use the `service.frontendurl` if you didn't configure the redirect url at all. In your case the redirect url was the literal string `<frontend url>` (as you already figured out).

@philosowaffle Great you got it working! I'll add something to the docs to make this more clear.

> So I guess I have a follow up issue. My OIDC username is different than the username I initially created on Vikunja. Not a huge deal, I'll just export from UserA, delete that account, then import to the OIDC user. But it seems that you have to have an email provider configured to do an export :(

Right now the only other way to export data would be with a Vikunja dump but that will export everything from all users. A quick and dirty way to solve this might be to use [mailhog](https://github.com/mailhog/MailHog) as a temporary mail server.


@fresh2dev commented on GitHub (Aug 15, 2022):

I was able to make this work. However, I noticed that if I clicked 'Logout', I had no way of logging back in. 🤷


@kolaente commented on GitHub (Aug 15, 2022):

@fresh2dev You mean it didn't log you back in? Any error message? What's in the logs?


@fresh2dev commented on GitHub (Aug 15, 2022):

Correct, it did not log me back in. I just started tinkering with this again (since the latest update). No errors in the front-end. I have local-auth disabled, and OIDC enabled with Authelia. If I manually 'Logout', I land at the 'Login' screen, with no way to enter credentials. I manually log out of Authelia, expecting to re-authenticate, but Vikunja remains at the 'Login' screen with no way in. Just replicated this on both my Chrome browser and Safari on iOS.


@kolaente commented on GitHub (Aug 15, 2022):

Can you share a screenshot? There should be a button which would take you to Authentik.


@fresh2dev commented on GitHub (Aug 15, 2022):

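![](https://img.fresh2.dev/1660602775_33e700b2bac.png)

This is when configured, [as prescribed](https://github.com/go-vikunja/api/commit/dbb0f5473269fb29c4a484cd233a5b76484c4ca7), for *Authelia*.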


@fresh2dev commented on GitHub (Aug 15, 2022):

LMK if you'd like me to file a new issue for this.


@kolaente commented on GitHub (Aug 16, 2022):

What's the output of a request to `/api/v1/info` on your vikunja instance?

Anything in the logs? Maybe there is a relevant message when you restart the service and make the request to `/api/v1/info` again.


@fresh2dev commented on GitHub (Aug 23, 2022):

This was my mistake. I searched the logs to find:

```
vikunja_api.1.u6jx7dv15kv9@vm-backend-01.example.net    | 2022-08-23T16:40:11.320460444Z: ERROR       ▶ openid/GetAllProviders 0a6 Error while getting openid provider Authelia: oidc: issuer did not match the issuer returned by provider, expected "https://auth.example.net/" got "https://auth.example.net"
```

Once I removed the trailing slash, everything works as expected.
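
Both trailing-slash failures in this thread (the `redirect_uri` mismatch and the issuer mismatch) come down to exact string comparison, so they can be checked before touching the running services. The following is an added example, not code from Vikunja, Authelia or any commenter; the `Settings` type, the function names and the example.com/example.net values are constructed, and the plain concatenation of `redirecturl` and provider key is an assumption modelled on what the thread reports.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Settings holds only the values quoted in the thread; type and field names are hypothetical.
type Settings struct {
	RedirectURL  string   // Vikunja: auth.openid.redirecturl
	ProviderKey  string   // path segment after /auth/openid/ in the callback
	AuthURL      string   // Vikunja: providers[].authurl
	Issuer       string   // issuer string the provider reports for itself
	Registered   []string // provider side: redirect_uris of the client
	AuthorizeURL string   // authorize request copied from the network tab
}

// TokenRedirectURI models the behaviour reported in the thread (an assumption):
// redirecturl with the provider key appended and no separator added.
func TokenRedirectURI(s Settings) string {
	return s.RedirectURL + s.ProviderKey
}

// AuthorizeRedirectURI extracts redirect_uri from the authorize request URL.
func AuthorizeRedirectURI(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	v := u.Query().Get("redirect_uri")
	if v == "" {
		return "", fmt.Errorf("no redirect_uri parameter in %q", raw)
	}
	return v, nil
}

// slashOnly reports whether a and b differ only by a trailing slash.
func slashOnly(a, b string) bool {
	return a != b && strings.TrimSuffix(a, "/") == strings.TrimSuffix(b, "/")
}

// Check returns one finding per mismatch, using exact string comparison.
func Check(s Settings) []string {
	var findings []string
	tokenURI := TokenRedirectURI(s)
	authURI, err := AuthorizeRedirectURI(s.AuthorizeURL)
	if err != nil {
		findings = append(findings, "authorize request: "+err.Error())
	} else if tokenURI != authURI {
		findings = append(findings, fmt.Sprintf(
			"redirect_uri mismatch: authorize request used %q, token request will use %q",
			authURI, tokenURI))
	}
	registered := false
	for _, r := range s.Registered {
		if r == tokenURI {
			registered = true
		}
	}
	if !registered {
		findings = append(findings, fmt.Sprintf("%q is not a registered redirect_uri", tokenURI))
	}
	if s.AuthURL != s.Issuer {
		msg := fmt.Sprintf("issuer mismatch: authurl %q, provider reports %q", s.AuthURL, s.Issuer)
		if slashOnly(s.AuthURL, s.Issuer) {
			msg += " (trailing slash only)"
		}
		findings = append(findings, msg)
	}
	return findings
}

func main() {
	// Constructed sample values modelled on the configs posted in the thread.
	s := Settings{
		RedirectURL: "https://vikunja.example.com/auth/openid", // no trailing slash
		ProviderKey: "authelia",
		AuthURL:     "https://auth.example.net/", // trailing slash
		Issuer:      "https://auth.example.net",
		Registered: []string{
			"https://vikunja.example.com/auth/openid/",
			"https://vikunja.example.com/auth/openid/authelia",
		},
		AuthorizeURL: "https://auth.example.net/api/oidc/authorization?client_id=vikunja" +
			"&redirect_uri=https://vikunja.example.com/auth/openid/authelia" +
			"&response_type=code&scope=openid%20email%20profile&state=constructed",
	}
	for _, f := range Check(s) {
		fmt.Println("FAIL:", f)
	}
}
```

With the sample values the check reports all three problems; adding the slash to `RedirectURL` and removing it from `AuthURL` clears them.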

Reference: github-starred/vikunja#5868