OAuth setup with Authentik

[nichwall]

This is an example of how to set up OIDC or OAuth for Mealie with Authentik. This guide was written in May 2024 and is provided as a way to get started but information will likely not be kept up to date (there will be edit notes if updates are made).

I recommend Cooptonian's excellent video on setting up OIDC to get started.

Mealie documentation on for OpenID Connect: https://docs.mealie.io/documentation/getting-started/authentication/oidc/
Mealie documentation for environment variables: https://docs.mealie.io/documentation/getting-started/installation/backend-config/#openid-connect-oidc

This post is just how I got it set up for my setup, I am not well versed in everything you can do so hopefully other people can help you in the comments if you have problems.

First, I set the Name field to something description. For this, I use Mealie Demo. Set the Authentication flow and Authorization flow as desired for your setup. Change the Protocol Settings to "Public", and set the Redirect URI/Origins as desired. For example, if your Mealie instance is located at https://mealie.cooldomain.com, you can use a Redirect as https://mealie.cooldomain.com/login.

In Advanced protocol settings I changed the Subject Mode to be "Based on User's Email" because that's how I set up my user accounts. Make sure you have all of the required scopes that the Mealie documentation mentions.

I then made an Application named Mealie Demo App and set the Provider to Mealie Demo. After setting the application for the provider, the information in the gray boxes should all fill out. You can then use this information to set environment variables for your Mealie installation. Most of the information can be gotten from the Provider details page. You can verify the client type is public at (A), get the Client ID at (B), verify the Redirect at (C), and get the OIDC Configuration URL at (D). At the time of writing, you only need B and D for the Mealie environment variables.

An example of the environment variables in a Docker compose is included below using information from the Provider detail page. I have two groups in Authentik, my_family for regular Mealie users and mealie Admins. These can be entered directly in the environment variables. You will need to change the OIDC variables according to your setup and based on updates to the Mealie documentation.

    environment:
      - ALLOW_SIGNUP=true
      - MAX_WORKERS=1
      - WEB_CONCURRENCY=1
      - BASE_URL=https://mealie.cooldomain.com
      - OIDC_AUTH_ENABLED=true
      - OIDC_SIGNUP_ENABLED=true
      - OIDC_CONFIGURATION_URL=https://authentik.cooldomain.com/application/o/mealie-demo-app/.well-known/openid-configuration
      - OIDC_CLIENT_ID=2iXRBBFGFfzwuZUfKIwmcIUAhoUrwSdMZzRJWW1L
      - OIDC_AUTO_REDIRECT=true
      - OIDC_REMEMBER_ME=true
      - OIDC_USER_GROUP=my_family
      - OIDC_ADMIN_GROUP=mealie Admins

[Siythrun]

as a point of note as Authentik uses a shared Redirect URI and Origins it is probably a good idea to add the BaseURL (no subpath) to that field as well.

It might also be good to point out I had trouble with configuring OIDC_AUTO_REDIRECT=true it wasn't until I set that and logged in for the first time that it worked (it might be related to weird browser caching issues) I would but toggling this value fixed any token issues I was having

Unsure if its required but should be highlighted

authorization_code:
This grant is used to convert an authorization code to an access token (and optionally refresh token). The authorization code is retrieved through the Authorization flow, and can only be used once, and expires quickly.

In authentik 2024.2 you will need to define offline_access scope to access this

[HashtagSky]

Thank you for sharing your setup. I tried to follow your steps. Sadly no SSO / Login Button appears and my instance seams not to be working. Can you share a Screenshot of how the result should look like?
I'm on mealie 1.3.2 and authentik 2024.2.2
Thanks!

[alexgac]

Same. I cannot get any SSO/Login button to appear. Looking at the "mealie" container logs in docker, I see all of the environment variables echo'd at startup, EXCEPT for the OIDC ones. I see LDAP_ environment variables listed (but they are not defined in my .env; I assume these are defaults), but none of the OIDC ones. Those are definitely in the same .env file as correctly loaded variables, and other variables from the .env are loaded as expected.

[cmintey]

OIDC is not in version 1.3.2, it is only available on nightly. It will be widely available in the next version. If you would like to use it now, you will need to switch to the nightly image

[zabrak]

I was able to get this working but have run into an issue with the Client_Id only accepting a set value. Is it expected that regardless of what you set the OIDC_CLIENT_ID value to in the environment variables that it will always default to the one you have set in this example.
To clarify I am setting e.g. 7jeJRBENetc..... in the docker compose and the payload of the web request to Authentik shows 2iXRBBFGFfzwuZUfKIwmcIUAhoUrwSdMZzRJWW1L causing it to fail. If I change my Authentik settings to use 2iXRBBFGFfzwuZUfKIwmcIUAhoUrwSdMZzRJWW1L it allows the authentication to work.

[cmintey]

This is likely due to caching. Once you change the environment variable, completely destroy and re-create the container. You may also need to clear the browser cache

[zabrak]

Thank you for the response.
I should have caught this before jumping on here.
I was using an incognito browsing session to avoid cache... but apparently had an extra window open in the background holding onto the cache... After fully closing out and trying again it sent the correct value. 🤦‍♂️

[cmintey]

No problem, glad it's working!

[LIRIKKER]

I set this up myself running the Postgres version of Nightly Mealie then ran into an issue when logging in, I get the following -

"GET /login/?code=d1615ae266154ffe849xxxxxxxxxxxxxxxxx&state=xxxxxxxxxxx HTTP/1.1" 200 OK
ERROR: 01-Apr-24 22:13:03 Incorrect username or password from 192.xxx.xxx.xxx
ERROR: 01-Apr-24 22:13:03 Incorrect username or password from 192.xxx.xxx.xxx
INFO: 192.xxx.xxx.xxx - "POST /api/auth/token HTTP/1.1" 401 Unauthorized

This is for a brand new account logging into Mealie via Authentik OAuth.

I then followed the instructions above and got the same issue where I get 401 Unauthorized after being redirected to Mealie.

The following is enabled so I'm not sure where to look.
"OIDC_SIGNUP_ENABLED": true,

Not really sure what to do next.

[LIRIKKER]

Hey Siythurn,

I followed the above but it looks like authentik is only submitting mealie-admins rather than mealie-users & mealie-admins.

DEBUG: 02-Apr-24 10:02:48 [OIDC] User does not have the required group. Found: ['pronto', 'mealie-admins'] - Required: mealie_users

thanks

[Siythrun]

Ahh after reading some more authentik support docs and threads is seems like this option doesn't do what I thought it did in OIDC context and only applies to internal authentik mappings sorry about the confusion, you will need to add to both groups for it to show up in the token tho its probably still a good idea to use the parent group option incase you have other workflows down the line

[LIRIKKER]

Well! Looks like adding to mealie_users doesn’t seem to work either

DEBUG: 02-Apr-24 10:40:11 [OIDC] User does not have the required group. Found: ['pronto', 'mealie-admins', 'mealie-users'] - Required: mealie_users

Env:
OIDC_SIGNUP_ENABLED=true
OIDC_CONFIGURATION_URL=https://authentik.url/application/o/mealie/.well-known/openid-configuration
OIDC_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
OIDC_USER_GROUP=mealie_users
OIDC_ADMIN_GROUP=mealie_admins
OIDC_AUTO_REDIRECT=true
OIDC_PROVIDER_NAME=Authentik
OIDC_AUTH_ENABLED=true
LOG_LEVEL=DEBUG

[Siythrun]

your group is set to _ while your authentik is -

[LIRIKKER]

Haha I can't believe I didn't see that :(

Thanks for your help Siythurn!

[InputObject2]

This seems like something that should be added to the documentation. I would never have guessed that admins are not allowed to log in!

Yep! USER_GROUP is required to log in, then ADMIN_GROUP will set users as admins

[cmintey]

It is in the documentation: https://docs.mealie.io/documentation/getting-started/authentication/oidc/#groups

OIDC_USER_GROUP: Users must be a part of this group (within your IdP) to be able to log in.

[LIRIKKER]

It's not 100% clear. I'd look to add all users (including admins)

[dasunsrule32]

Yep, this was biting me too. I only added my users to one group or the other, but in this app your admin users need to be in both. Thanks for pointing that you. 👍🏻

[Badlee2020]

I attempted to set up the openid with Authentik 2024.2 and somehow I get this error:
[auth] [openid connect] invalid configuration. value of scheme option acrvalues is not supported by acr_values_supported of by authorization server.
In the configuration url file for authentik I find the following section:
"acr_values_supported": [
"goauthentik.io/providers/oauth2/default"
],
I am guessing this is correct, but mealie keeps throwing the error

[steffenrapp]

Did you set up Mealie with your own domain and https? I had the same error before I did exactly that and now it's working fine.

[danbracey]

Hey how did you manage to resolve this? I'm getting the same error
I'm using Tailscale SSL + Their tailnet FQDN

[BoKKeR]

Same issue, I am also seeing the following from /token endpoint

{
    "error": "invalid_client",
    "error_description": "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"
}

The values are right, and the redirect has the code. It somehow fails afterwards. I am using a confidential client

[jchap0182]

Unfortunately, same issue for me as well. I've tried using the nightly build to use a client secret, but that fails with a 500 error immediately when attempting to call the OIDC URL. Without the secret on the latest build, I'm getting the invalid client error.

[ffidan61]

Anyone got Authentik and Mealie working and willing to share their config? Somehow I get a 404 page error.

[InputObject2]

I have it working well, I can take screenshots of my configs in a bit, I'll edit this comment when I get around to it.

So Mealie (with image ghcr.io/mealie-recipes/mealie:v1.5.1) environment variables:

BASE_URL: mealie.mydomain.com
# OIDC with Authentik
OIDC_AUTH_ENABLED: true
OIDC_SIGNUP_ENABLED: true
OIDC_CONFIGURATION_URL: "https://sts.mydomain.com/application/o/mealie/.well-known/openid-configuration"
OIDC_CLIENT_ID: ${mealie_oidc_client_id}
OIDC_USER_GROUP: "Mealie-Users"
OIDC_ADMIN_GROUP: "Mealie-Admins"
OIDC_AUTO_REDIRECT: false
OIDC_PROVIDER_NAME: Authentik
OIDC_REMEMBER_ME: true

Then in Authentik (v2024.2.2):

Provider (not actually yaml but I wanted the formatting:

  Authentication flow: default authentication flow
  Authorization flow: default implicit consent
  Client type: public
  client ID: <autogenerated one>  # this one is random and I replace it in the environment variables
  Redirect URIs:
  - https://mealie.mydomain.com/login
  - https://mealie.mydomain.com/login?direct=1
  - https://mealie.mydomain.com/login*
  
  Signing key: self-signed certificate
  Advanced scopes: email, offline_access, openid, profile
  Subject mode: Base on user's email
  Include claims in id_token: true  # (checked)

Application:

Slug: mealie  # this needs to match the one in the openid url in the mealie env variables.
Policy engine mode: any  # pretty sure this is default

Make sure the case matches exactly for the groups and make sure you have the admin users also in the user group since they won't be able to login without it. I'm half confident that OIDC_AUTO_REDIRECT set to true just infinite loops but I don't want to mess with this again since it's working now.

[saschabrockel]

Set it up the same way as you and still have an infinite redirecting loop and saw this in the browser:

[InputObject2]

Try in an incognito window, maybe your browser has something cached.

[saschabrockel]

It was incognito already... I mean I have groups named different but the error does not seem to be related to group names anyway.

[saschabrockel]

I only got that far that I actually get redirected to Authentik, log in, and then be redirected to Mealie in a loop with error 500 and the site reloads every second. No logs about error 500 in Mealie... the LOG_LEVEL variable does btw not seem to work. I've set it to DEBUG but there are no debug logs.

I use it as a button to login with Authentik and not as a redirect for Mealie.

[ToshY]

While I haven't figured it out yet, I've enabled the logging (set to DEBUG), which actually logged for me the following errors:

mealie-1  | 2024-05-01T20:32:12.894385622Z INFO     2024-05-01T22:32:12 - [123.456.789.10:0] 307 Temporary Redirect "GET /login?code=27466b21e34910b1eed74033f654c413&state=QWGFaARfts HTTP/1.1"
mealie-1  | 2024-05-01T20:32:12.967705454Z INFO     2024-05-01T22:32:12 - [123.456.789.10:0] 200 OK "GET /login/?code=27466b21e34910b1eed74033f654c413&state=QWGFaARfts HTTP/1.1"
mealie-1  | 2024-05-01T20:32:17.173433363Z ERROR    2024-05-01T22:32:17 - Incorrect username or password from 123.456.789.10
mealie-1  | 2024-05-01T20:32:17.173776222Z ERROR    2024-05-01T22:32:17 - Incorrect username or password from 123.456.789.10
mealie-1  | 2024-05-01T20:32:17.177647849Z INFO     2024-05-01T22:32:17 - [123.456.789.10:0] 401 Unauthorized "POST /api/auth/token HTTP/1.1"
mealie-1  | 2024-05-01T20:32:17.257344075Z INFO     2024-05-01T22:32:17 - [123.456.789.10:0] 401 Unauthorized "GET /api/users/self HTTP/1.1"
mealie-1  | 2024-05-01T20:32:17.259456024Z INFO     2024-05-01T22:32:17 - [123.456.789.10:0] 307 Temporary Redirect "GET /login?direct=1 HTTP/1.1"
mealie-1  | 2024-05-01T20:32:17.322114701Z INFO     2024-05-01T22:32:17 - [123.456.789.10:0] 200 OK "GET /login/?direct=1 HTTP/1.1"
mealie-1  | 2024-05-01T20:32:17.399624636Z INFO     2024-05-01T22:32:17 - [123.456.789.10:0] 200 OK "GET /api/app/about HTTP/1.1"
mealie-1  | 2024-05-01T20:32:17.400656327Z INFO     2024-05-01T22:32:17 - [123.456.789.10:0] 200 OK "GET /api/app/about HTTP/1.1"
mealie-1  | 2024-05-01T20:32:18.226753484Z ERROR    2024-05-01T22:32:18 - Incorrect username or password from 123.456.789.10
mealie-1  | 2024-05-01T20:32:18.227550862Z ERROR    2024-05-01T22:32:18 - Incorrect username or password from 123.456.789.10
mealie-1  | 2024-05-01T20:32:18.229843000Z INFO     2024-05-01T22:32:18 - [123.456.789.10:0] 401 Unauthorized "POST /api/auth/token HTTP/1.1"
mealie-1  | 2024-05-01T20:32:18.305191992Z INFO     2024-05-01T22:32:18 - [123.456.789.10:0] 401 Unauthorized "GET /api/users/self HTTP/1.1"
mealie-1  | 2024-05-01T20:32:18.315121515Z INFO     2024-05-01T22:32:18 - [123.456.789.10:0] 307 Temporary Redirect "GET /login?direct=1 HTTP/1.1"
mealie-1  | 2024-05-01T20:32:18.440509920Z INFO     2024-05-01T22:32:18 - [123.456.789.10:0] 200 OK "GET /api/app/about/startup-info HTTP/1.1"
mealie-1  | 2024-05-01T20:32:18.475715466Z INFO     2024-05-01T22:32:18 - [123.456.789.10:0] 200 OK "GET /api/app/about HTTP/1.1"
mealie-1  | 2024-05-01T20:32:18.481172276Z INFO     2024-05-01T22:32:18 - [123.456.789.10:0] 200 OK "GET /api/app/about HTTP/1.1"
mealie-1  | 2024-05-01T20:32:19.720638038Z ERROR    2024-05-01T22:32:19 - Incorrect username or password from 123.456.789.10
mealie-1  | 2024-05-01T20:32:19.722192637Z ERROR    2024-05-01T22:32:19 - Incorrect username or password from 123.456.789.10

So 2 things:

1. Not sure why it says Incorrect username or password from ... even though I logged-in with Authentik succesfully and got redirected to Mealie, but that would probably explain the infinite redirect loop.
2. For now I've noticed this only happens for me when the logged-in user has an "admin" group (set with OIDC_ADMIN_GROUP); users that have the "user" group (set with OIDC_USER_GROUP) do not have this redirect problem for some reason 🤔

[cmintey]

For now I've noticed this only happens for me when the logged-in user has an "admin" group (set with OIDC_ADMIN_GROUP); users that have the "user" group (set with OIDC_USER_GROUP) do not have this redirect problem for some reason

Does your admin user also have the users group? The users group is required for any user login, the admin group just assigns the user as an admin once logged in

[saschabrockel]

It's different for you then. I cannot log in as anybody. I have the groups user and admin in Authentik. The corresponding users are assigned to this group (multiple groups but I hope that shouldn't be a problem). And in Mealie I even named the groups the same according to these groups. Okay debug logs now really work. I have a different error:

sqlalchemy.exc.IntegrityError: (sqlite3.IntegrityError) NOT NULL constraint failed: users.group_id
[SQL: INSERT INTO users (id, full_name, username, email, password, auth_method, admin, advanced, group_id, cache_key, login_attemps, locked_at, can_manage, can_invite, can_organize, owned_recipes_id, created_at, update_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)]
[parameters: ('ID', 'User Name', 'user', 'user@gmail.com', 'OIDC', 'OIDC', 0, 0, None, '1234', 0, None, 0, 0, 0, None, '2024-05-02 04:14:48.145311', '2024-05-02 04:14:48.145313')]

[cmintey]

That error is because there is a DEFAULT_GROUP environment variable that you need to set. This group is the group name in mealie that new users will be put into on account creation.

If that group is set but the group doesn't exist in Mealie then this can cause the error too

[ToshY]

Does your admin user also have the users group? The users group is required for any user login, the admin group just assigns the user as an admin once logged in

@cmintey Thanks that's it 👍 . The misconception on my part is that in Authentik you can assign a "parent" to a group, which is what I did, so I gave the admin the parent user and thinking that would be enough for Mealie to work with. After assigning the user group as well to the admin, it works.

[saschabrockel]

That error is because there is a DEFAULT_GROUP environment variable that you need to set. This group is the group name in mealie that new users will be put into on account creation.

Nope. I have set it to user too and still the error occurs...

[cmintey]

Can you share your full environment variables, redacting any sensitive info?

[saschabrockel]

Here are my env variables:

            - TZ=Europe/Berlin
            - ALLOW_SIGNUP'='false
            - DEFAULT_EMAIL'='xyz@tld.de
            - SMTP_FROM_EMAIL'='xyz@tld.de
            - SMTP_HOST'='ssl.xyz.net
            - SMTP_USER'='xyz@tld.de
            - SMTP_PASSWORD'='xyz
            - SMTP_PORT'='587
            - BASE_URL'='mealie.tld.xyz
            - MAX_WORKERS'='1
            - AUTO_BACKUP_ENABLED'='true
            - LDAP_AUTH_ENABLED'='true
            - LDAP_SERVER_URL'='ldap://192.168.178.57
            - LDAP_TLS_INSECURE'='true
            - LDAP_ENABLE_STARTTLS'='false
            - LDAP_BASE_DN'='ou=users,dc=tld,dc=xyz
            - LDAP_QUERY_BIND'='cn=admin,dc=tld,dc=xyz
            - LDAP_QUERY_PASSWORD'='xyz
            - LDAP_USER_FILTER'='(&(|(objectclass=inetOrgPerson)))
            - LDAP_ADMIN_FILTER'='(memberOf=cn=admin,ou=groups,dc=tld,dc=xyz)
            - LDAP_ID_ATTRIBUTE'='uid
            - LDAP_NAME_ATTRIBUTE'='cn
            - LDAP_MAIL_ATTRIBUTE'='mail
            - OIDC_AUTH_ENABLED'='true
            - OIDC_SIGNUP_ENABLED'='true
            - OIDC_CONFIGURATION_URL'='https://authentik.tld.xyz/application/o/mealie/.well-known/openid-configuration
            - OIDC_CLIENT_ID'='ID
            - OIDC_AUTO_REDIRECT'='false
            - OIDC_REMEMBER_ME'='true
            - OIDC_ADMIN_GROUP'='admin
            - OIDC_PROVIDER_NAME'='Authentik
            - DEFAULT_GROUP'='user
            - API_DOCS'='false
            - LOG_LEVEL'='debug
            - OIDC_USER_GROUP'='user
            - DEFAULT_GROUP'='user
            - PUID'='99
            - PGID'='100
            - WEB_CONCURRENCY'='1

I realized I had DEFAULT_GROUP defined multiple times... but now it is still weird. I can login but the user sees absolutely nothing. And I don't know why he has rights to change other users permissions but not his own:

But the user was created or better said switched from LDAP to OIDC because I'm sure he existed before as LDAP user. Maybe this killed something?

Ah and somehow the mainpage is now https://mealie.tld.xyz/g/user instead of the normal login page when I call the main page https://mealie.tld.xyz

Okay while reading I found out that I misunderstood something I guess. Users can only see recipes and stuff of their own group. But that does not make much sense for me. I'm the admin with admin group and everybody else is just a user and I want to share the stuff with them of course out of the box but it is not possible right? So you should have a mealie internal admin account and my own account should be just user too?

[cmintey]

Your user in Mealie does not need to be part of a "user" group in Mealie. You can have the group be named whatever you want within Mealie. The OIDC_USER_GROUP looks at your groups from Authentik and allows you to login. OIDC_ADMIN_GROUP does the same thing except it assigns you as an admin.

The OIDC_USER_GROUP has no correlation to groups in Mealie, it's just like your LDAP_USER_FILTER.

So you as an admin can be in the same Mealie group as everyone else so you can access the same recipes.

Also, I would suggest setting your users Auth method to LDAP if you want them to be able to use LDAP Auth as a fallback of OIDC fails. If the Auth method is OIDC, then that's the only way they can login

[saschabrockel]

Okay got it but what the hell is this auto redirect? I just realized that all recipes are public now. It redirects from the main page directly to https://meal.tld.xyz/g/ and of course they can see all recipes but I thought there is a mechanism that checks if they are logged in. The login button is available and I can confirm there are no previous cookies as it is an incognito tab.

[cmintey]

That's a separate feature that was introduced a while back that if your default group is public, then it will show a public recipe browser. Unauthenticated users can view recipes but can't modify or create them. You can change this behavior by setting your group to private. Info can be found here: https://docs.mealie.io/documentation/getting-started/usage/permissions-and-public-access/

[ianr2]

Despite all my other applications working with Authentik, I cannot get Mealie to work with OIDC. In the console it is being blocked by CORS policy "The 'Access-Control-Allow-Origin' header contains multiple values" however, the domain does not have multiple values. I have upgraded to 1.7.0 but cannot incorporate Authentik

[cmintey]

Do you have a proxy in front of Authentik? If so, what is it? Caddy, Nginx, Apache? I cannot reproduce this and the only reason for this that I can find online is that your reverse proxy is adding the '*' to the 'Access-Control-Allow-Origin' header

[ianr2]

Hi, After a lot of testing, changing the headers I have found the issue. Mealie and Authentik are behind a Nginx reverse proxy which was adding a header to the Authentik block. I removed this line in the Authentik server configuration: "add_header 'Access-Control-Allow-Origin' '$http_origin' always;". This only appeared to be affecting Mealie and I am not certain why other services were working with this line present.

If others are experiencing the same, check the reverse proxy configuration for the oauth provider and if access control headers are being added

[Badlee2020]

How do you fix that in Authentik?

[ianr2]

The fix had to be made in the reverse proxy not Authentik. The server block in Nginx was adding another access control allow origin header which was causing the CORS policy to fail for Mealie. Once removed, it worked as expected. Check your configuration of the reverse proxy

[Badlee2020]

Is that in the Authentik docker Image? I tried a connection without a proxy and I was still getting that error.

[joeyven]

Can anyone help me with Traefik -> Authentik -> Mealie I can't figure out the middleware

[zmweske]

I don't think you should need a specific middleware for mealie if you are using OAuth/OIDC with authentik. The middleware you would for sure need set up properly is one that correctly routes stuff to Authentik

[se7entynine]

I tried everything in the whole thread (again) after an update crashed my working mealie setup and now I only get an 404 error page when I try to login with Authentik.
The site also has the CORS error "CORS Missing Allow Origin" and "NS_ERROR_DOM_BAD_URI". Example response url is https://mealie.domain/null?protocol=oauth2&response_type=code&access_type&client_id=....

Trying for a long time to fix it and tried everything from the traefik documentation but it wont send the Access Control Allow Origin Header.
My current non working setup is in this pastebin: https://pastebin.com/5Ej8nhvv
Basically it's Mealie → Traefik → Crowdsec → Cloudflare → Authentik → 404 Mealie

Does anyone has a working Mealie website with traefik and authentik or know what's wrong with my current one?
Thanks in advance for any help!

[zmweske]

I looked over it a bit, and everything looks to be good that I can tell. The part I'm less familiar with is the Traefik middleware. Do you have other OIDC connections set up with Authentik? I would also try with a cleared cache (incognito mode) and see what happens.

[se7entynine]

@zmweske Sorry for the late reply!
I tried the incognito approach but it also didn't work. I also noticed that the redirection url from mealie has some weird spaces in the link:
.../null?protocol=...&scope=openid profile email groups&state=...
I don't think there should be spaces between the scope options.

All my other OIDC and LDAP connections work flawlessly with authentik, for example Proxmox, Portainer, Immich, etc.

There is always the option to just have a authentik proxy in front of mealie, but I have to deal with a double login in that case ...

[zmweske]

Dang, I would say try to start from scratch but you've already done that. I think what I had trouble with initially was the confidential vs public in authentik, maybe something with trailing slashes, and be sure to copy the config urls directly from the authentik provider- some stuff got mixed up when I used the templated example. Sorry if none of that helps!

[se7entynine]

I found the solution!
I had no clue about the CORS topic, but checked the headers with:

curl -v -X OPTIONS -H "Origin: https://mealie.domain.com" -H "Access-Control-Request-Method: GET" https://authentik.domain.com

and saw that even with the correct CORS headers in mealie it didnt work.
I tried to change them on authentiks side and voilá!

The missing Access-Control-Allow-Origin header ( here: accessControlAllowOriginList: "*" ) was missing in my authentik setup. If I understood it correctly you can only change it "null" or "*" - I placed the website in it, because that was the origin lol
My working authentik headers look like this in Traefik:

http:
  middlewares:
    authentik-headers:
      headers:
        accessControlAllowMethods: ["GET", "OPTIONS", "PUT"]
        accessControlMaxAge: 100
        accessControlAllowHeaders: [ "Accept", "Authorization", "Content-Type", "Origin" ]
        accessControlAllowOriginList: "*"
        hostsProxyHeaders: ["X-Forwarded-Host"]
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: "allow-from https://domain.com" #CSP takes care of this but may be needed 
        contentTypeNosniff: true 
        browserXssFilter: true 
        referrerPolicy: "same-origin" 
        contentsecuritypolicy: " default-src 'none'; style-src 'self'; script-src 'self' blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self';form-action 'none';img-src 'self' data:;base-uri 'self';font-src 'self'"
        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';" 
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,noindex,nofollow"
          server: ""

and that little * solved my CORS issue and OIDC is working flawlessly.

[NCVito]

I have been having a hell of a time getting this to work. I'll attach my config, along with the error I've been seeing in the log. Hopefully someone can give me some guidance.

- OIDC_AUTH_ENABLED=true
      - OIDC_SIGNUP_ENABLED=true
      - OIDC_CONFIGURATION_URL=https://authentik.tld.xyz/application/o/mealie/.well-known/openid-configuration
      - OIDC_CLIENT_ID=xxx
      - OIDC_AUTO_REDIRECT=false
      - OIDC_REMEMBER_ME=true
      - OIDC_USER_CLAIM=email
      - OIDC_PROVIDER_NAME=Authentik
      - OIDC_USER_GROUP=mealie-users
      - OIDC_ADMIN_GROUP=Admin
      - DEFAULT_GROUP=mealie-users
      - OIDC_SIGNING_ALGORITHM=RS256

And here is the error in the log:

sqlalchemy.exc.IntegrityError: (sqlite3.IntegrityError) NOT NULL constraint failed: users.group_id

[SQL: INSERT INTO users (id, full_name, username, email, password, auth_method, admin, advanced, group_id, cache_key, login_attemps, locked_at, can_manage, can_invite, can_organize, owned_recipes_id, created_at, update_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)]

[parameters: ('xxxxxxxxxxxxxxxxxxxxxxxxxxx', 'nick', 'nick', 'xxx@xxxx, 'OIDC', 'OIDC', 1, 1, None, '1234', 0, None, 1, 1, 1, None, '2024-07-08 18:02:22.179425', '2024-07-08 18:02:22.179427')]

[cmintey]

The DEFAULT_GROUP must be a group name which is defined in Mealie. It is not related to OIDC, but rather which group a new user gets put in within Mealie. Default group name in Mealie is "Home", unless you've changed it

[NCVito]

Ok, I found my mistake as soon as you gave some direction. And I'm embarrassed and humbled to say that it was just a dash vs an underscore....

Seems to be great now! Thank you!

[NCVito]

Ok, new issue.... I replaced my ssl certs for my home lab. Now I'm seeing the following error when I attempt to authenticate.

requests.exceptions.SSLError: HTTPSConnectionPool(host='auth.xxxxxxx.com', port=443): Max retries exceeded with url: /application/o/meals/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')))

Looks like rebuilding and restoring a backup returns the issue. Any advise hopefully short of blowing everything away?

[yodaldevoid]

It seems setting up OIDC for Mealie with Authentik has sent quite a few of us to our wit's end, and you can add me to that list.

Both Mealie and Authentik are running in containers connected to the same network sitting behind NGINX (which is also running in a container). I've set up everything OIDC related as suggested by @nichwall, I get the "Login with OAuth" button and go through the login process in Authentik as expected. The problems start at that point with a spinning loading "bar" and then getting dropped at the Mealie login screen.

Looking at Mealie's logs, it looks like Mealie cannot connect to Authentik via my public DNS/IP. I have confirmed by dropping into a shell in the Mealie container that it can resolve the DNS name into my public IP, but all connections to that IP time out. I don't see anything in the NGINX logs, and the Authentik logs say everything worked out fine. The only thing I can think of at this point is a firewall issue, but that doesn't seem right as plenty of other people seem to have gotten this working and my setup can't be that odd.

Does anyone have any ideas what I might have wrong or what I should look into?

[yodaldevoid]

I finally figured out my issue. It eventually came down to a firewall issue.

[pandaboy6621]

I tried to login with my Oauth ID and Mealie says invalid credentials. Here are my mealie env variables. Do I set the user groups in Mealie or Authentik?

environment:
# Set Backend ENV Variables Here
  - ALLOW_SIGNUP=false
  - PUID=1000
  - PGID=1000
  - TZ=America/Los_Angeles
  - MAX_WORKERS=1
  - WEB_CONCURRENCY=1
  - SMTP_AUTH_STRATEGY=TLS
  - SMTP_FROM_EMAIL=
  - SMTP_FROM_NAME=Mealie
  - SMTP_HOST=smtp.gmail.com
  - SMTP_PASSWORD=
  - SMTP_PORT=587
  - SMTP_USER=
  - OPENAI_API_KEY=
  - BASE_URL=http://192.168.1.XX
  - OIDC_AUTH_ENABLED=true
  - OIDC_SIGNUP_ENABLED=true
  - OIDC_CONFIGURATION_URL=http://192.168.1.XX:7000/application/o/mealie/.well-known/openid-configuration
  - OIDC_CLIENT_ID=
  - OIDC_AUTO_REDIRECT=false
  - OIDC_PROVIDER_NAME=mealie
  - OIDC_REMEMBER_ME=true
  - OIDC_USER_GROUP="Mealie-Users"
  - OIDC_ADMIN_GROUP="Mealie-Admins"

[NigelVanHattum]

Hi @pandaboy6621 ,

You setup the groups in Authentik. You could test it without setting up the groups, that way Mealie will always accept users (you can always delete them :)). This can help you make sure OIDC onboarding is working, after that start testing the groups

[pandaboy6621]

I removed the two lines for the group setup. When I go to log in with my Authentik Credentials, it still says invalid login. When I log in with my existing account, it says that OIDC variables are set correctly.

[NigelVanHattum]

Can you find anything in the logs? Otherwise, hit me up on the Discord (Deadwalker09)

[mgrimace]

Ok I got this to work thanks to the OP and this post above: #3334 (reply in thread). Thank you both!

Small problem with NPM: when I enable Authentik also as a ForwardAuth for Mealie, when I use OIDC, after authenticating it redirects to https://mealie:9000/login/?code=xxx and not my FQDN (which is the internal Docker location set in NPM), which I believe is an NPM issue, but wondering if anyone has any advice, here is my advanced config.

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              http://authentik-server:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

[SantiagoSotoC]

I have the same problem, but with cloudflare tunnel, it redirects me to localhost:9000

[mclancer99]

Same issue as well. It redirects me back to authentik since it has port 9000 allocated.

[jaspermayone]

#4254 breaking changes just so everyone knows

[jaspermayone]

see here https://docs.mealie.io/documentation/getting-started/authentication/oidc-v2/

[dasunsrule32]

One fix in the docs for clarity:

OIDC_ADMIN_GROUP: Users that are in this group (within your IdP) will be made an admin in Mealie. Users in this group do not **_also_** need to be in the OIDC_USER_GROUP

to:

OIDC_ADMIN_GROUP: Users that are in this group (within your IdP) will be made an admin in Mealie. Users in this group do not need to be in the OIDC_USER_GROUP

[dasunsrule32]

Also update:

You must change the Mealie client in your IdP to be private. The option is different for every provider, but you need to obtain a client secret.

to:

You must change the Mealie client in your IdP to be confidential. The option is different for every provider, but you need to obtain a client secret.

Basically it's either confidential or public in the OIDC world.

[cmintey]

Doc changes make sense to me. Can you open a PR with those changes?

[dasunsrule32]

Done. #4347

[mgrimace]

Thanks @jaspermayone for the heads up. I use Authentik, and changed the provider to confidential which generated a client secret. I added that secret to my .env and to my compose as OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}". Recreated the container.

However, now when I select 'login with authentik' it redirects to authentik to login (as expected), then back to Mealie, but never actually moves past the Mealie login screen. Basically just brings me back to Mealie login without actually moving forward. Anything I'm missing here?

[dasunsrule32]

Did you upgrade to the nightly? This is implemented in v2.x.

[mgrimace]

Thanks, my bad, I didn’t catch that it was in the nightly vs latest. Updated to nightly and its working as expected. Thank you!

[jchap0182]

Ah, that's what I was doing wrong! Does anyone know if this will work properly behind Cloudflare Tunnel? I would love to expose it publicly, but love having the tunnel in place so I don't have to open any ports on my server and the advantage of an extra firewall and rules out on the CDN.

I will admit I have not tested it yet, but will do so soon if someone else hasn't already.

[dasunsrule32]

I use Cloudflare to expose the services I want, mealie included.

[CitizenStile]

I'm struggling with getting OIDC working correctly with Authentik. I have other hosted services (Paperless/Linkwarden) that use OAuth2 successfully, but not mealie. I hope someone can help point me in the right direction.

Note that the Mealie Bug Report shows OIDC Ready: No, but I believe I have all the required variables set.

Mealie and Authentik are running on the same docker network

Note: The actual domain name changed for privacy

------- Mealie Bug Report -------
Details
Version: v2.0.0
Build: a7c8b33
Application Mode: Production
Demo Status: Not Demo
API Port: 9000
API Docs: Enabled
Database Type: sqlite
Default Household: Family
Recipe Scraper Version: 15.2.1

Checks
Secure Site: Yes
Server Side Base URL: Yes
LDAP Ready: No
OIDC Ready: No
OpenAI Ready: No
Email Configured: Yes

------- Docker Settings -------

Repository: ghcr.io/mealie-recipes/mealie:latest
Variables:
OIDC_AUTH_ENABLED: true
OIDC_CONFIGURATION_URL: https://auth.selfhost.com/application/o/mealie/.well-known/openid-configuration
OIDC_CLIENT_ID: ***** Confirmed to match Authentik Client ID *****
OIDC_CLIENT_SECRET: ***** Confirmed to match Authentik Client Secret *****
OIDC_AUTO_REDIRECT: false
OIDC_PROVIDER_NAME: Authentik
OIDC_REMEMBER_ME: true
OIDC_ADMIN_GROUP: Mealie Admins
OIDC_USER_GROUP: Mealie Users
OIDC_SIGNUP_ENABLED: true
OIDC_USER_CLAIM: email
OIDC_GROUPS_CLAIM: groups

------- Authentik Settings -------
OAuth2 Provider
Authentication flow: default-authentication-flow (Welcome to authentik!)
Authorization flow: default-provider-authorization-implicit-consent (Authorize Application)

Client type: Confidential
Redirect URIs/Origins:
https://recipe.selfhost.com/login
https://recipe.selfhost.com/login?direct=1
https://recipe.selfhost.com/login*
Signing Key: authentik Self-signed Certificate

Selected scopes:
OpenID 'email'
OpenID 'openid'
OpenID 'profile'

Subject mode: Based on the User's Email
Include claims in id_token (checked)
Issuer Mode: Each provider has a different issuer, based on the application slug

URL's
OpenID Configuration URL:
https://auth.selfhost.com/application/o/mealie/.well-known/openid-configuration

[CitizenStile]

went and set the OIDC_CLIENT_ID to 'mealie' and OIDC_CLIENT_SECRET to 'mealie123' but its the same result.
OIDC Ready: No

[cmintey]

Okay final thing to try. Set only the bare minimum required fields for OIDC to work:

OIDC_AUTH_ENABLED: true
OIDC_CONFIGURATION_URL: <your url>
OIDC_CLIENT_ID: <your client id>
OIDC_CLIENT_SECRET: <your client secret>

Don't add any additional OIDC env vars, they are optional.

Restart Mealie, clear cache in your browser and see if it works. If it still doesn't, then I have no idea and we'll have to add some more logs to really dig in on what is missing.

[Sn4tz]

Hi there,
I'm having the same problem with the same settings. Also tried everything @cmintey suggested so far and can't get it to work. The logs aren't helping (me) either (Debug level).
It says "OIDC Ready: No" and there is no OAuth Login Button.
I'm gonna post my logs below:

DEBUG 2024-11-01T11:24:07 - Daily job: purge_group_data_exports DEBUG 2024-11-01T11:24:07 - Daily job: create_mealplan_timeline_events DEBUG 2024-11-01T11:24:07 - Daily job: delete_old_checked_list_items DEBUG 2024-11-01T11:24:07 - Hourly job: locked_user_reset DEBUG 2024-11-01T11:24:07 - Minutely job: post_group_webhooks INFO 2024-11-01T11:24:07 - -----SYSTEM STARTUP----- INFO 2024-11-01T11:24:07 - ------APP SETTINGS------ INFO 2024-11-01T11:24:07 - { "TESTING": false, "PRODUCTION": true, "LOG_CONFIG_OVERRIDE": null, "LOG_LEVEL": "debug", "theme": { "light_primary": "#E58325", "light_accent": "#007A99", "light_secondary": "#973542", "light_success": "#43A047", "light_info": "#1976D2", "light_warning": "#FF6D00", "light_error": "#EF5350", "dark_primary": "#E58325", "dark_accent": "#007A99", "dark_secondary": "#973542", "dark_success": "#43A047", "dark_info": "#1976D2", "dark_warning": "#FF6D00", "dark_error": "#EF5350" }, "BASE_URL": "https://mealie.myDomain.tld", "STATIC_FILES": "/spa/static", "IS_DEMO": false, "HOST_IP": "*", "API_HOST": "0.0.0.0", "API_PORT": 9000, "API_DOCS": true, "TOKEN_TIME": 48, "GIT_COMMIT_HASH": "08fe2d32b094ddd163aedf85ca6ecfd035bedcba", "ALLOW_SIGNUP": false, "DAILY_SCHEDULE_TIME": "23:45", "SECURITY_MAX_LOGIN_ATTEMPTS": 5, "SECURITY_USER_LOCKOUT_TIME": 24, "DB_ENGINE": "sqlite", "DEFAULT_GROUP": "Home", "DEFAULT_HOUSEHOLD": "Family", "SMTP_HOST": "SMTP_HOST", "SMTP_PORT": "587", "SMTP_FROM_NAME": "Mealie", "SMTP_FROM_EMAIL": "E_MAIL", "SMTP_AUTH_STRATEGY": "TLS", "LDAP_AUTH_ENABLED": false, "LDAP_SERVER_URL": null, "LDAP_TLS_INSECURE": false, "LDAP_TLS_CACERTFILE": null, "LDAP_ENABLE_STARTTLS": false, "LDAP_BASE_DN": null, "LDAP_QUERY_BIND": null, "LDAP_USER_FILTER": null, "LDAP_ADMIN_FILTER": null, "LDAP_ID_ATTRIBUTE": "uid", "LDAP_MAIL_ATTRIBUTE": "mail", "LDAP_NAME_ATTRIBUTE": "name", "OIDC_AUTH_ENABLED": true, "OIDC_CLIENT_ID": "mealie", "OIDC_CONFIGURATION_URL": "https://auth.myDomain.tls/application/o/mealie/.well-known/openid-configuration", "OIDC_SIGNUP_ENABLED": true, "OIDC_USER_GROUP": null, "OIDC_ADMIN_GROUP": null, "OIDC_AUTO_REDIRECT": false, "OIDC_PROVIDER_NAME": "OAuth", "OIDC_REMEMBER_ME": false, "OIDC_USER_CLAIM": "email", "OIDC_GROUPS_CLAIM": "groups", "OIDC_TLS_CACERTFILE": null, "OPENAI_BASE_URL": null, "OPENAI_MODEL": "gpt-4o", "OPENAI_CUSTOM_HEADERS": {}, "OPENAI_CUSTOM_PARAMS": {}, "OPENAI_ENABLE_IMAGE_SERVICES": true, "OPENAI_WORKERS": 2, "OPENAI_SEND_DATABASE_DATA": true, "OPENAI_REQUEST_TIMEOUT": 60, "WORKER_PER_CORE": 1, "UVICORN_WORKERS": 1 } DEBUG 2024-11-01T11:24:07 - Local time: 23:45 | UTC time: 22:45 DEBUG 2024-11-01T11:24:07 - Current time is 2024-11-01 10:24:07.065647+00:00 and DAILY_SCHEDULE_TIME (in UTC) is ScheduleTime(hour=22, minute=45) DEBUG 2024-11-01T11:24:07 - Time left: 12:20:53 INFO 2024-11-01T11:24:07 - Daily tasks scheduled for 2024-11-01 22:45:00+00:00 INFO 2024-11-01T11:24:07 - Application startup complete. INFO 2024-11-01T11:24:07 - Uvicorn running on http://0.0.0.0:9000 (Press CTRL+C to quit)

[CitizenStile]

Okay final thing to try. Set only the bare minimum required fields for OIDC to work:

OIDC_AUTH_ENABLED: true
OIDC_CONFIGURATION_URL: <your url>
OIDC_CLIENT_ID: <your client id>
OIDC_CLIENT_SECRET: <your client secret>

Don't add any additional OIDC env vars, they are optional.

Restart Mealie, clear cache in your browser and see if it works. If it still doesn't, then I have no idea and we'll have to add some more logs to really dig in on what is missing.

I completed all of these but still have the same issue.

[CitizenStile]

This is the bug report/log of settings after I used the 4 fields OIDC_AUTH_ENABLED/OIDC_CONFIGURATION_URL/OIDC_CLIENT_ID/OIDC_CLIENT_SECRET

Details
Version: v2.1.0
Build: 53a566d
Application Mode: Production
Demo Status: Not Demo
API Port: 9000
API Docs: Enabled
Database Type: postgres
Default Household: Family
Recipe Scraper Version: 15.2.1

Checks
Secure Site: Yes
Server Side Base URL: Yes
LDAP Ready: No
OIDC Ready: No
OpenAI Ready: No
Email Configured: Yes

-----Logs-----
INFO 2024-11-02T23:06:43 - {
"TESTING": false,
"PRODUCTION": true,
"LOG_CONFIG_OVERRIDE": null,
"LOG_LEVEL": "debug",
"theme": {
"light_primary": "#E58325",
"light_accent": "#007A99",
"light_secondary": "#973542",
"light_success": "#43A047",
"light_info": "#1976D2",
"light_warning": "#FF6D00",
"light_error": "#EF5350",
"dark_primary": "#E58325",
"dark_accent": "#007A99",
"dark_secondary": "#973542",
"dark_success": "#43A047",
"dark_info": "#1976D2",
"dark_warning": "#FF6D00",
"dark_error": "#EF5350"
},
"BASE_URL": "https://recipe.selfhost.com",
"STATIC_FILES": "/spa/static",
"IS_DEMO": false,
"HOST_IP": "*",
"API_HOST": "0.0.0.0",
"API_PORT": 9000,
"API_DOCS": true,
"TOKEN_TIME": 48,
"GIT_COMMIT_HASH": "53a566d08ab5b639671ee8abe1ad5a45dfdccc5a",
"ALLOW_SIGNUP": false,
"DAILY_SCHEDULE_TIME": "23:45",
"SECURITY_MAX_LOGIN_ATTEMPTS": 5,
"SECURITY_USER_LOCKOUT_TIME": 24,
"DB_ENGINE": "postgres",
"DEFAULT_GROUP": "home",
"DEFAULT_HOUSEHOLD": "Family",
"SMTP_HOST": "smtp.gmail.com",
"SMTP_PORT": "587",
"SMTP_FROM_NAME": "Mealie",
"SMTP_FROM_EMAIL": "changeme@gmail.com",
"SMTP_AUTH_STRATEGY": "TLS",
"LDAP_AUTH_ENABLED": false,
"LDAP_SERVER_URL": null,
"LDAP_TLS_INSECURE": false,
"LDAP_TLS_CACERTFILE": null,
"LDAP_ENABLE_STARTTLS": false,
"LDAP_BASE_DN": null,
"LDAP_QUERY_BIND": null,
"LDAP_USER_FILTER": null,
"LDAP_ADMIN_FILTER": null,
"LDAP_ID_ATTRIBUTE": "uid",
"LDAP_MAIL_ATTRIBUTE": "mail",
"LDAP_NAME_ATTRIBUTE": "name",
"OIDC_AUTH_ENABLED": true,
"OIDC_CLIENT_ID": "mealie",
"OIDC_CONFIGURATION_URL": "https://auth.selfhost.com/application/o/mealie/.well-known/openid-configuration",
"OIDC_SIGNUP_ENABLED": true,
"OIDC_USER_GROUP": null,
"OIDC_ADMIN_GROUP": null,
"OIDC_AUTO_REDIRECT": false,
"OIDC_PROVIDER_NAME": "OAuth",
"OIDC_REMEMBER_ME": false,
"OIDC_USER_CLAIM": "email",
"OIDC_GROUPS_CLAIM": "groups",
"OIDC_TLS_CACERTFILE": null,
"OPENAI_BASE_URL": null,
"OPENAI_MODEL": "gpt-4o",
"OPENAI_CUSTOM_HEADERS": {},
"OPENAI_CUSTOM_PARAMS": {},
"OPENAI_ENABLE_IMAGE_SERVICES": true,
"OPENAI_WORKERS": 2,
"OPENAI_SEND_DATABASE_DATA": true,
"OPENAI_REQUEST_TIMEOUT": 60,
"WORKER_PER_CORE": 1,
"UVICORN_WORKERS": 1
}

[jchap0182]

I'm having a very odd error ever since upgrading to version 2 and using the client secret. Immediately on clicking the OIDC Login button on the login screen, I get an "Internal Server Error" shown on the screen and cannot seem to get past this happening. Logs show an interesting 403 error for the openid-configuration URL, although that is never shown in the browser at all. I have been trying to follow the new flow of the OIDC process, but not sure exactly what it's trying to do or how the 403 is occurring. I did at least login to the docker container and validated that I was able to successfully reach the Authentik server both via IP and URL using a PING request, GET request, and CURL - all without error.

The logs I'm seeing are:

INFO     2024-11-10T06:07:38 - [IPv6 Address] 500 Internal Server Error "GET /api/auth/oauth HTTP/1.1"
ERROR    2024-11-10T06:07:38 - Exception in ASGI application
Traceback (most recent call last):
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 401, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in __call__
    return await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 113, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 187, in __call__
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 165, in __call__
    await self.app(scope, receive, _send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/sessions.py", line 85, in __call__
    await self.app(scope, receive, send_wrapper)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 20, in __call__
    await responder(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 39, in __call__
    await self.app(scope, receive, self.send_with_gzip)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 715, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 735, in app
    await route.handle(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 288, in handle
    await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 76, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 73, in app
    response = await f(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 301, in app
    raw_response = await run_endpoint_function(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 212, in run_endpoint_function
    return await dependant.call(**values)
  File "/app/mealie/routes/auth/auth.py", line 112, in oauth_login
    response: RedirectResponse = await client.authorize_redirect(request, redirect_url)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/starlette_client/apps.py", line 34, in authorize_redirect
    rv = await self.create_authorization_url(redirect_uri, **kwargs)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 95, in create_authorization_url
    metadata = await self.load_server_metadata()
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 77, in load_server_metadata
    resp.raise_for_status()
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_models.py", line 763, in raise_for_status
    raise HTTPStatusError(message, request=request, response=self)
httpx.HTTPStatusError: Client error '403 Forbidden' for url 'https://login.mydomain.com/application/o/recipes/.well-known/openid-configuration'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
ERROR    2024-11-10T06:07:38 - Exception in ASGI application
Traceback (most recent call last):
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 401, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in __call__
    return await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 113, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 187, in __call__
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 165, in __call__
    await self.app(scope, receive, _send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/sessions.py", line 85, in __call__
    await self.app(scope, receive, send_wrapper)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 20, in __call__
    await responder(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 39, in __call__
    await self.app(scope, receive, self.send_with_gzip)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 715, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 735, in app
    await route.handle(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 288, in handle
    await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 76, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 73, in app
    response = await f(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 301, in app
    raw_response = await run_endpoint_function(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 212, in run_endpoint_function
    return await dependant.call(**values)
  File "/app/mealie/routes/auth/auth.py", line 112, in oauth_login
    response: RedirectResponse = await client.authorize_redirect(request, redirect_url)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/starlette_client/apps.py", line 34, in authorize_redirect
    rv = await self.create_authorization_url(redirect_uri, **kwargs)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 95, in create_authorization_url
    metadata = await self.load_server_metadata()
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/integrations/base_client/async_app.py", line 77, in load_server_metadata
    resp.raise_for_status()
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/httpx/_models.py", line 763, in raise_for_status
    raise HTTPStatusError(message, request=request, response=self)
httpx.HTTPStatusError: Client error '403 Forbidden' for url 'https://login.mydomain.com/application/o/recipes/.well-known/openid-configuration'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403

The current docker-compose I'm using is:

services:
  mealie:
    image: ghcr.io/mealie-recipes/mealie:v2.1.0 
    container_name: mealie
    restart: always
    ports:
        - "9925:9000" # 
    deploy:
      resources:
        limits:
          memory: 1000M # 
    volumes:
      - ${DOCKERDIR}/services/mealie/data:/app/data/
    environment:
      # Set Backend ENV Variables Here
      ALLOW_SIGNUP: false
      PUID: 1000
      PGID: 1000
      TZ: UTC
      MAX_WORKERS: 1
      WEB_CONCURRENCY: 1
      BASE_URL: https://recipes.mydomain.com
      SMTP_HOST: ${EMAIL_HOST}
      SMTP_PORT: ${EMAIL_PORT}
      SMTP_FROM_NAME: MyDomain Recipes
      SMTP_AUTH_STRATEGY: TLS
      SMTP_FROM_EMAIL: no-reply@mydomain.com
      SMTP_USER: ${EMAIL_USERNAME}
      SMTP_PASSWORD: ${EMAIL_PASSWORD}
      # Database Settings
      DB_ENGINE: postgres
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_SERVER: ${PGDB}
      POSTGRES_PORT: ${PGDB_PORT}
      POSTGRES_DB: mealie
      OIDC_AUTH_ENABLED: True
      OIDC_SIGNUP_ENABLED: True
      OIDC_CONFIGURATION_URL: ${AUTH_CONFIG_URL}
      OIDC_CLIENT_ID: ${CLIENT_ID}
      OIDC_CLIENT_SECRET: ${CLIENT_SECRET}
      OIDC_ADMIN_GROUP: ${ADMIN_GROUP}
      OIDC_USER_GROUP: ${USER_GROUP}
      OIDC_PROVIDER_NAME: ${OIDC_PROVIDER_NAME}
      OIDC_REMEMBER_ME: True
      OIDC_USER_CLAIM: ${OIDC_USER_CLAIM}
      OIDC_GROUPS_CLAIM: ${OIDC_GROUPS_CLAIM}
      # OIDC_AUTO_REDIRECT: false
      OPENAI_API_KEY: ${OPENAI_KEY}
      THEME_LIGHT_PRIMARY: #4085D4
      THEME_LIGHT_ACCENT: #007A99
      THEME_LIGHT_SECONDARY: #FBC784
      THEME_LIGHT_SUCCESS: #4EE4D3
      THEME_LIGHT_INFO: #282858
      THEME_LIGHT_WARNING: #FBC784
      THEME_LIGHT_ERROR: #BF3B60
      THEME_DARK_PRIMARY: #FBC784
      THEME_DARK_ACCENT: #4085D4
      THEME_DARK_SECONDARY: #282858
      THEME_DARK_SUCCESS: #4EE4D3
      THEME_DARK_INFO: #4EE4D3
      THEME_DARK_WARNING: #BF3B60
      THEME_DARK_ERROR: #BF3B60

With the following ENV (obviously redacted):

DOCKERDIR=/home/debian/docker/mealie
DB_USERNAME=mealie
DB_PASSWORD=[REDACTED]
PGDB=10.40.1.2
PGDB_PORT=5432
EMAIL_HOST=[REDACTED]
EMAIL_PORT=587
EMAIL_USERNAME=[REDACTED]
EMAIL_PASSWORD=[REDACTED]
AUTH_CONFIG_URL=https://login.mydomain.com/application/o/recipes/.well-known/openid-configuration
CLIENT_ID='[REDACTED]'
ADMIN_GROUP=app-admins
OIDC_PROVIDER_NAME=[REDACTED]
OIDC_USER_CLAIM=email
OIDC_GROUPS_CLAIM=groups
USER_GROUP=app-users
CLIENT_SECRET=[REDACTED]
OPENAI_KEY=[REDACTED]

Since the only real error I'm seeing is the 403, I'm stuck as to why that would be the case, considering that even from inside the docker container I can hit that URL and obtain the full JSON response without issue from the command line. Any thoughts from anyone is greatly appreciated.

[Shourai]

I have Authentik working with mealie, the following is a config example.
Maybe this helps someone setting it up.
Following @InputObject2's #3334 (reply in thread) formatting.

Mealie version: v2.2.0

BASE_URL: "mealie.mydomain.com"
# OIDC with Authentik
OIDC_AUTH_ENABLED: "true"
OIDC_PROVIDER_NAME: "Authentik"
OIDC_CLIENT_ID: "<authentik_client_id>"
OIDC_CLIENT_SECRET: "<authentik_client_secret>"
OIDC_CONFIGURATION_URL: "https://authentik.mydomain.com/application/o/mealie/.well-known/openid-configuration"
OIDC_REMEMBER_ME: "true"

Authentik version: v2024.10.1
Configuration isn't in yaml but following the yaml format:

Providers:

  Name: Mealie
  Authorization flow: default-authorization-implicit-consent
Protocol settings
  Client type: confidential
  Client ID: <autogenerated> # Put this in the OIDC_CLIENT_ID environment field
  Client secret: <autogenerated> # Put this in the OIDC_CLIENT_SECRET environment field
  Redirect URIs: https://mealie.mydomain.com/login
  Signing key: Authentik self-signed certificate
Advanced Protocol Settings
  Advanced scopes: email. openid, profile
  Subject mode: Base on user's email
  Include claims in id_token: true  # (checked)

Application

  Name: Mealie
  Slug: mealie
  Provider: Mealie
  Policy engine mode: any