
How to configure the OIDC callback? #1159

Open
zblzbl1991 opened this issue Dec 12, 2024 · 3 comments

Comments

@zblzbl1991

Is your feature request related to a problem? Please describe.
When I configure OIDC for the CE version, my settings are as follows:

BACKEND_OIDC_CLIENT_ID=satoken
BACKEND_OIDC_CLIENT_SECRET=satoken
BACKEND_OIDC_CALLBACK_URL=http://localhost:3000/api/auth/oidc/callback
BACKEND_OIDC_USER_INFO_URL=http://localhost:8080/userinfo
BACKEND_OIDC_TOKEN_URL=http://localhost:8080/oauth2/token
BACKEND_OIDC_AUTHORIZATION_URL=http://localhost:8080/oauth2/authorize
BACKEND_OIDC_ISSUER=http://localhost:8080
BACKEND_OIDC_OTHER={"scope": ["email", "profile"]}
SOCIAL_AUTH_PROVIDERS=oidc

I'd like to know where the problem is.

Additional context
The server side of teable returns an error code of 500; this is the log:
{"level":30,"time":1733964755950,"pid":7,"hostname":"f5157c07fb6d","name":"teable","req":{"id":"f5834e15eedf414bf71f9fd8aa67b567","method":"GET","url":"/api/auth/oidc/callback?code=Cff6e5buyynvaZ4cMeXTJREsJrg27fchDR9IJWdoJEMTLRDrW522hqxtgKYi&state=Um4PaMG1rr9ylain","query":{"code":"Cff6e5buyynvaZ4cMeXTJREsJrg27fchDR9IJWdoJEMTLRDrW522hqxtgKYi","state":"Um4PaMG1rr9ylain"},"params":{"0":"api/auth/oidc/callback"},"remoteAddress":"::ffff:172.18.0.1","remotePort":59442},"res":{"statusCode":500},"err":{"type":"Error","message":"failed with status code 500","stack":"Error: failed with status code 500\n at onResFinished (/app/node_modules/.pnpm/pino-http@9.0.0/node_modules/pino-http/logger.js:114:39)\n at ServerResponse.onResponseComplete (/app/node_modules/.pnpm/pino-http@9.0.0/node_modules/pino-http/logger.js:177:14)\n at /app/node_modules/.pnpm/@opentelemetry+context-async-hooks@1.27.0_@opentelemetry+api@1.9.0/node_modules/@opentelemetry/context-async-hooks/build/src/AbstractAsyncHooksContextManager.js:50:55\n at AsyncLocalStorage.run (node:async_hooks:335:14)\n at AsyncLocalStorageContextManager.with (/app/node_modules/.pnpm/@opentelemetry+context-async-hooks@1.27.0_@opentelemetry+api@1.9.0/node_modules/@opentelemetry/context-async-hooks/build/src/AsyncLocalStorageContextManager.js:33:40)\n at ServerResponse.contextWrapper (/app/node_modules/.pnpm/@opentelemetry+context-async-hooks@1.27.0_@opentelemetry+api@1.9.0/node_modules/@opentelemetry/context-async-hooks/build/src/AbstractAsyncHooksContextManager.js:50:32)\n at ServerResponse.emit (node:events:526:35)\n at ServerResponse.emit (node:domain:488:12)\n at onFinish (node:_http_outgoing:1005:10)\n at callback (node:internal/streams/writable:608:21)"},"responseTime":20,"spanId":"41be9ca0be867087","traceId":"f5834e15eedf414bf71f9fd8aa67b567","msg":"request errored"}
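A static sanity check over a BACKEND_OIDC_* configuration like the one posted above, added here as an example; it is not Teable's own validation code. The env text is constructed from the values in the post, the checks encode general OpenID Connect requirements (the `openid` scope is mandatory in an OIDC authentication request) and operational hygiene (TLS off loopback, non-placeholder client secret), and the expected callback path is the one visible in this issue:

```javascript
// Added example, not Teable's code: pre-flight checks for a BACKEND_OIDC_* configuration.
// Constructed sample: the poster's configuration, as a .env-style string.
const SAMPLE_ENV = `
BACKEND_OIDC_CLIENT_ID=satoken
BACKEND_OIDC_CLIENT_SECRET=satoken
BACKEND_OIDC_CALLBACK_URL=http://localhost:3000/api/auth/oidc/callback
BACKEND_OIDC_USER_INFO_URL=http://localhost:8080/userinfo
BACKEND_OIDC_TOKEN_URL=http://localhost:8080/oauth2/token
BACKEND_OIDC_AUTHORIZATION_URL=http://localhost:8080/oauth2/authorize
BACKEND_OIDC_ISSUER=http://localhost:8080
BACKEND_OIDC_OTHER={"scope": ["email", "profile"]}
SOCIAL_AUTH_PROVIDERS=oidc
`;

// Parse KEY=VALUE lines; blank lines and # comments are skipped, values keep their '='.
function parseEnv(text) {
  const cfg = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

function isLoopback(u) {
  return u.hostname === "localhost" || u.hostname === "127.0.0.1" || u.hostname === "[::1]";
}

// Returns human-readable findings; an empty list means the configuration passed every check.
function checkOidcConfig(cfg) {
  const findings = [];
  const required = [
    "BACKEND_OIDC_CLIENT_ID", "BACKEND_OIDC_CLIENT_SECRET", "BACKEND_OIDC_CALLBACK_URL",
    "BACKEND_OIDC_USER_INFO_URL", "BACKEND_OIDC_TOKEN_URL", "BACKEND_OIDC_AUTHORIZATION_URL",
    "BACKEND_OIDC_ISSUER",
  ];
  for (const k of required) if (!cfg[k]) findings.push(`${k} is missing or empty`);
  if (findings.length) return findings;

  // OpenID Connect Core 3.1.2.1: the authentication request MUST carry the "openid" scope;
  // without it a provider is not required to issue an ID token at all.
  let scope = [];
  try {
    const other = JSON.parse(cfg.BACKEND_OIDC_OTHER || "{}");
    scope = Array.isArray(other.scope)
      ? other.scope
      : String(other.scope || "").split(/\s+/).filter(Boolean);
  } catch {
    findings.push("BACKEND_OIDC_OTHER is not valid JSON");
  }
  if (!scope.includes("openid")) findings.push('scope does not include "openid"');

  // Endpoint hygiene: tokens and user claims travel over these URLs, so require TLS off loopback.
  const endpoints = ["BACKEND_OIDC_USER_INFO_URL", "BACKEND_OIDC_TOKEN_URL",
                     "BACKEND_OIDC_AUTHORIZATION_URL", "BACKEND_OIDC_ISSUER"];
  for (const k of endpoints) {
    let u;
    try { u = new URL(cfg[k]); } catch { findings.push(`${k} is not a valid URL`); continue; }
    if (u.protocol !== "https:" && !isLoopback(u)) findings.push(`${k} uses ${u.protocol} to a non-loopback host`);
  }

  // Placeholder or weak credentials (the sample uses the same word for id and secret).
  if (cfg.BACKEND_OIDC_CLIENT_SECRET === cfg.BACKEND_OIDC_CLIENT_ID) findings.push("client secret equals client id");
  if (cfg.BACKEND_OIDC_CLIENT_SECRET.length < 16) findings.push("client secret is shorter than 16 characters");

  // The redirect URI must match what is registered at the provider byte for byte;
  // the path below is the one this issue shows for Teable's callback route.
  const cb = new URL(cfg.BACKEND_OIDC_CALLBACK_URL);
  if (cb.pathname !== "/api/auth/oidc/callback") findings.push(`callback path is ${cb.pathname}, expected /api/auth/oidc/callback`);

  return findings;
}

// Stand-alone usage: print the findings for the constructed sample.
for (const f of checkOidcConfig(parseEnv(SAMPLE_ENV))) console.log("finding:", f);
```

Run it against the real `.env` before starting the container; the scope and secret findings it raises for the sample are the ones a reviewer would want to see before debugging a 500 from the callback route.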

@kpodp0ra
Collaborator

Cannot reproduce on latest community edition. I'm using a free, self-hosted Authentik instance as SSO provider:

BACKEND_OIDC_CLIENT_ID=
BACKEND_OIDC_CLIENT_SECRET=
BACKEND_OIDC_CALLBACK_URL=http://localhost:3000/api/auth/oidc/callback
BACKEND_OIDC_USER_INFO_URL=https://auth.example.com/application/o/userinfo/
BACKEND_OIDC_TOKEN_URL=https://auth.example.com/application/o/token/
BACKEND_OIDC_AUTHORIZATION_URL=https://auth.example.com/application/o/authorize/
BACKEND_OIDC_ISSUER=https://auth.example.com/application/o/teable/
BACKEND_OIDC_OTHER={"scope": ["openid", "email", "profile"]}
SOCIAL_AUTH_PROVIDERS=oidc

Reformatted error for someone to analyze:

{
  "level": 30,
  "time": 1733964755950,
  "pid": 7,
  "hostname": "f5157c07fb6d",
  "name": "teable",
  "req": {
    "id": "f5834e15eedf414bf71f9fd8aa67b567",
    "method": "GET",
    "url": "/api/auth/oidc/callback?code=Cff6e5buyynvaZ4cMeXTJREsJrg27fchDR9IJWdoJEMTLRDrW522hqxtgKYi&state=Um4PaMG1rr9ylain",
    "query": {
      "code": "Cff6e5buyynvaZ4cMeXTJREsJrg27fchDR9IJWdoJEMTLRDrW522hqxtgKYi",
      "state": "Um4PaMG1rr9ylain"
    },
    "params": {
      "0": "api/auth/oidc/callback"
    },
    "remoteAddress": "::ffff:172.18.0.1",
    "remotePort": 59442
  },
  "res": {
    "statusCode": 500
  },
  "err": {
    "type": "Error",
    "message": "failed with status code 500",
    "stack": ...
  },
  "responseTime": 20,
  "spanId": "41be9ca0be867087",
  "traceId": "f5834e15eedf414bf71f9fd8aa67b567",
  "msg": "request errored"
}
Error: failed with status code 500
    at onResFinished (/app/node_modules/.pnpm/pino-http@9.0.0/node_modules/pino-http/logger.js:114:39)
    at ServerResponse.onResponseComplete (/app/node_modules/.pnpm/pino-http@9.0.0/node_modules/pino-http/logger.js:177:14)
    at /app/node_modules/.pnpm/@opentelemetry+context-async-hooks@1.27.0_@opentelemetry+api@1.9.0/node_modules/@opentelemetry/context-async-hooks/build/src/AbstractAsyncHooksContextManager.js:50:55
    at AsyncLocalStorage.run (node:async_hooks:335:14)
    at AsyncLocalStorageContextManager.with (/app/node_modules/.pnpm/@opentelemetry+context-async-hooks@1.27.0_@opentelemetry+api@1.9.0/node_modules/@opentelemetry/context-async-hooks/build/src/AsyncLocalStorageContextManager.js:33:40)
    at ServerResponse.contextWrapper (/app/node_modules/.pnpm/@opentelemetry+context-async-hooks@1.27.0_@opentelemetry+api@1.9.0/node_modules/@opentelemetry/context-async-hooks/build/src/AbstractAsyncHooksContextManager.js:50:32)
    at ServerResponse.emit (node:events:526:35)
    at ServerResponse.emit (node:domain:488:12)
    at onFinish (node:_http_outgoing:1005:10)
    at callback (node:internal/streams/writable:608:21)

It's probably a broken OIDC server.

@zblzbl1991
Author

I found the problem, but how do I set the username that is returned after OIDC (OpenID Connect) login? Currently, after an authorized login, the email prefix is displayed in Tableau. How can I customize this username?

@kpodp0ra
Collaborator

OIDC server should return a response similar to this:

{
    "iss": "https://auth.example.com/application/o/teable/",
    "sub": [REDACTED],
    "aud": [REDACTED],
    "exp": [REDACTED],
    "iat": [REDACTED],
    "auth_time": [REDACTED],
    "acr": "goauthentik.io/providers/oauth2/default",
    "amr": [
        "pwd"
    ],
    "email": "user+mail@example.com",
    "email_verified": true,
    "name": "John Smith",
    "given_name": "John Smith",
    "preferred_username": "john",
    "nickname": "john",
    "groups": [
        "clients",
        "teable"
    ]
}

Teable only reads the name property for the display name and email for the email; it theoretically should also save the user avatar, but passport-openidconnect has no support for that. [1] [2]

Your OIDC server probably sends the email in the 'name' field; check your OIDC server configuration for "property mappings".

Footnotes

[1] https://github.com/teableio/teable/blob/a5898a5be4dbfac8dd6e350864fb3e8d5345d764/apps/nestjs-backend/src/features/auth/strategies/oidc.strategy.ts#L34-L41

[2] https://github.com/jaredhanson/passport-openidconnect/blob/c69c2137c5b49534e93008aa0645a00aba1f7f0b/lib/profile.js#L11-L19
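The claim-to-profile mapping described in the comment above (name for the display name, email for the email), as an added example that is neither Teable's nor passport-openidconnect's code. It validates the claim set the way a relying party must before trusting it, then derives the profile and flags the exact misconfiguration the thread discusses: a provider whose property mapping puts an email address into `name`. The claims are constructed from the redacted sample in the reply; the client id, `sub` and timestamps are placeholders, and the fallback order (preferred_username, then nickname, then email local part) is this example's own choice, not Teable's behaviour:

```javascript
// Added example, not Teable's or passport-openidconnect's code.
// Placeholder relying-party settings (the issuer is the one shown in the thread).
const EXPECTED = {
  issuer: "https://auth.example.com/application/o/teable/", // BACKEND_OIDC_ISSUER
  clientId: "teable-client-id",                              // placeholder client id
};

// Constructed sample claims; redacted values from the thread replaced with placeholders.
const SAMPLE_CLAIMS = {
  iss: "https://auth.example.com/application/o/teable/",
  sub: "c0ffee-placeholder",
  aud: "teable-client-id",
  exp: 1733968355, iat: 1733964755, auth_time: 1733964750,
  acr: "goauthentik.io/providers/oauth2/default",
  amr: ["pwd"],
  email: "user+mail@example.com",
  email_verified: true,
  name: "John Smith",
  given_name: "John Smith",
  preferred_username: "john",
  nickname: "john",
  groups: ["clients", "teable"],
};

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Minimal relying-party checks on a decoded claim set (OIDC Core 3.1.3.7: iss, aud, exp).
// Signature verification is assumed to have been done by the library that decoded the token.
function validateClaims(claims, expected, nowSeconds) {
  const problems = [];
  if (claims.iss !== expected.issuer) problems.push(`iss mismatch: ${claims.iss}`);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) problems.push("aud does not contain our client_id");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) problems.push("exp missing or in the past");
  if (!claims.sub) problems.push("sub missing");
  return problems;
}

// Map claims to the two fields the thread says Teable uses, with a diagnostic for the
// "name holds an email address" misconfiguration. Fallback order is this example's choice.
function mapProfile(claims) {
  const warnings = [];
  let displayName = claims.name;
  if (!displayName || EMAIL_RE.test(displayName)) {
    warnings.push(`"name" claim is ${displayName ? "an email address" : "missing"}; check the provider's property mappings`);
    displayName = claims.preferred_username || claims.nickname
      || (claims.email ? claims.email.split("@")[0] : claims.sub);
  }
  // An unverified email must not be used to attach this login to an existing local account.
  if (claims.email && claims.email_verified !== true) {
    warnings.push("email_verified is not true; do not link by email to an existing account");
  }
  return { id: claims.sub, displayName, email: claims.email, warnings };
}

// Stand-alone usage on the constructed sample and on a copy with the misconfigured "name".
const now = Math.floor(Date.now() / 1000);
console.log(validateClaims(SAMPLE_CLAIMS, EXPECTED, now), mapProfile(SAMPLE_CLAIMS));
console.log(mapProfile({ ...SAMPLE_CLAIMS, name: "user+mail@example.com" }));
```

The warning text is what an operator wants in the backend log when the display name comes out as an email prefix: it points at the provider's property mapping rather than at the relying party, which is where the thread's fix lives.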
