Trouble setting up OIDC

[vzhong]

Hi, I'm trying to set up Docspell with Authentik OAuth. I have set it up through environment variable and it seems like

1. all containers are running without errors
2. the Authentik OIDC login button shows up on the web UI

When I try to log in, I get "Access denied" in the web UI. In the rest server logs I see:

2022.05.05 15:06:51:0000 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /api/v1/open/auth/openid/authentik
2022.05.05 15:06:51:0001 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 302 Found
2022.05.05 15:06:51:0000 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /sw.js
2022.05.05 15:06:51:0001 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 200 OK
2022.05.05 15:06:52:0000 [io-comp...] [INFO ] docspell.oidc.CodeFlowRoutes.userInfo:70 - Resume OAuth/OIDC flow for authentik
2022.05.05 15:06:52:0000 [io-comp...] [ERROR] docspell.oidc.CodeFlow.fetchAccessToken:121 - Error obtaining access token '301' / IO(...)
2022.05.05 15:06:52:0001 [io-comp...] [WARN ] docspell.oidc.CodeFlowRoutes.applyOrElse:95 - Error resuming code flow from 'authentik'
2022.05.05 15:06:52:0002 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /api/v1/open/auth/openid/authentik/resume?code=55b02854db8e4eae979e7ff6f480eaec&state=
2022.05.05 15:06:52:0003 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 307 Temporary Redirect
2022.05.05 15:06:52:0000 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /app/login?openid=1

Any ideas what's going on here?

[eikek]

Hi @vzhong ,

It says Error obtaining access token '301' / IO(...) - which looks like the client is not following redirects here :-/ You could try to resolve the redirects yourself and edit the settings incuding the final url. Maybe this helps.

Edit: It is the token-url in the config file.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. This only applies to 'question' issues. Always feel free to reopen or create new issues. Thank you!

[mirisbowring]

How did you manage to use environment variables for oidc?
When i tried creating the config as json array and passing it to DOCSPELL_SERVER_OPENID= but the application argued about it beeing a string.

Directly referencing the neccessary fields is not possible also because it expects a Array, not object.

I am stuck currently.
~~@eikek ~~

Well, fixed above by using config file.
I still do not understand, what the problem with the token endpoint is :(

[eikek]

Hi @mirisbowring - it is true that env vars do not support arrays at this point. You need to use a config file.

I'm not sure about the endpoint problem - do you get the same error as described in this issue?

[mirisbowring]

Yep, i am getting the exact same error. unfortunately, trace log level does not provide any additional information.

Any Idea, what to test additionally?

[eikek]

I need to look later, from the top of my head: seeing the 301 response in the logs, a guess is that the url returns a redirect and that the client is not following it. This can be fixed ofc, but to test it quickly i would resolve the redirect manually and try the last url instead. But I don.t know the auth provider and more details - hard to say. maybe also a look in the docs of the IP could help

[eikek]

Looked at the code, and tbh I don't understand the error. It says receiving a 301 status code and afaics this is handled as success case.

docspell/modules/oidc/src/main/scala/docspell/oidc/CodeFlow.scala

Lines 108 to 123 in 6ae1775

	OptionT(c.run(req).use {
	case Status.Successful(r) =>
	for {
	token <- r.attemptAs[AccessToken].value
	_ <- token match {
	case Right(t) =>
	logger.trace(s"Got token response: $t")
	case Left(err) =>
	logger.error(err)(s"Error decoding access token: ${err.getMessage}")
	}
	} yield token.toOption
	case r =>
	logger
	.error(s"Error obtaining access token '${r.status.code}' / ${r.as[String]}")
	.map(_ => None)
	})

So currently no idea why it reaches the "Error obtaining access token" branch. Maybe a trace log could still be useful - if its possible to provide I would be curious.

If you can provide some steps or a docker/compose file (or something similar) so I could reproduce it here, that would be also great of course.

[akoyaxd]

I have the 301 issue as well. I use Authentik version 2022.6.3. I also got a similar issue in peertube, where it says, that there was no access token to be obtained.

Docspell logs

2022.07.02 15:30:32:0000 [io-comp...] [INFO ] docspell.oidc.CodeFlowRoutes.userInfo:70 - Resume OAuth/OIDC flow for koyax_id
2022.07.02 15:30:33:0001 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 200 OK
2022.07.02 15:30:33:0000 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /app/login?openid=1
2022.07.02 15:30:33:0002 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 307 Temporary Redirect
2022.07.02 15:30:33:0001 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /api/v1/open/auth/openid/koyax_id/resume?code=[REMOVED]&state=
2022.07.02 15:30:33:0000 [io-comp...] [WARN ] docspell.oidc.CodeFlowRoutes.applyOrElse:95 - Error resuming code flow from 'koyax_id'
2022.07.02 15:30:33:0000 [io-comp...] [ERROR] docspell.oidc.CodeFlow.fetchAccessToken:121 - Error obtaining access token '301' / IO(...)
2022.07.02 15:30:32:0001 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 200 OK
2022.07.02 15:30:32:0000 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /sw.js
2022.07.02 15:30:31:0001 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 302 Found
2022.07.02 15:30:31:0000 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /api/v1/open/auth/openid/koyax_id

Open ID Config

openid =
    [ { enabled = true,


        display = "Koyax ID"
        provider = {
          provider-id = "koyax_id",
          client-id = "[REMOVED]",
          client-secret = "[REMOVED]",
          scope = "profile",
          authorize-url = "https://account.koyax.org/application/o/authorize/",
          token-url = "https://account.koyax.org/application/o/token/",
          #User URL is not used when signature key is set.
          user-url = "https://account.koyax.org/application/o/userinfo/",
          sign-key = "b64:REMOVED"
          sig-algo = "RS512"
        },
        # The collective of the user is given in the access token as
        # property `docspell_collective`.
        collective-key = "lookup:preferred_username",
        # The username to use for the docspell account
        user-key = "preferred_username"
      }
    ]

Authentik Config

Authentik Tracelogs

I sent them to @eikek via gitter/matrix.