feat: oidc support #2792
Conversation
Well, this is functional. It needs to be reviewed, is all.
I just pulled this and tested it with OIDC from Authentik. It works as intended after a few changes:
Thanks! I'll make the changes when I have the time.
Thanks! I'm going to have to switch to this branch to test with Authentik as well. I currently have a policy that when a user goes to Overseerr, authentik pulls their plex_token and passes it to Overseerr. This "works" as long as the user has already associated their account with their Plex account. However, if they do not have a plex account, this doesn't work. @ayazgoff outside of the code changes you referenced, was there anything special on the Authentik side you had to do?
Fixed review comments and rebased the branch
@lenaxia Thanks, my bad, I did not see it. Configuring now and I will report back
@lenaxia I have the same issue as @b3n3w. In my case I use Authentik as a proxy for Azure AD authentication. My Flow:
Here are some screenshots of my config on Overseerr and Authentik, as well as the login steps. Sorry about the language soup. I'm a Brazilian living in Québec, so I speak Portuguese and my PC is in French, so I have a mixed bag of Portuguese, French and English on my systems. Maybe the errors are in the configs, on the Overseerr side or at Authentik. I had a hard time finding the right configs for OIDC domain on Overseerr and Redirect URL on Authentik. Thanks
Thanks for the screencaps. Can you please rerun your container with LOG_LEVEL=debug env variable and then post the log contents from your container? Specifically you can search for 'oidc-callback', and 'oidc-login'. The callback one is likely the issue. If you can also provide the authentik logs would likely be helpful too. Having the login screen reappear after logging in is normal. I see that with authelia too.
Authentik Container or Overseerr Container?
Overseerr container.
overseerr-5674884db8-6tljd_overseerr.log |
@lenaxia maybe an important piece of information is that I use Kubernetes and not Docker, so if you see anything that is not common on Docker, maybe that's why
I run kubernetes too, so no worries there https://github.com/lenaxia/home-ops-prod/blob/main/cluster/apps/media/mediarequests/overseerr/helm-release.yaml Looks like your client ID and secret may not be matching.
I will spin up my own instance of authentik (won't have Azure AD though), and see if I can get it working.
After your testing, please validate the domain URL on Overseerr, whether it's the one I pasted here in my config, and the callback URL as well on Authentik. The values that I placed in those fields seem kind of odd.
I just tested with a basic Authentik implementation and it works. So it may have to do with your AD configuration. The error is pretty clear. If you want to compare, here is the helm release I am using: https://github.com/lenaxia/home-ops-prod/blob/2f3342b9b324d937f7c0c5b309cd687c38ec88a0/cluster/apps/networking/authentik/app/helm-release.yaml. Can you try with a non-AD version of Authentik first to establish a baseline for what works and what doesn't? @b3n3w @obsidiangroup Have either of you had a chance to test? You will see the overseerr UI show up briefly in the pop up before it closes itself
@lenaxia can you confirm the CallBack URL? I mean the Redirect URIs/Origins (RegEx) on authentik
Yeah oidc definitely has a learning curve (less than kubernetes though 😆). Your callback url should point to your Overseerr instance, so it should be something like https://overseerr.domain.com/api/v1/auth/oidc-callback.
I opened a PR to @ankarhem 's fork but happy to just open one directly here too if I don't hear from them.
After changing the redirect URL to
@b3n3w gonna strongly discourage use of a wildcard like that for oidc. That means that after logging in, a user could be directed to any site, including a malicious one. Please see if you can format your callback url to something like this:
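To make the point above concrete, here is an added example (not Overseerr's code and not part of this PR) that validates an incoming redirect_uri against an exact allowlist, side by side with the kind of wildcard rule the comment discourages. The single allowlist entry is an assumption modelled on the callback URL quoted earlier in the thread, and the regex is a constructed stand-in for a permissive "Redirect URIs (RegEx)" setting; all inputs below are constructed.

```typescript
// Added example, not Overseerr code: exact-match redirect_uri validation versus
// a wildcard rule. The allowlist entry is an assumption based on the callback
// URL quoted in the thread.
const ALLOWED_REDIRECT_URIS: string[] = [
  "https://overseerr.domain.com/api/v1/auth/oidc-callback",
];

// Parse an absolute URL, returning null instead of throwing on garbage input.
function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Normalise a candidate so trivially different spellings of the registered URL
// (e.g. upper-case host) compare equal, while anything structurally different
// (other scheme, other host, extra path, query, fragment, userinfo) does not.
function normalizeRedirectUri(raw: string): string | null {
  const url = parseUrl(raw);
  if (url === null) return null;
  if (url.protocol !== "https:") return null; // require TLS
  if (url.username || url.password) return null; // no userinfo
  if (url.hash) return null; // fragments are never part of a registered URI
  if (url.search) return null; // exact-match policy: no query string either
  // URL already lower-cases the host and resolves "." / ".." path segments.
  return `${url.protocol}//${url.host}${url.pathname}`;
}

// Strict policy: the redirect_uri must normalise to a registered value.
function isAllowedRedirectUri(candidate: string): boolean {
  const normalized = normalizeRedirectUri(candidate);
  if (normalized === null) return false;
  return ALLOWED_REDIRECT_URIS.includes(normalized);
}

// Wildcard policy of the kind discouraged above (constructed for contrast):
// /^https:\/\/.*/ accepts any https URL, so the authorization code could be
// sent to a host outside the allowlist.
const WILDCARD_PATTERN = /^https:\/\/.*/;
function wildcardAccepts(candidate: string): boolean {
  return WILDCARD_PATTERN.test(candidate);
}

// Constructed inputs for a quick comparison of the two policies.
const SAMPLES: string[] = [
  "https://overseerr.domain.com/api/v1/auth/oidc-callback",
  "https://OVERSEERR.domain.com/api/v1/auth/oidc-callback",
  "http://overseerr.domain.com/api/v1/auth/oidc-callback",
  "https://overseerr.domain.com/api/v1/auth/oidc-callback?next=x",
  "https://overseerr.domain.com.lookalike.example/api/v1/auth/oidc-callback",
];
for (const s of SAMPLES) {
  console.log(`${s}\n  exact=${isAllowedRedirectUri(s)} wildcard=${wildcardAccepts(s)}`);
}
```

The strict version differs from the wildcard one only on the inputs that matter: a different host, a plain-http scheme or an appended query string are all rejected, while a harmless case difference in the hostname still passes because the URL parser canonicalises it.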
Opened a PR to this repo as I hadn't heard back from @ankarhem, code is rebased and works with Authelia and Authentik.
I left this with no intention of pursuing it further, as I tried for like 1.5 years keeping it up to date and working to get it merged. I didn't get the impression it was going anywhere so I left it, in case someone like yourself would pick it up.
Absolutely happy to pick up the torch. And just want to say how much I appreciate the work to get started. First time getting my hands dirty in OIDC code for me, so this was a great learning experience for me, and I'm hoping to implement it in other projects now too.
Highly appreciate your explanation!
Hello, I am setting this up with Authentik and I'm getting the same
This is what I'm getting when trying this with Authentik. Any clues why this is failing? When I click on the OAuth option it goes through Authentik and goes back to the same Overseerr login screen.
Description
This works when I test it with auth0 but it would be nice to get some additional testing with other providers. I'd appreciate it if I could get help setting up oidc on authelia if someone has this, or if someone could test it.
Screenshot (if UI-related)
To-Dos
- Add api docs
- Clean up the code
- Refactor out popup handling stuff from plex and use that for a oidc class instead of redirecting the whole page
- Test with other providers
- Add validation (all fields required, domain is a domain etc.) to the oidc settings in settings page
- [ ] Revocation logic?
- [ ] Create account if it doesn't exist?
- Successful build (yarn build)
- Translation keys (yarn i18n:extract)
- [ ] Database migration (if required)
Other considerations
I considered saving the token and refresh_token and adding token handling / validating it for requests, but since other login methods consider you logged in as long as you have the user id in the session, I didn't.
Issues Fixed or Closed