OIDC Support - Attempt 2 #3746
base: develop
Conversation
@sct Let's try this again. This should only include the OIDC changes now, plus some small bug fixes.
Okay, addressed ESLint and the logging injection attack. Further, improved middleware logging to scrub sensitive data from log messages and sanitize against injection attacks. ESLint output:
yarn build output:
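An added example, not code from this PR or from Overseerr, of what scrubbing sensitive data and neutralising log injection look like for an Express-style request log line. The parameter and header names it redacts, and the sample request it logs, are assumptions chosen for illustration:

```typescript
// Added example (not Overseerr's code): sanitising request data before it is
// written to a log line, so attacker-controlled input such as the `state` or
// `code` query parameter echoed by an OIDC callback can neither forge extra
// log records via CR/LF nor leak credentials into the log file.

// The redaction lists are assumptions for this example, not Overseerr's own.
const SENSITIVE_PARAMS: { [name: string]: true } = {
  code: true, state: true, id_token: true, access_token: true, refresh_token: true,
};
const SENSITIVE_HEADERS: { [name: string]: true } = {
  authorization: true, cookie: true, "set-cookie": true,
};

// Escape C0/C1 control characters (\r, \n, ESC, ...) as \xNN so one log call
// can never emit a second line or an ANSI escape sequence.
function neutralizeControlChars(s: string): string {
  return s.replace(/[\u0000-\u001f\u007f-\u009f]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16);
    return "\\x" + ("0" + hex).slice(-2);
  });
}

// Replace the values of sensitive query parameters, leaving the rest of the
// URL untouched so the log still shows which endpoint was hit.
function redactUrl(rawUrl: string): string {
  const q = rawUrl.indexOf("?");
  if (q === -1) return neutralizeControlChars(rawUrl);
  const path = rawUrl.slice(0, q);
  const pairs = rawUrl.slice(q + 1).split("&").map((pair) => {
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    let decodedKey = key;
    try {
      decodedKey = decodeURIComponent(key);
    } catch (e) {
      // malformed percent-encoding: fall back to comparing the raw key
    }
    return SENSITIVE_PARAMS[decodedKey.toLowerCase()] ? key + "=REDACTED" : pair;
  });
  return neutralizeControlChars(path + "?" + pairs.join("&"));
}

type HeaderMap = { [name: string]: string | string[] | undefined };

// Drop credential-bearing headers entirely and neutralise the remaining ones.
function redactHeaders(headers: HeaderMap): { [name: string]: string } {
  const out: { [name: string]: string } = {};
  for (const name of Object.keys(headers)) {
    const value = headers[name];
    if (value === undefined) continue;
    const lower = name.toLowerCase();
    const joined = Array.isArray(value) ? value.join(", ") : value;
    out[lower] = SENSITIVE_HEADERS[lower] ? "REDACTED" : neutralizeControlChars(joined);
  }
  return out;
}

// The single-line record a logging middleware would hand to the logger.
function formatRequestLog(method: string, url: string, headers: HeaderMap): string {
  const h = redactHeaders(headers);
  const headerText = Object.keys(h).map((k) => k + "=" + h[k]).join(" ");
  return neutralizeControlChars(method) + " " + redactUrl(url) + " " + headerText;
}

// Constructed sample request. The CRLF in `next` is shown already decoded,
// as a middleware that logs decoded query values would see it.
const sampleUrl =
  "/api/v1/auth/oidc-callback?code=authelia_ac_SECRET&iss=https%3A%2F%2Fauth.example.com" +
  "&state=abc123&next=/home\r\nINFO login ok user=admin";
const sampleHeaders: HeaderMap = {
  authorization: "Bearer eyJhbGciOi.SECRET.SIG",
  "user-agent": "Mozilla/5.0\u001b[2Jevil",
  "x-forwarded-for": ["203.0.113.5", "198.51.100.7"],
};

console.log(formatRequestLog("GET", sampleUrl, sampleHeaders));
```

The redaction happens before the string reaches the logger, so it holds regardless of which transport (console, file, syslog) the logger writes to; escaping rather than stripping control characters keeps evidence of the attempt in the record.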
@sct got ESLint passing (for code I touched) and addressed the log injection risk.
Not stale. @sct, can we get someone to look at this?
Merged latest develop into the branch.
I've just tested this fork with my Authelia setup, and it works; thank you, @lenaxia, for the docker image and for keeping this PR up to date. Some quick thoughts after using this:
@sct is there any reason why this PR isn't being accepted? [Edit: I realised you might be waiting for #3015 to be merged before accepting this one. Thanks for your work on this cool project. I recognise you are doing this in your spare time, so please don't take my comment as an attempt to hassle you; it is more to understand the logic/sequence you had in mind.]
Has this pull request stalled as well?
This would be an amazing feature. Why does this keep getting ignored?
Hello owner!!! Please review!!!
@sct @samwiseg0 @OwsleyJr @danshilm @TheCatLady Please help to merge.
@lenaxia This branch is out of date with the base branch.
@lenaxia Will this still be updated?
@sct This would be an awesome feature.
I can't get it working with Authelia. I click the "sign in with Authelia" option, I get the consent request popup, I accept, and it loads a blank page with the error "{"message":"Unexpected token < in JSON at position 0"}" at the top. I've tried all sorts of changes to the Authelia config but nothing gets me any further than this. Could you share your Authelia client config for Overseerr? And I assume my OIDC domain in the Overseerr settings is just overseer.domain.com?
Seconding this. @sct, could we get some eyes/approval on this?
I'm having exactly the same issue. My client setup in Authelia is basically identical to yours, but I'm receiving the below error when trying to sign in on Overseerr.
Commits:
- feat: oidc 2
- feat: oidc
- …ing of reverse proxies.
- … being disabled unnecessarily
Branch updated from 7a9b6ae to 8216a60.
Sounds like it's getting an HTML response instead of JSON. I see these with 401s in my work, but getting a look at the underlying message would probably help pinpoint what is wrong.
Yeah, my Authelia config is in a slightly different format than lenaxia's example, but it matches closely (I'm confident my format is valid; it works with another application), and I'm still getting that error.
What do you mean by "the underlying message"? When I check the console, the error it's returning is "Failed to load resource: the server responded with a status of 500 ()". The URL is "https://overseerr.mydomain.com/api/v1/auth/oidc-callback?code=authelia_ac_[REDACTED]&iss=https%3A%2F%2Fauth.mydomain.com&scope=openid+profile+email&state=[REDACTED]".
I did a bit more digging on this today. As scoobydoofus mentions, I'm also getting a 500 response from the https://overseerr.{MYDOMAIN}/api/v1/auth/oidc-login endpoint, which is presumably what's causing the problem. Looking at the logs in Authelia, it seems it's not being passed the correct information, as all the logs are suggesting the requests are coming from a source that isn't authenticated with the correct credentials, but I'm definitely logged into Authelia. The below is what I get in my Authelia logs whenever I try to log in: "Access to https://overseer.{MYDOMAIN}.app/{...} (method GET) is not authorized to user , responding with status code 401". Unless there is something special about Overseerr, I don't think anything is off in my configuration, as it works fine for OIDC login to all my other services like Komga, Immich, etc.
I tried using the
The logs from the docker container are:
So, not super helpful. Maybe we're doing something very wrong?
I actually got it working, so for future reference this is how I got it working with Authentik. Some placeholders:
Authentik
Overseerr
Save and enjoy!
This feature seems to be highly anticipated. It would be a shame if it went stale or outdated on the main branch again. @sct
Description
This PR rebases the OIDC changes onto the current Overseerr mainline (develop) and fixes some improper OIDC implementation. Because of this, it now works with Authelia. Changes have also been revalidated to work with a basic configuration of Authentik. I have not tested this with other OIDC providers.
Fixes include:
- aud (audience) callback parameter being an array. The OIDC spec allows aud to be either a string or an array of strings. The previous implementation here only allowed a string when doing OIDC validation. This is now fixed to support both string and array.
- Log level defaults to info if the LOG_LEVEL env variable is not defined (previously it was debug).
Bug Fix:
Screenshot (if UI-related)
To-Dos
yarn build
yarn i18n:extract
Issues Fixed or Closed