OAuth setup with Authentik #3334
Replies: 25 comments 73 replies
-
as a point of note as Authentik uses a shared Redirect URI and Origins it is probably a good idea to add the BaseURL (no subpath) to that field as well. It might also be good to point out I had trouble with configuring OIDC_AUTO_REDIRECT=true it wasn't until I set that and logged in for the first time that it worked (it might be related to weird browser caching issues) I would but toggling this value fixed any token issues I was having Unsure if its required but should be highlighted authorization_code: In authentik 2024.2 you will need to define offline_access scope to access this |
Beta Was this translation helpful? Give feedback.
-
Thank you for sharing your setup. I tried to follow your steps. Sadly no SSO / Login Button appears and my instance seams not to be working. Can you share a Screenshot of how the result should look like? |
Beta Was this translation helpful? Give feedback.
-
I was able to get this working but have run into an issue with the Client_Id only accepting a set value. Is it expected that regardless of what you set the OIDC_CLIENT_ID value to in the environment variables that it will always default to the one you have set in this example. |
Beta Was this translation helpful? Give feedback.
-
I set this up myself running the Postgres version of Nightly Mealie then ran into an issue when logging in, I get the following - "GET /login/?code=d1615ae266154ffe849xxxxxxxxxxxxxxxxx&state=xxxxxxxxxxx HTTP/1.1" 200 OK This is for a brand new account logging into Mealie via Authentik OAuth. I then followed the instructions above and got the same issue where I get 401 Unauthorized after being redirected to Mealie. The following is enabled so I'm not sure where to look. Not really sure what to do next. |
Beta Was this translation helpful? Give feedback.
-
This seems like something that should be added to the documentation. I would never have guessed that admins are not allowed to log in!
|
Beta Was this translation helpful? Give feedback.
-
I attempted to set up the openid with Authentik 2024.2 and somehow I get this error: |
Beta Was this translation helpful? Give feedback.
-
Anyone got Authentik and Mealie working and willing to share their config? Somehow I get a 404 page error. |
Beta Was this translation helpful? Give feedback.
-
I only got that far that I actually get redirected to Authentik, log in, and then be redirected to Mealie in a loop with error 500 and the site reloads every second. No logs about error 500 in Mealie... the LOG_LEVEL variable does btw not seem to work. I've set it to DEBUG but there are no debug logs. I use it as a button to login with Authentik and not as a redirect for Mealie. |
Beta Was this translation helpful? Give feedback.
-
Nope. I have set it to user too and still the error occurs... |
Beta Was this translation helpful? Give feedback.
-
Despite all my other applications working with Authentik, I cannot get Mealie to work with OIDC. In the console it is being blocked by CORS policy "The 'Access-Control-Allow-Origin' header contains multiple values" however, the domain does not have multiple values. I have upgraded to 1.7.0 but cannot incorporate Authentik |
Beta Was this translation helpful? Give feedback.
-
Can anyone help me with Traefik -> Authentik -> Mealie I can't figure out the middleware |
Beta Was this translation helpful? Give feedback.
-
I tried everything in the whole thread (again) after an update crashed my working mealie setup and now I only get an 404 error page when I try to login with Authentik. Trying for a long time to fix it and tried everything from the traefik documentation but it wont send the Access Control Allow Origin Header. Does anyone has a working Mealie website with traefik and authentik or know what's wrong with my current one? |
Beta Was this translation helpful? Give feedback.
-
I have been having a hell of a time getting this to work. I'll attach my config, along with the error I've been seeing in the log. Hopefully someone can give me some guidance.
And here is the error in the log:
|
Beta Was this translation helpful? Give feedback.
-
Ok, new issue.... I replaced my ssl certs for my home lab. Now I'm seeing the following error when I attempt to authenticate.
Looks like rebuilding and restoring a backup returns the issue. Any advise hopefully short of blowing everything away? |
Beta Was this translation helpful? Give feedback.
-
It seems setting up OIDC for Mealie with Authentik has sent quite a few of us to our wit's end, and you can add me to that list. Both Mealie and Authentik are running in containers connected to the same network sitting behind NGINX (which is also running in a container). I've set up everything OIDC related as suggested by @nichwall, I get the "Login with OAuth" button and go through the login process in Authentik as expected. The problems start at that point with a spinning loading "bar" and then getting dropped at the Mealie login screen. Looking at Mealie's logs, it looks like Mealie cannot connect to Authentik via my public DNS/IP. I have confirmed by dropping into a shell in the Mealie container that it can resolve the DNS name into my public IP, but all connections to that IP time out. I don't see anything in the NGINX logs, and the Authentik logs say everything worked out fine. The only thing I can think of at this point is a firewall issue, but that doesn't seem right as plenty of other people seem to have gotten this working and my setup can't be that odd. Does anyone have any ideas what I might have wrong or what I should look into? |
Beta Was this translation helpful? Give feedback.
-
I tried to login with my Oauth ID and Mealie says invalid credentials. Here are my mealie env variables. Do I set the user groups in Mealie or Authentik?
|
Beta Was this translation helpful? Give feedback.
-
Hi @pandaboy6621 , You setup the groups in Authentik. You could test it without setting up the groups, that way Mealie will always accept users (you can always delete them :)). This can help you make sure OIDC onboarding is working, after that start testing the groups |
Beta Was this translation helpful? Give feedback.
-
Ok I got this to work thanks to the OP and this post above: #3334 (reply in thread). Thank you both! Small problem with NPM: when I enable Authentik also as a ForwardAuth for Mealie, when I use OIDC, after authenticating it redirects to # Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;
# Make sure not to redirect traffic to a port 4443
port_in_redirect off;
location / {
# Put your proxy_pass to your application here
proxy_pass $forward_scheme://$server:$port;
# Set any other headers your application might need
# proxy_set_header Host $host;
# proxy_set_header ...
##############################
# authentik-specific config
##############################
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
}
# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
proxy_pass http://authentik-server:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
} |
Beta Was this translation helpful? Give feedback.
-
#4254 breaking changes just so everyone knows |
Beta Was this translation helpful? Give feedback.
-
see here https://docs.mealie.io/documentation/getting-started/authentication/oidc-v2/ |
Beta Was this translation helpful? Give feedback.
-
Thanks @jaspermayone for the heads up. I use Authentik, and changed the provider to However, now when I select 'login with authentik' it redirects to authentik to login (as expected), then back to Mealie, but never actually moves past the Mealie login screen. Basically just brings me back to Mealie login without actually moving forward. Anything I'm missing here? |
Beta Was this translation helpful? Give feedback.
-
I'm struggling with getting OIDC working correctly with Authentik. I have other hosted services (Paperless/Linkwarden) that use OAuth2 successfully, but not mealie. I hope someone can help point me in the right direction. Note that the Mealie Bug Report shows OIDC Ready: No, but I believe I have all the required variables set. Mealie and Authentik are running on the same docker network Note: The actual domain name changed for privacy ------- Mealie Bug Report ------- Checks ------- Docker Settings ------- Repository: ghcr.io/mealie-recipes/mealie:latest ------- Authentik Settings ------- Client type: Confidential Selected scopes: Subject mode: Based on the User's Email URL's |
Beta Was this translation helpful? Give feedback.
-
I'm having a very odd error ever since upgrading to version 2 and using the client secret. Immediately on clicking the OIDC Login button on the login screen, I get an "Internal Server Error" shown on the screen and cannot seem to get past this happening. Logs show an interesting 403 error for the openid-configuration URL, although that is never shown in the browser at all. I have been trying to follow the new flow of the OIDC process, but not sure exactly what it's trying to do or how the 403 is occurring. I did at least login to the docker container and validated that I was able to successfully reach the Authentik server both via IP and URL using a PING request, GET request, and CURL - all without error. The logs I'm seeing are:
The current docker-compose I'm using is:
With the following ENV (obviously redacted):
Since the only real error I'm seeing is the 403, I'm stuck as to why that would be the case, considering that even from inside the docker container I can hit that URL and obtain the full JSON response without issue from the command line. Any thoughts from anyone is greatly appreciated. |
Beta Was this translation helpful? Give feedback.
-
I have Authentik working with mealie, the following is a config example. Mealie version: v2.2.0 BASE_URL: "mealie.mydomain.com"
# OIDC with Authentik
OIDC_AUTH_ENABLED: "true"
OIDC_PROVIDER_NAME: "Authentik"
OIDC_CLIENT_ID: "<authentik_client_id>"
OIDC_CLIENT_SECRET: "<authentik_client_secret>"
OIDC_CONFIGURATION_URL: "https://authentik.mydomain.com/application/o/mealie/.well-known/openid-configuration"
OIDC_REMEMBER_ME: "true" Authentik version: v2024.10.1 Providers: Name: Mealie
Authorization flow: default-authorization-implicit-consent
Protocol settings
Client type: confidential
Client ID: <autogenerated> # Put this in the OIDC_CLIENT_ID environment field
Client secret: <autogenerated> # Put this in the OIDC_CLIENT_SECRET environment field
Redirect URIs: https://mealie.mydomain.com/login
Signing key: Authentik self-signed certificate
Advanced Protocol Settings
Advanced scopes: email. openid, profile
Subject mode: Base on user's email
Include claims in id_token: true # (checked) Application Name: Mealie
Slug: mealie
Provider: Mealie
Policy engine mode: any |
Beta Was this translation helpful? Give feedback.
-
Mealie had issues until I changed:
to
I haven't had to do this for other SPs but it looks like everyone else is doing it here already?? Did I miss a step in the docs?? Also, I'm happily using Mealie with Traefik + Authentik for anyone else in the same boat. |
Beta Was this translation helpful? Give feedback.
-
This is an example of how to set up OIDC or OAuth for Mealie with Authentik. This guide was written in May 2024 and is provided as a way to get started but information will likely not be kept up to date (there will be edit notes if updates are made).
I recommend Cooptonian's excellent video on setting up OIDC to get started.
Mealie documentation on for OpenID Connect: https://docs.mealie.io/documentation/getting-started/authentication/oidc/
Mealie documentation for environment variables: https://docs.mealie.io/documentation/getting-started/installation/backend-config/#openid-connect-oidc
This post is just how I got it set up for my setup, I am not well versed in everything you can do so hopefully other people can help you in the comments if you have problems.
First, I set the
Name
field to something description. For this, I useMealie Demo
. Set theAuthentication flow
andAuthorization flow
as desired for your setup. Change theProtocol Settings
to "Public", and set theRedirect URI/Origins
as desired. For example, if your Mealie instance is located athttps://mealie.cooldomain.com
, you can use a Redirect ashttps://mealie.cooldomain.com/login
.In
Advanced protocol settings
I changed theSubject Mode
to be "Based on User's Email" because that's how I set up my user accounts. Make sure you have all of the required scopes that the Mealie documentation mentions.I then made an Application named
Mealie Demo App
and set the Provider toMealie Demo
. After setting the application for the provider, the information in the gray boxes should all fill out. You can then use this information to set environment variables for your Mealie installation. Most of the information can be gotten from the Provider details page. You can verify the client type is public at(A)
, get the Client ID at(B)
, verify the Redirect at(C)
, and get the OIDC Configuration URL at(D)
. At the time of writing, you only needB
andD
for the Mealie environment variables.An example of the environment variables in a Docker compose is included below using information from the Provider detail page. I have two groups in Authentik,
my_family
for regular Mealie users andmealie Admins
. These can be entered directly in the environment variables. You will need to change the OIDC variables according to your setup and based on updates to the Mealie documentation.Beta Was this translation helpful? Give feedback.
All reactions