
[FEATURE] Allow OIDC Login with Zitadel #2592

Open
meinrecht opened this issue Jul 26, 2024 · 2 comments

Comments

@meinrecht

OIDC does not work with Zitadel
Zitadel is an OIDC provider that lets the client application use either the "PKCE" or the "Code" method.

When I configure my self-hosted Leantime instance with the Docker environment variables that I tried to deduce from other configurations described, I am not able to authenticate with Zitadel.
Those are:

LEAN_OIDC_ENABLE=true
LEAN_OIDC_PROVIDER_URL=https://zitadel.example.tld
LEAN_OIDC_AUTH_URL_OVERRIDE=https://zitadel.example.tld/oauth/v2/authorize
LEAN_OIDC_TOKEN_URL_OVERRIDE=https://zitadel.example.tld/oauth/v2/token
LEAN_OIDC_USERINFO_URL_OVERRIDE=https://zitadel.example.tld/oidc/v1/userinfo
LEAN_OIDC_JWKS_URL_OVERRIDE=https://zitadel.example.tld/oauth/v2/keys
LEAN_OIDC_CREATE_USER=true
LEAN_OIDC_SCOPES="openid profile email"
LEAN_OIDC_FIELD_EMAIL=Email
LEAN_OIDC_CLIENT_ID=id
# this one should not be needed with PKCE
LEAN_OIDC_CLIENT_SECRET=secret

In Zitadel the "redirect URL" is set to: https://leantime.example.tld/oidc/callback

When using "OIDC Login" on Leantime, after being redirected to my Zitadel instance and entering my credentials, I am not redirected back. When I reopen the page where Leantime sits, I can see an error message that depends on the above-mentioned method that Zitadel should use for this client:

  1. with "PKCE":

Client error: POST https://zitadel.example.tld/oauth/v2/token
resulted in a 400 Bad Request
response: {"error":"invalid_request","error_description":"code_challenge required"}

So this looks like PKCE is not supported at all.

  2. with "Code":

Das benutzte Format für den öffentlichen Schlüssel wird noch nicht
unterstützt. Bitte prüfen Sie, ob Ihr provider alternative JWKS-Endpunkte
unterstützt. Für Google nutzen Sie:
https://www.googleapis.com/oauth2/v1/certs
(which means: the format used for the public key is not yet supported; please check whether your provider supports alternative JWKS endpoints; for Google use the URL above)

There is no error message on the Zitadel side in this case.

I would like to be able to use Zitadel as an OIDC provider for Leantime, be it with PKCE or Code.

If that is not achievable it would at least be helpful to specify in the documentation what exactly is required from the OIDC provider for the integration to work.

Additional context

I am aware that Zitadel is not one of the most common IAM providers, but it seems others have similar problems, like in #2088 (GitLab). I also read #2009, but could not find anything helpful.
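The `code_challenge required` error above is the provider refusing a token exchange for an authorization code that was issued without PKCE parameters. The following is an added example, not Leantime's or Zitadel's code, that shows the two halves a PKCE-capable client has to supply (RFC 7636): a `code_challenge` on the authorize request and the matching `code_verifier` on the token request, plus the check the provider performs at the token endpoint. The endpoint URLs, `client_id` and redirect URI are taken from the issue's example configuration and are placeholders; `build_token_request` only assembles the POST body and does not send it.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder endpoints, mirroring the issue's example configuration.
AUTH_URL = "https://zitadel.example.tld/oauth/v2/authorize"
TOKEN_URL = "https://zitadel.example.tld/oauth/v2/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 section 4 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Random code_verifier; 32 bytes encode to 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scopes: str,
                        state: str, challenge: str) -> str:
    """Authorize request: the challenge travels here, the verifier stays with the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scopes,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_URL}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str,
                        verifier: str) -> dict:
    """Token request body: the verifier is revealed only now, over TLS.
    With PKCE a public client needs no client_secret here (constructed body, not sent)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def provider_check(stored_challenge: str, presented_verifier: str) -> bool:
    """What the provider does at the token endpoint: recompute the challenge
    from the presented verifier and compare it to the one bound to the code."""
    return secrets.compare_digest(make_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_verifier()
    challenge = make_challenge(verifier)
    state = b64url(secrets.token_bytes(16))
    print(build_authorize_url("id", "https://leantime.example.tld/oidc/callback",
                              "openid profile email", state, challenge))
    # After the redirect back with ?code=...&state=..., the client exchanges the code:
    print(build_token_request("id", "https://leantime.example.tld/oidc/callback",
                              "CODE_FROM_CALLBACK", verifier))
    print("provider accepts verifier:", provider_check(challenge, verifier))
```

A client that sends only the token request half (as the error message suggests Leantime does) fails exactly as shown in the issue, because the provider has no challenge bound to the code to compare against. The verifier must be kept in the client's session between the two requests, and binding the callback to `state` protects against a stolen or mixed-up code being exchanged by a different session.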

@jgardner-qha

I seem to be having exactly the same problem, except with Amazon Cognito. I've set up a large number of various OAuth client applications on multiple providers, including Authentik, Keycloak, Microsoft, and Amazon Cognito, and I've never come across this frustrating problem before. What is missing in Leantime that is causing this?

@marcelfolaron
Contributor

PKCE is currently not supported. We are in the midst of switching some of the authentication layers and I'll take another look at that.
