OIDC not redirecting back to XO

maxcerny

Still haven't been able to get it working... Any suggestions?

olivierlambert

XO works well with a reverse proxy, so I would ask Authelia community I think. I don't see any reason it shouldn't work

maxcerny

@olivierlambert I got a bit further, but now I'm getting an internal server error when I get redirected back.

sluflyer06

@maxcerny maybe post the config you are using? I use OIDC with Google for XO and it worked right out of the gate.

maxcerny

@sluflyer06
authelia client config:

XO OIDC config:

maxcerny

Not really sure which scopes I should be using tho. might be the issue.

olivierlambert

Have you asked Authelia community? Sounds like more a configuration tuning than anything else

maxcerny

@olivierlambert I haven't, but considering the issue is only with xen orchestra, which has 0 documentation on the oidc plugin I don't think they will be of much help.

olivierlambert

Our OIDC plugin is very standard, as far OIDC is. We detailed how to use it with Keycloak (with screenshots), if you can have people from Authelia with some knowledge on what fields to fill, that would be wonderful. Keep us posted, we'll be happy to have your steps in our documentation

maxcerny

@olivierlambert I was able to get some logs from xen orchestra.

Expected values to be strictly equal:
+ actual - expected

+ 'undefined'
- 'string'

But no additional information.

olivierlambert

Ah! That's interesting

Ping @julien-f

maxcerny

@olivierlambert could you point me in the keycloak configuration direction?

olivierlambert

See https://xen-orchestra.com/blog/xen-orchestra-5-80/

julien-f

@maxcerny I believe the username field is incorrect, it should be one of displayName, username or email).

Make sure your plugin is up-to-date because it is documented.

maxcerny

@julien-f tried it, no dice

Also according to the authelia docs: https://www.authelia.com/integration/openid-connect/introduction/#profile

the claim is preferred_username

julien-f

@maxcerny username is preferred_username in XO.

We weren't explicitly using the profile scope, please test the oidc-scope-profile branch.

maxcerny

@julien-f yes, this branch works.
guess it was a scoping issue then.

When about can I expect an update to the master branch? I'm currently running xo in docker and don't really want to glue together different plugin versions.

maxcerny

@julien-f just a clarification, it works with username, not preferred username

julien-f

@maxcerny I've made some changes to make scopes configurable, if you could test it to make sure it works, that would be great. (same branch, commit da14bab)

julien-f

@maxcerny Have you been able to test the latest version?