Feature Request: OIDC Support
Instead of having to use just Google, it would be nice to use Authentik, Authelia, etc.
I second this feature request. 2024 has been the year where I've seen global adoption of OIDC and most of the apps I'm using are now supporting OIDC.
I'm using Authelia and I'd like instructions on how to set it up. It's possible with next-auth but it's complicated and undocumented.
In the meantime it would be really nice to get instructions to make it work with next-auth/ldap so that my user would use the same credentials everywhere. Not a huge deal with SplitPro since it works with a passwordless magic link to log in.
I would like this so I am opening a draft PR. It's not tested yet - nor does it have any tests written. I'll try to clean it up and validate it over the next couple of days.
I can't speak for Authelia, but v1.3.4 works with Authentik. I had to:
- Pass in the following environment variables:
  - `AUTHENTIK_ID` (client ID from Authentik)
  - `AUTHENTIK_SECRET` (client secret from Authentik)
  - `AUTHENTIK_ISSUER` (OpenID Configuration Issuer from Authentik)
- Set the ~~callback URL~~ redirect URI to `https://yoursplitpro.domain/api/auth/callback/authentik` in Authentik
Did you pass in the authentik provider to the list of providers?
Edit: oh, authentik provider is included https://github.com/oss-apps/split-pro/blob/main/src/server/auth.ts#L172
So that's expected. This issue is intended to be supporting OIDC in general, right?
+1 I think this feature would be a great addition!
I have just gotten Authelia 4.38.7 to work with the Authentik option. In this example, auth.example.com is Authelia, and split.example.com is Split-Pro. This is also running via nginx-proxy-manager, so the docker compose file needs a slight adjustment too. The login option on the web GUI does still say Authentik though.

docker-compose.yaml

```yaml
...
    ports:
      - 8009:${PORT:-3000}
    environment:
      - PORT=${PORT:-3000}
...
```

.env config

```env
PORT=443
NEXTAUTH_URL="https://split.example.com"
AUTHENTIK_ID=split-pro
AUTHENTIK_SECRET=<jwt secret goes here>
AUTHENTIK_ISSUER=https://auth.example.com
```

Authelia OIDC config

```yaml
- client_id: 'split-pro'
  client_name: 'Split-Pro'
  client_secret: '<jwt digest goes here>'
  public: false
  authorization_policy: 'two_factor'
  redirect_uris:
    - 'https://split.example.com/api/auth/callback/authentik'
  scopes:
    - 'openid'
    - 'profile'
    - 'email'
  userinfo_signed_response_alg: 'none'
```
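Added example (not SplitPro's or Authelia's own code) tying the two setups above together: it reads the `AUTHENTIK_*` variables and `NEXTAUTH_URL`, rejects a non-https issuer, normalises the issuer the way discovery expects it, and derives the exact redirect URI that must appear in the IdP's `redirect_uris` (a strict-matching IdP rejects any other string). The function and field names (`buildAuthentikProviderConfig`, `expectedRedirectUri`, `sampleEnv`) are assumptions.

```typescript
// Added example, not SplitPro's own code. Function and field names here
// (buildAuthentikProviderConfig, sampleEnv, ...) are assumptions.
interface OidcProviderConfig {
  id: string;          // next-auth provider id; SplitPro's built-in one is "authentik"
  clientId: string;
  clientSecret: string;
  issuer: string;      // normalised: https only, no trailing slash
  redirectUri: string; // must appear verbatim in the IdP client's redirect_uris
  scopes: string[];
}

// next-auth's callback route is fixed: <NEXTAUTH_URL>/api/auth/callback/<provider id>.
// Computing it from NEXTAUTH_URL yields the exact string the IdP must allow.
function expectedRedirectUri(nextauthUrl: string, providerId: string): string {
  const u = new URL(nextauthUrl);
  u.pathname = u.pathname.replace(/\/+$/, "") + `/api/auth/callback/${providerId}`;
  u.search = "";
  u.hash = "";
  return u.toString();
}

// Discovery is fetched from <issuer>/.well-known/openid-configuration, so the
// issuer must be https (tokens travel over it) and must not end in a slash.
function normaliseIssuer(issuer: string): string {
  const u = new URL(issuer);
  if (u.protocol !== "https:") throw new Error("AUTHENTIK_ISSUER must be https");
  u.search = "";
  u.hash = "";
  return u.toString().replace(/\/+$/, "");
}

function buildAuthentikProviderConfig(env: Record<string, string | undefined>): OidcProviderConfig {
  const required = ["NEXTAUTH_URL", "AUTHENTIK_ID", "AUTHENTIK_SECRET", "AUTHENTIK_ISSUER"];
  const missing = required.filter((k) => !env[k]);
  if (missing.length > 0) throw new Error(`Missing auth env: ${missing.join(", ")}`);
  return {
    id: "authentik",
    clientId: env["AUTHENTIK_ID"] as string,
    clientSecret: env["AUTHENTIK_SECRET"] as string,
    issuer: normaliseIssuer(env["AUTHENTIK_ISSUER"] as string),
    redirectUri: expectedRedirectUri(env["NEXTAUTH_URL"] as string, "authentik"),
    scopes: ["openid", "profile", "email"], // the scopes granted in the Authelia client above
  };
}

// Constructed sample mirroring the .env in the thread; the secret is a placeholder.
const sampleEnv: Record<string, string> = {
  NEXTAUTH_URL: "https://split.example.com",
  AUTHENTIK_ID: "split-pro",
  AUTHENTIK_SECRET: "<placeholder secret>",
  AUTHENTIK_ISSUER: "https://auth.example.com/", // trailing slash gets stripped
};
```

Compare `redirectUri` against the IdP's `redirect_uris` entry byte for byte; a scheme, host, port or trailing-slash mismatch is the usual cause of a callback being refused.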
I can confirm Pocket-ID works with Authentik option out of the box. I just wish to have a general multi OIDC option so I could use both Authentik as a primary login and Pocket-ID as a fallback option.
There is a Docker image tag for evaluating the OIDC PR. Can you check if that would solve your use case? ossapps/splitpro:feat-148-oidc-eval
I tried to fresh install ossapps/splitpro:feat-148-oidc-eval and ran into this issue, similar to #229
I think this bug is also present in the latest v1.5.0 release.
Deploying prisma migrations
+ echo 'Deploying prisma migrations'
+ pnpx prisma@6 migrate deploy --schema ./prisma/schema.prisma
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 2, reused 0, downloaded 0, added 0
Starting web server
Killed
+ echo 'Starting web server'
+ node server.js
▲ Next.js 15.3.3
- Local: http://73ee96dbb423:3000
- Network: http://73ee96dbb423:3000
✓ Starting...
Registering instrumentation
Validating auth env
✓ Ready in 2.8s
prisma:error
Invalid `prisma.account.findUnique()` invocation:
The table `public.Account` does not exist in the current database.
[next-auth][error][adapter_error_getUserByAccount]
https://next-auth.js.org/errors#adapter_error_getuserbyaccount
Invalid `prisma.account.findUnique()` invocation:
The table `public.Account` does not exist in the current database. {
message: '\n' +
'Invalid `prisma.account.findUnique()` invocation:\n' +
'\n' +
'\n' +
'The table `public.Account` does not exist in the current database.',
stack: 'PrismaClientKnownRequestError: \n' +
'Invalid `prisma.account.findUnique()` invocation:\n' +
'\n' +
'\n' +
'The table `public.Account` does not exist in the current database.\n' +
' at Zn.handleRequestError (/app/node_modules/.pnpm/@[email protected][email protected][email protected][email protected]/node_modules/@prisma/client/runtime/library.js:121:7459)\n' +
' at Zn.handleAndLogRequestError (/app/node_modules/.pnpm/@[email protected][email protected][email protected][email protected]/node_modules/@prisma/client/runtime/library.js:121:6784)\n' +
' at Zn.request (/app/node_modules/.pnpm/@[email protected][email protected][email protected][email protected]/node_modules/@prisma/client/runtime/library.js:121:6491)\n' +
' at async l (/app/node_modules/.pnpm/@[email protected][email protected][email protected][email protected]/node_modules/@prisma/client/runtime/library.js:130:9778)\n' +
' at async getUserByAccount (/app/node_modules/.pnpm/@[email protected]_@[email protected][email protected][email protected]__typ_36ba5e755bef4405db1d622103759220/node_modules/@next-auth/prisma-adapter/dist/index.js:211:29)',
name: 'PrismaClientKnownRequestError'
}
[next-auth][error][OAUTH_CALLBACK_HANDLER_ERROR]
https://next-auth.js.org/errors#oauth_callback_handler_error
Invalid `prisma.account.findUnique()` invocation:
The table `public.Account` does not exist in the current database. [Error [GetUserByAccountError]:
Invalid `prisma.account.findUnique()` invocation:
The table `public.Account` does not exist in the current database.] {
code: 'P2021'
}
@mrg358 I can't do much about it without reproduction steps. Can you try if the issue happens with a clean db?
Issue was on my end, caused by resource restriction in my compose file. Sorry for creating confusion.
Test image ossapps/splitpro:feat-148-oidc-eval works as expected. Authentik and Pocket-ID (OIDC) works OK.
A small UX issue, maybe: only the error msg which pops up after a successful logout.
An error occurred while signing in: SessionRequired