In OpenID provider (Forgejo/gitea):
Code:
PROXY - - [18/Jan/2025:16:52:21 +0000] "GET https://openid.corp/.well-known/openid-configuration HTTP/1.1" 200 1190 "-" "ureq/2.10.0"

Proxy is defined in /etc/environment with a no_proxy for internal domains, along with apt options.
/etc/pve/datacenter.cfg has only http_proxy, like the Web UI (Datacenter > Options > HTTP proxy). No no_proxy option.

On Proxmox:
Code:
# pveum realm add {{ proxmox_realm }} --type openid --issuer-url {{ proxmox_realm_url }} --client-id {{ proxmox_realm_client_id }} --client-key {{ proxmox_realm_client_secret }} --username-claim {{ proxmox_realm_username_claim }}
# cat /etc/pve/domains.cfg
pve: pve
	comment Proxmox VE authentication server
pam: pam
	comment Linux PAM standard authentication
openid: SSO-OpenID
	client-id CLIENT_ID
	issuer-url https://openid.corp
	autocreate 1
	client-key CLIENT_KEY
	default 0
	username-claim username

No failed login or error/warning in `journalctl -u pvedaemon --since today`
No match either in /var/log/pve*
Problem is not the following, as not using a subdir and config has no trailing slash:
https://github.com/ramosbugs/openidconnect-rs/issues/38
My workplace has used CAS for web SSO for many, many years now. In the last couple years they added OIDC, but they added the discovery URL down a couple levels from the top: /cas/oidc/.well-known/openid-configuration. I put https://cas.ucdavis.edu/cas/oidc in for the issuer URL, but I get the error below:
Code:
OpenID redirect failed.
Validation error: unexpected issuer URI `https://cas.ucdavis.edu/` (expected `https://cas.ucdavis.edu/cas/oidc`) (500)
If I use pretty much anything else I get a HTTP status code 404. Our authentication expert is on vacation for a week, so I...
- omen
- openid
- Replies: 11
- Forum: Proxmox VE: Installation and configuration
Any advice on where to look?
Thanks
Forgejo relevant doc: https://forgejo.org/docs/latest/user/oauth2-provider/
No algorithm option that could match https://forum.proxmox.com/threads/openid-connect-login-fails-with-keycloak.110452/
Tested on Proxmox 8.3.2/Debian 12 and Forgejo 9.0.3
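
An added example, not part of the original post and not Proxmox or Forgejo code: a small check that compares the configured issuer-url with the `issuer` field of a saved discovery document, which is the comparison behind the "unexpected issuer URI" error quoted above. The function names and the sample discovery document are constructed for illustration, and the exact string comparison is an assumption based on that error message and the OpenID Connect Discovery rule that the two values must be identical.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def discovery_url(issuer_url):
    """URL a client derives from the configured issuer-url."""
    return issuer_url.rstrip("/") + WELL_KNOWN

def check_issuer(configured, discovery_doc):
    """Return a list of findings; an empty list means an exact match."""
    advertised = discovery_doc.get("issuer")
    if advertised is None:
        return ["discovery document has no 'issuer' field"]
    if advertised == configured:
        return []
    findings = [f"unexpected issuer {advertised!r} (expected {configured!r})"]
    if advertised.rstrip("/") == configured.rstrip("/"):
        findings.append("differs only by a trailing slash")
    else:
        a, c = urlsplit(advertised), urlsplit(configured)
        if (a.scheme, a.netloc) != (c.scheme, c.netloc):
            findings.append("scheme or host differs")
        elif a.path.rstrip("/") != c.path.rstrip("/"):
            findings.append("path (subdirectory) differs")
    return findings

# Constructed sample: what a provider might return for the realm above.
# In practice, save the body of the GET seen in the proxy log to a file
# and json.load() it instead.
SAMPLE_DOC = json.loads('{"issuer": "https://openid.corp/"}')

if __name__ == "__main__":
    configured = "https://openid.corp"  # issuer-url from domains.cfg
    print("fetch:", discovery_url(configured))
    for finding in check_issuer(configured, SAMPLE_DOC) or ["issuer matches"]:
        print(finding)
```
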