SSO with Forgejo "OpenID redirect failed. Validation error: unexpected issuer URI `https://openid.corp/` (expected `https://openid.corp`) (500)"

juju42

Nov 24, 2024
In the OpenID provider (Forgejo/Gitea) proxy log:
Code:
PROXY - - [18/Jan/2025:16:52:21 +0000] "GET https://openid.corp/.well-known/openid-configuration HTTP/1.1" 200 1190 "-" "ureq/2.10.0"

The proxy is defined in /etc/environment with a no_proxy for internal domains, along with the apt options.
/etc/pve/datacenter.cfg has only http_proxy, like the Web UI (Datacenter > Options > HTTP proxy). There is no no_proxy option.
On Proxmox:
Code:
# pveum realm add {{ proxmox_realm }} --type openid --issuer-url {{ proxmox_realm_url }} --client-id {{ proxmox_realm_client_id }} --client-key {{ proxmox_realm_client_secret }} --username-claim {{ proxmox_realm_username_claim }}
# cat /etc/pve/domains.cfg
pve: pve
    comment Proxmox VE authentication server

pam: pam
    comment Linux PAM standard authentication

openid: SSO-OpenID
    client-id CLIENT_ID
    issuer-url https://openid.corp
    autocreate 1
    client-key CLIENT_KEY
    default 0
    username-claim username
No failed login or error/warning in `journalctl -u pvedaemon --since today`
No match either in /var/log/pve*

The problem is not the following one, as I am not using a subdir and the config has no trailing slash:
https://github.com/ramosbugs/openidconnect-rs/issues/38

Any advice on where to look?

Thanks

Forgejo relevant doc: https://forgejo.org/docs/latest/user/oauth2-provider/
There is no algorithm option that could match https://forum.proxmox.com/threads/openid-connect-login-fails-with-keycloak.110452/

Tested on Proxmox 8.3.2/Debian 12 and Forgejo 9.0.3
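The error in the title is the OpenID Connect Discovery validation rule at work: the `issuer` string in the provider's discovery document must be byte-for-byte identical to the issuer URL the client was configured with, so `https://openid.corp/` and `https://openid.corp` are two different issuers as far as the client is concerned. The following is an added diagnostic example, not code from the post, from Proxmox or from Forgejo. It assumes the discovery URL is formed by appending `/.well-known/openid-configuration` to the issuer after stripping one trailing slash (what most clients do), and it uses a constructed sample discovery document rather than one captured from Forgejo.

```python
"""Added example: reproduce the OIDC Discovery issuer check behind the
"unexpected issuer URI" error, and classify the mismatch.
Not from the forum post, Proxmox or Forgejo."""
import json
from urllib.parse import urlsplit
from urllib.request import urlopen  # only used by fetch_discovery()

WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_url(issuer: str) -> str:
    """Build the discovery URL for an issuer.

    OpenID Connect Discovery 1.0 (section 4) forms it by appending
    /.well-known/openid-configuration to the issuer; stripping one trailing
    slash first avoids a double slash (assumption: this is how the client
    you are debugging builds it, which most do).
    """
    return issuer.rstrip("/") + WELL_KNOWN


def check_issuer(configured_issuer: str, discovery_json: str) -> dict:
    """Compare the client-side issuer-url with the issuer the provider advertises.

    Discovery 1.0 section 4.3 requires the two strings to be identical, so a
    trailing slash alone is a mismatch. Returns a report instead of raising so
    the caller can log it and act on the hint.
    """
    try:
        doc = json.loads(discovery_json)
    except json.JSONDecodeError as exc:
        return {"ok": False, "reason": f"discovery document is not JSON: {exc}"}

    advertised = doc.get("issuer")
    if not isinstance(advertised, str):
        return {"ok": False, "reason": "discovery document has no string 'issuer' field"}

    if advertised == configured_issuer:
        return {"ok": True, "reason": "issuer matches exactly", "advertised": advertised}

    # Separate the common trailing-slash case from a genuinely different issuer
    # (wrong scheme, wrong host, or a reverse proxy rewriting the provider's URL).
    if advertised.rstrip("/") == configured_issuer.rstrip("/"):
        return {
            "ok": False,
            "reason": "trailing-slash mismatch",
            "advertised": advertised,
            "hint": f"set issuer-url to exactly {advertised!r}",
        }
    if urlsplit(advertised).scheme != urlsplit(configured_issuer).scheme:
        return {"ok": False, "reason": "scheme mismatch", "advertised": advertised}
    return {"ok": False, "reason": "different issuer", "advertised": advertised}


def check_id_token_issuer(configured_issuer: str, claims: dict) -> bool:
    """The same exact-match rule applies to the ID token's `iss` claim
    (OpenID Connect Core 1.0, section 3.1.3.7); relaxing it would let a token
    minted under one issuer string be accepted under another."""
    return claims.get("iss") == configured_issuer


def fetch_discovery(issuer: str, timeout: float = 5.0) -> str:
    """Network helper for live use; honours the process proxy environment
    (http_proxy/no_proxy) the same way urllib does. Not exercised offline."""
    with urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample discovery document (not captured from Forgejo): a provider
# that advertises its issuer with a trailing slash.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://openid.corp/",
    "authorization_endpoint": "https://openid.corp/login/oauth/authorize",
    "token_endpoint": "https://openid.corp/login/oauth/access_token",
    "jwks_uri": "https://openid.corp/login/oauth/keys",
})

if __name__ == "__main__":
    print(discovery_url("https://openid.corp"))
    print(check_issuer("https://openid.corp", SAMPLE_DISCOVERY))
    print(check_issuer("https://openid.corp/", SAMPLE_DISCOVERY))
```

In practice, run `fetch_discovery` from the Proxmox node itself so the request goes through the same proxy settings pvedaemon sees, then feed the result to `check_issuer`; the report tells you whether the two sides merely disagree on a trailing slash (fix the `issuer-url` in /etc/pve/domains.cfg to match the advertised string exactly) or whether something in front of the provider is rewriting its issuer.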