OIDC configuration problems for Synology SSO Server #5404

Closed
2 tasks done
tomo2403 opened this issue Jan 12, 2025 · 3 comments

Comments


tomo2403 commented Jan 12, 2025

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

I've configured authentication with OIDC. The IDP is Synology SSO Server. After login, I receive this error:

Caution

ID token validation failed with error: Missing or non-matching token issuer value

This is a part of my config:

AUTH_METHOD=oidc
AUTH_AUTO_INITIATE=false
OIDC_NAME=SSO
OIDC_DISPLAY_NAME_CLAIMS=username
OIDC_CLIENT_ID="..."
OIDC_CLIENT_SECRET="..."
OIDC_ISSUER=https://mydomain.com/webman/sso/
OIDC_END_SESSION_ENDPOINT=false
OIDC_ISSUER_DISCOVER=false
OIDC_PUBLIC_KEY=file:///config/idp-public-key.pem
OIDC_AUTH_ENDPOINT=https://mydomain.com/webman/sso/SSOOauth.cgi
OIDC_TOKEN_ENDPOINT=https://mydomain.com/webman/sso/SSOAccessToken.cgi
OIDC_USERINFO_ENDPOINT=https://mydomain.com/webman/sso/SSOUserInfo.cgi

# Enable OIDC group sync.
OIDC_USER_TO_GROUPS=true
OIDC_GROUPS_CLAIM=groups
OIDC_ADDITIONAL_SCOPES=groups
OIDC_REMOVE_FROM_GROUPS=true

Note

I'm currently unable to use auto-discover due to DNS problems in my home network. mydomain.com is anonymized and only available in my home network.

Exact BookStack Version

v24.12.1

Log Content

Output after login at IdP and OIDC_DUMP_USER_DETAILS=true

{
  "aud": "1dbb77dba088b05c27fd9b8e5484cdd3",
  "auth_time": 1736689934,
  "email": "[email protected]",
  "exp": 1736690114,
  "groups": [
    "docker",
    "users",
    "administrators"
  ],
  "iat": 1736689934,
  "iss": "http://mydomain.com/webman/sso",
  "sub": "myuser",
  "username": "myuser"
}

Note

iss is different from OIDC_ISSUER. Changing https to http and/or removing the trailing slash in OIDC_ISSUER throws an unexpected error.

Hosting Environment

PHP 8.3.15 inside Docker (Image: https://github.com/linuxserver/docker-bookstack) on Synology NAS (DSM 7.2.2)

@ssddanbrown
Member

Hi @tomo2403,
The defined Issuer must match the iss value exactly, and both must start with https://.

If the OIDC auth system is returning an iss value not starting with https://, that indicates a configuration issue on the auth system side of things.

@tomo2403
Author

Hello @ssddanbrown,
thank you for the clarification. Does iss also need to end with a trailing slash?

@ssddanbrown
Member

@tomo2403 That totally depends on whether the auth system is configured to have a trailing slash. It's neither required nor prohibited by the spec. The OIDC_ISSUER just needs to match whether or not your auth system is using a trailing slash (the iss value observed).
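To make the issuer-matching rule discussed in this thread concrete, here is an added example (not BookStack's own code) of the ID-token claim checks an OIDC relying party performs, plus a small diagnostic that reports exactly how an observed iss differs from the configured OIDC_ISSUER. The claims are constructed from the payload dumped above; signature verification is assumed to have happened already.

```python
from urllib.parse import urlsplit

# Constructed ID-token claims modelled on the payload dumped in the issue.
CLAIMS = {
    "aud": "1dbb77dba088b05c27fd9b8e5484cdd3",
    "exp": 1736690114,
    "iat": 1736689934,
    "iss": "http://mydomain.com/webman/sso",
    "sub": "myuser",
}


def validate_id_token(claims, configured_issuer, client_id, now):
    """Return a list of errors; empty means the claims pass (OIDC Core 3.1.3.7 steps 2, 3, 9)."""
    errors = []
    # The issuer the RP trusts must itself be an https URL (the maintainer's point
    # above; OIDC Core defines iss as a case-sensitive URL using the https scheme).
    if not configured_issuer.startswith("https://"):
        errors.append("Configured issuer must use https")
    # Step 2: iss must equal the configured issuer exactly, scheme and trailing slash included.
    if claims.get("iss") != configured_issuer:
        errors.append("Missing or non-matching token issuer value")
    # Step 3: aud must contain our client_id (aud may be a string or a list).
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        errors.append("Missing or non-matching token audience value")
    # Step 9: the token must not be expired.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        errors.append("Token has expired")
    return errors


def explain_issuer_mismatch(observed_iss, configured_issuer):
    """Describe how an observed iss differs from OIDC_ISSUER; [] when they already match."""
    if observed_iss == configured_issuer:
        return []
    reasons = []
    o, c = urlsplit(observed_iss), urlsplit(configured_issuer)
    if o.scheme != "https":
        reasons.append(f"IdP sends iss with scheme {o.scheme!r}; OIDC requires https")
    elif o.scheme != c.scheme:
        reasons.append(f"scheme differs: iss {o.scheme!r} vs configured {c.scheme!r}")
    if o.netloc != c.netloc:
        reasons.append("host differs")
    if o.path.rstrip("/") == c.path.rstrip("/") and o.path != c.path:
        reasons.append(f"trailing slash differs: iss {o.path!r} vs configured {c.path!r}")
    elif o.path != c.path:
        reasons.append("path differs")
    return reasons
```

Run against the issue's values, the diagnostic reports both the http scheme and the trailing-slash difference, which is why changing OIDC_ISSUER alone cannot make the match succeed until the IdP issues an https iss.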
