setup social login
What I want
I'm trying to set up a login with an external OAuth source.
What I have done
- In Federation and Social Login created the OAuth Source
- In the default-authentication-identification added that source
What happens
When I first click the button I'm redirected, I perform the login, and I get the error message from authentik:
Authentication failed: Could not determine id.
Relevant info
I didn't create mappings since the JSON provided by the OAuth provider shares the same names as authentik:
{
email*: email
username*: string
name*: string
givenNames*: string
familyNames*: string
displayName*: string
[...]
Logs
{"cidr":"10.0.0.0/8","event":"Using remote IP from proxy protocol","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:42Z"}
{"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:42Z"}
{"event":"tracing request to backend","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["authentik_session=<REDACTED_SESSION>"],"Priority":["u=0, i"],"Referer":["https://auth.example.com/if/flow/default-authentication-flow/"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-User":["?1"],"Te":["trailers"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Forwarded-For":["10.2.15.201"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-11-27T00:54:42Z","url":"http://localhost:8000/source/oauth/login/fenix/"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "dispatching OAuth2 request to", "host": "auth.example.com", "kind": "<RequestKind.REDIRECT: 'redirect'>", "level": "debug", "logger": "authentik.sources.oauth.views.dispatcher", "pid": 5668, "request_id": "c9caa414e63f420285df0168e977ea92", "schema_name": "public", "timestamp": "2024-11-27T00:54:42.532430", "view": "<class 'authentik.sources.oauth.types.oidc.OpenIDConnectOAuthRedirect'>"}
{"auth_via": "unauthenticated", "client": "<authentik.sources.oauth.clients.oauth2.OAuth2Client object at 0x77573a1819a0>", "domain_url": "auth.example.com", "event": "Using client for oauth request", "host": "auth.example.com", "level": "debug", "logger": "authentik.sources.oauth.views.base", "pid": 5668, "request_id": "c9caa414e63f420285df0168e977ea92", "schema_name": "public", "timestamp": "2024-11-27T00:54:42.557546"}
{"auth_via": "unauthenticated", "client_id": "1695915081466339", "domain_url": "auth.example.com", "event": "redirect args", "host": "auth.example.com", "level": "info", "logger": "authentik.sources.oauth.clients.base", "pid": 5668, "redirect_uri": "https://auth.example.com/source/oauth/callback/fenix/", "request_id": "c9caa414e63f420285df0168e977ea92", "response_type": "code", "schema_name": "public", "scope": "read:personal", "source": "fenix", "state": "5J8ei31S9rmNkEOAy3YgygnlRgeN43CT", "timestamp": "2024-11-27T00:54:42.562123"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "/source/oauth/login/fenix/", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 5668, "remote": "10.2.15.201", "request_id": "c9caa414e63f420285df0168e977ea92", "runtime": 104, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-11-27T00:54:42.582703", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:42Z"}
{"event":"tracing request to backend","headers":{"Accept":["*/*"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["en-US,en;q=0.5"],"Cache-Control":["no-cache"],"Connection":["upgrade"],"Cookie":["authentik_session=<REDACTED_SESSION>"],"Origin":["https://auth.example.com"],"Pragma":["no-cache"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["websocket"],"Sec-Fetch-Site":["same-origin"],"Sec-Websocket-Extensions":["permessage-deflate"],"Sec-Websocket-Key":["<REDACTED_KEY>"],"Sec-Websocket-Version":["13"],"Upgrade":["websocket"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Forwarded-For":["10.2.15.201"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-11-27T00:54:42Z","url":"http://localhost:8000/ws/client/"}
{"domain_url": null, "event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 5668, "remote": "10.2.15.201", "schema_name": "public", "scheme": "ws", "timestamp": "2024-11-27T00:54:42.655537", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"cidr":"10.0.0.0/8","event":"Using remote IP from proxy protocol","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:42Z"}
{"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:42Z"}
{"event":"tracing request to backend","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["authentik_session=<REDACTED_SESSION>"],"Priority":["u=0, i"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["cross-site"],"Sec-Fetch-User":["?1"],"Te":["trailers"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Forwarded-For":["10.2.15.201"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-11-27T00:54:42Z","url":"http://localhost:8000/source/oauth/callback/fenix/?code=<REDACTED_CODE>&state=5J8ei31S9rmNkEOAy3YgygnlRgeN43CT"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "dispatching OAuth2 request to", "host": "auth.example.com", "kind": "<RequestKind.CALLBACK: 'callback'>", "level": "debug", "logger": "authentik.sources.oauth.views.dispatcher", "pid": 5668, "request_id": "edbf342a67224d2a9b95164181a674e7", "schema_name": "public", "timestamp": "2024-11-27T00:54:42.769607", "view": "<class 'authentik.sources.oauth.types.oidc.OpenIDConnectOAuth2Callback'>"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "Authentication Failure", "host": "auth.example.com", "level": "warning", "logger": "authentik.sources.oauth.views.callback", "pid": 5668, "reason": "Could not determine id.", "request_id": "edbf342a67224d2a9b95164181a674e7", "schema_name": "public", "timestamp": "2024-11-27T00:54:42.924639"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "/source/oauth/callback/fenix/?code=<REDACTED_CODE>&state=5J8ei31S9rmNkEOAy3YgygnlRgeN43CT", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 5668, "remote": "10.2.15.201", "request_id": "edbf342a67224d2a9b95164181a674e7", "runtime": 210, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-11-27T00:54:42.939851", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:42Z"}
{"event":"tracing request to backend","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["authentik_session=<REDACTED_SESSION>"],"Priority":["u=0, i"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Te":["trailers"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Forwarded-For":["10.2.15.201"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-11-27T00:54:42Z","url":"http://localhost:8000/flows/-/default/authentication/"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "/flows/-/default/authentication/", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 5668, "remote": "10.2.15.201", "request_id": "aeef6b0bc77246f5ba7ae14730b425b5", "runtime": 47, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-11-27T00:54:43.035765", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"event":"tracing request to backend","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["authentik_session=<REDACTED_SESSION>"],"Priority":["u=0, i"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Te":["trailers"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Forwarded-For":["10.2.15.201"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-11-27T00:54:43Z","url":"http://localhost:8000/if/flow/default-authentication-flow/"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "/if/flow/default-authentication-flow/", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 5668, "remote": "10.2.15.201", "request_id": "d1c4c173342742c8a9e5041211636cc1", "runtime": 96, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-27T00:54:43.210308", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"event":"tracing request to backend","headers":{"Accept":["*/*"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["authentik_session=<REDACTED_SESSION>"],"Priority":["u=4"],"Referer":["https://auth.example.com/if/flow/default-authentication-flow/"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"Sentry-Trace":["70eea5e3985a45b59855fb7b55771438-91ec42daa998443e-0"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Authentik-Csrf":[""],"X-Forwarded-For":["10.2.15.201"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-11-27T00:54:43Z","url":"http://localhost:8000/api/v3/core/brands/current/"}
{"cidr":"10.0.0.0/8","event":"Using remote IP from proxy protocol","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"event":"tracing request to backend","headers":{"Accept":["*/*"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["authentik_session=<REDACTED_SESSION>"],"Priority":["u=4"],"Referer":["https://auth.example.com/if/flow/default-authentication-flow/"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"Sentry-Trace":["70eea5e3985a45b59855fb7b55771438-91ec42daa998443e-0"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Authentik-Csrf":[""],"X-Forwarded-For":["10.2.15.201"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-11-27T00:54:43Z","url":"http://localhost:8000/api/v3/root/config/"}
{"cidr":"10.0.0.0/8","event":"Using remote IP from proxy protocol","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"event":"tracing request to backend","headers":{"Accept":["*/*"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["en-US,en;q=0.5"],"Cache-Control":["no-cache"],"Connection":["upgrade"],"Cookie":["authentik_session=<REDACTED_SESSION>"],"Origin":["https://auth.example.com"],"Pragma":["no-cache"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["websocket"],"Sec-Fetch-Site":["same-origin"],"Sec-Websocket-Extensions":["permessage-deflate"],"Sec-Websocket-Key":["<REDACTED_KEY>"],"Sec-Websocket-Version":["13"],"Upgrade":["websocket"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Forwarded-For":["10.2.15.201"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-11-27T00:54:43Z","url":"http://localhost:8000/ws/client/"}
{"cidr":"10.0.0.0/8","event":"Using remote IP from proxy protocol","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"cidr":"10.0.0.0/8","event":"Using remote IP from proxy protocol","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"event":"tracing request to backend","headers":{"Accept":["*/*"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["authentik_session=<REDACTED_SESSION>"],"Priority":["u=4"],"Referer":["https://auth.example.com/if/flow/default-authentication-flow/"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"Sentry-Trace":["70eea5e3985a45b59855fb7b55771438-91ec42daa998443e-0"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Authentik-Csrf":[""],"X-Forwarded-For":["10.2.15.201"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-11-27T00:54:43Z","url":"http://localhost:8000/api/v3/core/brands/current/"}
{"domain_url": null, "event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 58, "remote": "10.2.15.201", "schema_name": "public", "scheme": "ws", "timestamp": "2024-11-27T00:54:43.338372", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"event":"tracing request to backend","headers":{"Accept":["*/*"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["authentik_session=<REDACTED_SESSION>"],"Priority":["u=4"],"Referer":["https://auth.example.com/if/flow/default-authentication-flow/"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"Sentry-Trace":["70eea5e3985a45b59855fb7b55771438-91ec42daa998443e-0"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Authentik-Csrf":[""],"X-Forwarded-For":["10.2.15.201"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-11-27T00:54:43Z","url":"http://localhost:8000/api/v3/flows/executor/default-authentication-flow/?query="}
{"cidr":"10.0.0.0/8","event":"Using remote IP from proxy protocol","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"cidr":"10.0.0.0/8","event":"Setting proxy headers","level":"trace","remoteAddr":"10.2.128.79","timestamp":"2024-11-27T00:54:43Z"}
{"event":"tracing request to backend","headers":{"Accept":["*/*"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["authentik_session=<REDACTED_SESSION>"],"Priority":["u=4"],"Referer":["https://auth.example.com/if/flow/default-authentication-flow/"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"Sentry-Trace":["70eea5e3985a45b59855fb7b55771438-91ec42daa998443e-0"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Authentik-Csrf":[""],"X-Forwarded-For":["10.2.15.201"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-11-27T00:54:43Z","url":"http://localhost:8000/api/v3/root/config/"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "/api/v3/root/config/", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 58, "remote": "10.2.15.201", "request_id": "e73e1818ea924d73a726bdd0abe86f82", "runtime": 88, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-27T00:54:43.483152", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "/api/v3/core/brands/current/", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 5668, "remote": "10.2.15.201", "request_id": "8c0656398a5046a8b8d00b8dcda5b19b", "runtime": 127, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-27T00:54:43.497451", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "f(exec): Continuing existing plan", "flow_slug": "default-authentication-flow", "host": "auth.example.com", "level": "debug", "logger": "authentik.flows.views.executor", "pid": 58, "request_id": "99fb570e2fd4487a809ca754cdd790a1", "schema_name": "public", "timestamp": "2024-11-27T00:54:43.547669"}
{"auth_via": "unauthenticated", "binding": "<FlowStageBinding: Flow-stage binding #10 to db5cbf32-7188-429d-b3e0-b6c9acbbf0a6>", "domain_url": "auth.example.com", "event": "f(plan_inst): stage has marker", "host": "auth.example.com", "level": "debug", "logger": "authentik.flows.planner", "marker": "ReevaluateMarker(binding=<FlowStageBinding: Flow-stage binding #10 to db5cbf32-7188-429d-b3e0-b6c9acbbf0a6>)", "pid": 58, "request_id": "99fb570e2fd4487a809ca754cdd790a1", "schema_name": "public", "timestamp": "2024-11-27T00:54:43.549562"}
{"auth_via": "unauthenticated", "binding": "<FlowStageBinding: Flow-stage binding #10 to db5cbf32-7188-429d-b3e0-b6c9acbbf0a6>", "domain_url": "auth.example.com", "event": "f(plan_inst): running re-evaluation", "host": "auth.example.com", "level": "debug", "logger": "authentik.flows.markers", "marker": "ReevaluateMarker", "pid": 58, "policy_binding": "<FlowStageBinding: Flow-stage binding #10 to db5cbf32-7188-429d-b3e0-b6c9acbbf0a6>", "request_id": "99fb570e2fd4487a809ca754cdd790a1", "schema_name": "public", "timestamp": "2024-11-27T00:54:43.551347"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "/api/v3/core/brands/current/", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 5668, "remote": "10.2.15.201", "request_id": "658e8c994d844fbfa88bd4e44552929a", "runtime": 121, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-27T00:54:43.559446", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "/api/v3/root/config/", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 58, "remote": "10.2.15.201", "request_id": "34e437db5e4148f69488b4ca60d426c6", "runtime": 132, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-27T00:54:43.576195", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"auth_via": "unauthenticated", "current_stage": "<IdentificationStage: Stage default-authentication-identification>", "domain_url": "auth.example.com", "event": "f(exec): Current stage", "flow_slug": "default-authentication-flow", "host": "auth.example.com", "level": "debug", "logger": "authentik.flows.views.executor", "pid": 58, "request_id": "99fb570e2fd4487a809ca754cdd790a1", "schema_name": "public", "timestamp": "2024-11-27T00:54:43.595183"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "f(exec): Passing GET", "flow_slug": "default-authentication-flow", "host": "auth.example.com", "level": "debug", "logger": "authentik.flows.views.executor", "pid": 58, "request_id": "99fb570e2fd4487a809ca754cdd790a1", "schema_name": "public", "stage": "<IdentificationStage: Stage default-authentication-identification>", "timestamp": "2024-11-27T00:54:43.600208", "view_class": "authentik.stages.identification.stage.IdentificationStageView"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "errors": {"captcha_stage": ["This field may not be null."]}, "event": "f(ch): Invalid challenge", "host": "auth.example.com", "level": "warning", "logger": "authentik.flows.stage", "pid": 58, "request_id": "99fb570e2fd4487a809ca754cdd790a1", "schema_name": "public", "stage": "default-authentication-identification", "stage_view": "authentik.stages.identification.stage.IdentificationStageView", "timestamp": "2024-11-27T00:54:45.915743"}
{"auth_via": "unauthenticated", "domain_url": "auth.example.com", "event": "/api/v3/flows/executor/default-authentication-flow/?query=", "host": "auth.example.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 58, "remote": "10.2.15.201", "request_id": "99fb570e2fd4487a809ca754cdd790a1", "runtime": 2480, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-27T00:54:45.922678", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
Version and Deployment:
- authentik version: 2024.10.4
- Deployment: docker-compose
Additional context
AUTHENTIK_LOG_LEVEL=trace
What's the type of external OAuth source you use? If it's a standard OpenID OAuth, there should be a sub in its token data. If not, you might need to create an OAuth Source Property Mapping to set its sub attribute.
@j-z10 the token url simply provides the token for the Profile URL to get the user information
{"access_token": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB", "refresh_token": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "token_type": "Bearer", "expires_in": 21600}
From the Profile URL I get the username, name and email
What should I map to the sub property? username? What other properties do I need to map?
Current property mapping is:
```python
return {
    "sub": data.get("username"),
    "exp": data.get("expires_in"),
    "email_verified": True,
    "uid": data.get("username"),
    "username": data.get("username"),
    "email": data.get("email"),
    "name": data.get("name"),
    "given_name": data.get("givenNames"),
    "preferred_username": data.get("username"),
    "nickname": data.get("givenNames"),
}
```
And I still get the same error:
Authentication failed: Could not determine id.
Sorry, it's my mistake: the OAuth source mapping only works after the source connection is successfully created.
As you can see here, the info is the user's profile, which is the response data from your source.profile_url. If there isn't a sub in its original profile data, then it might not be a valid OpenID OAuth Source.
@samuelbarata I have the same problem with my social network VK.com. Did you solve this problem? VK doesn't support OIDC, only OAUTH2 https://id.vk.com/about/business/go/docs/en/vkid/latest/oauth/oauth-mail/index
@Awesomefreeman I did not
I think the only solution is to make some sort of middleware that implements OAuth and provides OpenID (probably something like this already exists)
If you manage to do it please share your solution
@Awesomefreeman, I solved it. Dex is a middleware that can interact with an OAuth provider and convert it to OIDC.
I found the code where this happens in authentik, authentik/sources/oauth/views/callback.py:
```python
    def get_user_id(self, info: dict[str, Any]) -> str | None:
        """Return unique identifier from the profile info."""
        if "id" in info:
            return info["id"]
        return None
```
You can fix it by just adding your key here, and then build a Docker image and use it.
Edited: OIDC is here.
```python
class OpenIDConnectOAuth2Callback(OAuthCallback):
    """OpenIDConnect OAuth2 Callback"""

    client_class = OpenIDConnectClient

    def get_user_id(self, info: dict[str, str]) -> str:
        return info.get("sub", None)
```
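The two `get_user_id` lookups quoted in this thread can be checked against the logs and the provider's profile fields. The script below is an added example, not authentik code and not from any poster: it correlates JSON log lines by `request_id`, finds each "Authentication Failure", and reports which key the handling callback view reads and whether the profile carries it. The sample log lines, request ids and profile values are constructed; only the field names, event strings and view class names come from the thread.

```python
import json
import re

# Key each callback view reads as the user id, per the get_user_id snippets
# quoted in this thread.
ID_KEY_BY_VIEW = {"OAuthCallback": "id", "OpenIDConnectOAuth2Callback": "sub"}

# Constructed sample: lines modeled on the issue's logs, trimmed to the fields
# used below; the request ids are made up.
SAMPLE_LOG = "\n".join([
    '{"event": "dispatching OAuth2 request to", "request_id": "req-1", '
    '"view": "<class \'authentik.sources.oauth.types.oidc.OpenIDConnectOAuthRedirect\'>"}',
    '{"cidr": "10.0.0.0/8", "event": "Setting proxy headers", "level": "trace"}',
    '{"event": "dispatching OAuth2 request to", "request_id": "req-2", '
    '"view": "<class \'authentik.sources.oauth.types.oidc.OpenIDConnectOAuth2Callback\'>"}',
    '{"event": "Authentication Failure", "level": "warning", '
    '"reason": "Could not determine id.", "request_id": "req-2"}',
])

# Constructed profile response using the field names listed in the issue.
SAMPLE_PROFILE = {
    "email": "jdoe@example.com", "username": "jdoe", "name": "J. Doe",
    "givenNames": "J.", "familyNames": "Doe", "displayName": "J. Doe",
}

# Last dotted component of a logged "<class 'pkg.mod.Name'>" value.
VIEW_NAME = re.compile(r"(\w+)'>")


def parse_records(log_text):
    """Yield one dict per JSON log line, skipping blank or non-JSON lines."""
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            yield record


def diagnose(log_text, profile):
    """Return one finding per "Authentication Failure" event in the log."""
    views = {}     # request_id -> short class name of the view that handled it
    failures = []  # (request_id, reason) for each failure event
    for record in parse_records(log_text):
        request_id = record.get("request_id")
        if request_id is None:
            continue  # router/proxy trace lines carry no request_id
        match = VIEW_NAME.search(str(record.get("view", "")))
        if match:
            views[request_id] = match.group(1)
        if record.get("event") == "Authentication Failure":
            failures.append((request_id, record.get("reason")))

    findings = []
    for request_id, reason in failures:
        view = views.get(request_id)
        key = ID_KEY_BY_VIEW.get(view)  # None when the view is not one quoted here
        findings.append({
            "request_id": request_id,
            "reason": reason,
            "view": view,
            "needs_key": key,
            "key_present": key is not None and profile.get(key) not in (None, ""),
            "profile_keys": sorted(profile),
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_PROFILE):
        print(json.dumps(finding, indent=2))
```
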
You can override any attribute with a mapping:
```hcl
resource "authentik_property_mapping_source_oauth" "username_from_email" {
  name       = "OAuth Username from Email"
  expression = <<-EOT
    # Access email from OAuth provider's response (info dictionary)
    email = info.get('email', '')
    return {
        "username": email.split('@')[0]
    }
  EOT
}
```