beszel icon indicating copy to clipboard operation
beszel copied to clipboard
verified publisher icon henrygd

[Bug]: OIDC "email: cannot be blank"

Open e3ndr opened this issue 3 months ago • 6 comments

Component

Hub

Description

We're trying to integrate Cisco Duo as an OIDC provider in Beszel. Authentication fails with this error appearing in the Pocketbase logs:

{
  "email": "cannot be blank"
}

Expected Behavior

Using an OIDC tester application, it does appear that there is an email field available in the Token, though we haven't been able to verify if UserInfo contains an email field. Both types "Fetch user info from" types fail (UserInfo and ID Token). Other OIDC applications (such as Proxmox and Portainer) seem to be finding the email field fine.

Steps to Reproduce

  1. Configure an Application in Duo as "OIDC-enabled Relying Party"
  2. Add to Beszel, using either UserInfo or ID Token for "Fetch user info from".
  3. Attempt to login :p

Category

Authentication

Affected Metrics

Other

OS / Architecture

linux/amd64

Beszel version

0.15.4

Installation method

Docker

Configuration

If needed, we can stand up a test instance with DUO and provide you with credentials for accessing :)

Hub Logs

{
  "id": "glh96l60mkkxmq4",
  "created": "2025-11-08 08:39:21.959Z",
  "data": {
    "auth": "",
    "details": {
      "email": "cannot be blank"
    },
    "error": "Failed to create record.",
    "execTime": 534.313554,
    "method": "POST",
    "referer": ".........",
    "remoteIP": ".........",
    "status": 400,
    "type": "request",
    "url": "/api/collections/users/auth-with-oauth2",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36",
    "userIP": "............"
  },
  "message": "POST /api/collections/users/auth-with-oauth2",
  "level": 8
}

Agent Logs

e3ndr avatar Nov 08 '25 08:11 e3ndr

Does Duo have verified and unverified emails? If so, please make sure the user emails are verified on the Duo side.

The OAuth / OIDC functionality is native to PocketBase, so you might have luck searching their discussions and issues.

Otherwise I'll definitely take a further look if you can provide a test instance. My email is in my profile.

henrygd avatar Nov 08 '25 15:11 henrygd

Does Duo have verified and unverified emails? If so, please make sure the user emails are verified on the Duo side.

The OAuth / OIDC functionality is native to PocketBase, so you might have luck searching their discussions and issues.

Otherwise I'll definitely take a further look if you can provide a test instance. My email is in my profile.

I can confirm that DUO Security does not seem to have any "E-Mail Verified" as it's not typically self-serve. I will get an e-mail sent over and we can work on this together if you'd like.

Glitch3dPenguin avatar Nov 10 '25 06:11 Glitch3dPenguin

Any resolution to this issue? I am having the same problem when using Authentik as a provider.

mmims avatar Nov 21 '25 16:11 mmims

You can create a property mapping in authentik thats similar to the default email scope and set email verified to true and use that for your provider, then it works.

hypervtechnics avatar Nov 21 '25 17:11 hypervtechnics

@mmims We have a discussion on the Authentik problem here: https://github.com/henrygd/beszel/discussions/1376

There's a good summation of the issue with a solution here: https://github.com/audiobookshelf/audiobookshelf-web/issues/150#issue-3617760378

henrygd avatar Nov 21 '25 17:11 henrygd

Thanks for the advice @hypervtechnics and @henrygd! Creating a custom mapping with the verified email set to true is indeed working.

mmims avatar Nov 21 '25 18:11 mmims