
Docs for OIDC

Open jtagcat opened this issue 1 year ago • 11 comments

https://listmonk.app/docs/configuration/ does not list OIDC support. I thought listmonk doesn't support it.

edit: unsubscribing since this turned in to a support ticket

jtagcat avatar Dec 15 '24 05:12 jtagcat

+1

I was trying to connect listmonk to keycloak and while I was getting some problems I decided to check the docs just to find out there's no docs related to OIDC :)

veesiom avatar Dec 16 '24 11:12 veesiom

Hi @jtagcat. That section only describes the limited TOML and env configuration. The rest of the settings are managed via the admin UI.

knadh avatar Dec 16 '24 16:12 knadh

I've also tried to configure OIDC via WebUI in listmonk v4.1.0 but it doesn't redirect to my keycloak instance during login.

So what exactly needs to be set as OIDC Provider-URL when using keycloak in the background?

I've tried

https://<keycloak-server>/auth/realms/<realm>/
https://<keycloak-server>/auth/realms/<realm>/.well-known/oidc-configuration

When clicking the login button there's no redirect of the browser appearing, but the following error is shown on the login page

error exchanging token: Post "": unsupported protocol scheme ""

The log states :

auth.go:97: error initializing OIDC OAuth provider: 404 Not Found: {"error":"Unable to find matching target resource method"}

EW1974 avatar Dec 18 '24 19:12 EW1974

I did a web search on "Unable to find matching target resource method" there were some hints. Perhaps there's a clue there?

https://<keycloak-server>/auth/realms/<realm>/

Did a bit of digging and this would be the correct provider URL for KeyCloak.

However:

https://<keycloak-server>/auth/realms/<realm>/.well-known/oidc-configuration

This should actually be openid-configuration, not oidc-configuration. Can you verify that in your setup, the former endpoint exists? This is not a URL that has to be plugged into listmonk though. It's automatically derived from the provider URL.

knadh avatar Dec 19 '24 05:12 knadh

I've also tried to configure OIDC via WebUI in listmonk v4.1.0 but it doesn't redirect to my keycloak instance during login.

So what exactly needs to be set as OIDC Provider-URL when using keycloak in the background?

I've tried

https://<keycloak-server>/auth/realms/<realm>/
https://<keycloak-server>/auth/realms/<realm>/.well-known/oidc-configuration

When clicking the login button there's no redirect of the browser appearing, but the following error is shown on the login page

error exchanging token: Post "": unsupported protocol scheme ""

The log states :

auth.go:97: error initializing OIDC OAuth provider: 404 Not Found: {"error":"Unable to find matching target resource method"}

I've faced the "unsupported protocol scheme" error too. Then I changed the URL to https://<keycloakURL>/realms/<realmName> and it's redirecting now to my Keycloak auth page, but as soon as I authenticate I get "error getting user from OIDC". Currently I have no clue what it wants from me. Finally got some time to dig deeper, so I'll update the post if I succeed.

UPD: Finally got it to work. In my case the Keycloak client was missing the "email verified" token mapper, even though it had the "email" mapper. As soon as I added the "email verified" mapper, it successfully logged me in.

veesiom avatar Dec 23 '24 14:12 veesiom

This issue has been marked 'stale' after 90 days of inactivity. If there is no further activity, it will be closed in 7 days.

github-actions[bot] avatar Mar 25 '25 02:03 github-actions[bot]

For people using Authentik, I found settings that work after a lot of struggling and hints from the above. The fields in the UI are misleading.

First in Authentik, make a new provider like you would for most OIDC providers, noting the client ID and secret to be used later in Listmonk's settings. However, be particularly careful about the following settings:

  • Copy the Redirect URI from the OIDC settings in Listmonk, described in the next section. It should not have a trailing slash.
  • For Signing Key, set it to "authentik Self-signed Certificate." Do not leave it blank, or the response is signed with an algorithm that Listmonk doesn't support.

When you create the Authentik application, associate it to the provider as usual. Note the slug will be used in the redirect URI. I just used listmonk as a slug.

Then, in the settings for Listmonk under Security:

  • Enable OIDC SSO: Enabled
  • Provider URL: https://authentik.example.com/application/o/listmonk/ where authentik.example.com is your Authentik domain and listmonk is the name of the application you created. This is not just your base Authentik URI; it's for your Listmonk application specifically! This is what tripped me up and resulted in nonsensical error messages.
  • Client ID and Client secret: copied from the Authentik provider settings
  • Redirect URL for oAuth provider: Autogenerated, but make sure it's the correct URL if you're reverse proxying. If it's localhost and needs to change, update it in Settings > General for Root URL.

Lastly, it looks like Listmonk doesn't autoprovision users. You will need a local user created in Listmonk with the same email used for the SSO user in Authentik.

skjdghsdjgsdj avatar Mar 25 '25 21:03 skjdghsdjgsdj

FYI for keycloak this link format works, note there is no ending slash

https://<keycloak-server>/realms/<realm>

msweetland avatar Mar 27 '25 05:03 msweetland

FYI for keycloak this link format works, note there is no ending slash

https://<keycloak-server>/realms/<realm>

Yes, the URL works and login redirects to the Keycloak login page, but after a successful login I get an error: error exchanging token: oauth2: "unauthorized_client" "Invalid client or Invalid client credentials". Anyone got it working with Keycloak? Hints?

kosti31 avatar Mar 28 '25 15:03 kosti31

I got it working @kosti31

In KeyCloak, create a new Client:

General settings

Client ID: Set client name

Access settings

Root URL: Auto generated from listmonk, should be: https://listmonk.example.com/auth/oidc
Valid redirect URIs: Same as Root URL
Valid post logout redirect URIs: *

Capability config

Client authentication: On
Authorization: On
Authentication Flow: ✅ Standard Flow ✅ Direct Access grants

Once created, go to the client and navigate to Credentials, copy Client Secret. Use this and Client ID to populate Listmonk settings.

rudolfjs avatar Apr 30 '25 04:04 rudolfjs
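The comments above each hit one piece of the same OIDC client flow: the discovery document is derived from the Provider URL (knadh), the issuer must match that URL exactly, which is why the trailing slash matters for Keycloak (msweetland), the ID token must carry a verified email (veesiom), the user has to exist locally (skjdghsdjgsdj), and the callback registered at the provider must equal listmonk's redirect URL (rudolfjs). The preflight script below is an added example, not listmonk's or any provider's code; it reproduces those checks on a constructed discovery document and claim set so they can be run offline before touching a live provider. The `/auth/oidc` callback path is taken from the thread, the list of accepted signing algorithms is an assumed client policy, and the sample Keycloak endpoints are made up for the example. An empty `token_endpoint` is consistent with the `Post ""` error seen earlier: when provider initialisation fails, the client has no endpoint to post to.

```python
"""Preflight checks for a listmonk OIDC setup (added example, not listmonk code)."""
from urllib.parse import urlsplit, urlunsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"  # "openid-", never "oidc-"
CALLBACK_PATH = "/auth/oidc"  # redirect path quoted in the thread; assumed fixed
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
# Assumed client policy: only asymmetric ID token signatures are accepted.
ACCEPTED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                 "PS256", "PS384", "PS512"}


def discovery_url(provider_url):
    """Issuer URL -> discovery document URL, as an OIDC client library derives it."""
    parts = urlsplit(provider_url)
    if parts.scheme != "https":
        raise ValueError("provider URL must be https, got %r" % parts.scheme)
    path = parts.path.rstrip("/")
    if "/.well-known/" in path:
        raise ValueError("provider URL must be the issuer, not the discovery document")
    return urlunsplit((parts.scheme, parts.netloc, path + DISCOVERY_SUFFIX, "", ""))


def check_discovery(provider_url, doc):
    """Return problems with a discovery document; an empty list means usable."""
    problems = []
    # OIDC Discovery 4.3: the issuer must be identical to the URL prefix used
    # for discovery, so "https://kc/realms/r/" does not match "https://kc/realms/r".
    if doc.get("issuer") != provider_url:
        problems.append("issuer mismatch: configured %r, provider returns %r"
                        % (provider_url, doc.get("issuer")))
    for key in REQUIRED_ENDPOINTS:
        if not doc.get(key):
            problems.append("discovery document lacks %s" % key)
    if not set(doc.get("id_token_signing_alg_values_supported", [])) & ACCEPTED_ALGS:
        problems.append("provider offers no accepted ID token signing algorithm")
    return problems


def check_claims(claims, local_users):
    """email must be present, verified, and map to an existing local user."""
    problems = []
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        problems.append("email claim missing")
    elif email.lower() not in {u.lower() for u in local_users}:
        problems.append("no local user for %r; SSO does not provision users" % email)
    if claims.get("email_verified") is not True:
        problems.append("email_verified claim missing or false; add the mapper at the provider")
    return problems


def check_redirect(listmonk_root_url, registered_uris):
    """The provider must have exactly listmonk's callback registered, with no wildcard."""
    expected = listmonk_root_url.rstrip("/") + CALLBACK_PATH
    problems = []
    if expected not in registered_uris:
        problems.append("callback %r is not registered at the provider" % expected)
    for uri in registered_uris:
        if "*" in uri:
            problems.append("wildcard redirect URI %r lets an attacker-chosen page receive the code" % uri)
    return problems


def preflight(provider_url, listmonk_root_url, doc, claims, registered_uris, local_users):
    """Run every check and return the combined problem list."""
    return (check_discovery(provider_url, doc) + check_claims(claims, local_users)
            + check_redirect(listmonk_root_url, registered_uris))


# Constructed sample data in the shape of a Keycloak realm; not real provider output.
SAMPLE_DOC = {
    "issuer": "https://keycloak.example.com/realms/marketing",
    "authorization_endpoint": "https://keycloak.example.com/realms/marketing/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/realms/marketing/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.com/realms/marketing/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_CLAIMS = {"sub": "f1a2-constructed", "email": "admin@example.com", "email_verified": True}
LOCAL_USERS = {"admin@example.com"}

if __name__ == "__main__":
    print(discovery_url("https://keycloak.example.com/realms/marketing"))
    # Trailing slash, missing email_verified mapper and a wildcard callback, all at once.
    for p in preflight("https://keycloak.example.com/realms/marketing/", "https://listmonk.example.com",
                       SAMPLE_DOC, {"email": "admin@example.com"},
                       ["https://listmonk.example.com/auth/oidc", "*"], LOCAL_USERS):
        print("PROBLEM:", p)
```

To use it against a real provider, fetch `discovery_url(<Provider URL>)` with any HTTP client and pass the parsed JSON as `doc`; the claim and redirect checks are the same ones to run by hand against the provider's client settings. The wildcard check goes slightly beyond the thread: rudolfjs's config only wildcards the post-logout URI, but a `*` in the login redirect list would let a crafted authorization request deliver the code to an attacker's page.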

I've added docs with the information posted in this issue. Thanks to everyone who contributed !

If you wish to add information to the pull request, let me know!

nono-lqdn avatar May 23 '25 15:05 nono-lqdn

This issue has been marked 'stale' after 90 days of inactivity. If there is no further activity, it will be closed in 7 days.

github-actions[bot] avatar Aug 22 '25 02:08 github-actions[bot]