How to configure the OIDC callback?
Is your feature request related to a problem? Please describe.
When I configure the OIDC for the CE version, my settings are as follows:
BACKEND_OIDC_CLIENT_ID=satoken
BACKEND_OIDC_CLIENT_SECRET=satoken
BACKEND_OIDC_CALLBACK_URL=http://localhost:3000/api/auth/oidc/callback
BACKEND_OIDC_USER_INFO_URL=http://localhost:8080/userinfo
BACKEND_OIDC_TOKEN_URL=http://localhost:8080/oauth2/token
BACKEND_OIDC_AUTHORIZATION_URL=http://localhost:8080/oauth2/authorize
BACKEND_OIDC_ISSUER=http://localhost:8080
BACKEND_OIDC_OTHER={"scope": ["email", "profile"]}
SOCIAL_AUTH_PROVIDERS=oidc
I'd like to know where the problem is.
Additional context
The server side of Teable returns an error code of 500. This is the log:
{"level":30,"time":1733964755950,"pid":7,"hostname":"f5157c07fb6d","name":"teable","req":{"id":"f5834e15eedf414bf71f9fd8aa67b567","method":"GET","url":"/api/auth/oidc/callback?code=Cff6e5buyynvaZ4cMeXTJREsJrg27fchDR9IJWdoJEMTLRDrW522hqxtgKYi&state=Um4PaMG1rr9ylain","query":{"code":"Cff6e5buyynvaZ4cMeXTJREsJrg27fchDR9IJWdoJEMTLRDrW522hqxtgKYi","state":"Um4PaMG1rr9ylain"},"params":{"0":"api/auth/oidc/callback"},"remoteAddress":"::ffff:172.18.0.1","remotePort":59442},"res":{"statusCode":500},"err":{"type":"Error","message":"failed with status code 500","stack":"Error: failed with status code 500\n at onResFinished (/app/node_modules/.pnpm/[email protected]/node_modules/pino-http/logger.js:114:39)\n at ServerResponse.onResponseComplete (/app/node_modules/.pnpm/[email protected]/node_modules/pino-http/logger.js:177:14)\n at /app/node_modules/.pnpm/@[email protected]_@[email protected]/node_modules/@opentelemetry/context-async-hooks/build/src/AbstractAsyncHooksContextManager.js:50:55\n at AsyncLocalStorage.run (node:async_hooks:335:14)\n at AsyncLocalStorageContextManager.with (/app/node_modules/.pnpm/@[email protected]_@[email protected]/node_modules/@opentelemetry/context-async-hooks/build/src/AsyncLocalStorageContextManager.js:33:40)\n at ServerResponse.contextWrapper (/app/node_modules/.pnpm/@[email protected]_@[email protected]/node_modules/@opentelemetry/context-async-hooks/build/src/AbstractAsyncHooksContextManager.js:50:32)\n at ServerResponse.emit (node:events:526:35)\n at ServerResponse.emit (node:domain:488:12)\n at onFinish (node:_http_outgoing:1005:10)\n at callback (node:internal/streams/writable:608:21)"},"responseTime":20,"spanId":"41be9ca0be867087","traceId":"f5834e15eedf414bf71f9fd8aa67b567","msg":"request errored"}
Cannot reproduce on latest community edition. I'm using a free, self-hosted Authentik instance as SSO provider:
BACKEND_OIDC_CLIENT_ID=
BACKEND_OIDC_CLIENT_SECRET=
BACKEND_OIDC_CALLBACK_URL=http://localhost:3000/api/auth/oidc/callback
BACKEND_OIDC_USER_INFO_URL=https://auth.example.com/application/o/userinfo/
BACKEND_OIDC_TOKEN_URL=https://auth.example.com/application/o/token/
BACKEND_OIDC_AUTHORIZATION_URL=https://auth.example.com/application/o/authorize/
BACKEND_OIDC_ISSUER=https://auth.example.com/application/o/teable/
BACKEND_OIDC_OTHER={"scope": ["openid", "email", "profile"]}
SOCIAL_AUTH_PROVIDERS=oidc
Reformatted error for someone to analyze:
{
"level": 30,
"time": 1733964755950,
"pid": 7,
"hostname": "f5157c07fb6d",
"name": "teable",
"req": {
"id": "f5834e15eedf414bf71f9fd8aa67b567",
"method": "GET",
"url": "/api/auth/oidc/callback?code=Cff6e5buyynvaZ4cMeXTJREsJrg27fchDR9IJWdoJEMTLRDrW522hqxtgKYi&state=Um4PaMG1rr9ylain",
"query": {
"code": "Cff6e5buyynvaZ4cMeXTJREsJrg27fchDR9IJWdoJEMTLRDrW522hqxtgKYi",
"state": "Um4PaMG1rr9ylain"
},
"params": {
"0": "api/auth/oidc/callback"
},
"remoteAddress": "::ffff:172.18.0.1",
"remotePort": 59442
},
"res": {
"statusCode": 500
},
"err": {
"type": "Error",
"message": "failed with status code 500",
"stack": ...
},
"responseTime": 20,
"spanId": "41be9ca0be867087",
"traceId": "f5834e15eedf414bf71f9fd8aa67b567",
"msg": "request errored"
}
Error: failed with status code 500
at onResFinished (/app/node_modules/.pnpm/[email protected]/node_modules/pino-http/logger.js:114:39)
at ServerResponse.onResponseComplete (/app/node_modules/.pnpm/[email protected]/node_modules/pino-http/logger.js:177:14)
at /app/node_modules/.pnpm/@[email protected]_@[email protected]/node_modules/@opentelemetry/context-async-hooks/build/src/AbstractAsyncHooksContextManager.js:50:55
at AsyncLocalStorage.run (node:async_hooks:335:14)
at AsyncLocalStorageContextManager.with (/app/node_modules/.pnpm/@[email protected]_@[email protected]/node_modules/@opentelemetry/context-async-hooks/build/src/AsyncLocalStorageContextManager.js:33:40)
at ServerResponse.contextWrapper (/app/node_modules/.pnpm/@[email protected]_@[email protected]/node_modules/@opentelemetry/context-async-hooks/build/src/AbstractAsyncHooksContextManager.js:50:32)
at ServerResponse.emit (node:events:526:35)
at ServerResponse.emit (node:domain:488:12)
at onFinish (node:_http_outgoing:1005:10)
at callback (node:internal/streams/writable:608:21)
It's probably a broken OIDC server.
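Added example, not part of the thread and not Teable's own validation: a lint over the `BACKEND_OIDC_*` settings posted above. It checks two things that hold for any OpenID Connect client: the requested scope has to include `openid`, and endpoints on anything other than a loopback host should use https. The rule set and the function names are assumptions of this example.

```javascript
// Added example: the rules below are this example's own, not Teable's.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);
const URL_KEYS = ['ISSUER', 'AUTHORIZATION_URL', 'TOKEN_URL', 'USER_INFO_URL', 'CALLBACK_URL'];

// The first configuration from the thread, abridged to the keys checked here.
const FIRST_POST = `
BACKEND_OIDC_CALLBACK_URL=http://localhost:3000/api/auth/oidc/callback
BACKEND_OIDC_USER_INFO_URL=http://localhost:8080/userinfo
BACKEND_OIDC_TOKEN_URL=http://localhost:8080/oauth2/token
BACKEND_OIDC_AUTHORIZATION_URL=http://localhost:8080/oauth2/authorize
BACKEND_OIDC_ISSUER=http://localhost:8080
BACKEND_OIDC_OTHER={"scope": ["email", "profile"]}
`;

function parseEnv(text) {
  const env = {};
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*([A-Z0-9_]+)=(.*)$/);
    if (m) env[m[1]] = m[2].trim();
  }
  return env;
}

function lintOidcEnv(text) {
  const env = parseEnv(text);
  const findings = [];
  // OpenID Connect Core requires "openid" among the requested scope values.
  let scope = [];
  try {
    scope = JSON.parse(env.BACKEND_OIDC_OTHER || '{}').scope || [];
  } catch {
    findings.push('BACKEND_OIDC_OTHER is not valid JSON');
  }
  if (!scope.includes('openid')) findings.push('scope lacks "openid"');
  // The code, tokens and client secret travel over these URLs, so plain
  // http is accepted only for loopback hosts.
  for (const key of URL_KEYS) {
    const name = `BACKEND_OIDC_${key}`;
    let url;
    try { url = new URL(env[name]); } catch {
      findings.push(`${name} is missing or not a URL`);
      continue;
    }
    if (url.protocol !== 'https:' && !LOOPBACK.has(url.hostname)) {
      findings.push(`${name} sends traffic to ${url.hostname} without TLS`);
    }
  }
  return findings;
}
```

Call `lintOidcEnv(FIRST_POST)` to get the list of findings for the first posted configuration; an empty array means both checks passed.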
I found the problem, but how do I set the username that is returned after OIDC (OpenID Connect) login? Currently, after authorized login, the email prefix is displayed in Tableau. How can I customize this username?
OIDC server should return a response similar to this:
{
"iss": "https://auth.example.com/application/o/teable/",
"sub": [REDACTED],
"aud": [REDACTED],
"exp": [REDACTED],
"iat": [REDACTED],
"auth_time": [REDACTED],
"acr": "goauthentik.io/providers/oauth2/default",
"amr": [
"pwd"
],
"email": "[email protected]",
"email_verified": true,
"name": "John Smith",
"given_name": "John Smith",
"preferred_username": "john",
"nickname": "john",
"groups": [
"clients",
"teable"
]
}
Teable only reads the name property for the display name and email for the email, and it theoretically should also save the user avatar, but passport-openidconnect has no support for that.
Your OIDC server probably sends the email in the 'name' field; check the OIDC server configuration for "property mappings".
How to proceed here when the OIDC Server is not giving back an email claim in Access Tokens like Microsoft Entra ID? Could we have a fallback to a different claim for that, like upn or unique_name (see https://learn.microsoft.com/en-au/answers/questions/2122133/how-can-i-include-an-email-claim-in-an-open-id-tok)
Thank you for raising this interesting case. At present, we're focusing on standard OIDC implementations where email claims are provided in Access Tokens. While we understand the specific scenario with Microsoft Entra ID, supporting alternative claims like upn or unique_name is not in our immediate roadmap. We recommend using standard OIDC configurations that include email claims for the best compatibility with our current implementation. Let us know if you need any assistance with the standard OIDC setup.
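Added example, not part of the thread and not Teable's code: a diagnostic for a userinfo response, covering both the property-mapping answer and the missing-email question above. It reports on the two claims the answer says Teable reads (`name`, `email`) and lists which of the other identifiers named in this thread the provider sent; the function name, the warning texts and the sample objects are assumptions of this example.

```javascript
// Added example, diagnostic only: it reports on the two claims the answer
// above says Teable reads (name, email) and performs no fallback itself.
const OTHER_IDENTIFIERS = ['upn', 'unique_name', 'preferred_username']; // named in this thread

// Constructed userinfo responses (example.test values are placeholders).
const MISMAPPED = { sub: 'u-1', name: 'john@example.test', email: 'john@example.test', email_verified: true };
const NO_EMAIL = { sub: 'u-2', name: 'John Smith', upn: 'john@example.test', unique_name: 'john@example.test' };

const isText = (v) => typeof v === 'string' && v.trim() !== '';
const looksLikeEmail = (v) => /^[^@\s]+@[^@\s]+$/.test(v);

function inspectClaims(claims) {
  const report = { displayName: null, email: null, warnings: [] };
  if (!isText(claims.name)) {
    report.warnings.push('name claim missing');
  } else {
    report.displayName = claims.name;
    if (looksLikeEmail(claims.name)) {
      report.warnings.push('name holds an email address; check the property mapping');
    }
  }
  if (isText(claims.email)) {
    report.email = claims.email;
    // An unverified address is a weaker basis for matching an existing account.
    if (claims.email_verified !== true) report.warnings.push('email_verified is not true');
  } else {
    // Listed for the operator; these are sign-in names, not verified mailboxes.
    const sent = OTHER_IDENTIFIERS.filter((k) => isText(claims[k]));
    report.warnings.push(`email claim missing; also sent: ${sent.join(', ') || 'none'}`);
  }
  return report;
}
```

Run `inspectClaims` on the JSON your provider's userinfo endpoint returns for a test account before changing property mappings.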