Help with OIDC Authentik configuration

[Loigzorn]

Hello everyone,

with the help of Answer of xfact-joseph-p on Issue 1434 I was able to setup oicd configuration, using oicd together with Authentik.
The Authentik side is working properly as far as I can see.

• OS: Debian 12 (bookworm)
• Running Semaphore within Docker
• Semaphore v2.9.37
• Using Nginx Proxy Manager as a reverse proxy

On the way back from Authentik to Semaphore using the redirect link an error gets thrown in the logs:

time="2023-12-02T13:18:24Z" level=error msg="claim 'email' missing from id_token or not a string"

This is the config of the config.json:

        "oidc_providers": {
            "authentik": {
                "display_name": "Sign in with SSO",
                "provider_url": "https://auth.example.com/application/o/semaphore/",
                "client_id": "<<Client_ID>>",
                "client_secret": "<<Secret>>",
                "redirect_url": "https://semaphore.example.com/api/auth/oidc/authentik/redirect",
                "scopes": ["email", "openid", "profile"],
                "username_claim": "preferred_username",
                "name_claim": "preferred_username"
            }
        },

Authentik is providing the 'email', 'openid' and 'profile':

The redirect_url provided by Semaphore and expected from Authentik checks out.

Has someone a clue what I am missing in the setup?
Your help is appreciated!

[Loigzorn]

Hello together,

Well for what it's worth, I have a working setup now.

Let me write down the working config, so it might help someone else:

The oidc_providers of config.json for Semaphore:

"oidc_providers": {
            "authentik": {
                "display_name": "Sign in with SSO",
                "provider_url": "https://auth.authentik.com/application/o/semaphore/",
                "client_id": "<<Client_ID>>",
                "client_secret": "<<Client_Secret>>",
                "redirect_url": "https://semaphore.example.com/api/auth/oidc/authentik/redirect/",
                "scopes": ["email", "openid", "profile"],
                "username_claim": "preferred_username",
                "name_claim": "preferred_username"
            }
        },

Authentik side:
Use the OAuth2/OpenID Provider option as a provider

Redirect URIs/Origins (RegEx): https://semaphore.example.com/api/auth/oidc/authentik/redirect/
Scopes: email, openid, profile
Subject mode: Based on the User's hashed ID
Check the box Include claims in id_token

Use the default settings for the Application

Using this settings semaphore is able to create a user based on the scopes provided by Authentik.
For the user name created inside Semaphore be aware that it will look something like this:
Authentik Email : [email protected]
Semaphore User: user.name_fljfXdkdEdd

Let me know if someone else could get the OIDC setup working for them.

Regards

[anuneo]

Thanks! Maybe it is a stupid question, but I am a beginner with semaphore ui. Where can I find the config.yaml in case I am using the docker compose?

I am using this compose file: https://docs.semaphoreui.com/administration-guide/installation#docker

[Loigzorn]

Not at all,
I added this line to the stack:

volumes:
      - /opt/semaphore:/etc/semaphore

This mapping exposes the /etc/semaphore directory to the host system of the path /opt/semaphore. While I have chosen to use the path mapping, this can be a docker volume as well.
Under this path you will find the exposes config.yaml, within you can configure the oicd_provider.

Hope this helps :)

[anuneo]

Thank you. It helped, the config file is now present in the folder. But the file is created under the user 1001. It would be great if I can specify the owner of the file in the docker compose, e.g. for my other docker containers, I am able to specify "user: :". Due to this, all files created in the mounted volumes are created with specified ownership. When I do this for semaphore, then I get the following error messages:

semaphore-1 | /usr/local/bin/server-wrapper: line 124: can't create /tmp/semaphore/config.stdin: Permission denied

Is there an environment variable which I can specify, which tells semaphore to use the specified uid and gid?

[Loigzorn]

In the docs there is no mention an user environment variable that can be specified.

This is a common error that occurs when the file is not present at the time of the container startup. The container than tries to create the file itself but fails due to the missing permission.

Try to create the config-file yourself and add the required input. After the creation of the config the container should be able to start without the error message of the missing permission and should be able to read the config as well

[anuneo]

Thank you @Loigzorn, that helped! Thanks for all your help. 😃