
Comments (14)

cmintey commented on July 25, 2024

> see it has just been added 19 hours ago in nightly

Haha yeah, I added it after I read about the roles in Zitadel. And it has come up in other cases as well, so it just offers more flexibility. Thanks for making the tutorial post!

from mealie.

Aurel004 commented on July 25, 2024

I was hoping to create a new tutorial on how to configure OIDC with Zitadel, but I'll have to wait a bit.


cmintey commented on July 25, 2024

When you changed the configuration from Authentik to Zitadel, did you reset your browser cache or try in a private window? Did you set up your Zitadel client as a SPA?


Aurel004 commented on July 25, 2024

> When you changed the configuration from Authentik to Zitadel, did you reset your browser cache or try in a private window?

Yes, I used a private window.

> Did you set up your Zitadel client as a SPA?

What do you mean by SPA? If the question is "Did I set up a new app for Mealie in Zitadel?", the answer is yes.
Here is a screenshot of the configuration:
[screenshot of the Zitadel application configuration, not reproduced here]


cmintey commented on July 25, 2024

I took a look at the docs for Zitadel and there is supposedly an option for a Single Page Application type, which is what you need for Mealie. Looks like from your screenshot you selected a Web application. https://zitadel.com/docs/guides/integrate/login/oidc/login-users


Aurel004 commented on July 25, 2024

> I took a look at the docs for Zitadel and there is supposedly an option for a Single Page Application type, which is what you need for Mealie. Looks like from your screenshot you selected a Web application. https://zitadel.com/docs/guides/integrate/login/oidc/login-users

Perfect, thank you!
Had an issue with [OIDC] Required claims not present. Expected: {'name', 'preferred_username', 'email'} Actual: dict_keys(['iss', 'sub', 'aud', 'exp', 'iat', 'auth_time', 'amr', 'azp', 'client_id', 'at_hash', 'c_hash']) but I got it working; I might do the tutorial.

Do you know why for Mealie it must be a SPA and not web?

And a 2nd question (I might open another issue for this): do you know how to go from the nightly image to latest? I have this error: alembic.util.exc.CommandError: Can't locate revision identified by '7788478a0338' (SQLite)

Thank you!


cmintey commented on July 25, 2024

Great! Mealie's architecture is a little weird where we have a backend which serves the front end as a SPA, so the OIDC authentication happens only in the browser, which is why it needs to be a SPA type (other IdPs will have an option for "public" which is the same concept).

You can't revert to a numbered release because there have been some database migrations since the last numbered release. If you had a database backup before you switched to nightly, then you could restore that backup and go back to the numbered release.

Nightly is pretty stable so don't worry too much about it, you should be able to get back to the regular release cycle on the next version if you like

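What the SPA/public client type changes in practice, as an added example that is not Mealie's or Zitadel's own code: a public client has no client secret to present at the token endpoint, so the Authorization Code flow is bound to the browser with PKCE (RFC 7636) instead. The endpoints, client id and redirect URI below are made-up placeholders, and that Mealie's frontend performs exactly these steps is an assumption; the point is what a public client sends to the IdP and what the IdP checks on the code exchange.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder endpoints and client settings (assumed for the example, not taken from the thread).
AUTHORIZATION_ENDPOINT = "https://zitadel.example.com/oauth/v2/authorize"
TOKEN_ENDPOINT = "https://zitadel.example.com/oauth/v2/token"
CLIENT_ID = "123456789012345678@mealie"
REDIRECT_URI = "https://mealie.example.com/login"


def _b64url(data: bytes) -> str:
    """base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier of 43..128 characters (RFC 7636 section 4.1); 32 bytes give 43 chars."""
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(verifier: str, state: str, scopes=("openid", "profile", "email")) -> str:
    """Browser side: only the challenge leaves the browser; the verifier is kept until the code comes back."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Code exchange for a public client: no client_secret anywhere, the verifier proves possession."""
    return {
        "url": TOKEN_ENDPOINT,
        "data": {
            "grant_type": "authorization_code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "code": code,
            "code_verifier": verifier,
        },
    }


def idp_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """IdP side: recompute S256 over the presented verifier and compare to the stored challenge."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    print(build_authorization_url(verifier, state=secrets.token_urlsafe(16)))
    challenge_seen_by_idp = code_challenge_s256(verifier)
    print(build_token_request("code-from-redirect", verifier))
    print("IdP accepts exchange:", idp_verify_pkce(challenge_seen_by_idp, verifier))
```

A "Web" application type in Zitadel expects the confidential-client variant of this exchange, with a client secret the browser cannot hold, which is why a browser-only client like Mealie's frontend has to be registered as a SPA (or "public") client.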

Aurel004 commented on July 25, 2024

Okay, thank you for the explanation.

> Nightly is pretty stable so don't worry too much about it, you should be able to get back to the regular release cycle on the next version if you like

Okay, so I just have to wait for the next latest release?


cmintey commented on July 25, 2024

> Okay, so I just have to wait for the next latest release?

Yep! Once the next tagged release is available, you can switch over to it and shouldn't have any issues


Aurel004 commented on July 25, 2024

Okay, thank you!

Tutorial has been made : #3557


Aurel004 commented on July 25, 2024

> Great! Mealie's architecture is a little weird where we have a backend which serves the front end as a SPA, so the OIDC authentication happens only in the browser, which is why it needs to be a SPA type (other IdPs will have an option for "public" which is the same concept).
>
> You can't revert to a numbered release because there have been some database migrations since the last numbered release. If you had a database backup before you switched to nightly, then you could restore that backup and go back to the numbered release.
>
> Nightly is pretty stable so don't worry too much about it, you should be able to get back to the regular release cycle on the next version if you like

Update,

I get an infinite redirect, and the logs in mealie say:
File "/opt/pysetup/.venv/lib/python3.10/site-packages/authlib/jose/rfc7517/key_set.py", line 29, in find_by_kid raise ValueError('Invalid JSON Web Key Set')
ValueError: Invalid JSON Web Key Set
INFO 2024-05-04T00:20:32 - [192.168.0.20:0] 307 Temporary Redirect "GET /login?direct=1 HTTP/1.1"
INFO 2024-05-04T00:20:32 - [192.168.0.20:0] 401 Unauthorized "GET /api/users/self HTTP/1.1"
INFO 2024-05-04T00:20:33 - [192.168.0.20:0] 500 Internal Server Error "POST /api/auth/token HTTP/1.1"
ERROR 2024-05-04T00:20:33 - Exception in ASGI application

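A way to see what that traceback actually says, as an added example (not Mealie's, authlib's or Zitadel's code): in authlib, `ValueError('Invalid JSON Web Key Set')` is raised by `find_by_kid` when no key in the set carries the `kid` named in the token header, which is what a stale or cached key set, or a token issued under a different signing key, produces. The checker below parses only the JOSE header and verifies nothing; the token and both key sets are constructed with made-up key ids and omitted key material.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jws_header(token: str) -> dict:
    """Parse the JOSE header of a compact JWS. No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[0]))


def diagnose_kid(jwks: dict, token: str) -> dict:
    """Explain why a key-set lookup for this token would fail before a JOSE library raises on it."""
    header = jws_header(token)
    kid, alg = header.get("kid"), header.get("alg")
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    problems = []
    if not isinstance(keys, list) or not keys:
        problems.append("key set has no non-empty 'keys' array")
        keys = []
    available = [k.get("kid") for k in keys]
    match = next((k for k in keys if k.get("kid") == kid), None)
    if kid is None:
        problems.append("token header carries no kid")
    elif match is None:
        problems.append(f"token kid {kid!r} is not in the key set {available!r}")
    else:
        if match.get("use") not in (None, "sig"):
            problems.append(f"matching key has use={match.get('use')!r}, not a signing key")
        if match.get("alg") and match.get("alg") != alg:
            problems.append(f"key alg {match.get('alg')!r} differs from token alg {alg!r}")
    return {"kid": kid, "alg": alg, "available_kids": available, "ok": not problems, "problems": problems}


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build something with the compact-JWS shape for testing; the signature segment is a dummy."""
    segments = [json.dumps(header).encode(), json.dumps(payload).encode(), b"not-a-real-signature"]
    return ".".join(_b64url_encode(s) for s in segments)


# Constructed sample data: an ID token that names key 'k-2024-05', plus a stale and a fresh key set.
# Key ids are invented and the RSA modulus is omitted; only kid/use/alg are consulted here.
SAMPLE_TOKEN = make_unsigned_token(
    {"alg": "RS256", "kid": "k-2024-05", "typ": "JWT"},
    {"iss": "https://zitadel.example.com", "sub": "1"},
)
STALE_JWKS = {"keys": [{"kty": "RSA", "kid": "k-2024-01", "use": "sig", "alg": "RS256", "n": "<omitted>", "e": "AQAB"}]}
FRESH_JWKS = {"keys": [{"kty": "RSA", "kid": "k-2024-05", "use": "sig", "alg": "RS256", "n": "<omitted>", "e": "AQAB"}]}

if __name__ == "__main__":
    for name, jwks in (("stale", STALE_JWKS), ("fresh", FRESH_JWKS)):
        print(name, json.dumps(diagnose_kid(jwks, SAMPLE_TOKEN), indent=2))
```

Against a live deployment you would feed it the key set from the `jwks_uri` in the issuer's `.well-known/openid-configuration` and the ID token from the failing login. If the `kid` is not in the set, the problem is on the IdP side (a cached key set, a different issuer URL than the one that signed the token), not in Mealie's configuration.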

Aurel004 commented on July 25, 2024

Okay fast update, got it fixed somehow by updating to the last nightly tag and deleting old mealie apps in Zitadel.

My issue now is that I lose the admin role even if I configured the admin role in Zitadel, any idea on this?


cmintey commented on July 25, 2024

If the OIDC_ADMIN_GROUP is set, then Mealie pulls the groups claim (this is now configurable with OIDC_GROUPS_CLAIM in nightly) and looks to see if your groups contain the specified admin group. If it doesn't, then it will revoke your admin status.

So what is probably happening is your groups are not coming back in the groups claim. And your admin status is getting reset. I think I read in the Zitadel docs that there is a claim for "roles" that you might need to specify in Mealie. (OIDC_GROUPS_CLAIM=urn:zitadel:iam:org:project:roles)


Aurel004 commented on July 25, 2024

> If the OIDC_ADMIN_GROUP is set, then Mealie pulls the groups claim (this is now configurable with OIDC_GROUPS_CLAIM in nightly) and looks to see if your groups contain the specified admin group. If it doesn't, then it will revoke your admin status.
>
> So what is probably happening is your groups are not coming back in the groups claim. And your admin status is getting reset. I think I read in the Zitadel docs that there is a claim for "roles" that you might need to specify in Mealie. (OIDC_GROUPS_CLAIM=urn:zitadel:iam:org:project:roles)

Absolutely perfect. I was missing that OIDC_GROUPS_CLAIM env variable. I see it has just been added 19 hours ago in nightly lol

Updating the tutorial as there are some more tweaks to do in Zitadel for the urn:zitadel:iam:org:project:roles (or urn:zitadel:iam:org:project:{projectId}:roles) to appear in the response.

Thank you very much

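The claim handling described two comments up and refined in the one just above, as an added example that is not Mealie's own code: the claim named by OIDC_GROUPS_CLAIM is read from the ID token, and admin is granted only when OIDC_ADMIN_GROUP appears in it, otherwise revoked on that login. Zitadel's `urn:zitadel:iam:org:project:roles` (and the project-scoped `urn:zitadel:iam:org:project:{projectId}:roles`) is a JSON object keyed by role name rather than a list of strings, so the extractor accepts both shapes. The sample claim sets, the project ids and the admin group name are constructed, and the required-claims check mirrors the log line quoted earlier in the thread; how Mealie parses the claim internally is not reproduced here.

```python
from typing import Optional, Tuple

ZITADEL_ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"
# The three claims Mealie's log line earlier in the thread says it requires.
REQUIRED_CLAIMS = frozenset({"name", "preferred_username", "email"})


def zitadel_project_roles_claim(project_id: str) -> str:
    """Name of Zitadel's project-scoped roles claim for one project id."""
    return f"urn:zitadel:iam:org:project:{project_id}:roles"


def missing_required_claims(claims: dict) -> set:
    return set(REQUIRED_CLAIMS) - set(claims)


def extract_groups(claims: dict, groups_claim: str) -> set:
    """Normalise the groups claim to a set of names. Accepts a list (most IdPs), a single string,
    or Zitadel's object shape {role: {orgId: orgDomain}} where the role names are the keys."""
    value = claims.get(groups_claim)
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    if isinstance(value, dict):
        return set(value)
    if isinstance(value, (list, tuple, set)):
        return {str(v) for v in value}
    return set()


def resolve_admin(claims: dict, groups_claim: str, admin_group: Optional[str], currently_admin: bool) -> Tuple[bool, str]:
    """Admin decision as the thread describes it: when OIDC_ADMIN_GROUP is set, membership is
    re-evaluated from the token on every login and a missing group revokes admin (fail closed).
    Leaving the status untouched when OIDC_ADMIN_GROUP is unset is an assumption of this example."""
    if not admin_group:
        return currently_admin, "OIDC_ADMIN_GROUP unset; admin status not managed by the IdP"
    groups = extract_groups(claims, groups_claim)
    if admin_group in groups:
        return True, f"{admin_group!r} found in claim {groups_claim!r}"
    if not groups:
        return False, f"claim {groups_claim!r} absent or empty; admin revoked"
    return False, f"{admin_group!r} not in {sorted(groups)}; admin revoked"


# Constructed ID-token claims (no real tokens). 'groups' is the list shape a generic IdP sends;
# Zitadel puts roles under the urn claim, shown here with invented org and project ids.
GENERIC_CLAIMS = {
    "sub": "1", "email": "a@example.com", "name": "A", "preferred_username": "a",
    "groups": ["mealie-admin", "family"],
}
ZITADEL_CLAIMS = {
    "sub": "2", "email": "b@example.com", "name": "B", "preferred_username": "b",
    ZITADEL_ROLES_CLAIM: {"mealie-admin": {"276000000000000001": "example.zitadel.cloud"}},
    zitadel_project_roles_claim("276000000000000002"): {"mealie-admin": {"276000000000000001": "example.zitadel.cloud"}},
}
# Mirrors the token from the 'Required claims not present' error: no profile/email claims at all.
BARE_ZITADEL_CLAIMS = {
    "iss": "https://zitadel.example.com", "sub": "3", "aud": "123456789012345678@mealie",
    "exp": 0, "iat": 0, "auth_time": 0, "amr": ["pwd"], "azp": "123456789012345678@mealie",
    "client_id": "123456789012345678@mealie", "at_hash": "x", "c_hash": "y",
}

if __name__ == "__main__":
    # Default claim name against a Zitadel token: the admin group is never seen, so admin is revoked.
    print(resolve_admin(ZITADEL_CLAIMS, "groups", "mealie-admin", True))
    # With OIDC_GROUPS_CLAIM pointed at the Zitadel roles claim the same token grants admin.
    print(resolve_admin(ZITADEL_CLAIMS, ZITADEL_ROLES_CLAIM, "mealie-admin", False))
    print("missing:", missing_required_claims(BARE_ZITADEL_CLAIMS))
```

The first call is the symptom reported above: with the default `groups` claim name, a Zitadel token never contains the admin group, so a previously admin account is demoted at its next login. The second call is the OIDC_GROUPS_CLAIM fix; the project-scoped claim works the same way once its exact name is configured.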
