
OIDC with FortiAuthenticator #690

Open
nicedevil007 opened this issue Apr 8, 2024 · 3 comments
Labels
help wanted Extra attention is needed

Comments

@nicedevil007

nicedevil007 commented Apr 8, 2024

Hey guys, I'm trying to get OIDC working with our FortiAuthenticator.
Unfortunately I can't get anything up and running.

My planka systemd service stops with the following message:

```
Apr 08 12:00:56 planka npm[2627]: > start
Apr 08 12:00:56 planka npm[2627]: > nodemon
Apr 08 12:00:56 planka npm[2639]: [nodemon] 3.0.1
Apr 08 12:00:56 planka npm[2639]: [nodemon] to restart at any time, enter `rs`
Apr 08 12:00:56 planka npm[2639]: [nodemon] watching path(s): *.*
Apr 08 12:00:56 planka npm[2639]: [nodemon] watching extensions: js,mjs,cjs,json
Apr 08 12:00:56 planka npm[2639]: [nodemon] starting `node app.js`
Apr 08 12:00:57 planka npm[2652]: 2024-04-08 12:00:57 [E] A hook (`oidc`) failed to load!
Apr 08 12:00:57 planka npm[2652]: 2024-04-08 12:00:57 [E] Failed to lift app: expected 200 OK, got: 301 Moved Permanently
Apr 08 12:00:57 planka npm[2639]: [nodemon] clean exit - waiting for changes before restart
```

Here is my config:

```
## Required

BASE_URL=https://planka.mydomain.org
DATABASE_URL=postgresql://planka:<SECRET>@localhost/planka
SECRET_KEY=<SECRET>

## Optional

TRUST_PROXY=1
#TOKEN_EXPIRES_IN=14 # In days

# related: https://github.com/knex/knex/issues/2354
# As knex does not pass query parameters from the connection string we
# have to use environment variables in order to pass the desired values, e.g.
# PGSSLMODE=<value>

# Configure knex to accept SSL certificates
# KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false

#DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
#DEFAULT_ADMIN_PASSWORD=demo
#DEFAULT_ADMIN_NAME=Demo Demo
#DEFAULT_ADMIN_USERNAME=demo

# Email Notifications (https://nodemailer.com/smtp/)
SMTP_HOST=my.mydomain.org
SMTP_PORT=465
SMTP_SECURE=true
#SMTP_USER=
#SMTP_PASSWORD=
SMTP_FROM="Planka" <noreply@email.server>

OIDC_ISSUER=https://auth.mydomain.org/api/v1/oauth
OIDC_CLIENT_ID=<SECRET>
OIDC_CLIENT_SECRET=<SECRET>
OIDC_SCOPES=openid email profile
# OIDC_ADMIN_ROLES=admin
#OIDC_EMAIL_ATTRIBUTE=email
#OIDC_NAME_ATTRIBUTE=name
#OIDC_USERNAME_ATTRIBUTE=preferred_username
#OIDC_ROLES_ATTRIBUTE=groups
# OIDC_IGNORE_USERNAME=true
# OIDC_IGNORE_ROLES=true
# OIDC_ENFORCED=true

## Do not edit this

TZ=UTC
```

So here is a quick overview of the network that all this is in:

Network A: planka is hosted on a separate Ubuntu VM (installed with the manual install method)
Network B: Nginx Proxy Manager that forwards traffic going to https://planka.email.server to the Network A VM with Planka running on it
Network C: FortiAuthenticator

Ofc: all firewall rules to reach one or the other network are up and running and nothing is blocked so far (at least this is what my logs tell me ;D)

If I disable all OIDC env variables it is working with local logins.

@meltyshev
Member

Hi! It looks like openid-client can't discover the issuer by the provided URL:

```js
const issuer = await openidClient.Issuer.discover(sails.config.custom.oidcIssuer);
```

Please try to navigate to the address of your issuer https://auth.mydomain.org/api/v1/oauth in a browser, see where you get redirected to, and specify the final address. It's also possible that you need to put a slash at the end: https://auth.mydomain.org/api/v1/oauth/ (but it's just a guess why the redirection is done).

@meltyshev meltyshev added the help wanted Extra attention is needed label Apr 8, 2024
@nicedevil007
Author

nicedevil007 commented Apr 9, 2024

OK, I tested this with / and without.
Not working at all.

This is what I have available as URL on my FortiAuthenticator.

```json
{
    "issuer": "https://auth.mydomain.org/api/v1/oauth",
    "authorization_endpoint": "https://auth.mydomain.org/api/v1/oauth/authorize/",
    "token_endpoint": "https://auth.mydomain.org/api/v1/oauth/token/",
    "userinfo_endpoint": "https://auth.mydomain.org/api/v1/oauth/userinfo/",
    "jwks_uri": "https://auth.mydomain.org/api/v1/oauth/.well-known/keys/",
    "response_types_supported": [
        "code",
        "token",
        "id_token",
        "id_token token",
        "code token",
        "code id_token",
        "code id_token token"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "token_endpoint_auth_methods_supported": [
        "client_secret_post",
        "client_secret_basic"
    ]
}
```

So what should I take from these ones?

@meltyshev
Member

The response looks correct. It's very hard to say why this might be happening. We'll try to test with FortiAuthenticator sometime or maybe someone has already encountered this and can tell us how to solve it.
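Added example (not Planka's or openid-client's code, and not part of this thread): it reproduces the discovery step from the "expected 200 OK, got: 301" error offline and checks the metadata document posted above against the configured issuer. Two assumptions are labelled in the code: that openid-client derives the discovery URL by appending `/.well-known/openid-configuration` to the issuer (using the URL as-is if it already contains `/.well-known/`), and a constructed fake server that only answers the well-known path when it ends with a slash and redirects the bare path. That server is a hypothetical cause of the 301, not something confirmed for FortiAuthenticator; the point is that a discovery client which does not follow redirects fails exactly as in the log, and that the `Location` header of the redirect is the address worth looking at. The validator applies OIDC Discovery 1.0 rules: the required fields for a code-flow client, and the section 4.3 requirement that the document's `issuer` is byte-for-byte identical to the issuer URL the client was configured with (so a trailing slash added on the client side alone produces a mismatch against this document, whatever a given client library enforces).

```javascript
// Added example, not Planka's or openid-client's own code.
const WELL_KNOWN = '.well-known/openid-configuration';

// Build the discovery URL from an issuer URL. Assumption: this mirrors how
// openid-client derives it (keep the URL if it already contains /.well-known/,
// otherwise append the well-known path, taking a trailing slash into account).
function discoveryUrl(issuer) {
  const u = new URL(issuer);
  if (!u.pathname.includes('/.well-known/')) {
    u.pathname = u.pathname.endsWith('/') ? u.pathname + WELL_KNOWN : u.pathname + '/' + WELL_KNOWN;
  }
  u.search = '';
  u.hash = '';
  return u.href;
}

// Metadata a code-flow relying party needs (OIDC Discovery 1.0, section 3).
const REQUIRED_FIELDS = [
  'issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri',
  'response_types_supported', 'subject_types_supported',
  'id_token_signing_alg_values_supported',
];

// Validate a discovery document against the issuer the client was configured with.
// Returns a list of problems; an empty list means the document is usable.
function validateMetadata(configuredIssuer, doc) {
  const problems = [];
  for (const f of REQUIRED_FIELDS) {
    if (!(f in doc)) problems.push(`missing required field: ${f}`);
  }
  // Section 4.3: "issuer" MUST be identical to the issuer URL used for discovery.
  if (doc.issuer !== configuredIssuer) {
    problems.push(`issuer mismatch: configured "${configuredIssuer}" but document says "${doc.issuer}"`);
  }
  if (!Array.isArray(doc.response_types_supported) || !doc.response_types_supported.includes('code')) {
    problems.push('authorization code flow ("code") not in response_types_supported');
  }
  const algs = doc.id_token_signing_alg_values_supported;
  if (!Array.isArray(algs) || algs.includes('none')) {
    problems.push('id_token_signing_alg_values_supported must be present and must not allow "none"');
  }
  return problems;
}

// Run discovery through a pluggable synchronous fetch so it can be tested offline.
// Like the failing client, it follows no redirects: anything but 200 is a failure,
// but a 301/302 is reported together with its Location header so the operator sees
// where the provider actually serves the document.
function discover(configuredIssuer, fetchImpl) {
  const url = discoveryUrl(configuredIssuer);
  const res = fetchImpl(url);
  if (res.status !== 200) {
    const loc = res.headers && res.headers.location;
    return { ok: false, url, error: `expected 200 OK, got: ${res.status}` + (loc ? ` (redirects to ${loc})` : '') };
  }
  return { ok: true, url, problems: validateMetadata(configuredIssuer, res.body) };
}

// Constructed fixtures: the metadata posted in this issue (endpoints end with "/"),
// and a hypothetical server that answers the well-known path only with a trailing
// slash and redirects the bare path. This is one possible cause of the 301, not a
// confirmed FortiAuthenticator behaviour.
const ISSUER = 'https://auth.mydomain.org/api/v1/oauth';
const FORTI_METADATA = {
  issuer: ISSUER,
  authorization_endpoint: ISSUER + '/authorize/',
  token_endpoint: ISSUER + '/token/',
  userinfo_endpoint: ISSUER + '/userinfo/',
  jwks_uri: ISSUER + '/.well-known/keys/',
  response_types_supported: ['code', 'token', 'id_token', 'id_token token', 'code token', 'code id_token', 'code id_token token'],
  subject_types_supported: ['public'],
  id_token_signing_alg_values_supported: ['RS256'],
  token_endpoint_auth_methods_supported: ['client_secret_post', 'client_secret_basic'],
};
const SLASHED_WELL_KNOWN = ISSUER + '/' + WELL_KNOWN + '/';

function fakeServer(url) {
  if (url === SLASHED_WELL_KNOWN) return { status: 200, headers: {}, body: FORTI_METADATA };
  if (url === ISSUER + '/' + WELL_KNOWN) return { status: 301, headers: { location: SLASHED_WELL_KNOWN }, body: null };
  return { status: 404, headers: {}, body: null };
}

// Walk through the cases discussed in the thread.
console.log(discover(ISSUER, fakeServer));            // fails like the log, but shows the Location
console.log(discover(ISSUER + '/', fakeServer));      // same discovery URL, same failure
console.log(discover(SLASHED_WELL_KNOWN, fakeServer)); // 200, but issuer mismatch against the document
console.log(validateMetadata(ISSUER, FORTI_METADATA)); // [] : the posted document is consistent
```

The third call shows the trade-off an operator runs into: pointing the client straight at the slash-terminated well-known URL gets past the 301, but then the `issuer` in the document no longer equals the configured value, which a spec-conforming client treats as a discovery failure, and which a client that does not check it would silently accept. The real fix is on the provider side (serve the document at the bare well-known path, or make its `issuer` match the address it answers on), which is what the log line and the `Location` header point at.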
