OpenID SSO with Authelia

Hello.
I’m trying to setup SSO with Authelia OSS SSO solution that has OpenID Connect as a beta feature.

The provider appears to support everything that is mentioned here and configured accordingly

The client is a macOS 12.4 / ZeroTier 1.10 (M1) machine. It is getting the Consent Page of Authelia, provider logs indicate success, but the ZT callback page is outputting this: “SSO Exchange Error: error from central endpoint”.
This does not give me much to work with. Is there a way to get more verbose output from ZT?

Hello there,

Just looking at the documentation and want to ensure you have enforce_pkce set. Without that, things definitely won’t work. Also try leaving & re-joining the network (you may need to open a terminal to do this on an unauth’d SSO network using sudo zerotier-cli leave $networkID and sudo zerotier-cli join $networkID).

Aside from that, I’m going to set up Authelia today to see if I can reproduce your issue & find a solution.

Still working on bootstrapping Authelia on a VM. I just noticed something for the client configuration in Authelia that could be a point of confusion.

In the client block, you’ll likely want to set the field secret: "" (a blank string), and also ensure public: true is set. ZeroTier uses PKCE, and is a public client to the OIDC provider.

OK, I tracked down what’s happening. And unfortunately, unless I’m missing a setting in Authelia, this is going to take a 1.10.1 release of ZeroTier to get this working for you.

To get down to technical details, it appears that the JWT tokens generated by Authelia use the “Registered Claims” format instead of the “Standard Claims” format, which is what we were expecting. The difference between the two is that the aud field in Standard Claims can only be a string, whereas in Registered Claims it can be a string or an array of strings. This is what is causing the issue.

I have a change queued for https://my.zerotier.com that fixes this, but unfortunately that’s only half the problem. The JWT handling code in ZeroTier One itself also has the same issue. I’m working on a patch for that now. Then we can spin up & release a new version that should fix this all for you. I’ll also be adding some docs to show the settings I used to get Authelia up and running.
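The aud mismatch described in the reply above, as an added example that is not ZeroTier's, Authelia's or Grant's code: RFC 7519 allows the aud claim to be either a single string or an array of strings, and a decoder whose claims struct declares aud as a plain string fails as soon as a provider emits the array form. The Audience type below accepts both forms (the same idea as a string-or-array claim type), and StrictDecodeFails shows the string-only model rejecting the array form. The issuer, subject, audience value and the token payloads are constructed for the demo; the helper only decodes the payload segment and deliberately stops before signature verification, which a real client must perform against the provider's JWKS before trusting any claim.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Audience accepts the "aud" claim as a single JSON string or as an array of
// strings (RFC 7519 section 4.1.3). Decoding "aud" into a plain string field
// fails on the array form, which is the mismatch discussed in the thread.
type Audience []string

func (a *Audience) UnmarshalJSON(data []byte) error {
	var single string
	if err := json.Unmarshal(data, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(data, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = Audience(many)
	return nil
}

// Claims is the subset of an ID token payload needed for audience checking.
type Claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience Audience `json:"aud"`
}

// StrictClaims models the string-only expectation that breaks on array aud.
type StrictClaims struct {
	Audience string `json:"aud"`
}

// payloadSegment returns the base64url-decoded middle segment of a compact JWT.
// It does NOT verify the signature; the caller must do that before trusting
// anything returned here.
func payloadSegment(token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not in compact JWS form (header.payload.signature)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	return raw, nil
}

// DecodePayload parses the payload with the lenient Audience type.
func DecodePayload(token string) (*Claims, error) {
	raw, err := payloadSegment(token)
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// StrictDecodeFails reports whether the string-only model rejects the token.
func StrictDecodeFails(token string) bool {
	raw, err := payloadSegment(token)
	if err != nil {
		return true
	}
	var s StrictClaims
	return json.Unmarshal(raw, &s) != nil
}

// CheckAudience returns nil only when clientID is one of the token's audiences.
func CheckAudience(c *Claims, clientID string) error {
	for _, a := range c.Audience {
		if a == clientID {
			return nil
		}
	}
	return fmt.Errorf("aud %v does not contain %q", []string(c.Audience), clientID)
}

// EncodeUnsigned builds a constructed token with a placeholder signature so the
// parsing path can be exercised offline. Never accept such a token in production.
func EncodeUnsigned(payload string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body := base64.RawURLEncoding.EncodeToString([]byte(payload))
	return header + "." + body + ".placeholder-signature"
}

// Constructed sample payloads (hypothetical issuer and client ID, not real Authelia output).
const ArrayAudPayload = `{"iss":"https://auth.example.test","sub":"art","aud":["zerotier-client"]}`
const StringAudPayload = `{"iss":"https://auth.example.test","sub":"art","aud":"zerotier-client"}`

func main() {
	for _, p := range []string{ArrayAudPayload, StringAudPayload} {
		tok := EncodeUnsigned(p)
		c, err := DecodePayload(tok)
		fmt.Printf("lenient: aud=%v err=%v | strict fails=%v | audience ok=%v\n",
			[]string(c.Audience), err, StrictDecodeFails(tok), CheckAudience(c, "zerotier-client") == nil)
	}
}
```

Running it shows the array-form payload decoding cleanly through Audience while the string-only model rejects it, and the string-form payload passing both; CheckAudience then enforces that the client's own ID is actually present, which matters more than the JSON shape once the parser is lenient.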

Hey Grant.
That was quick 🙂 Thanks a lot for this. You guys rock 🤟

Hey @art,

We released version 1.10.1 today and it contains a fix for your issue. There’s also a client configuration template for Authelia on our SSO documentation page.

Hey Grant,
It works now! Thanks a lot for this. A useful feature I can now use 🙂

One small bug I discovered by accident. If the provider is unavailable (my nginx proxy was throwing 503), when you try to open the SSO page from the ZT menu bar item on Mac you get Finder opening instead, and no other feedback from this action.