portainer: Unauthorized with SSO Custom OAuth

Bug description

Hello! I am having an issue getting my custom OAuth provider to successfully authenticate with Portainer. Currently, when I click the Login button, it does forward me to my OAuth provider. But when I enter my credentials (which are valid), it sends me back to Portainer and then gives an unauthorized error (see logs below).

Expected behavior

I can log in with SSO using my custom OAuth provider.

Portainer Logs

There are no relevant logs when I check docker logs.

Here is the error from Chrome:

{
    "data": {
        "message": "Unable to authenticate through OAuth",
        "details": "Unauthorized"
    },
    "status": 500,
    "config": {
        "method": "POST",
        "transformRequest": [
            null
        ],
        "transformResponse": [
            null
        ],
        "jsonpCallbackParam": "callback",
        "ignoreLoadingBar": true,
        "data": {
            "code": "de6d660187cc43c5ae6260d1f9b9821a"
        },
        "url": "api/auth/oauth/validate",
        "headers": {
            "Accept": "application/json, text/plain, */*",
            "Content-Type": "application/json"
        }
    },
    "statusText": "",
    "xhrStatus": "complete",
    "resource": {
        "code": "de6d660187cc43c5ae6260d1f9b9821a"
    }
}

Steps to reproduce the issue:

  1. Set up a custom OAuth provider.
  2. Attempt to log in.

Technical details:

  • Portainer version: Portainer CE 2.16.2
  • Docker version (managed by Portainer): Docker version 20.10.22, build 3a2c30
  • Platform (windows/linux): Linux
  • Command used to start Portainer (docker run -p 9443:9443 portainer/portainer): Compose File:
portainer:
    image: portainer/portainer-ce:2.16.2-alpine
    environment:
      - PGID=1000
      - PUID=1000
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /docker/portainer:/data
      - /etc/ssl/certs:/etc/ssl/certs # Used to pass in custom CA
    deploy:
      restart_policy:
        condition: any
    networks:
      - default
  • Browser: Chrome 108.0.5359.124 (Official Build) (x86_64)
  • Have you reviewed our technical documentation and knowledge base? Yes

Additional context

Here is my OAuth configuration in Portainer:

I do have one more question: what should my callback URL be in my OAuth provider? Currently I just used the URL of my Portainer instance (e.g. https://my-portainer-url.my-domain.tld, referenced above in the Redirect URL). Is this correct?

Hopefully someone can provide some help, as I am stumped. I have used this OAuth provider with other applications and not run into this problem, so it seems to either be a configuration with Portainer that I have wrong, or something wrong on the OAuth side like the callback URL.

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 16

Most upvoted comments

For someone using Keycloak

If using Keycloak, make sure that “Client Authentication” in the client settings is enabled. This way you will be able to get a “Client Secret” from the “Credentials” tab in the client settings, which will be needed later in Portainer.

Use the following settings:

  1. Client ID: your-client-id
  2. Client secret: your-secret
  3. Authorization URL: https://`your-keycloak-url`:port/realms/your-realm/protocol/openid-connect/auth
  4. Access token URL: https://`your-keycloak-url`:port/realms/your-realm/protocol/openid-connect/token
  5. Resource URL: https://`your-keycloak-url`:port/realms/your-realm/protocol/openid-connect/userinfo
  6. Redirect URL: https://`your-portainer-url`
  7. Logout URL: https://`your-keycloak-url`:port/realms/your-realm/protocol/openid-connect/logout?redirect_uri=your-portainer-url-encoded
  8. User identifier: email
  9. Scopes: openid profile email

OK, I now have this working. Using the undocumented DEBUG log level and a hint from this issue that it was certificate related, I was able to find out that it is giving me an X509 error. This is because the cert for my OIDC provider has been signed by a custom CA.

So my solution is twofold:

  1. I had to mount in my custom CA using a volume.
  2. I had to set the Go environment variable SSL_CERT_FILE to point to my custom CA.

SSO now works perfectly.

@xpac1985 I am not sure if this is the same problem you are having. If this doesn’t solve your issue you may want to open a new ticket.
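To see the failure mode described in this comment from the client side, here is an added Go example (not Portainer's code) that mimics the userinfo fetch against a provider whose certificate chains to a CA the Go process does not trust, then repeats it with that CA added to the root pool, which is what SSL_CERT_FILE gives Portainer. The provider, its claims and the /userinfo path are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for an OIDC provider behind a private CA: httptest's self-signed cert plays the custom-CA-issued cert.
func newProvider() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"sub":"f1c2","email":"jdoe@example.test"}`) // constructed claims
	}))
}

// fetchUserinfo performs the GET Portainer makes against the resource URL, trusting only the
// roots in pool (nil = system roots, all Portainer has when SSL_CERT_FILE is unset).
func fetchUserinfo(url string, pool *x509.CertPool) (int, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err // chain validation failures surface here, before any HTTP status exists
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// isX509Error reports whether err is the x509 failure the DEBUG logs exposed: unknown CA, or no usable system roots.
func isX509Error(err error) bool {
	var unknown x509.UnknownAuthorityError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknown) || errors.As(err, &noRoots)
}

// demo returns (x509 failure seen with system roots, HTTP status once the provider's CA is
// trusted, which is what SSL_CERT_FILE=/path/to/custom-ca.pem achieves for Portainer).
func demo() (bool, int) {
	ts := newProvider()
	defer ts.Close()
	_, err := fetchUserinfo(ts.URL+"/userinfo", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ts.Certificate()) // the mounted custom CA, now in the trust store
	code, _ := fetchUserinfo(ts.URL+"/userinfo", pool)
	return isX509Error(err), code
}
```

Running `demo()` should report the x509 failure for the first fetch and a 200 for the second; the same two outcomes are what Portainer sees before and after SSL_CERT_FILE is set.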

Hello @joe-eklund

I also think that the Scope and User Identifier are not configured properly. I am pretty sure that “username” is invalid as User Identifier. Please take a look at the Keycloak documentation.

OpenID Connect ID Token attribute to populate the UserPrincipal name with. If token attribute is null, defaults to sub. Possible values are sub, preferred_username, email, name, nickname, given_name, family_name. https://www.keycloak.org/docs/latest/securing_apps/

Please try the following:

  • User identifier: email
  • Scope: openid profile email

If this works then you can start playing around with the user identifier.