Help with OIDC Authentik configuration

[Loigzorn]

Hello everyone,

with the help of Answer of xfact-joseph-p on Issue 1434 I was able to setup oicd configuration, using oicd together with Authentik.
The Authentik side is working properly as far as I can see.

• OS: Debian 12 (bookworm)
• Running Semaphore within Docker
• Semaphore v2.9.37
• Using Nginx Proxy Manager as a reverse proxy

On the way back from Authentik to Semaphore using the redirect link an error gets thrown in the logs:

time="2023-12-02T13:18:24Z" level=error msg="claim 'email' missing from id_token or not a string"

This is the config of the config.json:

        "oidc_providers": {
            "authentik": {
                "display_name": "Sign in with SSO",
                "provider_url": "https://auth.example.com/application/o/semaphore/",
                "client_id": "<<Client_ID>>",
                "client_secret": "<<Secret>>",
                "redirect_url": "https://semaphore.example.com/api/auth/oidc/authentik/redirect",
                "scopes": ["email", "openid", "profile"],
                "username_claim": "preferred_username",
                "name_claim": "preferred_username"
            }
        },

Authentik is providing the 'email', 'openid' and 'profile':

The redirect_url provided by Semaphore and expected from Authentik checks out.

Has someone a clue what I am missing in the setup?
Your help is appreciated!

[Loigzorn]

Hello together,

Well for what it's worth, I have a working setup now.

Let me write down the working config, so it might help someone else:

The oidc_providers of config.json for Semaphore:

"oidc_providers": {
            "authentik": {
                "display_name": "Sign in with SSO",
                "provider_url": "https://auth.authentik.com/application/o/semaphore/",
                "client_id": "<<Client_ID>>",
                "client_secret": "<<Client_Secret>>",
                "redirect_url": "https://semaphore.example.com/api/auth/oidc/authentik/redirect/",
                "scopes": ["email", "openid", "profile"],
                "username_claim": "preferred_username",
                "name_claim": "preferred_username"
            }
        },

Authentik side:
Use the OAuth2/OpenID Provider option as a provider

Redirect URIs/Origins (RegEx): https://semaphore.example.com/api/auth/oidc/authentik/redirect/
Scopes: email, openid, profile
Subject mode: Based on the User's hashed ID
Check the box Include claims in id_token

Use the default settings for the Application

Using this settings semaphore is able to create a user based on the scopes provided by Authentik.
For the user name created inside Semaphore be aware that it will look something like this:
Authentik Email : [email protected]
Semaphore User: user.name_fljfXdkdEdd

Let me know if someone else could get the OIDC setup working for them.

Regards