OpenID OAuth redirects to a wrong URL

[kestr31]

Hello, thank you for the great work you made.
This project is really helpful for me for running a task management system.

However, I think there is a problem in the desktop app when using OAuth.
Status and problem that I am now experiencing as following:

---

Release specifications

• OS: Windows 11
• Verion: 0.20.3
• Session Type: Docker, Selfhosted, Reverse Proxy(NGINX)
• Source: Vikunja Downloads, Desktop 0.20.3

Issue

• I have set my Vikunja instance using docker on my server with OpenID OAuth.
• I am able to login to my server using GitLab Oauth set, through the web frontend.
  • Settings I used is the same as the example google OAuth settings except exact values used.
• However, I cannot login with the desktop application showing following error:

An error has occurred
The redirect URI included is not valid.

Guess of the cause

• At the first start, the api URL was shown as localhost.
• I think that mismatch in AUTH_OPENID_REDIRECTURL is causing a problem.

---

Again, thank you for the work and I hope this can help improving the project.

[kolaente]

Thanks for the kind words 🙂

The Vikunja Desktop app spins up its own local server to serve the frontend files, precisely to make redirects from an openid provider work. Because of that, you need to allow redirects back to http://localhost domains.

Does it work with the web frontend?

[verymilan]

I did whitelist the localhost url and then got stranded at POST 400 /api/v1/auth/openid/tchncsauth/callback 🤔

[kolaente]

Anything in the api logs?

[verymilan]

Hmm only Response: {"error":"invalid_grant","error_description":"redirect_uri does not correspond"} but the allowed redirect url is the same as with the frontend except http://127.0.0.1:45735 (http://localhost:45.. is allowed too, but the application makes a request containing &redirect_uri=http://127.0.0.1:45735/auth/openid/...) instead of the domain... unless the "developer mode" setting in the Zitadel server for allowing http:// connections is broken, i don't know what could differ right now.
Zitadel lets me go through the login routine and back on the frontend i get the 400.

I failed to mention that this is the manual macOS build, however I can reproduce on Fedora with the official .rpm package. At least now, yesterday it failed to assemple the url? Strange.^^

[kolaente]

Does Zitadel have an error message in their logs?

[verymilan]

Sadly even with debug loglevel there isn't anything to see about this problem. Its nginx shows a POST /oauth/v2/token HTTP/2.0" 400

[kolaente]

the allowed redirect url is the same as with the frontend except http://127.0.0.1:45735

Do you have http://127.0.0.1:45735 as an allowed redirect url? Or only the localhost one?

Does it work with the web frontend in a browser?

I don't know anything about Zitadel, maybe you need to allow the full url in Zitadel, so something like http://127.0.0.1:45735/auth/openid/<auth key> instead of the domain only.

[verymilan]

Does it work with the web frontend in a browser?

Yes, it works fine in the browser. Right now allowed redirect urls are:

• https://todo.tchncs.de/auth/openid/tchncsauth
• http://127.0.0.1:45735/auth/openid/tchncsauth
• http://localhost:45735/auth/openid/tchncsauth

Just in case i have added http://ip/localhost:port as additional origin but it does not change...

[kolaente]

Huh that's strange. I've never seen this happen with other providers. Does Zitadel have an option to allow any redirect URL?

[verymilan]

Sadly not that i am aware of... but the redirect_uri in the request is quite clear on the other hand: redirect_uri=http://127.0.0.1:45735/auth/openid/tchncsauth&response_type[...] 302 71 "http://127.0.0.1:45735/"

I think that additional origin feature might not be of help:

If you want to add additional Origins to your app which is not used as a redirect you can do that here.

However when i added it with the / at the end, Zitadel complained about it being invalid.
Edit: doesn't matter, it uses the / on the frontend domain as well and it works fine