Question

OpenID with Authnetik

  • 14 April 2024
  • 5 replies
  • 66 views

Badge +1

Hi,

We’re trying to setup OpenID authentication using our Authentik service.

I followed the Centreon documentation but I can’t manage to make it work.

This is our Centreon conf :


This is our Authentik conf :


When I click on OpenID button, it send a request to :

https://$AUTHENTIK_FQDN/application/o/centreon/authorize?client_id=$CLIENTID&response_type=code&redirect_uri=https%3A%2F%2F$CENTREON_FQDN%2Foauth%2Fcallback%2Fcentreon%2Fauthentication%2Fproviders%2Fconfigurations%2Fopenid&state=661c20069eb46&scope=openid%20email%20profile

that fail on Authentik with a 404 code.

Any idea how to fix this ?
 


5 replies

Userlevel 6
Badge +19

Hi @MOAR , Redirect URL must be the url to be redirected from your IdP to Centreon, so Centreon URL.

You must define nothing or your Centreon URL like: https://docs.centreon.com/docs/connect/openid/#step-7-configure-your-identity-provider-idp

Badge +1

Hi @MOAR , Redirect URL must be the url to be redirected from your IdP to Centreon, so Centreon URL.

You must define nothing or your Centreon URL like: https://docs.centreon.com/docs/connect/openid/#step-7-configure-your-identity-provider-idp

Seems to be a proxy error...
When I removed the Redirect URL on Centreon, I still got an error but with this request :
 

https://$AUTHENTIK_FQDN/application/o/centreon/authorize?client_id=$CLIENT_ID&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Fcentreon%2Fauthentication%2Fproviders%2Fconfigurations%2Fopenid&state=661ed02274594&scope=email%20openid%20profile


We’re using Teleport to access the ui.
Do we still need to put a reverse proxy on localhost and access it using Teleport ?

Badge

Hi @MOAR ,

I believe you’ll find two separate issues. First is that Authentik doesn’t need the application to be part of the URL:

Authorization Endpoint should be https://$AUTHENTIK_FQDN/application/o/authorize/ not https://$AUTHENTIK_FQDN/application/o/centreon/authorize .

This is the same for the other URLs.

Secondly, Centreon strips the final ‘/’ from the URL by the looks of it. Authentik expects a ‘/’ at the end of the URL. You’ll get a 404 error because “application/o/authorize” isn’t a URL. “application/o/authorize/” is a URL that Authentik works with though. You can even see this by inserting the “/” when you get a 404.

@Laurent - Should I raise a GitHub issue for this?

Badge +1

I edited the URLs, still not working.

The openid button redirect to  :

https://AUTHENTIK_FQDN/application/o/authorize?client_id=x0MMgXurhZ8ZaOiR1tDQX0RUllbqQnIvohLFJgTo&response_type=code&redirect_uri=https%3A%2F%2FCENTREON_FQDN%2Fapplication%2Fo%2Fcentreon%2Fauthentication%2Fproviders%2Fconfigurations%2Fopenid&state=6638c5dcbd2c3&scope=email%20openid%20profile


And I still get a Not found on authentik.

Badge

Hi @MOAR ,

This is what I was talking about in the second part of the post. When you edit the URL in the interface, Centreon strips the trailing slash off the path.

https://AUTHENTIK_FQDN/application/o/authorize/ becomes https://AUTHENTIK_FQDN/application/o/authorize and that won’t work. You can see it by following the login link and then, on the Authentik 404 page, put a slash in the URL like this:

https://AUTHENTIK_FQDN/application/o/authorize/?client_id=x0MMgXurhZ8ZaOiR1tDQX0RUllbqQnIvohLFJgTo&response_type=code&redirect_uri=https%3A%2F%2FCENTREON_FQDN%2Fapplication%2Fo%2Fcentreon%2Fauthentication%2Fproviders%2Fconfigurations%2Fopenid&state=6638c5dcbd2c3&scope=email%20openid%20profile

See the added slash in “authorize/?client_id” - That is what is missing. It specifically needs to be there. If you add that slash and hit enter, you’ll get forwarded back to Centreon, but then Centreon complains that the URLs don’t match (because it has “authorize?client_id” in the database) and so it won’t authorize the login.

SAML does work for Centreon though, so you could use SAML. It’s not too complex to set up either. 

Reply