Kanidm: What does "endpoint belongs to different authority" actually mean?
#156
-
When attempting to use Kanidm as an identity provider for jellyfin (via OIDC), it throws an I believe it relates to the API path on the IdP used by the resource server (jellyfin). The Kanidm documentation says:
For reference, here's my jellyfin/kanidm configuration: And the
{
  "issuer": "https://auth.domain.tld/oauth2/openid/jellyfin-aer",
  "authorization_endpoint": "https://auth.domain.tld/ui/oauth2",
  "token_endpoint": "https://auth.domain.tld/oauth2/token",
  "userinfo_endpoint": "https://auth.domain.tld/oauth2/openid/jellyfin-aer/userinfo",
  "jwks_uri": "https://auth.domain.tld/oauth2/openid/jellyfin-aer/public_key.jwk",
  "scopes_supported": [
    "openid",
    "profile"
  ],
  "response_types_supported": [
    "code"
  ],
  "response_modes_supported": [
    "query"
  ],
  "grant_types_supported": [
    "authorization_code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "ES256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "display_values_supported": [
    "page"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "service_documentation": "https://kanidm.github.io/kanidm/master/integrations/oauth2.html",
  "claims_parameter_supported": false,
  "request_parameter_supported": true,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": false
}
Replies: 2 comments 16 replies
-
Try pressing the checkbox "Do Not Validate OpenID Endpoints (Insecure)"
-
Ran into the same issue, but my kanidm instance is not behind traefik TLS stuff, so it is probably unrelated to traefik? (I do still use it to route TCP with TLS pass-through.) Kanidm does work with mastodon, but I also wouldn't call their current implementation a perfect example.
The problem is that the validation is validating "too much". Its validation to enforce that it's the same URI origin is good, but the fact that it expects all the URIs to be relative to the issuer is the problem here. But if you disable that check (to allow URIs that are not relative to the issuer), you also disable the URI origin verification.
So you could change that in the documentation, but I would advise and prefer to see that the validation only checks that the URI origin is consistent, and not that URIs are relative to the issuer. Otherwise a potentially useful security feature is then off by default.
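To make the two checks discussed in the last reply concrete, here is an added example (my own code, not Jellyfin's or Kanidm's) that runs an origin-only check and a stricter under-the-issuer prefix check over a constructed excerpt of the discovery document quoted above; the function names are assumptions, not names from either project.

```python
import json
from urllib.parse import urlsplit

# Constructed excerpt of the Kanidm discovery document quoted in this
# discussion: only the issuer and the endpoint fields matter for the checks.
DISCOVERY_JSON = """{
  "issuer": "https://auth.domain.tld/oauth2/openid/jellyfin-aer",
  "authorization_endpoint": "https://auth.domain.tld/ui/oauth2",
  "token_endpoint": "https://auth.domain.tld/oauth2/token",
  "userinfo_endpoint": "https://auth.domain.tld/oauth2/openid/jellyfin-aer/userinfo",
  "jwks_uri": "https://auth.domain.tld/oauth2/openid/jellyfin-aer/public_key.jwk"
}"""
DISCOVERY = json.loads(DISCOVERY_JSON)
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")


def _origin(url):
    """(scheme, host, port) with the default port filled in, for comparison."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def same_origin(issuer, endpoint):
    """Origin-only check (what the last reply asks for): same scheme, host and
    port as the issuer, and the endpoint must stay on https, so a discovery
    document pointing the client at an http: or foreign-host URL is rejected."""
    return _origin(endpoint) == _origin(issuer) and _origin(endpoint)[0] == "https"


def under_issuer(issuer, endpoint):
    """Stricter check the original post runs into: the endpoint must be the
    issuer URL itself or sit beneath the issuer's path. The comparison adds a
    trailing slash so a sibling path such as .../jellyfin-aer-other fails."""
    base = issuer.rstrip("/")
    return endpoint.rstrip("/") == base or endpoint.startswith(base + "/")


def rejected_endpoints(doc, check):
    """Return the endpoint fields of a discovery document that fail `check`."""
    issuer = doc["issuer"]
    return [k for k in ENDPOINT_KEYS if k in doc and not check(issuer, doc[k])]


if __name__ == "__main__":
    for name, check in (("same_origin", same_origin), ("under_issuer", under_issuer)):
        print(name, "rejects:", rejected_endpoints(DISCOVERY, check))
```

With the quoted document, the origin-only check rejects nothing, while the prefix check rejects `authorization_endpoint` and `token_endpoint` because Kanidm serves those above the per-client issuer path.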