Authentik (oauth) Configuration fails

Hi,

I already used Seafile with OIDC (Keycloak) and had no problems with it. I wanted to switch to authentik for some reasons and can't get it working. I have found three topics in the forums, none of them working.

Error: [ERROR] seahub.oauth.views:152 oauth_callback (missing_token) Missing access token parameter.

```
# seahub_settings.py

# OAUTH

ENABLE_OAUTH = True
OAUTH_ENABLE_INSECURE_TRANSPORT = True

OAUTH_CREATE_UNKNOWN_USER = True
OAUTH_ACTIVATE_USER_AFTER_CREATION = True

OAUTH_CLIENT_ID = ""
OAUTH_CLIENT_SECRET = ""
OAUTH_REDIRECT_URL = 'https://seafile.domain.tld/oauth/callback/'

OAUTH_PROVIDER_DOMAIN = 'auth.domain.tld'
OAUTH_AUTHORIZATION_URL = 'https://auth.domain.tld/application/o/authorize'
OAUTH_TOKEN_URL = 'https://auth.domain.tld/application/o/token'
OAUTH_USER_INFO_URL = 'https://auth.domain.tld/application/o/userinfo'
OAUTH_SCOPE = [
    "profile",
    "email",
    "name",
]
OAUTH_ATTRIBUTE_MAP = {
    "email": (True, "email"),
    "id": (False, "email"),
    "name": (False, "name"),
}
```

It seems that it can authenticate against authentik, but I get an error after login (reach out to your admin) and the message posted above.

Can someone please help me out with this and possibly explain what's my error? It seems that I don't get a token here.

Thanks a lot
Atomique

Hey,
So I used this post to help me figure it out:

But here are my settings. Hope it helps you. (If you do not want Authentik to override seafile user’s Profile Name, then # the line in “OAUTH_ATTRIBUTE_MAP” that says "name": (False, "name"),)

Here are my settings that I added to “seahub_settings.py”

It’s also possible to use the normal mode. You can basically use the configuration from the Authelia documentation:

```
ENABLE_OAUTH = True

# If create new user when he/she logs in Seafile for the first time, default `True`.
OAUTH_CREATE_UNKNOWN_USER = True

# If active new user when he/she logs in Seafile for the first time, default `True`.
OAUTH_ACTIVATE_USER_AFTER_CREATION = True

# Usually OAuth works through SSL layer. If your server is not parametrized to allow HTTPS, some method will raise an "oauthlib.oauth2.rfc6749.errors.InsecureTransportError". Set >
OAUTH_ENABLE_INSECURE_TRANSPORT = True

# Client id/secret generated by authorization server when you register your client application.
OAUTH_CLIENT_ID = "client_id"
OAUTH_CLIENT_SECRET = "client_secret"

# Callback url when user authentication succeeded. Note, the redirect url you input when you register your client application MUST be exactly the same as this value.
OAUTH_REDIRECT_URL = 'https://seafile_drive.tld/oauth/callback/'

# The following should NOT be changed if you are using Github as OAuth provider.
OAUTH_PROVIDER_DOMAIN = 'authentik.tld'
OAUTH_AUTHORIZATION_URL = 'https://authentik.tld/application/o/authorize/'
OAUTH_TOKEN_URL = 'https://authentik.tld/application/o/token/'
OAUTH_USER_INFO_URL = 'https://authentik.tld/application/o/userinfo/'
OAUTH_SCOPE = ["openid", "profile", "email"]
OAUTH_ATTRIBUTE_MAP = {
    "email": (True, "email"),  # Please keep the 'email' option unchanged to be compatible with the login of users of version 11.0 and earlier.
    "name": (False, "name"),
    #"email": (False, "contact_email"),
    "id": (False, "not used"),  # Since 11.0 version, Seafile uses 'uid' as the external unique identifier of the user.
                                # Different OAuth systems have different attributes, which may be: 'uid' or 'username', etc.
                                # If there is no 'uid' attribute, do not configure this option and keep the 'email' option unchanged,
                                # to be compatible with the login of users of version 11.0 and earlier.
}
```
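
Added example, not part of the thread or of Seafile's code: a small linter that checks a seahub OAuth settings dict for the points on which the two configurations posted above differ (trailing slashes on the authentik endpoints, the `openid` scope) and reports when `OAUTH_ENABLE_INSECURE_TRANSPORT` is on. The function name, the finding codes and the two sample dicts (constructed from the posts) are assumptions; the thread does not establish which difference causes the `missing_token` error.

```python
from urllib.parse import urlsplit

ENDPOINTS = ("OAUTH_AUTHORIZATION_URL", "OAUTH_TOKEN_URL", "OAUTH_USER_INFO_URL")

# Constructed from the first post (the configuration that fails).
FAILING = {
    "OAUTH_ENABLE_INSECURE_TRANSPORT": True,
    "OAUTH_REDIRECT_URL": "https://seafile.domain.tld/oauth/callback/",
    "OAUTH_PROVIDER_DOMAIN": "auth.domain.tld",
    "OAUTH_AUTHORIZATION_URL": "https://auth.domain.tld/application/o/authorize",
    "OAUTH_TOKEN_URL": "https://auth.domain.tld/application/o/token",
    "OAUTH_USER_INFO_URL": "https://auth.domain.tld/application/o/userinfo",
    "OAUTH_SCOPE": ["profile", "email", "name"],
}

# Constructed from the reply (the configuration reported as working).
WORKING = {
    "OAUTH_ENABLE_INSECURE_TRANSPORT": True,
    "OAUTH_REDIRECT_URL": "https://seafile_drive.tld/oauth/callback/",
    "OAUTH_PROVIDER_DOMAIN": "authentik.tld",
    "OAUTH_AUTHORIZATION_URL": "https://authentik.tld/application/o/authorize/",
    "OAUTH_TOKEN_URL": "https://authentik.tld/application/o/token/",
    "OAUTH_USER_INFO_URL": "https://authentik.tld/application/o/userinfo/",
    "OAUTH_SCOPE": ["openid", "profile", "email"],
}

def lint_oauth_settings(cfg):
    """Return (code, setting_name) findings for a seahub OAuth settings dict."""
    findings = []
    urls = {k: urlsplit(cfg.get(k, "")) for k in ENDPOINTS + ("OAUTH_REDIRECT_URL",)}
    for key in ENDPOINTS:
        if not urls[key].path.endswith("/"):
            # The working reply's endpoint URLs all end in "/".
            findings.append(("no-trailing-slash", key))
        if urls[key].hostname != cfg.get("OAUTH_PROVIDER_DOMAIN"):
            findings.append(("host-mismatch", key))
    if "openid" not in cfg.get("OAUTH_SCOPE", []):
        # OpenID Connect requests must include the "openid" scope.
        findings.append(("no-openid-scope", "OAUTH_SCOPE"))
    for key, url in urls.items():
        if url.scheme != "https":
            findings.append(("non-https-url", key))
    if cfg.get("OAUTH_ENABLE_INSECURE_TRANSPORT"):
        # With this flag on, oauthlib no longer rejects plain-HTTP URLs,
        # so the scheme check above is the only guard left.
        findings.append(("insecure-transport-enabled", "OAUTH_ENABLE_INSECURE_TRANSPORT"))
    return findings
```
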