SSO (OAuth) with Zitadel gives "code_challenge required" error

Hey, we use Zitadel for SSO and it works fine with our Matrix Synapse server already.
I created an additional application in Zitadel and made the settings in the seahub config file.
I keep getting the error:

[ERROR] seahub.oauth.views:154 oauth_callback (invalid_request) code_challenge required

Here is the OAuth part of my seahub_settings.py file:

ENABLE_OAUTH = True
OAUTH_CREATE_UNKNOWN_USER = True
OAUTH_ACTIVATE_USER_AFTER_CREATION = True
OAUTH_ENABLE_INSECURE_TRANSPORT = False

OAUTH_CLIENT_ID = "111111111111111111@project"  # those are the ids from the zitadel app configuration
OAUTH_CLIENT_SECRET = "111111111111111111@project"

OAUTH_REDIRECT_URL = 'https://seafile.domain.tld/oauth/callback/'

OAUTH_PROVIDER_DOMAIN   = 'seafile.domain.tld'
OAUTH_PROVIDER          = 'seafile.domain.tld'

OAUTH_AUTHORIZATION_URL = 'https://sso1.domain.tld/oauth/v2/authorize'
OAUTH_TOKEN_URL         = 'https://sso1.domain.tld/oauth/v2/token'
OAUTH_USER_INFO_URL     = 'https://sso1.domain.tld/oidc/v1/userinfo'
OAUTH_SCOPE = ["openid", "profile", "email"]
OAUTH_ATTRIBUTE_MAP = {
    "id": (False, "not used"),
    "uid": (True, "uid"),
    "name": (False, "full name"),
    "email": (True, "email"),
}
DEBUG = True

I migrated to 11.0.9 and switched from SQLite to MariaDB. This was a pain since the database migration script seems very outdated and I had to put all the create tables in the right order… so I'm not 100% sure if this might be a database issue.

I'm also a bit puzzled about this part of the documentation:

manual.seafile.com/deploy/auth_switch/

Do I have to follow those steps?
I remember in my very first try there was a table missing (if I remember correctly it was social_auth_usersocialauth), however it was created automatically and the second attempt led me to the now occurring error.

I tried all variants in the Zitadel backend, all leading to the error above or this one:
[ERROR] seahub.oauth.views:154 oauth_callback (invalid_client) invalid secret

How can I proceed?


I got a huge step further.

I had to configure the App type in Zitadel as “Post” and not “PKCE”, with Application Type “Web”, response types: “Code”, Auth Method: “Post” and Grant types: “Authorization Code”.

The corresponding seahub config is now:

ENABLE_OAUTH = True
OAUTH_CREATE_UNKNOWN_USER = True
OAUTH_ACTIVATE_USER_AFTER_CREATION = True
OAUTH_ENABLE_INSECURE_TRANSPORT = False
OAUTH_CLIENT_ID         = "111111111111111111@project"
OAUTH_CLIENT_SECRET     = "The Secret came from the Action button in Zitadel -> regenerate"
OAUTH_REDIRECT_URL      = 'https://seafile.domain.tld/oauth/callback/'
OAUTH_PROVIDER_DOMAIN   = 'seafile.domain.tld'
OAUTH_PROVIDER          = 'seafile.domain.tld'
OAUTH_AUTHORIZATION_URL = 'https://sso1.domain.tld/oauth/v2/authorize'
OAUTH_TOKEN_URL         = 'https://sso1.domain.tld/oauth/v2/token'
OAUTH_USER_INFO_URL     = 'https://sso1.domain.tld/oidc/v1/userinfo'
OAUTH_SCOPE             = ["openid", "profile", "email"]
OAUTH_ATTRIBUTE_MAP = {
    "sub": (True, "uid"),
    "name": (True, "name"),
    "email": (True, "contact_email")
}

When I log in, I get a new user. My user with the corresponding mail address already existed and all its libraries were trashed. This is a bit strange. Also, the newly created user does not have the correct mail address but an id@auth.local address. I could add the correct mail addresses manually after everybody logged in first, but that's also not possible via the system settings panel.

Can't I log into the existing users with the mail address as identifier? It's not clear to me.

Edit: Contact mail can be set via contact_email. Had to read the source code for this, it seems it's nowhere in the documentation. Still wondering about SSO to already existing users.
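To make the two Zitadel application settings from this thread concrete, here is an added, constructed model of an authorization server that enforces either "PKCE" (a code_challenge is mandatory at /authorize) or "Post" (the client_secret is checked in the token request), plus a client that, like Seahub's OAuth client, sends no PKCE values. This is example code and not Zitadel's or Seahub's own implementation; the client id and secrets are placeholders.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed model (not Zitadel's or Seahub's code) of the two app settings from
# this thread: "PKCE" requires a code_challenge at /authorize, "Post" requires
# the client_secret in the token request. It reproduces both logged errors.

def s256(verifier):  # RFC 7636 S256: BASE64URL(SHA256(verifier)) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthServer:
    def __init__(self, client_id, auth_method, client_secret=None):
        self.client_id = client_id
        self.auth_method = auth_method      # "PKCE" or "Post"
        self.client_secret = client_secret
        self.pending = {}                   # issued code -> code_challenge or None

    def authorize(self, client_id, code_challenge=None):
        if client_id != self.client_id:
            return ("invalid_client", "unknown client")
        if self.auth_method == "PKCE" and not code_challenge:
            return ("invalid_request", "code_challenge required")
        code = secrets.token_urlsafe(16)
        self.pending[code] = code_challenge
        return ("code", code)

    def token(self, client_id, code, client_secret=None, code_verifier=None):
        if client_id != self.client_id or code not in self.pending:
            return ("invalid_grant", "unknown code")
        challenge = self.pending.pop(code)  # authorization codes are single use
        if self.auth_method == "Post":
            if not (client_secret and hmac.compare_digest(client_secret, self.client_secret or "")):
                return ("invalid_client", "invalid secret")
        elif not (code_verifier and hmac.compare_digest(s256(code_verifier), challenge)):
            return ("invalid_grant", "code_verifier mismatch")
        return ("access_token", secrets.token_urlsafe(24))

def run_flow(server, client_id, client_secret=None, use_pkce=False):
    # Client side of the code flow. Seahub's OAuth client sends no PKCE values,
    # so against a "PKCE" app it fails at the first step, exactly as in the log.
    verifier = secrets.token_urlsafe(64) if use_pkce else None
    challenge = s256(verifier) if verifier else None
    status, value = server.authorize(client_id, code_challenge=challenge)
    if status != "code":
        return (status, value)
    return server.token(client_id, value, client_secret=client_secret, code_verifier=verifier)
```

Running `run_flow` against a "PKCE" server without `use_pkce` returns the "code_challenge required" error, while a "Post" server with a wrong secret returns "invalid secret"; only the matching combination yields a token.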

I started over with a freshly restored backup :wink: - moved all my libraries to a temporary account for testing to be safe this time.
I already migrated all our users' libraries to new users (since the mail domain has also changed in the past), so all users are V11-style users with an @auth.local address and a contact email already.
If I log in now via SSO with my user, I get a fresh one.
The bummer is now:
I can't log in anymore with this account since the SSO account creation doesn't check if an account with this mail address already exists. I think this is a bug and created an issue on GitHub: Multiple accounts with the same mail via SSO prevent login (MultipleObjectsReturned at /accounts/login/) · Issue #2788 · haiwen/seafile · GitHub