
[MANUAL] Integration Redmine with Authelia #79

Open
arbdevml opened this issue Apr 21, 2023 · 9 comments

Comments

@arbdevml

Hello. I added a pull request for the integration with Authelia.

https://www.authelia.com/
Authelia is an open-source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing multi-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for common reverse proxies.

Authelia configuration.yml
Add to the "clients" section:

      - id: redmine
        description: Redmine
        secret: '$plaintext$redmine_client_secret'
        public: false
        authorization_policy: one_factor
        redirect_uris:
           - https://redmine.example.com/oic/local_login
        scopes:
           - openid
           - profile
           - groups
           - email
        userinfo_signing_algorithm: none

Redmine plugin openID Connect configuration:
Client ID: redmine
OpenID Connect server url: https://authelia.example.com
Client Secret: redmine_client_secret
OpenID Connect scopes (comma-separated): openid,profile,groups,email

Admins group (members of this group are treated as admin): admins

Disable Ssl Validation: yes
Login Selector: yes
Create user if not exists: yes

@ezhiryakov

Hello.
Thanks for this manual.
But I have a question.

When I add this parameter:
Admins group (members of this group are treated as admin): admins

I get this error:

[2023-06-15T18:22:27.752803 #14725] FATAL -- : [957e3e50-7269-4a05-81bb-c117dc09b691]   
[957e3e50-7269-4a05-81bb-c117dc09b691] JSON::ParserError (783: unexpected token at 'P�Ӄj��9)�+�x�������k��'):

In Authelia's users database the user has two groups:

    groups:
      - admins
      - dev

What may be wrong?

@ezhiryakov

I found the place with the problem:

    if (access_token? && access_token.exclude?('authelia')) # keycloak way...
      @user = JSON::parse(Base64::decode64(access_token.split('.')[1]))
    else
      @user = JSON::parse(Base64::decode64(id_token.split('.')[1]))
    end

The parser works in the keycloak way instead of the authelia way.
How can I switch to the authelia way?

Temporarily I changed access_token.split to id_token.split,
but it is the wrong way.

@sskokorin

sskokorin commented Jun 24, 2023

The plugin does not work if I fill in the fields "Authorized group" or "Admins group". I get error 500. If I leave them empty, then everything works as it should. What are the requirements for filling in these fields?
For authorization, LDAP based on FreeIPA is used.

@sskokorin

Hello. Thanks for this manual. But I have a question.

When I add this parameter: Admins group (members of this group are treated as admin): admins

I get this error:

[2023-06-15T18:22:27.752803 #14725] FATAL -- : [957e3e50-7269-4a05-81bb-c117dc09b691]   
[957e3e50-7269-4a05-81bb-c117dc09b691] JSON::ParserError (783: unexpected token at 'P�Ӄj��9)�+�x�������k��'):

In Authelia's users database the user has two groups:

    groups:
      - admins
      - dev

What may be wrong?

Hi! Were you able to resolve this issue?

@ezhiryakov

ezhiryakov commented Jul 2, 2023

Hi! Were you able to resolve this issue?

Hi! Yes, I wrote about the solution in this post: #79 (comment)

You need two things:

  1. Get the file from PR Added integration with OpenID Connect Authelia #78 and replace it in the plugin dir
  2. Change the if statement in the file app/models/oic_session.rb

From this:

    if (access_token? && access_token.exclude?('authelia')) # keycloak way...
      @user = JSON::parse(Base64::decode64(access_token.split('.')[1]))
    else
      @user = JSON::parse(Base64::decode64(id_token.split('.')[1]))
    end

To this:

    if (access_token? && access_token.exclude?('authelia')) # keycloak way...
      @user = JSON::parse(Base64::decode64(id_token.split('.')[1]))
    end

@arbdevml
Author

arbdevml commented Jul 4, 2023

Hello.
@ezhiryakov
In file app/models/oic_session.rb, did you update from this:

  def user
    if (access_token? && access_token.exclude?('authelia')) # keycloak way...
      @user = JSON::parse(Base64::decode64(access_token.split('.')[1]))
    else
      @user = JSON::parse(Base64::decode64(id_token.split('.')[1]))
    end
    return @user
  end

To this:

  def user
    if (access_token? && access_token.exclude?('authelia')) # keycloak way...
      @user = JSON::parse(Base64::decode64(id_token.split('.')[1]))
    end
    return @user
  end

Would you like to explain, please?

@ezhiryakov

@arbdevml
Yes, I did.

So as I understand, I removed Keycloak support.
But I don't need Keycloak, I just wanted to make the integration with Authelia work.
And now it works fine.

@arbdevml
Author

arbdevml commented Jul 4, 2023

So as I understand, I removed Keycloak support. But I don't need Keycloak, I just wanted to make the integration with Authelia work. And now it works fine.

It is wrong; this plugin has to support as many OpenID providers as possible.

Can you provide the data of your access_token?
Let's try to investigate and permanently fix it.
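A defensive version of the token decision in app/models/oic_session.rb, added here as an example; it is not code from the plugin or from any commenter and uses only Ruby's stdlib, with the token values constructed for illustration. It keys on whether the access token is structurally a JWT instead of searching the string for 'authelia', so an opaque Authelia access token falls through to the id_token rather than raising JSON::ParserError; like the original it does not verify signatures, which must be covered by the plugin's exchange with the provider's token endpoint.

```ruby
require 'json'
require 'base64'

# Decode the claims segment of a JWT without verifying the signature.
# Returns nil when +token+ is not three dot-separated base64url segments
# carrying a JSON object (e.g. an opaque Authelia access token) instead of
# raising. Base64.urlsafe_decode64 is used because JWT segments are base64url;
# the plugin's Base64.decode64 silently mangles '-' and '_' characters.
def jwt_payload(token)
  return nil if token.nil? || token.empty?
  parts = token.split('.')
  return nil unless parts.length == 3
  claims = JSON.parse(Base64.urlsafe_decode64(parts[1]))
  claims.is_a?(Hash) ? claims : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# Same decision OicSession#user makes, keyed on token shape rather than on the
# string 'authelia': a JWT access token (Keycloak) is read directly, anything
# else falls back to the id_token, and neither path can raise a ParserError.
# Claims read this way are only trustworthy for tokens the plugin obtained
# itself from the token endpoint, never for a bearer token presented by a client.
def resolve_user(access_token, id_token)
  jwt_payload(access_token) || jwt_payload(id_token) ||
    raise(ArgumentError, 'neither access_token nor id_token carries claims')
end

# Mirrors the plugin's "Admins group" setting applied to the decoded claims.
def admin?(claims, admins_group)
  Array(claims['groups']).include?(admins_group)
end

# Constructed test tokens (no real provider; the signature segment is a dummy).
def build_unsigned_jwt(payload)
  head = Base64.urlsafe_encode64({ alg: 'none', typ: 'JWT' }.to_json, padding: false)
  body = Base64.urlsafe_encode64(payload.to_json, padding: false)
  "#{head}.#{body}.dummysig"
end

KEYCLOAK_ACCESS = build_unsigned_jwt('preferred_username' => 'alice', 'groups' => ['admins'])
AUTHELIA_ACCESS = 'authelia_at_opaque.noJSONhere' # constructed opaque access token
AUTHELIA_ID     = build_unsigned_jwt('preferred_username' => 'bob', 'groups' => %w[admins dev])

if __FILE__ == $PROGRAM_NAME
  puts resolve_user(KEYCLOAK_ACCESS, nil)['preferred_username']          # alice
  puts resolve_user(AUTHELIA_ACCESS, AUTHELIA_ID)['preferred_username']  # bob
end
```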

@sskokorin

Hi! Were you able to resolve this issue?

Hi! Yes, I wrote about the solution in this post: #79 (comment)

You need two things:

  1. Get the file from PR Added integration with OpenID Connect Authelia #78 and replace it in the plugin dir
  2. Change the if statement in the file app/models/oic_session.rb

From this:

    if (access_token? && access_token.exclude?('authelia')) # keycloak way...
      @user = JSON::parse(Base64::decode64(access_token.split('.')[1]))
    else
      @user = JSON::parse(Base64::decode64(id_token.split('.')[1]))
    end

To this:

    if (access_token? && access_token.exclude?('authelia')) # keycloak way...
      @user = JSON::parse(Base64::decode64(id_token.split('.')[1]))
    end

So, this works perfectly if Authelia uses a JSON file to identify users. But if LDAP is used, then it stops working and Redmine gives a 500 error. Have you encountered a similar problem?
