
Issue on docs - SSO instructions do not seem to be working/fully documented #1052

Open
progecon opened this issue Mar 12, 2024 · 6 comments

@progecon

Path: /self-hosting/single-sign-on

I just followed the existing documentation and tried to implement SSO for Rallly using Cosmos Server (link to its OIDC documentation) as the OIDC provider.

I followed the instructions and added into my docker env variables:

  • OIDC_NAME
  • OIDC_DISCOVERY_URL
  • OIDC_CLIENT_ID
  • OIDC_CLIENT_SECRET

After restarting the docker container, I do see the SSO button, and pressing it opens my server's OIDC window. Pressing OpenID Login brings me back to the login screen, without being logged in.


Attached you can see the logs of the Rallly container. The error stays the same even when passing my email address scope during the SSO.

```
2024-03-12 10:15:58 Prisma schema loaded from prisma/schema.prisma
2024-03-12 10:15:58 Datasource "db": PostgreSQL database "db", schema "public" at "rallly_db:5432"
2024-03-12 10:15:58 45 migrations found in prisma/migrations
2024-03-12 10:15:58 No pending migrations to apply.
2024-03-12 10:15:58 ▲ Next.js 14.0.4
2024-03-12 10:15:58 - Local: http://localhost:3000
2024-03-12 10:15:58 - Network: http://0.0.0.0:3000
2024-03-12 10:15:58 ✓ Ready in 115ms
2024-03-12 10:16:22 [next-auth][error][adapter_error_createUser]
2024-03-12 10:16:22 https://next-auth.js.org/errors#adapter_error_createuser
2024-03-12 10:16:22 Invalid `prisma.user.create()` invocation:
2024-03-12 10:16:22 {
2024-03-12 10:16:22   data: {
2024-03-12 10:16:22     email: undefined,
2024-03-12 10:16:22     emailVerified: null,
2024-03-12 10:16:22 +   name: String
2024-03-12 10:16:22   }
2024-03-12 10:16:22 }
2024-03-12 10:16:22 Argument `name` is missing. {
2024-03-12 10:16:22   message: '\n' +
2024-03-12 10:16:22     'Invalid `prisma.user.create()` invocation:\n' +
2024-03-12 10:16:22     '\n' +
2024-03-12 10:16:22     '{\n' +
2024-03-12 10:16:22     '  data: {\n' +
2024-03-12 10:16:22     '    email: undefined,\n' +
2024-03-12 10:16:22     '    emailVerified: null,\n' +
2024-03-12 10:16:22     '+   name: String\n' +
2024-03-12 10:16:22     '  }\n' +
2024-03-12 10:16:22     '}\n' +
2024-03-12 10:16:22     '\n' +
2024-03-12 10:16:22     'Argument `name` is missing.',
2024-03-12 10:16:22   stack: 'PrismaClientValidationError: \n' +
2024-03-12 10:16:22     'Invalid `prisma.user.create()` invocation:\n' +
2024-03-12 10:16:22     '\n' +
2024-03-12 10:16:22     '{\n' +
2024-03-12 10:16:22     '  data: {\n' +
2024-03-12 10:16:22     '    email: undefined,\n' +
2024-03-12 10:16:22     '    emailVerified: null,\n' +
2024-03-12 10:16:22     '+   name: String\n' +
2024-03-12 10:16:22     '  }\n' +
2024-03-12 10:16:22     '}\n' +
2024-03-12 10:16:22     '\n' +
2024-03-12 10:16:22     'Argument `name` is missing.\n' +
2024-03-12 10:16:22     '    at yn (/app/node_modules/@prisma/client/runtime/library.js:116:5852)\n' +
2024-03-12 10:16:22     '    at wn.handleRequestError (/app/node_modules/@prisma/client/runtime/library.js:123:6429)\n' +
2024-03-12 10:16:22     '    at wn.handleAndLogRequestError (/app/node_modules/@prisma/client/runtime/library.js:123:6119)\n' +
2024-03-12 10:16:22     '    at wn.request (/app/node_modules/@prisma/client/runtime/library.js:123:5839)\n' +
2024-03-12 10:16:22     '    at async l (/app/node_modules/@prisma/client/runtime/library.js:128:9763)',
2024-03-12 10:16:22   name: 'PrismaClientValidationError'
2024-03-12 10:16:22 }
```

@lukevella
Owner

Thanks for reporting. It appears we need some additional configuration options to set the path of the name property (and likely other properties such as email, image and also scope). I'll try to address this asap.

@jirutka

jirutka commented May 29, 2024

I just configured Rallly 3.7.0 with OIDC against Keycloak and it works without any problems.

@progecon progecon closed this as completed Jul 4, 2024
@progecon
Author

progecon commented Feb 5, 2025

Unfortunately, I wrote before that this problem was resolved. In fact, I answered in the wrong thread. This problem is still unsolved. :/

@progecon progecon reopened this Feb 5, 2025
@lukevella
Owner

If the structure returned by your identity provider does not have name and email in the root then you will need to set the claim paths.

Make sure you're running the latest version and check the OIDC configuration here:

https://support.rallly.co/self-hosting/single-sign-on

@progecon
Author

progecon commented Feb 6, 2025

Thank you. I do not know how I can find out the structure that is returned by my identity provider (Cosmos Cloud). The documentation regarding OIDC is limited. Could you explain this to me, and also how to adapt the claim paths following your example? This is missing in Rallly's documentation.

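The claim-path mechanism lukevella describes, as an added example that is not Rallly's code and not part of this thread: it resolves dotted claim paths (the style of the OIDC_NAME_CLAIM_PATH / OIDC_EMAIL_CLAIM_PATH settings) against a constructed sample of provider claims and reports which fields would come back undefined, which is the condition behind the `Argument \`name\` is missing` error in the log above. The `getClaim` and `buildProfile` names and the sample claims are assumptions for illustration.

```javascript
// Added example (not Rallly's own code): resolve claim paths against the
// claims an identity provider returns and report which required fields
// would be undefined before any user record is created.
// The claim objects below are constructed samples, not real provider output.

// Walk a dot-separated path ("profile.name") through a claims object.
// Returns undefined when any segment is absent, instead of throwing.
function getClaim(claims, path) {
  return path.split(".").reduce(
    (node, key) => (node !== null && typeof node === "object" ? node[key] : undefined),
    claims,
  );
}

// Map the configured claim paths (defaults: "name" and "email" at the root)
// to the profile fields the application needs. Returns { profile, missing }
// so the caller can refuse to insert a user with undefined fields.
function buildProfile(claims, config) {
  const paths = {
    name: config.nameClaimPath || "name",
    email: config.emailClaimPath || "email",
  };
  const profile = {};
  const missing = [];
  for (const [field, path] of Object.entries(paths)) {
    const value = getClaim(claims, path);
    if (typeof value === "string" && value.length > 0) {
      profile[field] = value;
    } else {
      missing.push(`${field} (claim path "${path}")`);
    }
  }
  return { profile, missing };
}

// Constructed sample: a provider that nests name/email under "profile" and
// exposes only preferred_username at the root.
const sampleClaims = {
  sub: "1234",
  preferred_username: "alice",
  profile: { name: "Alice Example", email: "alice@example.test" },
};

// Default root paths fail, which is what produces email: undefined and a
// missing name; explicit nested paths succeed.
const withDefaults = buildProfile(sampleClaims, {});
const withPaths = buildProfile(sampleClaims, {
  nameClaimPath: "profile.name",
  emailClaimPath: "profile.email",
});
console.log(withDefaults.missing, withPaths.profile);
```

Run it against the claims your provider actually returns (the userinfo response or decoded ID token payload) to see which paths need to be configured.
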
@inside-mo

inside-mo commented Feb 15, 2025

Having the same issue. Set the following variables in Entra (using Office365):

OIDC_CLIENT_ID: Application ID (Client), taken from Entra
OIDC_CLIENT_SECRET: Again, taken from Entra
OIDC_NAME_CLAIM_PATH: preferred_username
OIDC_EMAIL_CLAIM_PATH: email
OIDC_DISCOVERY_URL: https://login.microsoftonline.com/<tenant_id>/.well-known/openid-configuration
OIDC_NAME: OpenID Connect

I checked and re-checked every single value. The discovery URL gets me a JSON, so that seems to work. I set the right scopes in Entra (email, profile, name). I even recreated the client secret, just to be sure I didn't have a copy-paste error there. The client ID is most definitely correct.

Still: I am not seeing an SSO button and have no clue why. I can only imagine that I need to configure some additional settings in Office365 that are not documented and I am thus not aware of. I tried using Perplexity to figure it out and adjusted things like the token configuration ("name" is not listed in there, thus "preferred_username"), but nothing I did worked so far.

BTW: I am using Coolify to host Rallly.
