I'm trying to set up single sign-on with Discourse, distrust, Element Web, and Tuwunel.
When I press sign-in on Element Web, I get back the following response:
```json
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter is required when using OpenID Connect 1.0."}
```

I wasn't sure what this meant, so I tried to find similar issues online. I found authelia/authelia#5074 which mentions:
> As this issue is about accepting the `redirect_uri` parameter, and we do accept it, we just do not accept when that value does not match (using standard string comparison) any of the registered redirect uri values as per the spec; I'm marking this as invalid. In fact the error you're receiving is a clear indication we're supporting the `redirect_uri` value here.
My request:

```
GET https://forum.tsuki.games/oauth2/auth?client_id=matrix&state=<state>&scope=openid+email+profile&response_type=code&access_type=online&code_challenge_method=S256&code_challenge=<challenge>
```
The distrust config:

```yaml
# elided
clients:
  matrix:
    secret: '<secret>'
    redirectURIs:
      - 'https://matrix.tsuki.games/_matrix/client/unstable/login/sso/callback/matrix'
# elided
```

The tuwunel config:

```toml
[[global.identity_provider]]
brand = "Discourse"
client_id = "matrix"
client_secret = "<secret>"
issuer_url = "https://forum.tsuki.games/oauth2"
base_path = "oauth2"
```

It appears that I never specified the `callback_url`, because I assumed that tuwunel would generate it automatically. Setting it...

```diff
[[global.identity_provider]]
brand = "Discourse"
client_id = "matrix"
client_secret = "<secret>"
issuer_url = "https://forum.tsuki.games/oauth2"
+callback_url = "https://matrix.tsuki.games/_matrix/client/unstable/login/sso/callback/matrix"
base_path = "oauth2"
```

Now, SSO in Element Web works!
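As an added example (not code from this post, distrust, Authelia or Tuwunel), here is the check the quoted Authelia comment describes, written as a small Python validator: `redirect_uri` becomes mandatory once the scope contains `openid`, and its value must equal a registered URI by exact string comparison. The registered URI is the one from the distrust config above; the validator function and the sample request URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Registered redirect URIs per client, copied from the post's distrust config.
REGISTERED_REDIRECT_URIS = {
    "matrix": ["https://matrix.tsuki.games/_matrix/client/unstable/login/sso/callback/matrix"],
}

OIDC_MISSING_REDIRECT = ("The 'redirect_uri' parameter is required "
                         "when using OpenID Connect 1.0.")


def validate_authorization_request(url, registered=REGISTERED_REDIRECT_URIS):
    """Hypothetical validator: return None if the authorization request is
    acceptable, otherwise an OAuth 2.0 style error dict."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    # A parameter sent more than once is malformed (RFC 6749 section 3.1).
    repeated = [name for name, values in params.items() if len(values) > 1]
    if repeated:
        return {"error": "invalid_request",
                "error_description": f"parameter '{repeated[0]}' included more than once"}

    client_id = params.get("client_id", [None])[0]
    if client_id not in registered:
        return {"error": "invalid_request", "error_description": "unknown client_id"}

    scopes = params.get("scope", [""])[0].split()   # "+" already decoded to spaces
    redirect_uri = params.get("redirect_uri", [None])[0]

    if redirect_uri is None:
        # OpenID Connect makes redirect_uri mandatory; plain OAuth 2.0 only
        # tolerates its absence when exactly one URI is registered.
        if "openid" in scopes or len(registered[client_id]) != 1:
            return {"error": "invalid_request", "error_description": OIDC_MISSING_REDIRECT}
        return None

    # Exact string comparison: no prefix, wildcard or normalisation matching.
    if redirect_uri not in registered[client_id]:
        return {"error": "invalid_request",
                "error_description": "redirect_uri does not match a registered value"}
    return None


# Constructed requests: the post's failing one (no redirect_uri) and a fixed one.
BROKEN_REQUEST = ("https://forum.tsuki.games/oauth2/auth?client_id=matrix&state=abc"
                  "&scope=openid+email+profile&response_type=code")
FIXED_REQUEST = (BROKEN_REQUEST + "&redirect_uri=https%3A%2F%2Fmatrix.tsuki.games"
                 "%2F_matrix%2Fclient%2Funstable%2Flogin%2Fsso%2Fcallback%2Fmatrix")

if __name__ == "__main__":
    print(validate_authorization_request(BROKEN_REQUEST))   # invalid_request, as in the post
    print(validate_authorization_request(FIXED_REQUEST))    # None
```

A trailing slash, a different host or a different path on the callback is rejected just like a missing value, which is why the Tuwunel `callback_url` has to match the distrust `redirectURIs` entry character for character.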