Authentik Doesn't Provide a Sign-Up Page?

I spent the entire afternoon setting up Authentik with Grist. For now it’s at least working. But I still find it a bit weird that your Authentik account and Grist account are the same thing. You log in as A into Authentik and you can log in as A into Grist. You must log out of Authentik to switch accounts. IDK if it’s by design or something is wrong with my setup.

One thing is for sure broken though. I cannot sign up or add a new user. When I click the ‘sign up’ button I just get redirected to the sign-in page, as if I already had an account. I had to manually add an account via Authentik, and then log into Grist. Is this the way it should be?

Also there’s no add site option since I implemented Authentik.

Sorry for the deluge of questions, but SSO for Grist really is barely documented.

Can someone help please :sob:

We have what we have.
Authentik and Grist credentials are matched by Email.
You need to create an Authentik account separately.
To log out you need to log out in Authentik.
Have you tried container omnibus?

Yes I have tried omnibus. The problem is I can’t get it to run.

Here’s my docker run command:

docker run \
  -p 808:80 -p 4438:443 \
  -e URL=https://10.191.133.250:4438 \
  -e HTTPS=auto \
  -e TEAM=cool-beans \
  -e EMAIL=owner@example.com \
  -e PASSWORD=topsecret \
  -v /tmp/grist-test:/persist \
  --name grist --rm \
  -it gristlabs/grist-omnibus

And I’m seeing these errors immediately on running:

2023/08/17 01:29:39 Starting up on port 17102
INFO[0000] Configuration loaded from flags.
No /custom/dex.yaml
Checking dex... at https://10.191.133.250:4438/dex/.well-known/openid-configuration
  not ready: FetchError: request to https://10.191.133.250:4438/dex/.well-known/openid-configuration failed, reason: Client network socket disconnected before secure TLS connection was established
time="2023-08-17T01:29:39Z" level=info msg="Dex Version: v2.33.1-dirty, Go Version: go1.18.4, Go OS/ARCH: linux amd64"
time="2023-08-17T01:29:39Z" level=info msg="config using log level: debug"
time="2023-08-17T01:29:39Z" level=info msg="config issuer: https://10.191.133.250:4438/dex"
time="2023-08-17T01:29:39Z" level=info msg="config storage: sqlite3"
time="2023-08-17T01:29:39Z" level=info msg="config static client: Grist"
time="2023-08-17T01:29:39Z" level=info msg="config connector: google"
time="2023-08-17T01:29:39Z" level=info msg="config connector: microsoft"
time="2023-08-17T01:29:39Z" level=info msg="config connector: local passwords enabled"
time="2023-08-17T01:29:39Z" level=info msg="config skipping approval screen"
time="2023-08-17T01:29:39Z" level=info msg="config refresh tokens rotation enabled: true"
Checking dex... at https://10.191.133.250:4438/dex/.well-known/openid-configuration
  not ready: FetchError: request to https://10.191.133.250:4438/dex/.well-known/openid-configuration failed, reason: Client network socket disconnected before secure TLS connection was established
time="2023-08-17T01:29:39Z" level=info msg="listening (http) on 0.0.0.0:9999"
Checking dex... at https://10.191.133.250:4438/dex/.well-known/openid-configuration
  got: 404
Checking dex... at https://10.191.133.250:4438/dex/.well-known/openid-configuration
  got: 404
Checking dex... at https://10.191.133.250:4438/dex/.well-known/openid-configuration
  got: 200
Happy with dex
Starting traefik-forward-auth
time="2023-08-17T01:29:39Z" level=fatal msg="Get https://10.191.133.250:4438/dex/.well-known/openid-configuration: x509: cannot validate certificate for 10.191.133.250 because it doesn't contain any IP SANs"
Welcome to Grist.
In quiet mode, see http://localhost:17100 to use.
For full logs, re-run with DEBUG=1
I think everything has started up now
Listening internally on 80/443, externally at https://10.191.133.250:4438
ERRO[2023-08-17T01:29:40Z] Unable to obtain ACME certificate for domains "10.191.133.250": unable to generate a certificate for the domains [10.191.133.250]: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "10.191.133.250": The ACME server can not issue a certificate for an IP address  routerName=https-route-grist-auth@file providerName=letsencrypt.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" rule="Host(`10.191.133.250`) && PathPrefix(`/_oauth`)"

Then when I tried to open https://10.191.133.250:4438/, I got redirected to https://10.191.133.250:4438/auth/login?next=%2F, but got an HTTP ERR 500. Logs were as follows:

2023-08-17 01:30:17.414 - debug: Auth[GET]: 10.191.133.250:4438 / customHostSession=, method=GET, host=10.191.133.250:4438, path=/, org=cool-beans, email=anon@getgrist.com, userId=1, altSessionId=q9DR1AifQuyLuxcC5KFE6G
2023-08-17 01:30:17.415 - debug: Authorizer: redirecting to sign up

Also tried using docker compose to run it, but the results were even worse. Dex won’t even connect to the exposed HTTPS port.

To use HTTPS, you need an actual publicly accessible hostname. If you remove -e HTTPS=auto, to run with plain HTTP (if it’s on an internal network only), then it should work with just an IP address.

However, grist-omnibus does not actually allow sign-ups. It uses Dex, which makes it easy to integrate with other identity providers (like Google or Microsoft), but doesn’t provide user registration (it used to, but that got removed). So if you want to use it without connecting to any external service, it’ll work only for users you hard-code using EMAIL, PASSWORD, EMAIL2, PASSWORD2, etc. environment variables.

I tried removing -e HTTPS=auto and got this error:

Error: HTTPS environment variable must be set to: auto, external, or manual.
    at prepareCertificateSettings (/grist/run.js:329:13)
    at main (/grist/run.js:20:3)
    at Object.<anonymous> (/grist/run.js:45:1)
    at Module._compile (internal/modules/cjs/loader.js:1114:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1143:10)
    at Module.load (internal/modules/cjs/loader.js:979:32)
    at Function.Module._load (internal/modules/cjs/loader.js:819:12)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:75:12)
    at internal/main/run_main_module.js:17:47

Also change URL=https://10.191.133.250:4438 to URL=http://10.191.133.250:808 (i.e. https -> http, and use the non-HTTPS port).
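As an added example (not code from this thread or from the Grist project), here is a small POSIX sh pre-flight check that encodes the constraints the replies above describe: an https:// URL needs HTTPS set to auto, external or manual; HTTPS=auto cannot work on a bare IP because Let's Encrypt will not issue a certificate for one; and an http:// URL is the internal-network path that runs with HTTPS unset. The hostname grist.example.com is constructed, and treating a leftover HTTPS value on an http:// URL as an error is an assumption drawn from the advice, not a documented check.

```shell
# Pre-flight check for grist-omnibus URL/HTTPS settings. The rules are taken
# from this thread (maintainer replies and the quoted error messages), not
# from the project's own run.js:
#   1. an https:// URL requires HTTPS=auto, external or manual;
#   2. HTTPS=auto asks Let's Encrypt for a certificate, and ACME refuses to
#      issue for a bare IP address, so the URL host must be a DNS name;
#   3. an http:// URL (internal network only) runs with HTTPS unset
#      (assumption: a leftover HTTPS value is reported as inconsistent).

# is_ip HOST: 0 if HOST is an IPv4 or IPv6 literal, 1 if it is a DNS name.
is_ip() {
  case "$1" in
    *:*) return 0 ;;           # colon: IPv6 literal
    *[!0-9.]*) return 1 ;;     # letters or hyphens: a DNS name
    *) return 0 ;;             # only digits and dots: IPv4 literal
  esac
}

# check_omnibus_env URL HTTPS: 0 when consistent, 1 with a reason otherwise.
check_omnibus_env() {
  url="$1"; https="$2"
  case "$url" in
    https://*) scheme=https ;;
    http://*)  scheme=http ;;
    *) echo "URL must start with http:// or https://"; return 1 ;;
  esac
  host="${url#*://}"; host="${host%%/*}"    # drop scheme and path
  case "$host" in
    '['*']'*) host="${host#?}"; host="${host%%]*}" ;;   # [ipv6]:port
    *) host="${host%%:*}" ;;                            # name-or-ipv4:port
  esac
  if [ "$scheme" = https ]; then
    case "$https" in
      auto|external|manual) ;;
      *) echo "HTTPS environment variable must be set to: auto, external, or manual"
         return 1 ;;
    esac
    if [ "$https" = auto ] && is_ip "$host"; then
      echo "HTTPS=auto needs a public hostname; ACME cannot issue for IP $host"
      return 1
    fi
  elif [ -n "$https" ]; then
    echo "URL is plain http but HTTPS=$https is set; unset HTTPS or use https://"
    return 1
  fi
  echo "ok: $scheme for host $host"
}

# The failing combination from the thread, then the suggested fix.
check_omnibus_env "https://10.191.133.250:4438" auto
check_omnibus_env "http://10.191.133.250:808" ""
```

Run it before `docker run` with the same URL and HTTPS values you intend to pass; a non-zero exit and the printed reason tell you which of the three rules the combination breaks.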