Configure SSO on Synology

What is your URL for DSM, and do you have SSO application alias?
Post screenshots or a description of your settings, unfortunately I have not yet developed telepathy skills… :smile:

The URL for my DSM is https://[my_server]
All the other settings I’ve been trying to use are pretty much as per the posts above - for reference, my server and Grist are internally accessible only (I have a local DNS record pointing the host and domain name to the internal IP of my server).

Settings for Grist

GRIST_OIDC_IDP_ISSUER: https://[my_server]
GRIST_OIDC_IDP_CLIENT_ID: [my_client_id]
GRIST_OIDC_IDP_CLIENT_SECRET: [my_client_secret]
GRIST_OIDC_SP_HOST: http://[server_ip]:8484
APP_HOME_URL: http://[server_ip]:8484

Synology SSO app settings for Grist:

Redirect URL: http://[server_ip]:8484/oauth2/callback
Application ID: [my_client_id]
Application secret: [my_client_secret]

When I go to the app home URL, I get referred to the Synology sign in page, but once I’ve authenticated (and the Synology logs confirm successful login) I just get a page that said “OIDC callback failed”

  • The server URL cannot be an IP address. This must be a domain name that can be accessed over HTTPS and that has a valid TLS certificate.
  • Server URL does not support Synology QuickConnect.
  • If you make any changes to the server URL, please update the IdP information in the applications.

See Server URL

And I think the main problem is

That all makes sense - I don’t use Synology QuickConnect, so I’ll make the suggested changes to the URL.

Thanks for your help.

Unfortunately that’s not worked. Steps I’ve now taken:

  • I’ve added a reverse proxy via my Synology DSM to handle SSL which is configured with a valid certificate - so there’s now an entry pointing httpx://grist.[my_server] to the local server IP and Grist port (8484)
    • FYI the URL is actually https, but I’ve had to put httpx in this post to stop it converting to a link which apparently I can’t post yet :laughing:
  • The Synology SSO redirect URL is now httpx://grist.[my_server]
  • I’ve updated the GRIST_OIDC_SP_HOST and APP_HOME_URL variables to that same reverse proxy address (httpx://grist.[my_server]
  • Deleted all related browser cookies

I can get to the application OK using the reverse proxy https address. When I click the login button I go as expected to the Synology login page, but then after logging in I get the same “OIDC callback failed” error.

I’ve checked the Synology SSO logs and the authentication is working, but the logs for the Grist container are showing at least one error:

at async OIDCConfig.handleCallback (/grist/_build/app/server/lib/OIDCConfig.js:131:30)
at async Client.callback (/grist/node_modules/openid-client/lib/client.js:493:24)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at Client.grant (/grist/node_modules/openid-client/lib/client.js:1354:22)
at processResponse (/grist/node_modules/openid-client/lib/helpers/process_response.js:38:13)
2024-07-12 07:52:17.332 - [31merror[39m: OIDC callback failed: OPError: server_error
2024-07-12 07:52:14.016 - [34mdebug[39m: Auth[GET]: [grist.mydomain] /orgs/0/workspaces customHostSession=, method=GET, host=[grist.mydomain], path=/orgs/0/workspaces, org=docs,, userId=1, altSessionId=[session_id]
2024-07-12 07:52:13.975 - [34mdebug[39m: Auth[GET]: [grist.mydomain] /session/access/active customHostSession=, method=GET, host=[grist.mydomain], path=/session/access/active, org=docs,, userId=1, altSessionId=[session_id]
2024-07-12 07:52:13.973 - [34mdebug[39m: Auth[GET]: [grist.mydomain] /session/access/all customHostSession=, method=GET, host=[grist.mydomain], path=/session/access/all, org=docs,, userId=1, altSessionId=[session_id]
2024-07-12 07:52:13.311 - [34mdebug[39m: Auth[GET]: [grist.mydomain] / customHostSession=, method=GET, host=[grist.mydomain], path=/, org=docs,, userId=1, altSessionId=[session_id]
2024-07-12 07:52:12.466 - [34mdebug[39m: Redirecting anonymous user to: https://[grist.mydomain]/o/docs/

I’m not sure I understand the references to an anonymous user, but maybe that’s just a red herring?

Quick update - I managed to find some logs on the Synology that gave a little extra info, and basically there was one small typo in the client secret :man_facepalming:

I’ve corrected that, but I’m still getting the callback failed error, but now with this in the logs:

OIDC callback failed: TypeError: id_token not present in TokenSet

I’ve got what I believe is the related variable set as follows:

GRIST_OIDC_IDP_SCOPES: “openid email”

Any ideas what I’m missing?