Configure SSO on Synology

What is your URL for DSM, and do you have SSO application alias?
Post screenshots or a description of your settings, unfortunately I have not yet developed telepathy skills… :smile:

The URL for my DSM is https://[my_server].dscloud.me:5001
All the other settings I’ve been trying to use are pretty much as per the posts above - for reference, my server and Grist are internally accessible only (I have a local DNS record pointing the host and domain name to the internal IP of my server).

Settings for Grist

GRIST_OIDC_IDP_ISSUER: https://[my_server].dscloud.me:5001/webman/sso/.well-known/openid-configuration
GRIST_OIDC_IDP_CLIENT_ID: [my_client_id]
GRIST_OIDC_IDP_CLIENT_SECRET: [my_client_secret]
GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT: true
GRIST_OIDC_SP_HOST: http://[server_ip]:8484
GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED: true
APP_HOME_URL: http://[server_ip]:8484

Synology SSO app settings for Grist:

Redirect URL: http://[server_ip]:8484/oauth2/callback
Application ID: [my_client_id]
Application secret: [my_client_secret]

When I go to the app home URL, I get referred to the Synology sign in page, but once I’ve authenticated (and the Synology logs confirm successful login) I just get a page that said “OIDC callback failed”

  • The server URL cannot be an IP address. This must be a domain name that can be accessed over HTTPS and that has a valid TLS certificate.
  • Server URL does not support Synology QuickConnect.
  • If you make any changes to the server URL, please update the IdP information in the applications.

See Server URL

And I think the main problem is
GRIST_OIDC_SP_HOST and APP_HOME_URL is not HTTPS

That all makes sense - I don’t use Synology QuickConnect, so I’ll make the suggested changes to the URL.

Thanks for your help.

Unfortunately that’s not worked. Steps I’ve now taken:

  • I’ve added a reverse proxy via my Synology DSM to handle SSL which is configured with a valid certificate - so there’s now an entry pointing httpx://grist.[my_server].dscloud.me to the local server IP and Grist port (8484)
    • FYI the URL is actually https, but I’ve had to put httpx in this post to stop it converting to a link which apparently I can’t post yet :laughing:
  • The Synology SSO redirect URL is now httpx://grist.[my_server].dscloud.me/oauth2/callback
  • I’ve updated the GRIST_OIDC_SP_HOST and APP_HOME_URL variables to that same reverse proxy address (httpx://grist.[my_server].dscloud.me)
  • Deleted all related browser cookies

I can get to the application OK using the reverse proxy https address. When I click the login button I go as expected to the Synology login page, but then after logging in I get the same “OIDC callback failed” error.

I’ve checked the Synology SSO logs and the authentication is working, but the logs for the Grist container are showing at least one error:

at async OIDCConfig.handleCallback (/grist/_build/app/server/lib/OIDCConfig.js:131:30)
at async Client.callback (/grist/node_modules/openid-client/lib/client.js:493:24)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at Client.grant (/grist/node_modules/openid-client/lib/client.js:1354:22)
at processResponse (/grist/node_modules/openid-client/lib/helpers/process_response.js:38:13)
2024-07-12 07:52:17.332 - [31merror[39m: OIDC callback failed: OPError: server_error
2024-07-12 07:52:14.016 - [34mdebug[39m: Auth[GET]: [grist.mydomain] /orgs/0/workspaces customHostSession=, method=GET, host=[grist.mydomain], path=/orgs/0/workspaces, org=docs, email=anon@getgrist.com, userId=1, altSessionId=[session_id]
2024-07-12 07:52:13.975 - [34mdebug[39m: Auth[GET]: [grist.mydomain] /session/access/active customHostSession=, method=GET, host=[grist.mydomain], path=/session/access/active, org=docs, email=anon@getgrist.com, userId=1, altSessionId=[session_id]
2024-07-12 07:52:13.973 - [34mdebug[39m: Auth[GET]: [grist.mydomain] /session/access/all customHostSession=, method=GET, host=[grist.mydomain], path=/session/access/all, org=docs, email=anon@getgrist.com, userId=1, altSessionId=[session_id]
2024-07-12 07:52:13.311 - [34mdebug[39m: Auth[GET]: [grist.mydomain] / customHostSession=, method=GET, host=[grist.mydomain], path=/, org=docs, email=anon@getgrist.com, userId=1, altSessionId=[session_id]
2024-07-12 07:52:12.466 - [34mdebug[39m: Redirecting anonymous user to: https://[grist.mydomain]/o/docs/

I’m not sure I understand the references to an anonymous user, but maybe that’s just a red herring?

Quick update - I managed to find some logs on the Synology that gave a little extra info, and basically there was one small typo in the client secret :man_facepalming:

I’ve corrected that, but I’m still getting the callback failed error, but now with this in the logs:

OIDC callback failed: TypeError: id_token not present in TokenSet

I’ve got what I believe is the related variable set as follows:

GRIST_OIDC_IDP_SCOPES: “openid email”

Any ideas what I’m missing?

I make new Grist setup with OIDС
In the process of OIDС debugging i set
GRIST_OIDC_SP_HOST = https://<grist-domain>
and again get on callback OIDC callback failed.
Clear browser page cash and hard reset did not produce results.
But if go to Chrome Incognito mode everything works perfect.

Need to Clear Cookies for Specific Websites in Chrome

1 Like

David,

I’m not sure if you’re using local/LDAP/Domain users or not, but Grist does it’s user management under e-mail address. Try changing scopes to:

GRIST_OIDC_IDP_SCOPES: “email openid profile”

This way, it first checks for the associated e-mail of the user logging into Synology SSO, and checks that is matches a user Grist is expecting. Have you added users w/ e-mails to Grist? Do your users have a matching e-mail address associated to their NAS account?

Thanks for the suggestions Darin.

I thought I’d posted an update but obviously forgot :man_facepalming:

The source of the problem was having the quotation marks around the GRIST_OIDC_IDP_SCOPES variable - once I’d removed them leaving just the text openid email it all worked!

I think I stumbled across that fix in a thread in a forum for a completely different application, but glad I got it sorted and am now happily using Grist along with several other users now :grinning:

1 Like