Authentik logs an “Application authorized” event that looks like it accepts the credentials but I’m not sure if it’s logging success or just an attempt.
Here is the event object:
For Grist logs, I meant its console output, which (if running directly with docker) you could see with docker logs. For example, if I sign in with Authentik, I see these messages there:
2022-03-19 15:31:40.448 localhost:8484 GET /o/docs/signin?next=http%3A%2F%2Flocalhost%3A8484%2Fo%2Fdocs%2F 302 24.802 ms - 3006
2022-03-19 15:31:46.077 - info: SamlConfig: got SAML response for paul@getgrist.com () redirecting to http://localhost:8484/o/docs/
2022-03-19 15:31:46.085 localhost:8484 POST /saml/assert 302 58.638 ms - 102
2022-03-19 15:31:46.142 - debug: Auth[GET]: id 6 email paul@getgrist.com host localhost:8484 path / org docs
2022-03-19 15:31:46.142 - debug: welcoming user: paul
I’m wondering if you see anything around the time the 400 error is reported. However, I expect there won’t be anything useful.
I noticed your GRIST_SAML_IDP_LOGIN ends in /binding/init/ rather than /binding/redirect/. Can you try it with redirect? If I replace redirect with init in a test, I can replicate the error you see.
With GRIST_SAML_IDP_LOGIN changed from /binding/init/ to /binding/redirect/
I get an identical load of the Grist welcome screen.
I click [sign in] at Grist.
Instead of getting a log showing the POST and the 400 bad request status returned, the POST isn’t even attempted according to the Grist log in the console.
Instead, a GET request is logged in the browser and an error page from Athentik URL:
ht tp://auth.mydomain.com/application/saml/grist/sso/binding/redirect/?SAMLRequest=[REQUEST_STRING]
The message is:
Bad Request. Provider does not have a Validation Certificate configured. [Go to home]
So I’ll revisit the certificate setup and try again with /binding/redirect/ and let you know the results.
Details below if you want to view them
Thank you.
// NAVIGATE TO grist.mydomain.com
// BEGIN LOAD OF GRIST WELCOME SCREEN
2022-03-19 23:08:54.737 - debug: Auth[GET]: id 1 email anon@getgrist.com host grist.mydomain.com path / org
2022-03-19 23:08:54.740 - debug: Redirecting anonymous user to: http://grist.mydomain.com/o/docs/
2022-03-19 23:08:54.797 grist.mydomain.com GET / 302 19.911 ms - 122
2022-03-19 23:08:54.814 - debug: Auth[GET]: id 1 email anon@getgrist.com host grist.mydomain.com path / org docs
2022-03-19 23:08:54.860 grist.mydomain.com GET /o/docs/ 200 8.149 ms - 3381
2022-03-19 23:08:55.150 grist.mydomain.com GET /v/unknown/jqueryui/themes/smoothness/jquery-ui.css 200 8.282 ms - 36536
2022-03-19 23:08:55.208 grist.mydomain.com GET /v/unknown/bootstrap-datepicker/dist/css/bootstrap-datepicker3.min.css 200 11.304 ms - 21100
2022-03-19 23:08:55.218 grist.mydomain.com GET /v/unknown/jqueryui/jquery-ui.min.js 200 8.276 ms - 253669
2022-03-19 23:08:55.219 grist.mydomain.com GET /v/unknown/bootstrap/dist/css/bootstrap.min.css 200 15.006 ms - 122540
2022-03-19 23:08:55.223 grist.mydomain.com GET /v/unknown/bundle.css 200 14.195 ms - 75789
2022-03-19 23:08:55.224 grist.mydomain.com GET /v/unknown/icons/icons.css 200 14.618 ms - 165797
2022-03-19 23:08:55.225 grist.mydomain.com GET /v/unknown/jquery/dist/jquery.min.js 200 16.892 ms - 85630
2022-03-19 23:08:55.231 grist.mydomain.com GET /v/unknown/hljs.default.css 200 0.898 ms - 1159
2022-03-19 23:08:55.249 grist.mydomain.com GET /v/unknown/bootstrap/dist/js/bootstrap.min.js 200 0.847 ms - 36816
2022-03-19 23:08:55.274 grist.mydomain.com GET /v/unknown/bootstrap-datepicker/dist/js/bootstrap-datepicker.min.js 200 1.188 ms - 33693
2022-03-19 23:08:55.286 grist.mydomain.com GET /v/unknown/browser-check.js 200 1.740 ms - 113780
2022-03-19 23:08:55.318 grist.mydomain.com GET /v/unknown/main.bundle.js 200 0.835 ms - 3348481
2022-03-19 23:08:55.777 grist.mydomain.com GET /v/unknown/img/gplaypattern.png 200 0.918 ms - 12047
2022-03-19 23:08:56.483 - debug: Auth[OPTIONS]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /session/access/active org docs
2022-03-19 23:08:56.491 - debug: Auth[OPTIONS]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /session/access/all org docs
2022-03-19 23:08:56.541 grist.mydomain.com:8484 OPTIONS /o/docs/api/session/access/active 200 5.454 ms - 2
2022-03-19 23:08:56.591 grist.mydomain.com:8484 OPTIONS /o/docs/api/session/access/all 200 2.532 ms - 2
2022-03-19 23:08:56.624 grist.mydomain.com GET /v/unknown/icons/favicon.png 200 1.119 ms - 15365
2022-03-19 23:08:56.716 - debug: Auth[GET]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /session/access/active org docs
2022-03-19 23:08:56.729 grist.mydomain.com:8484 GET /o/docs/api/session/access/active 200 13.976 ms - 523
2022-03-19 23:08:56.730 - debug: Auth[GET]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /session/access/all org docs
2022-03-19 23:08:56.752 grist.mydomain.com:8484 GET /o/docs/api/session/access/all 200 26.556 ms - 109
2022-03-19 23:08:57.142 - debug: Auth[OPTIONS]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /orgs/0/workspaces org docs
2022-03-19 23:08:57.146 - debug: Auth[OPTIONS]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /templates org docs
2022-03-19 23:08:57.197 grist.mydomain.com:8484 OPTIONS /o/docs/api/orgs/0/workspaces?includeSupport=1 200 3.274 ms - 2
2022-03-19 23:08:57.291 grist.mydomain.com:8484 OPTIONS /o/docs/api/templates?onlyFeatured=1 200 2.214 ms - 2
2022-03-19 23:08:57.292 - debug: Auth[GET]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /orgs/0/workspaces org docs
2022-03-19 23:08:57.342 - debug: Auth[GET]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /templates org docs
2022-03-19 23:08:57.365 grist.mydomain.com:8484 GET /o/docs/api/orgs/0/workspaces?includeSupport=1 200 204.735 ms - 2
2022-03-19 23:08:57.367 grist.mydomain.com:8484 GET /o/docs/api/templates?onlyFeatured=1 404 158.348 ms - 34
// END LOAD OF GRIST WELCOME SCREEN WITH 404 ^^^
// CLICK [SIGN-IN] ON WELCOME SCREEN MENU
// NAVIGATES TO URL
2022-03-19 23:09:41.771 grist.mydomain.com GET /o/docs/signin?next=http%3A%2F%2Fgrist.mydomain.com%2Fo%2Fdocs%2F 302 30.617 ms - 3072
// HERE IS WHERE THE RESULTS DIFFER
++ WITH GRIST_SAML_IDP_LOGIN = /binding/redirect/
++ NO FURTHER GRIST LOGS -- NO POST OR RETURN IS LOGGED
++ GET REQUEST TO URL ht tp://auth.mydomain.com/application/saml/grist/sso/binding/redirect/?SAMLRequest=[REQUEST_STRING]
++ ERROR PAGE FROM Athentik URL DISPLAYED
-- WITH GRIST_SAML_IDP_LOGIN = /binding/init/
-- Authentik SPLASH SCREEN WITH PROMT AND [continue] PROPERLY DISPLAYED
-- // CLICK [CONTINUE] ON Authentik PROMT TO POST - ** 400 BAD REQUEST ERROR HERE **
-- 2022-03-19 23:10:25.015 grist.mydomain.com POST /saml/assert 400 25.101 ms - 685
-- // REDIRECTS TO GRIST ERROR SCREEN
-- 2022-03-19 23:10:25.256 grist.mydomain.com GET /v/unknown/icons/icons.css 200 1.758 ms - 165797
-- 2022-03-19 23:10:25.297 grist.mydomain.com GET /v/unknown/errorPages.bundle.js 200 8.574 ms - 3246312
-- 2022-03-19 23:10:26.133 - debug: Auth[OPTIONS]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /session/access/active org
-- 2022-03-19 23:10:26.151 - debug: Auth[OPTIONS]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /session/access/all org
-- 2022-03-19 23:10:26.279 grist.mydomain.com:8484 OPTIONS /api/session/access/active 200 2.968 ms - 2
-- 2022-03-19 23:10:26.543 grist.mydomain.com GET /v/unknown/icons/favicon.png 200 0.858 ms - 15365
-- 2022-03-19 23:10:27.175 grist.mydomain.com:8484 OPTIONS /api/session/access/all 200 2.164 ms - 2
-- 2022-03-19 23:10:27.177 - debug: Auth[GET]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /session/access/active org
-- 2022-03-19 23:10:27.195 - debug: Auth[GET]: id 1 email anon@getgrist.com host grist.mydomain.com:8484 path /session/access/all org
-- 2022-03-19 23:10:27.227 grist.mydomain.com:8484 GET /api/session/access/all 200 1022.262 ms - 109
-- 2022-03-19 23:10:27.235 grist.mydomain.com:8484 GET /api/session/access/active 200 1034.314 ms - 107
Before I saw this I had already deleted the certificate that was causing the error. I did have my created certificate selected in the verification certificate dropdown, but the cert was incorrect due to me completely misunderstanding the process in creating it.
I created the certificate correctly and I’m in!
And yes, if I change that setting to remove the verification cert selection from the SAML provider I reproduce the error.
Thank you very much for your help. I hope this thread comes in handy to someone else.
To limit what guests can do: you could change GRIST_SINGLE_ORG=docs to anything else but docs such as bibo. When set to docs, Grist will work like docs.getgrist.com and allow people to try out Grist anonymously, which I agree doesn’t make sense for your server. When set to something else, such as bibo, Grist will create a bibo “team site” and grant access to the user with email GRIST_DEFAULT_EMAIL. That user can then grant access to others, including optionally the general public (but the public won’t have access by default).
Before changing GRIST_SINGLE_ORG, be aware that you afterwards you won’t be able to find any existing docs via the website. One option is to download them first, then re-upload afterwards.
Not sure why your container crashed, everything in the log you pasted is innocuous looking GETs.
The default worked for me. If you’re having trouble: generally, Grist identifies users by email.
Thank you @paul-grist
I’m redoing today authentik (I have no idea how you dealt with him with such documentation, I admire you).
To rebuild Grist I use gristlabs/grist:latest image.
We have a chance with this image to use team sites in path
GRIST_ORG_IN_PATH=true
without
GRIST_SINGLE_ORG=some_org
?
BCS if I delete env variable GRIST_SINGLE_ORG
I can’t access to https://my.grist.app
When I run https://my.grist.app i redirect to http://docs.grist.app/ no chanses access to https://my.grist.app 2022-04-04 14:42:35.260 - debug: Redirecting anonymous user to: http://docs.grist.app/
@paul-grist I must apologize for distracting you from your work.
How I admire your work, this is exactly what MS Access Online should look like, simple, understandable and as close as possible to MS Excel.
I use reverse proxy https://my.grist.app to port 8484 redirecting to http://my.grist.app/o/myorg/ stdout
Console log:
Mixed Content: The page at 'https://my.grist.app/o/myorg/' was loaded over HTTPS, but requested an insecure resource 'http://my.grist.app:8484/o/myorg/api/session/access/all'. This request has been blocked; the content must be served over HTTPS.
(anonymous) @ VM47:1
(anonymous) @ BaseAPI.ts:118
(anonymous) @ main.bundle.js:12
r @ main.bundle.js:12
request @ main.bundle.js:12
(anonymous) @ BaseAPI.ts:36
(anonymous) @ main.bundle.js:12
r @ main.bundle.js:12
i.value @ main.bundle.js:12
(anonymous) @ BaseAPI.ts:133
(anonymous) @ main.bundle.js:12
r @ main.bundle.js:12
requestJson @ main.bundle.js:12
(anonymous) @ BaseAPI.ts:36
(anonymous) @ main.bundle.js:12
r @ main.bundle.js:12
i.value @ main.bundle.js:12
(anonymous) @ UserAPI.ts:421
(anonymous) @ main.bundle.js:6
i @ main.bundle.js:6
getSessionAll @ main.bundle.js:6
(anonymous) @ AppModel.ts:164
(anonymous) @ main.bundle.js:6
i @ main.bundle.js:6
_fetchUsersAndOrgs @ main.bundle.js:6
v @ AppModel.ts:100
create @ dispose.ts:136
C @ App.ts:75
create @ dispose.ts:136
(anonymous) @ app.js:31
i @ jquery.min.js:2
fireWith @ jquery.min.js:2
ready @ jquery.min.js:2
J @ jquery.min.js:2
Show 4 more frames
GristWSConnection.ts:94 GristWSConnection not activating for hosted grist page with no document present
AppModel.ts:157 getSessionActive() failed: TypeError: Failed to fetch
errors.ts:82 ERROR: TypeError: Failed to fetch
at <anonymous>:1:876
at u.<anonymous> (BaseAPI.ts:118:29)
at Generator.next (<anonymous>)
at main.bundle.js:12:562303
at new Promise (<anonymous>)
at r (main.bundle.js:12:562048)
at u.request (main.bundle.js:12:563823)
at u.<anonymous> (BaseAPI.ts:36:57)
at Generator.next (<anonymous>)
at main.bundle.js:12:562303
at new Promise (<anonymous>)
at r (main.bundle.js:12:562048)
at u.i.value (main.bundle.js:12:563017)
at u.<anonymous> (BaseAPI.ts:133:24)
at Generator.next (<anonymous>)
at main.bundle.js:12:562303
f @ errors.ts:82
Promise.catch (async)
v @ AppModel.ts:100
create @ dispose.ts:136
C @ App.ts:75
create @ dispose.ts:136
(anonymous) @ app.js:31
i @ jquery.min.js:2
fireWith @ jquery.min.js:2
ready @ jquery.min.js:2
J @ jquery.min.js:2
...
Looks like the page, after loading, is requesting something at the wrong port and with the wrong url. Can you try setting APP_HOME_URL=https://my.grist.app?
Thanks, it helped and everything worked, but in vain, when I try to create a team site, I go to the page Loading... - Grist
Thank you for the help, hope has died now.
GRIST_ORG_IN_PATH=true
without
GRIST_SINGLE_ORG=some_org
Doesn’t make sense.
When you use GRIST_SINGLE_ORG=some_org, it will create that team for you and set you up as an owner of it. You can repeat with several GRIST_SINGLE_ORGs, and then switch to GRIST_ORG_IN_PATH to access the teams you have created. Not user-friendly, but it should work.
Team site creation is being reworked, it should get easier in future.
@paul-grist Thank you.
I could not even think that GRIST_SINGLE_ORG can be used several times. I went to try.
Try:
GRIST_SINGLE_ORG=org1
GRIST_SINGLE_ORG=org2
GRIST_ORG_IN_PATH=true
Not working
GET https://my.grist.app/o/org1/api/templates?onlyFeatured=1 404
Have access only for org1
Thanks to this thread, I’ve successfully deployed grist and authentik to my VPS using reverse proxy. Everything has worked fine until now, though I encounter a small issue with the GRIST_SINGLE_ORG, it doesn’t present in the url.
It looks like https://my.example.com/kLzquuZKrbrG/data while it should be https://my.example.com/o/myorganization/data