OIDC-Setup with Zitadel

[sthiel-mpi]

Hi all,

I am currently trying to setup OIDC for Semaphore using https://zitadel.com/ but I am having issues with accessing claims, especially the email claim which is required.

My current Semaphore configuration:

	"oidc_providers": {
		"zitadel": {
			"display_name": "Sign in via Zitadel",
			"color": "orange",
			"icon": "login",
			"provider_url": "https://zitadel.domain.de",
			"client_id": "****",
			"client_secret": "***",
			"redirect_url": "https://semaphore.domain.de/api/auth/oidc/zitadel/redirect",
			"endpoint": {
				"auth": "https://zitadel.domain.de/oauth/v2/authorize",
				"token": "https://zitadel.domain.de/oauth/v2/token",
				"userinfo": "https://zitadel.domain.de/oidc/v1/userinfo"
			},
			"scopes": ["openid", "profile" ,"email"],
		}

Using it like this performs correct redirections but ends with the error

level=error msg="claim 'email' missing or has bad format"

One can circumvent that by specifying

 "{% raw %}email | {{ .username }}@your-domain.com{% endraw %}"

within the config. This however shows that really email is not existent as the expression after | is executed.
The {{ .username }} in this case evaluates to <None> as it apparently is also not available.

Zitadel is configured to Code flow, with a Code response type using basic authentication.

My guess is that I am misunderstanding some of the configuration options available, but as far as I understand https://zitadel.com/docs/apis/openidoauth/claims , the /userinfo endpoint (which is provided to semaphore) should contain the email claim if requested, which it is.

Did anyone happen to make Semaphore OIDC work with Zitadel or has a few pointers I could try to proceed?
Thanks in advance!

On a sidenote: It seems that also preferred_username is unavailable as I always end up with a random username and Anonymous as display name, although setting the name_claim and name to preferred_username. This might be connected but is not my main concern.

[ilbarone87]

hi @sthiel-mpi,
have you managed to solve this issue?

[sthiel-mpi]

@ilbarone87 Not yet. But I actually did not try further. Will have to revisit the problem this week though. Will let you know about the outcome.

[ilbarone87]

I solved it actually! In zitadel you need to enable the ID token to contain the scopes in order to let the client to be able to retrieve the info attributes. It's a just a box to tick in your application project in zitadel gui.

[sthiel-mpi]

Awesome! That indeed did the trick, thank you very much :)

[ilbarone87]

Can you please flag that as "answer" so will help others with the same problem.

[sthiel-mpi]

I apparently cannot, because this discussion is not within the Q&A category (my bad when creating it), but will close. Fortunately its not too much to scan through:

I solved it actually! In zitadel you need to enable the ID token to contain the scopes in order to let the client to be able to retrieve the info attributes. It's a just a box to tick in your application project in zitadel gui.