
[Bug] "Email is not verified" error with Synology SSO (OIDC) configuration #1446

Open
Erwan-loot opened this issue Jan 8, 2025 · 0 comments
Assignees
Labels
bug Something isn't working

Comments


Erwan-loot commented Jan 8, 2025

RomM version
Docker 3.7.0

Describe the bug
When setting up RomM (version 3.7.0) for OpenID Connect (OIDC) authentication via Synology SSO, the error {"detail":"Email is not verified."} appears, preventing successful login. The email address used in Synology SSO is the same as the one configured for the local RomM user.

The following steps have been attempted:

Creating a new RomM user with the same email address used in Synology.
Verifying the client ID, client secret, redirect URL, and OIDC provider URL.
Confirming that the well-known configuration is fetched from https://<my_domain>/webman/sso/SSOOauth.cgi.
Despite these efforts, the error persists:

ERROR:      [RomM][base_handler][2025-01-05 14:45:27] Email is not verified.
192.168.0.1:0 - "GET /api/oauth/openid?code=XXX&state=XXX HTTP/1.0" 400

To Reproduce
Below is an excerpt from the docker-compose.yml file:

version: "3"
services:
  romm:
    image: rommapp/romm:3.7.0
    container_name: ROMM
    restart: unless-stopped
    mem_limit: 1g
    cpu_shares: 768
    security_opt:
      - no-new-privileges:true
    environment:
      - DB_HOST=ROMM-DB
      - DB_NAME=romm
      - DB_USER=romm-user
      - DB_PASSWD=passworddb
      - DB_PORT=3306
      - ROMM_HOST=https://romm.domain
      - ROMM_AUTH_ENABLED=true
      - ROMM_AUTH_SECRET_KEY=secret  # Generate a key with `openssl rand -hex 32`
      - ROMM_AUTH_USERNAME=admin
      - ROMM_AUTH_PASSWORD=password
      - ENABLE_RESCAN_ON_FILESYSTEM_CHANGE=true
      - RESCAN_ON_FILESYSTEM_CHANGE_DELAY=5
      - OIDC_ENABLED=true
      - OIDC_PROVIDER=Synology
      - OIDC_CREATE_USER=true
      - OIDC_CLIENT_ID=b14b845cd84dfe28a6b025871fdba63e
      - OIDC_CLIENT_SECRET=secret
      - OIDC_REDIRECT_URI=https://romm.domain/api/oauth/openid
      - OIDC_SERVER_APPLICATION_URL=https://dsm.domain/webman/sso
    volumes:
      - /volume1/Jeux/ROMS:/romm/library
      - /volume1/docker/romm/resources:/romm/resources  # Optional location for covers
      - /volume1/docker/romm/assets:/romm/assets
      - /volume1/docker/romm/config.yml:/romm/config.yml  # Optional configuration file location
      - /volume1/docker/romm/logs:/romm/logs  # Optional logs location
    ports:
      - 5968:8080
    depends_on:
      - romm_db

  romm_db:
    image: mariadb:latest
    container_name: ROMM-DB
    mem_limit: 1g
    cpu_shares: 768
    security_opt:
      - no-new-privileges:true
    environment:
      - MYSQL_ROOT_PASSWORD=passworddb
      - MYSQL_DATABASE=romm
      - MYSQL_USER=romm-user
      - MYSQL_PASSWORD=passworddb
    volumes:
      - /volume1/docker/romm/database:/var/lib/mysql
    restart: unless-stopped

Provider Configuration (Synology SSO)

{
   "claims_supported" : [ "aud", "email", "exp", "groups", "iat", "iss", "sub", "username" ],
   "code_challenge_methods_supported" : [ "S256", "plain" ],
   "grant_types_supported" : [ "authorization_code", "implicit" ],
   "id_token_signing_alg_values_supported" : [ "RS256" ],
   "response_types_supported" : [ "code", "code id_token", "id_token", "id_token token" ],
   "scopes_supported" : [ "email", "groups", "openid" ],
   "subject_types_supported" : [ "public" ],
   "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ]
}

Any advice or troubleshooting ideas on how to resolve the “Email is not verified” error would be greatly appreciated.

@Erwan-loot Erwan-loot added the bug Something isn't working label Jan 8, 2025
@adamantike adamantike self-assigned this Jan 9, 2025
adamantike added a commit that referenced this issue Jan 9, 2025
The OIDC email verified check now fails if the email is explicitly
unverified, or if the `email_verified` claim is supported and the email
is not explicitly verified.

Previously, the OIDC implementation failed for any OIDC provider that
did not include the `email_verified` claim in the userinfo response.
Providers like Synology do not include this claim, so the check always
failed with error "Email is not verified."

I haven't found a formal specification for the `email_verified` claim,
and how it should be handled, but this implementation should be more
robust and work with more OIDC providers.

Fixes #1446.
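The decision the commit message describes, as an added example that is not RomM's own code: the old rule beside the new one, evaluated against a constructed discovery document whose claims_supported list mirrors the Synology one quoted in the issue and a constructed userinfo response. Function names, the sample values and the added requirement that an email be present are assumptions.

```python
from typing import Any

# Constructed sample data, not captured from a real server. claims_supported
# mirrors the Synology discovery document quoted in the issue: no
# "email_verified" claim is advertised.
SYNOLOGY_DISCOVERY: dict[str, Any] = {
    "claims_supported": ["aud", "email", "exp", "groups", "iat", "iss", "sub", "username"],
    "scopes_supported": ["email", "groups", "openid"],
}
# A provider that does advertise the claim (constructed, for contrast).
ADVERTISING_DISCOVERY: dict[str, Any] = {
    "claims_supported": ["sub", "email", "email_verified"],
}
# Userinfo as a Synology-style provider returns it: email present,
# no email_verified key at all (constructed values).
SYNOLOGY_USERINFO: dict[str, Any] = {
    "sub": "1001", "username": "erwan", "email": "erwan@example.com",
}


def legacy_email_check(userinfo: dict[str, Any]) -> bool:
    """Pre-fix behaviour: accept only an explicit email_verified == True.
    A provider that omits the claim entirely (Synology) is always rejected,
    which is the "Email is not verified." error from the issue."""
    return userinfo.get("email_verified") is True


def email_is_verified(discovery: dict[str, Any], userinfo: dict[str, Any]) -> bool:
    """Post-fix rule from the commit message.

    Reject when the claim is explicitly False, or when the provider advertises
    email_verified in claims_supported but did not explicitly set it to True.
    Only a provider that never claims to know verification state may omit it;
    an advertising provider that stays silent is treated as unverified, which
    keeps the relaxation as narrow as possible.
    """
    claim = userinfo.get("email_verified")
    if claim is False:
        return False
    advertises = "email_verified" in discovery.get("claims_supported", [])
    if advertises and claim is not True:
        return False
    # Assumption added here: an email is still required to match a local user.
    return bool(userinfo.get("email"))
```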