fix(openid): use the calculated redirect url when authenticating with openid providers

config.yml.sample

@@ -292,17 +292,14 @@ auth:
   # **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
   # If the email is not public in those cases, authenticating will fail.
   # **Note 2:** The frontend expects to be redirected after authentication by the third party
-  # to <frontend-url>/auth/openid/<auth key>. Please make sure to configure the redirect url with your third party
+  # to <frontend-url>/auth/openid/<auth key>. Please make sure to configure the redirect url in your third party
   # auth service accordingly if you're using the default vikunja frontend.
+  # The frontend will automatically provide the api with the redirect url, composed from the current url where it's hosted.
+  # If you want to use the desktop client with openid, make sure to allow redirects to `127.0.0.1`.
   # Take a look at the [default config file](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) for more information about how to configure openid authentication.
   openid:
     # Enable or disable OpenID Connect authentication
     enabled: false
-    # The url to redirect clients to. Defaults to the configured frontend url. If you're using Vikunja with the official
-    # frontend, you don't need to change this value.
-    # **Note:** The redirect url must exactly match the configured redirect url with the third party provider.
-    # This includes all slashes at the end or protocols.
-    redirecturl: <frontend url>
     # A list of enabled providers
     providers:
       # The name of the provider as it will appear in the frontend.

pkg/config/config.go

@@ -65,10 +65,9 @@ const (
 	ServiceEnableUserDeletion    Key = `service.enableuserdeletion`
 	ServiceMaxAvatarSize         Key = `service.maxavatarsize`
 
-	AuthLocalEnabled      Key = `auth.local.enabled`
+	AuthLocalEnabled    Key = `auth.local.enabled`
-	AuthOpenIDEnabled     Key = `auth.openid.enabled`
+	AuthOpenIDEnabled   Key = `auth.openid.enabled`
-	AuthOpenIDRedirectURL Key = `auth.openid.redirecturl`
+	AuthOpenIDProviders Key = `auth.openid.providers`
-	AuthOpenIDProviders   Key = `auth.openid.providers`
 
 	LegalImprintURL Key = `legal.imprinturl`
 	LegalPrivacyURL Key = `legal.privacyurl`
@@ -451,10 +450,6 @@ func InitConfig() {
 		ServiceFrontendurl.Set(ServiceFrontendurl.GetString() + "/")
 	}
 
-	if AuthOpenIDRedirectURL.GetString() == "" {
-		AuthOpenIDRedirectURL.Set(ServiceFrontendurl.GetString() + "auth/openid/")
-	}
-
 	if MigrationTodoistRedirectURL.GetString() == "" {
 		MigrationTodoistRedirectURL.Set(ServiceFrontendurl.GetString() + "migrate/todoist")
 	}

pkg/modules/auth/openid/openid.go

@@ -40,8 +40,9 @@ import (
 
 // Callback contains the callback after an auth request was made and redirected
 type Callback struct {
-	Code  string `query:"code" json:"code"`
+	Code        string `query:"code" json:"code"`
-	Scope string `query:"scop" json:"scope"`
+	Scope       string `query:"scop" json:"scope"`
+	RedirectUrl string `json:"redirect_url"`
 }
 
 // Provider is the structure of an OpenID Connect provider
@@ -103,6 +104,8 @@ func HandleCallback(c echo.Context) error {
 		return c.JSON(http.StatusBadRequest, models.Message{Message: "Provider does not exist"})
 	}
 
+	provider.Oauth2Config.RedirectURL = cb.RedirectUrl
+
 	// Parse the access & ID token
 	oauth2Token, err := provider.Oauth2Config.Exchange(context.Background(), cb.Code)
 	if err != nil {

pkg/modules/auth/openid/providers.go

@@ -149,7 +149,6 @@ func getProviderFromMap(pi map[string]interface{}) (provider *Provider, err erro
 	provider.Oauth2Config = &oauth2.Config{
 		ClientID:     provider.ClientID,
 		ClientSecret: provider.ClientSecret,
-		RedirectURL:  config.AuthOpenIDRedirectURL.GetString() + k,
 		// Discovery returns the OAuth2 endpoints.
 		Endpoint: provider.openIDProvider.Endpoint(),
 

pkg/routes/api/v1/info.go

@@ -63,9 +63,8 @@ type localAuthInfo struct {
 }
 
 type openIDAuthInfo struct {
-	Enabled     bool               `json:"enabled"`
+	Enabled   bool               `json:"enabled"`
-	RedirectURL string             `json:"redirect_url"`
+	Providers []*openid.Provider `json:"providers"`
-	Providers   []*openid.Provider `json:"providers"`
 }
 
 type legalInfo struct {
@@ -109,8 +108,7 @@ func Info(c echo.Context) error {
 				Enabled: config.AuthLocalEnabled.GetBool(),
 			},
 			OpenIDConnect: openIDAuthInfo{
-				Enabled:     config.AuthOpenIDEnabled.GetBool(),
+				Enabled: config.AuthOpenIDEnabled.GetBool(),
-				RedirectURL: config.AuthOpenIDRedirectURL.GetString(),
 			},
 		},
 	}