Skip to content

feat: add Kanidm OIDC support with PKCE and ID token algo config #682

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mikimandoki wants to merge 3 commits into
base: main
Choose a base branch
from
+25 −19
Open

feat: add Kanidm OIDC support with PKCE and ID token algo config #682

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
54ed6ba
feat: add Kanidm OIDC support with PKCE and ID token algo config
mikimandoki Jun 17, 2026
6fdef87
docs: remove Kanidm
mikimandoki Jun 22, 2026
568966d
Merge remote-tracking branch 'origin/main' into feat/kanidm-support
mikimandoki Jun 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,12 @@ OIDC_WELL_KNOWN_URL=
# Required for some providers to link with existing accounts, make sure you trust your provider to properly verify email addresses
# OIDC_ALLOW_DANGEROUS_EMAIL_LINKING=1

# Enable PKCE (Proof Key for Code Exchange) for the OIDC provider
# OIDC_PKCE_ENABLED=1

# Set the ID token signed response algorithm if your provider requires a specific algorithm (e.g. ES256, RS256)
# OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=

# Push notification, Web Push: https://www.npmjs.com/package/web-push
# generate web push keys using this command: npx web-push generate-vapid-keys --json
# or use the online tool: https://vapidkeys.com/
Expand Down
2 changes: 2 additions & 0 deletions docs/CONFIGURATION.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,8 @@ Used for magic-link login and invites.
- `OIDC_CLIENT_SECRET`
- `OIDC_WELL_KNOWN_URL`: OpenID well-known discovery URL.
- `OIDC_ALLOW_DANGEROUS_EMAIL_LINKING`: Optional flag to allow email-based account linking.
- `OIDC_PKCE_ENABLED`: Optional flag to enable PKCE (Proof Key for Code Exchange).
- `OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG`: Optional ID token signed response algorithm (e.g. `ES256`, `RS256`).

### Web push notifications

Expand Down
4 changes: 4 additions & 0 deletions src/env.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,8 @@ export const env = createEnv({
OIDC_CLIENT_SECRET: z.string().optional(),
OIDC_WELL_KNOWN_URL: z.string().optional(),
OIDC_ALLOW_DANGEROUS_EMAIL_LINKING: z.boolean().optional(),
OIDC_PKCE_ENABLED: z.boolean().optional().default(false),
OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG: z.string().optional(),
UPLOAD_MAX_FILE_SIZE_MB: z.coerce.number().int().positive().default(10),
},

Expand Down Expand Up @@ -140,6 +142,8 @@ export const env = createEnv({
OIDC_CLIENT_SECRET: process.env.OIDC_CLIENT_SECRET,
OIDC_WELL_KNOWN_URL: process.env.OIDC_WELL_KNOWN_URL,
OIDC_ALLOW_DANGEROUS_EMAIL_LINKING: Boolean(process.env.OIDC_ALLOW_DANGEROUS_EMAIL_LINKING),
OIDC_PKCE_ENABLED: Boolean(process.env.OIDC_PKCE_ENABLED),
OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG: process.env.OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG,
UPLOAD_MAX_FILE_SIZE_MB: process.env.UPLOAD_MAX_FILE_SIZE_MB
? Number(process.env.UPLOAD_MAX_FILE_SIZE_MB)
: 10,
Expand Down
32 changes: 13 additions & 19 deletions src/server/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import { PrismaAdapter } from '@next-auth/prisma-adapter';
import { Prisma } from '@prisma/client';
import { type GetServerSidePropsContext } from 'next';
import { type DefaultSession, type NextAuthOptions, type User, getServerSession } from 'next-auth';
import { type Adapter, type AdapterAccount, type AdapterUser } from 'next-auth/adapters';
Expand Down Expand Up @@ -71,32 +72,21 @@ const SplitProPrismaAdapter = (...args: Parameters<typeof PrismaAdapter>): Adapt
return prismaCreateUser(user);
},
linkAccount: async (account: AdapterAccount) => {
// oxlint-disable-next-line typescript/no-unsafe-assignment
const originalLinkAccount = prismaAdapter.linkAccount;

if (!originalLinkAccount) {
throw new Error('Adapter is missing the linkAccount method.');
}

// Keycloak and Gitlab provide some non-standard fields that do not exist in the prisma schema.
// OIDC providers can provide non-standard fields that do not exist in the prisma schema.
// We strip them out before passing them on to the original adapter.
if (account.provider === 'keycloak') {
const {
'not-before-policy': _notBeforePolicy,
refresh_expires_in: _refresh_expires_in,
...standardAccountData
} = account as AdapterAccount & Record<string, unknown>;
const knownAccountFields = new Set<string>(Object.values(Prisma.AccountScalarFieldEnum));
Comment thread
krokosik marked this conversation as resolved.

return originalLinkAccount(standardAccountData as AdapterAccount);
} else if (account.provider === 'gitlab') {
const { created_at: _createdAt, ...standardAccountData } = account as AdapterAccount &
Record<string, unknown>;

return originalLinkAccount(standardAccountData as AdapterAccount);
}
const sanitised = Object.fromEntries(
Object.entries(account as Record<string, unknown>).filter(([k]) =>
knownAccountFields.has(k),
),
) as AdapterAccount;

// Default: proceed directly
return originalLinkAccount(account);
return originalLinkAccount(sanitised);
},
} as Adapter;
};
Expand Down Expand Up @@ -253,6 +243,10 @@ function getProviders() {
type: 'oauth',
wellKnown: env.OIDC_WELL_KNOWN_URL,
authorization: { params: { scope: 'openid email profile' } },
checks: env.OIDC_PKCE_ENABLED ? ['pkce'] : [],

@krokosik krokosik Jun 21, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I understand OIDC, the encryption configs should be provided from the well known url endpoint. I am against opening up the env var config to the whole breadth of OAuth2 options as this would just continue increasing and be a bad incentive for AI agents.

I am not familiar with Kandim, but please double check it's not an issue on their end or with your configuration, as setting these options by hand should not be required.

@mikimandoki mikimandoki Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback. I'm no OIDC expert myself. Here's what I could find out:

Kanidm correctly advertises ES256 and its PKCE requirements in the .well-known files. These are the defaults Kanidm ships with. Disabling them is possible but the commands are along the lines of "enable legacy crypto" etc., highly suggesting that users should only mess with this if necessary.

wget -qO- https://kanidm:8443/oauth2/openid/splitpro/.well-known/openid-configuration 2>/dev/null 

"id_token_signing_alg_values_supported":["ES256"],
"code_challenge_methods_supported":["S256"]

The issue appears to lie in openid-client NextAuth v4 ships.

openid-client defaults to RS256 and intentionally ignores id_token_signing_alg_values_supported from discovery. The expectation per spec is that the OP signs tokens with whatever alg the client was registered with. Since SplitPro passes credentials directly to openid-client with no additional configuration, and Kanidm defaults to ES256, the mismatch has to be resolved on the client side via id_token_signed_response_alg. The maintainer has expressed this as well: panva/openid-client#115 (comment)

As far as I can tell adding in the checks and client params is the intended way to deal with this, however, I have come across a different implementation as well:
danny-avila/LibreChat#5348 reads the discovered value and passes that on to the client. Happy to give this approach shot if it is more desirable.

@krokosik krokosik Jun 29, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I like this approach, thanks for digging into this!

client: env.OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG
? { id_token_signed_response_alg: env.OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG }
: undefined,
allowDangerousEmailAccountLinking: env.OIDC_ALLOW_DANGEROUS_EMAIL_LINKING,
idToken: true,
profile(profile) {
Expand Down