Authentik setup with EJBCA

[AlbMor]

Describe the Bug

Hi

I have just started to use EJBCA CE in a docker container setup.

We are using the IdP Authentik. When I am dtrying to setup the OAuth in EJBCA and Authentik to be able to have login to EJBCA using Authentick I get error

"The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri)."

The EJBCA settings for OAuth are :

The Authentik setup is with Redirect URL:

https://<my_ip_address>/ejbca/adminweb/oidc-callback

and if I use in the browser i get

"404
Unable to find the requested resource"

Maybe this is wrong or EJBCA does not play well with Authentik I don´t know

Can You help me to figure out what is wrong or if Authentik cannot be used with EJBCA?

Expected Behavior

Login to EJBCA with Authentik

Product Deployment

Please complete the following information:

• Deployment format: container
• Version 9.3.7

Desktop

Please complete the following information:

• OS: Ubuntu 24.04
• BrowserChrome
• Version 143.0.7499.192

[primetomas]

You can find documentation about OAuth setup here. It lists tested providers. Where did you get that oidc-callback url from? I can't find that in the documentation.

[AlbMor]

Hi @primetomas

I looked to the documentation from the list of setup you mentioned.

I have used the

https://<my_ip_address>/ejbca/adminweb/oidc-callback

since I am using it to integrate Authentik with others Application and it is working.

I have also tried with

https://<my_ip_address>/ejbca/adminweb/

but still have the following error

Authentik setup is as follow

Authentik is working fine with others Application with OIDC

CAn you suggest some changes I need to do?

Thanks for your time and help

[primetomas]

There are full examples for Keycloak, Okta and Azure AD in the documentation. Authentik we have not tested as far as I know, but if it works with those + Ping, can redirect_url really be different in Authentik?

[AlbMor]

Hi @primetomas

Thanks for your reply.

I got the redirect to work with the

https://ipaddress:443/ejbca/adminweb/

Note the :433 missing before

But now I get the error

"Authorization Denied
Cause: Authentication failed for bearer token with no access: 766f6821cba56983e3a3322a41c53f3a336e88bcf240a"

It seems the Membersin the Admin Role I have added is not correct

Do you know which value do I need to put in the sub ? Right now I just set the user name "akadmin"

OR do I need to choose another match

[AlbMor]

Hi @primetomas

I got the Authentik and EJBCA to work together

Here the setups for both if you are interested I have attached a doc with all the setting that are working.

You can close the issue and thanks for the help.

Regards
Alberto

Authentik_EJBCA_CE_Setup.docx

[primetomas]

Awesome thank you. Will take a look at your documentation. Thanks for the contribution!