OK, digging through the console a bit, that URL sequence is happening correctly, but we fall over here:
Failed to load resource: the server responded with a status of 401 ()
with an api.auth response of:
{"ok":false,"error":"authentication_required","status":401,"message":"Authentication required"}
I’m getting a fair payload of js & html, viewable in the sources list and I can see the 200 responses in the network panel, including the welcome collection assets, but not getting authed. Mysterious!
- /opt/yunohost/dex/config.yaml
root@domain:/opt/yunohost/dex# cat config.yaml
# LDAP connector + Yunohost setup + staticClient as per manifest.json
issuer: https://auth.domain.tld/
storage:
type: sqlite3
config:
file: dex.db
web:
http: 127.0.0.1:5556
frontend:
issuer: dex
logoURL: theme/logo.png
dir: web/
theme: light
connectors:
- type: ldap
name: OpenLDAP
id: ldap
config:
host: localhost:389
# No TLS for this setup.
insecureNoSSL: true
insecureSkipVerify: true
usernamePrompt: Username
userSearch:
baseDN: ou=users,dc=yunohost,dc=org
filter: "(objectClass=InetOrgPerson)"
username: uid
idAttr: uid
emailAttr: mail
nameAttr: displayName
groupSearch:
baseDN: ou=groups,dc=yunohost,dc=org
filter: "(objectClass=posixGroup)"
userMatchers:
- userAttr: uid
groupAttr: memberUid
nameAttr: cn
# Unfortunately the api is too complex to be used here
# As a consequence we have to setup client as staticClient, which means we will need one Dex instance per client app
staticClients:
- id: Outline
redirectURIs:
- https://wiki.domain.tld/auth/oidc.callback
name: Outline
secret: blahblahblahblah
root@domain:/var/www/outline# cat .env
# –––––––––––––––– REQUIRED ––––––––––––––––
# Generate a hex-encoded 32-byte random key. You should use `openssl rand -hex 32`
# in your terminal to generate a random value.
SECRET_KEY=blahblahblah
# Generate a unique random key. The format is not important but you could still use
# `openssl rand -hex 32` in your terminal to produce this.
UTILS_SECRET=blahblahblah
# For production point these at your databases, in development the default
# should work out of the box.
DATABASE_URL=postgres://outline:blahblahblah@localhost:5432/outline
DATABASE_URL_TEST=postgres://user:pass@localhost:5532/outline-test
# Uncomment this to disable SSL for connecting to Postgres
PGSSLMODE=disable
REDIS_URL=redis://localhost:6379
# URL should point to the fully qualified, publicly accessible URL. If using a
# proxy the port in URL and PORT may be different.
URL=https://wiki.domain.tld
PORT=2410
# See [documentation](docs/SERVICES.md) on running a separate collaboration
# server, for normal operation this does not need to be set.
COLLABORATION_URL=
# To support uploading of images for avatars and document attachments an
# s3-compatible storage must be provided. AWS S3 is recommended for redundency
# however if you want to keep all file storage local an alternative such as
# minio (https://github.com/minio/minio) can be used.
# A more detailed guide on setting up S3 is available here:
# => https://wiki.generaloutline.com/share/125de1cc-9ff6-424b-8415-0d58c809a40f
#
AWS_ACCESS_KEY_ID=sam
AWS_SECRET_ACCESS_KEY=blahblahblah
AWS_REGION=fr-ynh-1
AWS_S3_UPLOAD_BUCKET_URL=https://bucket.domain.tld
AWS_S3_UPLOAD_BUCKET_NAME=outlinestorage
AWS_S3_UPLOAD_MAX_SIZE=26214400
AWS_S3_FORCE_PATH_STYLE=true
AWS_S3_ACL=private
# –––––––––––––– AUTHENTICATION ––––––––––––––
# Third party signin credentials, at least ONE OF EITHER Google, Slack,
# or Microsoft is required for a working installation or you'll have no sign-in
# options.
# To configure Slack auth, you'll need to create an Application at
# => https://api.slack.com/apps
#
# When configuring the Client ID, add a redirect URL under "OAuth & Permissions":
# https://<URL>/auth/slack.callback
SLACK_KEY=
SLACK_SECRET=
# To configure Google auth, you'll need to create an OAuth Client ID at
# => https://console.cloud.google.com/apis/credentials
#
# When configuring the Client ID, add an Authorized redirect URI:
# https://<URL>/auth/google.callback
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
# To configure Microsoft/Azure auth, you'll need to create an OAuth Client. See
# the guide for details on setting up your Azure App:
# => https://wiki.generaloutline.com/share/dfa77e56-d4d2-4b51-8ff8-84ea6608faa4
AZURE_CLIENT_ID=
AZURE_CLIENT_SECRET=
AZURE_RESOURCE_APP_ID=
# To configure generic OIDC auth, you'll need some kind of identity provider.
# See documentation for whichever IdP you use to acquire the following info:
# Redirect URI is https://<URL>/auth/oidc.callback
OIDC_CLIENT_ID=Outline
OIDC_CLIENT_SECRET=blahblahblahblah
OIDC_AUTH_URI=https://auth.domain.tld/auth
OIDC_TOKEN_URI=https://auth.domain.tld/token
OIDC_USERINFO_URI=https://auth.domain.tld/userinfo
# Specify which claims to derive user information from
# Supports any valid JSON path with the JWT payload
OIDC_USERNAME_CLAIM=preferred_username
# Display name for OIDC authentication
OIDC_DISPLAY_NAME=Yunohost
# Space separated auth scopes.
OIDC_SCOPES="openid profile email"
# –––––––––––––––– OPTIONAL ––––––––––––––––
# Base64 encoded private key and certificate for HTTPS termination. This is only
# required if you do not use an external reverse proxy. See documentation:
# https://wiki.generaloutline.com/share/1c922644-40d8-41fe-98f9-df2b67239d45
SSL_KEY=
SSL_CERT=
# Base64 encoded private key and certificate for HTTPS termination. This is only
# required if you do not use an external reverse proxy. See documentation:
# https://wiki.generaloutline.com/share/1c922644-40d8-41fe-98f9-df2b67239d45
SSL_KEY=
SSL_CERT=
# If using a Cloudfront/Cloudflare distribution or similar it can be set below.
# This will cause paths to javascript, stylesheets, and images to be updated to
# the hostname defined in CDN_URL. In your CDN configuration the origin server
# should be set to the same as URL.
CDN_URL=
# Auto-redirect to https in production. The default is true but you may set to
# false if you can be sure that SSL is terminated at an external loadbalancer.
FORCE_HTTPS=true
# Have the installation check for updates by sending anonymized statistics to
# the maintainers
ENABLE_UPDATES=true
# How many processes should be spawned. As a reasonable rule divide your servers
# available memory by 512 for a rough estimate
WEB_CONCURRENCY=1
# Override the maxium size of document imports, could be required if you have
# especially large Word documents with embedded imagery
MAXIMUM_IMPORT_SIZE=5120000
# You can remove this line if your reverse proxy already logs incoming http
# requests and this ends up being duplicative
DEBUG=cache,presenters,events,emails,mailer,utils,http,server,processors
# Comma separated list of domains to be allowed to signin to the wiki. If not
# set, all domains are allowed by default when using Google OAuth to signin
ALLOWED_DOMAINS=
# For a complete Slack integration with search and posting to channels the
# following configs are also needed, some more details
# => https://wiki.generaloutline.com/share/be25efd1-b3ef-4450-b8e5-c4a4fc11e02a
#
SLACK_VERIFICATION_TOKEN=your_token
SLACK_APP_ID=A0XXXXXXX
SLACK_MESSAGE_ACTIONS=true
# Optionally enable google analytics to track pageviews in the knowledge base
GOOGLE_ANALYTICS_ID=
# Optionally enable Sentry (sentry.io) to track errors and performance
SENTRY_DSN=
# To support sending outgoing transactional emails such as "document updated" or
# "you've been invited" you'll need to provide authentication for an SMTP server
SMTP_HOST='localhost'
SMTP_PORT='25'
SMTP_USERNAME=''
SMTP_PASSWORD=''
SMTP_FROM_EMAIL='outline@wiki.domain.tld'
SMTP_REPLY_EMAIL='webmaster@wiki.domain.tld'
SMTP_TLS_CIPHERS=
SMTP_SECURE='false'
# Custom logo that displays on the authentication screen, scaled to height: 60px
# TEAM_LOGO=https://example.com/images/logo.png
# The default interface language. See translate.getoutline.com for a list of
# available language codes and their rough percentage translated.
DEFAULT_LANGUAGE=en_US
Hopefully there is some hint in there! Thanks again for your help 
