How to configure OIDC with external server?

[whisperdancer]

The last update added support for external OIDC server. I can't locate much documentation on how to get this setup. I added several new environment vars and trilium shows the proper Login with PocketID button, but redirects to google instead of my server. Perhaps I'm using the wrong var names. It seems a misconfiguration issue. Seeking assistance to get this setup. Thank you.

I added and set accordingly:

TRILIUM_OAUTH_BASE_URL=<my server OIDC discovery url>
TRILIUM_OAUTH_CLIENT_ID=<my client id>
TRILIUM_OAUTH_CLIENT_SECRET=<my client secret>
TRILIUM_OAUTH_ISSUER_NAME=PocketID

[dosubot[bot]]

You need to set the environment variable TRILIUM_OAUTH_ISSUER_BASE_URL to your external OIDC server's issuer/discovery URL. If this variable isn't set, Trilium defaults to Google's OIDC endpoints, which is why you're being redirected there even though the login button shows your provider's name.

Here's the full set of required variables for external OIDC:

• TRILIUM_OAUTH_BASE_URL (your app's base URL)
• TRILIUM_OAUTH_CLIENT_ID (your client ID)
• TRILIUM_OAUTH_CLIENT_SECRET (your client secret)
• TRILIUM_OAUTH_ISSUER_BASE_URL (your OIDC server's issuer/discovery URL, e.g., https://your-oidc-server/.well-known/openid-configuration)
• TRILIUM_OAUTH_ISSUER_NAME (display name for the login button, e.g., PocketID)

Make sure all of these are set. If it still doesn't work, check the logs for missing variable warnings or errors—Trilium checks for all required variables and will list any that are missing or empty.

There isn't official documentation for this setup yet, but the code confirms these are the correct variables and explains the fallback to Google if the issuer URL is missing.
See code reference

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}   

[whisperdancer]

Thanks for the quick response. With your guidance I got it working, but there is an issue. My auth server doesn't use RSA256. It uses EdDSA. Please consider adding an environment variable to set the Alg used. Thank you.

"unexpected JWT alg received, expected RS256, got: EdDSA"

Note, immich has a field to set the Alg, but nextcloud OIDC app does not, but still works out of the box.

So for now, I have to set it back to using TOTP codes. :(

[fandert-git]

@whisperdancer I am using PocketID, but struggling with the Callback URL configuration. Do you have a hint for the URL format? TIA!

[whisperdancer]

I never got this far as trilium returned an error ""unexpected JWT alg received, expected RS256, got: EdDSA" Apparently trilium does not support the more modern, smaller, faster and more secure algs at this time. I'm hopeful they add this support very soon.

[raftilu]

@whisperdancer I am using PocketID, but struggling with the Callback URL configuration. Do you have a hint for the URL format? TIA!

After trial and error it worked using "https://trilium.domain.tld/callback" as Callback URL. Hope it helps <3

[whisperdancer]

@raftilu what alg are you using with pocketID? RSA256?

[fandert-git]

@whisperdancer I am using PocketID, but struggling with the Callback URL configuration. Do you have a hint for the URL format? TIA!

After trial and error it worked using "https://trilium.domain.tld/callback" as Callback URL. Hope it helps <3

Appreciate your response <3

Was experiencing:

{ "message": "id_token not present in TokenSet" }

Edit: After fixing my NPM config, see this error now

{ "message": "checks.state argument is missing" }

[brhahlen]

I'm trying to set this up as well (and Trilium itself), but am stuck, as the ENV variables are not propagated to the config.ini.
I've described my issue in #6258 , maybe one of you has an idea for me?
Thanks in advance!

[whisperdancer]

I got it working, but unfortunately trilium only supports a weaker legacy alg rsa256. I'm hopeful the devs will add support for additional algs like EdDSA, which is much smaller footprint, faster and significantly more secure.

[themadcodger]

Did you use trilium.server.tld/callback for the callback url? I'm also trying to set it up with pocket id and it says that's invalid.

[whisperdancer]

I set callback to https://mydomain.com/callback. It broke due to it's lack of support for EdDSA.

[truncsphere]

Just ran into this myself.
Temporarily solved this by using TinyAuth with my SWAG reverse proxy.

One downside is that I'm not able to sync with my server from a remote machine.