Hi, since enabling SSO on the Incus Web UI, I’m seeing quite a few of these messages in the incusd.log log file. Can anyone tell me what it means and (I know it’s only a warning) whether I should be worried, or at least whether there are any implications I should be aware of?
...
time="2025-05-31T16:25:58+01:00" level=warning msg="Authentication protocol is not compatible with authorization driver" driver=tls protocol=oidc
time="2025-05-31T16:25:58+01:00" level=warning msg="Authentication protocol is not compatible with authorization driver" driver=tls protocol=oidc
time="2025-05-31T16:25:58+01:00" level=warning msg="Authentication protocol is not compatible with authorization driver" driver=tls protocol=oidc
time="2025-05-31T16:25:58+01:00" level=warning msg="Authentication protocol is not compatible with authorization driver" driver=tls protocol=oidc
time="2025-05-31T16:25:58+01:00" level=warning msg="Authentication protocol is not compatible with authorization driver" driver=tls protocol=oidc
time="2025-05-31T16:25:58+01:00" level=warning msg="Authentication protocol is not compatible with authorization driver" driver=tls protocol=oidc
...
Hi, I’m afraid I went into it as a “user” without really understanding ‘all’ the options. I followed the instructions here using an account with “Auth0” (so I don’t think I’m using openfga, and I’m not sure what an authorization scriptlet is).
Essentially I signed up for a free Auth0 account, then pasted the details into the Incus UI.
Okay, so you’re in a situation where you have external authentication (OIDC) but no authorizer that can handle it. The warnings can be safely ignored; it’s basically just a reminder (a bit of a noisy one) that everyone with a valid account in your OIDC provider is getting full admin privileges on Incus.
Ok, so in my case the Incus UI isn’t publicly visible (VPN only), but if it was, presumably the “disable signups” I also have set would prevent anyone else from obtaining an account … I’ve just spotted the authorizer docs, will go have a read, sounds like I should probably add this too …
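For triaging the warning discussed in this thread, here is an added example (not part of the original posts and not Incus code) that parses logfmt lines like the ones quoted above and reports each driver/protocol pair that triggered the mismatch, with a count and first/last timestamp. The function names are hypothetical and the sample lines are constructed, modelled on the format shown in the thread.

```python
import re
from collections import Counter

# Message text copied from the log lines quoted in the thread.
MISMATCH_MSG = "Authentication protocol is not compatible with authorization driver"

# One logfmt pair: key=bare or key="quoted value, may contain spaces and \" escapes"
PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_logfmt(line):
    """Parse one logfmt line into a dict of fields."""
    fields = {}
    for key, quoted, bare in PAIR_RE.findall(line):
        # Unescape \" and \\ inside quoted values; bare values are used as-is.
        fields[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return fields


def summarize_mismatches(lines):
    """Group mismatch warnings by (driver, protocol): count, first and last time."""
    counts = Counter()
    span = {}
    for line in lines:
        f = parse_logfmt(line)
        if f.get("level") != "warning" or f.get("msg") != MISMATCH_MSG:
            continue
        key = (f.get("driver", "?"), f.get("protocol", "?"))
        counts[key] += 1
        first = span[key][0] if key in span else f.get("time")
        span[key] = (first, f.get("time"))
    return {k: {"count": counts[k], "first": span[k][0], "last": span[k][1]}
            for k in counts}


# Constructed sample input: two warnings in the thread's format plus one
# unrelated, made-up line that exercises quoted values with escapes.
SAMPLE = [
    'time="2025-05-31T16:25:58+01:00" level=warning msg="' + MISMATCH_MSG
    + '" driver=tls protocol=oidc',
    'time="2025-05-31T16:25:59+01:00" level=warning msg="' + MISMATCH_MSG
    + '" driver=tls protocol=oidc',
    'time="2025-05-31T16:26:00+01:00" level=info msg="constructed line" note="has \\"quotes\\""',
]

if __name__ == "__main__":
    for (driver, protocol), info in summarize_mismatches(SAMPLE).items():
        print(f"driver={driver} protocol={protocol} count={info['count']} "
              f"first={info['first']} last={info['last']}")
```

A pair such as driver=tls protocol=oidc in the output is the situation described in the reply above: OIDC logins are accepted, but the active authorization driver does not restrict them.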