Incus OIDC with selfhosted authelia - random string as username

I had success logging in to the Incus web UI with OIDC, but I get a random string as the username, which matches the 'sub' attribute.

To change the username I set oidc.claim to preferred_username, but after the change, when authenticated in authelia, it sends me back to the login screen. If I set it back to 'sub' (or delete it) the login process succeeds!!

config:
  core.https_address: :8443
  oidc.audience: https://server.local:8443
  oidc.claim: preferred_username  #works fine with sub
  oidc.client.id: incus
  oidc.issuer: https://authelia.local:9091
  oidc.scopes: openid,email,profile,groups

Checking the logs, I get the following warning message

level=warning msg="Rejecting request from untrusted client" ip="10.0.10.100:4924"

I paste the relevant section of the authelia config file.

 - client_id: 'incus'
   client_name: 'Incus'
   public: true
   authorization_policy: 'one_factor'
   require_pkce: false
   pkce_challenge_method: ''
   redirect_uris:
     - 'https://server.local/oidc/callback'
     - 'https://server.local:8443/oidc/callback'
   audience:
     - 'https://server.ies.grao:8443'
     - 'https://server.ies.grao'
   scopes:
     - 'openid'
     - 'offline_access'
     - 'profile'
     - 'email'
     - 'groups'
   response_types:
     - 'code'
   grant_types:
     - 'authorization_code'
     - 'refresh_token'
   access_token_signed_response_alg: 'RS256'
   userinfo_signed_response_alg: 'none'
   token_endpoint_auth_method: 'none'
   consent_mode: 'auto'
   pre_configured_consent_duration: '1 week'

Thanks in advance.

Also try the nickname and email claims.

I had a similar issue a while ago, where nickname and preferred_username wouldn't work when authenticating with the Incus CLI (although the web UI worked fine), giving me that same error. Only email would work.

It went away after I reinstalled my system, though, and I never figured out why it happened in the first place. I currently use preferred_username with Authentik.

I'm not familiar with authelia, but on some platforms the content of the ID token can be a bit limited, so you may need to set up some configuration on the IdP side to include more fields in the ID token itself, as opposed to them only being available through a user-profile query after the fact (which Incus can't do).
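A small inspection helper, added here and not part of Incus or Authelia, that decodes an ID token's payload and reports whether the claim named in oidc.claim is actually present in the token and whether its aud matches oidc.audience. The tokens, the sub/email values and the username are constructed samples; the issuer and audience URLs are the ones from the thread.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT with a dummy signature, purely as sample input."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    This only inspects what the IdP puts in the ID token; the real login path
    must still verify the signature against the issuer's published keys."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_username_claim(id_token: str, claim: str, audience: str) -> dict:
    """Approximate the two checks a relying party applies before accepting a
    login: the configured username claim must be present and non-empty in the
    ID token itself, and 'aud' must contain the relying party's audience."""
    claims = decode_claims(id_token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return {
        "claim_present": bool(claims.get(claim)),
        "audience_ok": audience in aud,
        "available_claims": sorted(claims),
    }


# Constructed sample tokens. MINIMAL mirrors an IdP that puts only sub and
# email in the ID token; FULL mirrors one that also includes profile claims.
BASE = {"iss": "https://authelia.local:9091", "aud": "https://server.local:8443",
        "sub": "9f3c2b1a-example-sub", "email": "alice@example.com"}
MINIMAL_TOKEN = make_sample_token(BASE)
FULL_TOKEN = make_sample_token({**BASE, "preferred_username": "alice", "nickname": "alice"})

if __name__ == "__main__":
    for name, tok in (("minimal", MINIMAL_TOKEN), ("full", FULL_TOKEN)):
        print(name, check_username_claim(tok, "preferred_username", "https://server.local:8443"))
```

Run it against a real ID token captured from your own IdP's token response to see which claims it actually carries; a claim that only shows up in the userinfo endpoint will not satisfy oidc.claim.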