Incus UI and Authentik - Redirecting to Login

I’m just wondering if anyone is able to offer any advice getting SSO with Incus working with Authentik.

What I’ve done so far:

I’ve set up the Incus UI through the traefik reverse proxy just by forwarding to port 8443:

    router_incus:
      rule: "Host(`incus.<domain>`)"
      service: service_incus
      entryPoints:
        - websecure
      tls:
        certResolver: letsEncrypt

    service_incus:
      loadBalancer:
        servers:
          - url: "https://192.168.1.70:8443"
        serversTransport: ignore_ca

This seems to load the page up correctly and takes me to https://incus./ui/login

From here I set within the UI > Settings > oidc:

oidc.audience: https://incus.
oidc.claim: email
oidc.client.id:
oidc.issuer: https://auth./application/o/incus/
oidc.scopes: openid,profile,email

Then within Authentik, I’ve setup a new application tied to a new OAuth2/OpenID provider.

The provider has the Client ID which is entered into Incus, Redirect URIs is set to:
strict: https://incus./oidc/callback

When I go to the home page and click on the “Login with SSO” button, it takes me to Authentik. The scopes requested seem to match and it requires the Email address and General Profile, I click on continue and it redirects me to the /ui page which then says it can’t find the default project and returns me to the /ui/login page.

I’m using version 6.10.1-ui-0.15 from the Zipply repo, on an Ubuntu 24.04 server.

Can see some logs in the /var/log/incus but none when this occurs and more to do with container/VM stuff.

Any help gratefully received and if more info required please let me know and I’ll provide.

Did you try with the CLI, maybe that will provide a clearer error?

incus remote add test https://incus --auth-type=oidc

Curious, so if I do:

incus remote add test https://incus.:443 --auth-type=oidc

That then gives me the device workflow with Authentik:

URL: https://auth./device?code=
Code:

That then gives me the fingerprint:

Certificate fingerprint: b155f05
ok (y/n/[fingerprint])? y

Then it gives me:

URL: https://auth./device?code=
Code:

Error: Failed to authenticate: Provided OIDC token doesn’t allow the configured audience

Don’t suppose there’s a log of the audiences it’s expecting?

Okay, so the error seems audience related. Did you try without the audience set?

We’ve generally only seen Auth0 really depend on the audience, most other providers don’t seem to use it, or at least not by default.
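To answer the “is there a log of the audiences it’s expecting?” question from the thread: the token itself carries the answer in its `aud` claim. The following is an added example (not part of the thread and not Incus or Authentik code) that decodes a token’s claims without verifying the signature and applies the same audience rule the error message describes; the token, client ID `incus-client-id` and URLs in it are constructed for the demo.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT checked here:
    this is for inspecting what the provider put in the token, not for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_allowed(claims: dict, configured_audience: Optional[str]) -> bool:
    """Mirror the check behind 'token doesn't allow the configured audience':
    with oidc.audience unset anything passes; otherwise the configured value must
    appear in 'aud', which RFC 7519 allows to be either a string or a list."""
    if not configured_audience:
        return True
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return configured_audience in aud


def make_demo_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature, purely so the
    decoder above has something realistic to parse offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed ID token: OIDC Core requires the client ID in 'aud', so an audience
# configured as the UI URL (as in the thread) will never match it.
SAMPLE_TOKEN = make_demo_token({
    "iss": "https://auth.example.com/application/o/incus/",
    "aud": "incus-client-id",
    "email": "user@example.com",
})
```

Run `audience_allowed(token_claims(SAMPLE_TOKEN), "https://incus.example.com")` to reproduce the mismatch, and pass `None` to see the unset-audience case accept the same token.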

That’s got it! Removing the audience worked! Thanks for your help!

I’m doing the same thing, but I keep getting this error

failed to exchange token: oauth2: “invalid_client” “Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)”

Never mind, setting client type to public in Authentik fixed it.