Need help: Incus OIDC with Zitadel

I am not sure how to set up Incus to authenticate against Zitadel (an OIDC provider). There are many different options (PKCE etc.), so some help here would be appreciated.

Additionally, I originally set up Incus to auth against Dex, but I noticed that setting oidc.claim: email crashed Incus SSO. It would seem to log in and then return to the Incus UI prompting to “sign in with sso”. Is there a bug there? Unfortunately, Dex uses a base64-encoded protobuf for the username, which makes setting OpenFGA policies non-intuitive and manual.

I’ve not had issues with the email claim when using Keycloak, but maybe there’s something else going on in your case.

Getting the stack trace of the crash would be useful.

There’s no stack trace because it isn’t incusd that is crashing but the web UI. Basically, after the OIDC login flow, the web UI makes a request to /1.0 on the API, which fails. It tries a few times, then calls /logout and redirects back to that login screen. I managed to get Zitadel working, so if I have the time I may try Dex again and see why the email claim does not work with Dex as the IdP.

To get Zitadel cloud working:

  1. Choose “Native” for the application type.
  2. Set Response Type to Code.
  3. Set Authentication Method to None, and Grant Types to “Authorization Code”, “Device Code”, and “Refresh Token”.
     Set Authtoken Options to JWT (not Bearer) and check “User Info inside ID Token”.
  4. Ensure Redirect URI is set to /oidc/callback.

It appears that setting oidc.claim does not cause Incus to request email information from the OIDC endpoint. So because the returned JWT does not have that info, Incus SSO is “crashing” and logging the user out every time oidc.claim: email is set.
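A quick way to confirm whether the ID token actually carries the claim named in oidc.claim before pointing Incus at the IdP. This is an added example, not code from Incus, Zitadel or Dex; the two tokens are constructed inline (the signature segment is a placeholder and is deliberately not verified here, since the point is only to inspect claim presence).

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the form JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def id_token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    No signature check is done: this is a diagnostic for claim presence only.
    Incus itself still validates the token against the issuer's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(token: str, wanted: list[str]) -> list[str]:
    """Names from `wanted` that are absent or empty in the token payload.
    Pass the claim Incus is configured with (e.g. ["email"]); a non-empty
    result means the IdP login succeeds but Incus cannot map the identity,
    which surfaces as the sign-out loop described in this thread."""
    claims = id_token_claims(token)
    return [name for name in wanted if not claims.get(name)]


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed JWT for local testing; signature is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.placeholder"


# Constructed sample tokens (not captured from any real IdP).
# Without "User Info inside ID Token", the payload carries only the subject.
TOKEN_SUB_ONLY = make_unsigned_token(
    {"iss": "https://idp.example.test", "sub": "opaque-subject-id", "aud": "incus"}
)
# With user info included in the ID token, the email claim is present.
TOKEN_WITH_EMAIL = make_unsigned_token(
    {"iss": "https://idp.example.test", "sub": "opaque-subject-id", "aud": "incus",
     "email": "alice@example.test"}
)
```

Paste a real ID token from your IdP into missing_claims(token, ["email"]) and an empty list means the claim Incus will look up is there.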