kanidm 1.4 update failure: strict redirect verification not enabled
Problem
kanidm fails to start after updating past 1.4 with the following error:
INFO i [info]: Running in server configuration test mode ...
INFO i [info]: Starting kanidm with TEST configuration: address: [redacted]:[redacted], domain: [redacted], ldap address: disabled, origin: [redacted] admin bind path: /run/kanidmd/sock, thread count: 1, dbpath: /var/lib/kanidm/kanidm.db, arcsize: AUTO, max request size: 262144b, trust X-Forwarded-For: false, with TLS: true, online_backup: enabled: true - schedule: 0 02 * * TUE versions: 10 path: /var/lib/kanidm/backups, integration mode: false, console output format: Text log_level: info role: write replica, replication: disabled, otel_grpc_url: None
INFO system_initialisation [ 143ms | 29.74% / 100.00% ]
INFO ┝━ initialise_schema_core [ 87.6ms | 61.28% ]
WARN ┝━ 🚧 [warn]: Domain level has been raised to 8
WARN ┝━ 🚧 [warn]: Domain patch level has been raised to 1
INFO ┕━ migrate_domain_7_to_8 [ 12.8ms | 8.98% ]
ERROR ┝━ 🚨 [error]: Unable to proceed. Not all oauth2 clients have strict redirect verification enabled.
ERROR ┝━ 🚨 [error]: | missing_oauth2_strict_redirect_uri: example@[redacted]
ERROR ┝━ 🚨 [error]: | missing_oauth2_strict_redirect_uri: example-cloud@[redacted]
ERROR ┝━ 🚨 [error]: | missing_oauth2_strict_redirect_uri: example-git@[redacted]
ERROR ┝━ 🚨 [error]: | missing_oauth2_strict_redirect_uri: example-immich@[redacted]
ERROR ┝━ 🚨 [error]: | missing_oauth2_strict_redirect_uri: example-games@[redacted]
ERROR 🚨 [error]: Unable to setup query server or idm server -> MG0007Oauth2StrictConstraintsNotMet
Logging pipeline completed shutdown
Solutions
You need to enable strict redirect URL verification (enable-strict-redirect-url) for every client mentioned in the error message.
Unfortunately, that requires a running kanidm service, and 1.4.0+ refuses to start with this configuration.
Luckily, the kanidm developers anticipated this: the 1.4 migrations are not applied while any OAuth2 client still has strict redirect URL verification disabled.
This means your database is unchanged, and you are free to roll back to a pre-1.4 release.
1.3.3 is the latest suitable version.
After rolling back, enable strict redirect URL verification for each client listed in the error message:
kanidm system oauth2 enable-strict-redirect-url <name>
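As an added example (not from the original post or the kanidm project), here is a small POSIX shell script that pulls the client names out of the startup error above and prints, or with DRY_RUN=0 actually runs, the enable-strict-redirect-url command for each one, so the whole list from the log can be fixed in one go after the rollback. It assumes that the part before "@" in each missing_oauth2_strict_redirect_uri line is the client name the CLI expects; the sample log embedded below is constructed, with a made-up domain.

```shell
#!/bin/sh
# Added example; not code from the original post or from the kanidm project.
# Reads kanidmd failure output (file or stdin), extracts the OAuth2 client
# names flagged as missing_oauth2_strict_redirect_uri, and emits the
# enable-strict-redirect-url command for each. Run it against a rolled-back
# 1.3.x server, since 1.4.0+ will not start with these clients.
# Assumption (not stated on the page): the text before '@' is the client name
# that "kanidm system oauth2 enable-strict-redirect-url <name>" expects.
set -eu

# Constructed sample log, mirroring the error lines above with a fake domain.
SAMPLE_LOG='ERROR ┝━ 🚨 [error]: Unable to proceed. Not all oauth2 clients have strict redirect verification enabled.
ERROR ┝━ 🚨 [error]: | missing_oauth2_strict_redirect_uri: example@idm.example.com
ERROR ┝━ 🚨 [error]: | missing_oauth2_strict_redirect_uri: example-cloud@idm.example.com
ERROR ┝━ 🚨 [error]: | missing_oauth2_strict_redirect_uri: example-git@idm.example.com
ERROR ┝━ 🚨 [error]: | missing_oauth2_strict_redirect_uri: example-git@idm.example.com
ERROR 🚨 [error]: Unable to setup query server or idm server -> MG0007Oauth2StrictConstraintsNotMet'

# extract_clients: log text on stdin -> one client name per line, deduplicated.
# index()/substr() are used instead of a regex across the whole line so the
# box-drawing and emoji bytes in the log never matter.
extract_clients() {
    awk '{
        key = "missing_oauth2_strict_redirect_uri: "
        i = index($0, key)
        if (i) {
            s = substr($0, i + length(key))
            sub(/[@ \t\r].*$/, "", s)      # keep only the name before "@"
            if (s != "" && !seen[s]++) print s
        }
    }'
}

# fix_clients: log text on stdin -> prints the command for each client and,
# when DRY_RUN=0, runs it. Default is dry run so nothing is changed by accident.
fix_clients() {
    extract_clients | while IFS= read -r name; do
        printf 'kanidm system oauth2 enable-strict-redirect-url %s\n' "$name"
        if [ "${DRY_RUN:-1}" = "0" ]; then
            kanidm system oauth2 enable-strict-redirect-url "$name"
        fi
    done
}

# Usage:  journalctl -u kanidm | DRY_RUN=0 sh fix-strict-redirect.sh
# Afterwards, before upgrading again, confirm nothing is left over with:
#   kanidmd domain upgrade-check
# "--demo" runs the constructed sample through the dry-run path.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | fix_clients
fi
```

The script deliberately only prints by default; set DRY_RUN=0 once you have confirmed the list of names matches the error output and you are logged in with the kanidm CLI as an account that may administer OAuth2 clients.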
Explanation
Strict OAuth2 redirect URI verification is mandatory since 1.4.0. Implementing a more user-friendly upgrade process is complex and error-prone, so the kanidm developers added a safeguard instead: the new version refuses to start on an incompatible configuration rather than migrating it and breaking it.
There is also a recommended upgrade procedure[^recommend] that includes running a check before upgrading:
kanidmd domain upgrade-check
Since you’re here, it’s too late to be a proactive kanidm admin. I wasn’t proactive; this update slipped in with other NixOS packages =]
The
Once again, thanks to the kanidm developers for not messing up my data. It’s so nice to have a clean rollback option.