OpenID connect auth (registration?) does not work

[RarogCmex]

Description of the issue

I have set up login with openid-connect via environment variables:
OPENID_CLIENT_ID=fe16398962548a0113ba
OPENID_CLIENT_SECRET=secret
OPENID_ISSUER=https://identity.a-star.org.ru/.well-known/openid-configuration
ACCOUNTS_URL=https://a-star.org.ru/_accounts
When I perform login by pressing 'Continue with openid' button on /login page, it succesfully redirects to casdoor (identity.a-star.org.ru), I sign in, then it redirects to https://a-star.org.ru/_accounts/auth/openid/callback?code=a067ce35231b327acd7b&state=%7B%7D, then it redirects to /login without actual session.
I recorded video:
https://github.com/user-attachments/assets/b4048389-409b-41ad-8ca2-d705a828c6a4

Your environment

• v0.6.377, docker version
• Browser: Chrome, Firefox
• Linux, MacOS, Windows
• Auth Provider: Casdoor

Steps to reproduce

1. login by pressing 'Continue with openid' button on /login page
2. it succesfully redirects to casdoor (identity.a-star.org.ru)
3. sign in via casdoor
4. it redirects to https://a-star.org.ru/_accounts/auth/openid/callback?code=a067ce35231b327acd7b&state=%7B%7D
5. it redirects to /login without actual login session

Logs from docker

account-1       | {"issuer":{"authorization_endpoint":"https://identity.a-star.org.ru/login/oauth/authorize","claim_types_supported":["normal"],"claims_parameter_supported":false,"claims_supported":["iss","ver","sub","aud","iat","exp","id","type","displayName","avatar","permanentAvatar","email","phone","location","affiliation","title","homepage","bio","tag","region","language","score","ranking","isOnline","isAdmin","isForbidden","signupApplication","ldap"],"end_session_endpoint":"https://identity.a-star.org.ru/api/logout","grant_types_supported":["password","authorization_code"],"id_token_signing_alg_values_supported":["RS256","RS512","ES256","ES384","ES512"],"introspection_endpoint":"https://identity.a-star.org.ru/api/login/oauth/introspect","introspection_endpoint_auth_methods_supported":["client_secret_basic"],"issuer":"https://identity.a-star.org.ru","jwks_uri":"https://identity.a-star.org.ru/.well-known/jwks","request_object_signing_alg_values_supported":["HS256","HS384","HS512"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":false,"response_modes_supported":["query","fragment","login","code","link"],"response_types_supported":["code","token","id_token","code token","code id_token","token id_token","code token id_token","none"],"scopes_supported":["openid","email","profile","address","phone","offline_access"],"subject_types_supported":["public"],"token_endpoint":"https://identity.a-star.org.ru/api/login/oauth/access_token","token_endpoint_auth_methods_supported":["client_secret_basic"],"userinfo_endpoint":"https://identity.a-star.org.ru/api/userinfo"},"level":"info","message":"Discovered issuer","timestamp":"2024-12-09T08:32:50.561Z"}
account-1       | {"level":"info","message":"Created OIDC client","timestamp":"2024-12-09T08:32:50.563Z"}
account-1       | {"level":"info","message":"Registered OIDC strategy","timestamp":"2024-12-09T08:32:50.564Z"}
account-1       | {"level":"info","message":"try auth via","provider":"openid","timestamp":"2024-12-09T08:42:33.075Z"}

Complete logs:
logs.txt

Expected behaviour

I should be logged in

Actual behaviour

I am not able to log in

Possible solutions

The suspicious code which should be debugged is placed from here:

platform/pods/authProviders/src/openid.ts

Line 66 in 52b21ef

measureCtx.info('try auth via', { provider: 'openid' })

to here
https://github.com/hcengineering/platform/blob/52b21efee759593c356c60052c02e53c20f4417f/pods/authProviders/src/openid.ts#L89C1-L90C1

[lexiv0re]

It looks like the auth is not successful on the IdP side. I'd suggest to:

1. Verify the redirect URL is configured properly on the IdP application side
2. Check the IdP log of events for any clues
3. Click "Preserve log" in the browser's dev tools before clicking 'Continue with openid' to inspect all the redirects on the IdP side