I'm integrating OPNsense with Authentik via OIDC. The connection works with the Issuer URL https://auth.example.com/application/o/opnsense/, and the .well-known/openid-configuration is now being resolved correctly (as OPNsense suffixes it automatically). Logs show a successful login for user "genericuser" (email: user@example.com), and the UserInfo endpoint returns a sub claim, but the username appears as empty in the audit log. After authentication, I'm redirected back to the OPNsense login page. The discovery configuration indicates that claims like email and preferred_username are supported, and I've tried mapping both without success, suggesting OPNsense may not be requesting or processing them correctly. This is likely due to missing or unmapped claims (e.g., preferred_username, email, or groups) required to create a session. The current scope is limited to openid, and group mappings may not be properly configured. I assumed the correct claims would be available if OPNsense requested them, but this doesn't seem to happen. Need help to ensure the correct claims are requested, passed, and mapped to resolve the redirect issue.
2025-10-18T17:47:15  Notice  audit  Successful login for user '' from: [REDACTED]:0:1bd:a760:998a:8b69 (oidc-app: Authentik)
2025-10-18T17:47:15  Notice  audit  OIDC requestUserInfo received --> {"sub":"b589d7f7234e68370adc299176dbc3fcd8a59a44de724dda38057494909752ba","nonce":"102fb9dfc250d65df849d71a26a0b143"}
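The UserInfo body in the log above carries only `sub` and `nonce`, which is exactly what an identity provider returns when the request scope is just `openid`: OIDC Core 1.0 section 5.4 ties `preferred_username` to the `profile` scope and `email` to the `email` scope, so a username mapping on either claim cannot succeed until that scope is requested. The script below is an added example (not code from this thread, from OPNsense or from Authentik) that encodes the section 5.4 scope-to-claims table and uses it to diagnose a UserInfo response against the requested scope and the provider's discovery document. The UserInfo JSON is the one quoted from the audit log; the discovery excerpt, the second "fixed" UserInfo body, and the `groups` claim being listed as supported are constructed assumptions, not output from the poster's server.

```python
"""Diagnose why an OIDC login resolves to an empty username.

Added example, not part of the original post or of OPNsense/Authentik.
Standard scope -> claims mapping is from OIDC Core 1.0 section 5.4; the
discovery excerpt below is a constructed assumption, not a real server dump.
"""
import json

# OIDC Core 1.0 section 5.4: the standard claims each scope value asks for.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed discovery excerpt (assumed values; 'groups' is a non-standard claim).
DISCOVERY = {
    "issuer": "https://auth.example.com/application/o/opnsense/",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "claims_supported": [
        "sub", "iss", "aud", "exp", "iat", "nonce", "email", "email_verified",
        "name", "given_name", "preferred_username", "nickname", "groups",
    ],
}

# UserInfo body exactly as quoted in the audit log above: only sub and nonce.
USERINFO_OPENID_ONLY = json.loads(
    '{"sub":"b589d7f7234e68370adc299176dbc3fcd8a59a44de724dda38057494909752ba",'
    '"nonce":"102fb9dfc250d65df849d71a26a0b143"}'
)

# Constructed UserInfo body for the same user once profile and email are requested.
USERINFO_WITH_PROFILE = dict(
    USERINFO_OPENID_ONLY,
    preferred_username="genericuser",
    email="user@example.com",
    email_verified=True,
)


def expected_claims(scope):
    """Standard claims the IdP may release for a space-separated scope string."""
    return set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scope.split()))


def scope_for(claims):
    """Smallest standard scope string requesting every claim in `claims`.

    Returns (scope_string, unmapped): non-standard claims such as 'groups' have
    no standard scope, so they are handed back for the IdP's own scope mapping.
    """
    needed, unmapped = {"openid"}, []
    for claim in claims:
        granting = [s for s, cs in SCOPE_CLAIMS.items() if claim in cs]
        if granting:
            needed.add(granting[0])
        else:
            unmapped.append(claim)
    return " ".join(s for s in SCOPE_CLAIMS if s in needed), unmapped


def diagnose(requested_scope, username_claim, userinfo, discovery):
    """Return (ok, reasons) for resolving `username_claim` from `userinfo`.

    ok is True only when the claim is advertised by the IdP, covered by the
    requested scope, and actually present and non-empty in the response.
    """
    reasons = []
    scopes = requested_scope.split()
    if "openid" not in scopes:
        reasons.append("scope must include 'openid' for an OIDC request")
    for s in scopes:
        if s not in discovery["scopes_supported"]:
            reasons.append(f"scope '{s}' is not in scopes_supported")
    if username_claim not in discovery["claims_supported"]:
        reasons.append(f"claim '{username_claim}' is not in claims_supported")
    granting = [s for s, cs in SCOPE_CLAIMS.items() if username_claim in cs]
    if granting and not any(s in scopes for s in granting):
        reasons.append(
            f"claim '{username_claim}' is released by scope '{granting[0]}', "
            f"but only '{requested_scope}' was requested"
        )
    if username_claim not in userinfo:
        reasons.append(f"UserInfo response has no '{username_claim}' claim "
                       f"(got: {sorted(userinfo)})")
    elif not isinstance(userinfo[username_claim], str) or not userinfo[username_claim]:
        reasons.append(f"claim '{username_claim}' is present but empty")
    return (not reasons, reasons)


if __name__ == "__main__":
    for scope, body in (("openid", USERINFO_OPENID_ONLY),
                        ("openid profile email", USERINFO_WITH_PROFILE)):
        ok, why = diagnose(scope, "preferred_username", body, DISCOVERY)
        print(f"scope={scope!r}: {'OK' if ok else 'FAIL'}", *why, sep="\n  ")
    print("scope to request:", scope_for(["preferred_username", "email", "groups"]))
```

The check is deliberately two-sided: a correct scope string only entitles the client to ask, and the provider still decides which scope mapping releases which claim, so the final test is whether the claim is actually present in the UserInfo (or ID token) response. If `diagnose` passes on the scope and discovery checks but still reports the claim missing, the fix is on the provider side (the scope mapping attached to the application), not in the client's request.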
Has anyone already successfully connected opnsense to authentik?
I have the same issue with authentik (https://forum.opnsense.org/index.php?topic=48884.msg250257#msg250257).
I was surprised there is no claim field in OPNsense and suspect that OPNsense does not request the correct claims.
https://github.com/opnsense/core/issues/9299