PSU on Synology Docker with OIDC

Okay so bit of an unusual setup, I’ve got a personal project I’d love to use PSU for - I’m building a local homebrew club website and figured it would be neat to do it in PS. I’ve just requested a trial license to try to get this going.

I decided to host it on my local NAS/Synology using Docker, I’ve got a reverse proxy set up so that I can just route https://customdomain.username.synology.me through to http://192.168.0.100:9919 (this is the NAS IP with the exposed port from my Docker container, which is pointing to the internal container port of 5000 for PSU).

Anyway, it’s all up and running and working fine, I’ve got my persistent storage mounted on a local share and everything is good!

I figured I’d log in to Azure and create an app registration and set up OIDC - I’d eventually love to get Facebook social login working for this and use it as an identity provider in my app (never done this before so I’m learning as I go, hopefully it’s possible although I’m not sure).
Anyway, one step at a time, just Azure-based OIDC first, I’ve followed the same process that I’ve used when doing this for my org.

When attempting to log in, I can see it’s making the call to Microsoft and then passing back to the callback address https://customdomain.user.synology.me/auth/signin-oidc

But it’s telling me the page doesn’t exist.
I’ve tried changing some of the env vars to the following:

Api__Url = https://customdomain.username.synology.me
ASPNETCORE_FORWARDEDHEADERS_ENABLED = true (also tried false)
Authentication__OIDC__Authority = https://login.microsoftonline.com/<tenantID>
Authentication__OIDC__CallbackPath = /auth/signin-oidc
Authentication__OIDC__ClientID = <clientid>
Authentication__OIDC__ClientSecret = <clientsecret>
Authentication__OIDC__Enabled = true
Authentication__OIDC__ResponseType = id_token token (also tried code)
Authentication__OIDC__SaveTokens = true
Authentication__OIDC__GetUserInfo = true (also tried false)
Authentication__OIDC__CorrelationCookieSameSite = secure (also tried none)
Authentication__OIDC__UseTokenLifetime = true

My redirect URI in the app registration is correct, I’ve also ticked Access tokens and ID tokens.
Originally (and I’m not sure exactly the settings) I was getting ‘Sorry, the page you are looking for is not found.’ default syno error page after the callback was made.
However after subsequent changes to the above values, I ended up getting a 500 error instead.

The error in my log hinted at not having a valid resource specified, so I added:

Authentication__OIDC__Resource = 'https://management.azure.com'

And granted permission in my app reg, after doing this, it goes back to the original issue with page not found.

I think I’ve just about tried every combo I can think of, do I need any custom headers on my reverse proxy? Any other ideas?

Logs currently don’t show much other than:

2023-08-09 01:06:48.415 +01:00 [VRB] All hosts are allowed.
2023-08-09 01:06:48.416 +01:00 [DBG] Connection id "0HMSODHDHNBK7", Request id "0HMSODHDHNBK7:00000001": started reading request body.
2023-08-09 01:06:48.416 +01:00 [DBG] Connection id "0HMSODHDHNBK7", Request id "0HMSODHDHNBK7:00000001": done reading request body.
2023-08-09 01:06:48.417 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'OpenIdConnect', 'v1').
2023-08-09 01:06:48.418 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-08-09 01:06:48.419 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-08-09 01:06:48.419 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-08-09 01:06:48.419 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-08-09 01:06:48.419 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-08-09 01:06:48.419 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-08-09 01:06:48.420 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-08-09 01:06:48.420 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-08-09 01:06:48.420 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-08-09 01:06:48.420 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-08-09 01:06:48.489 +01:00 [VRB] Performing protect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware', 'Cookies', 'v2').
2023-08-09 01:06:48.490 +01:00 [INF] Request finished HTTP/1.1 POST http://customdomain.user.synology.me/auth/signin-oidc application/x-www-form-urlencoded 4287 - 302 0 - 76.0060ms
2023-08-09 01:06:48.491 +01:00 [DBG] Connection id "0HMSODHDHNBK7" disconnecting.
2023-08-09 01:06:48.491 +01:00 [DBG] Connection id "0HMSODHDHNBK7" stopped.
2023-08-09 01:06:48.491 +01:00 [DBG] Connection id "0HMSODHDHNBK7" sending FIN because: "The Socket transport's send loop completed gracefully."
2023-08-09 01:06:50.393 +01:00 [VRB] Checking for aborted jobs...
2023-08-09 01:06:50.393 +01:00 [VRB] No newly aborted jobs found.

Also the Azure user is showing in the identities tab if I log in via forms auth.
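The "Request finished" line in the log above records the callback as plain http:// with a 302, and its hostname differs from the one in Api__Url; the script below is an added diagnostic (not from the original post or from PSU itself) that parses such Kestrel lines plus the data-protection unprotect traces and compares what the app saw against the configured public URL. It assumes the Api__Url value and log lines as posted (the host difference may just be how the post was anonymised) and the default PSU callback path /auth/signin-oidc.

```python
import re
from urllib.parse import urlsplit

# Kestrel: "[INF] Request finished HTTP/1.1 POST http://host/path <ctype> <len> - <status> ..."
REQUEST_FINISHED = re.compile(
    r"\[INF\] Request finished HTTP/[\d.]+ (?P<method>[A-Z]+) (?P<url>\S+) .*? - (?P<status>\d{3}) "
)
# Data-protection trace written when the OIDC handler decrypts its own state/correlation cookies.
OIDC_UNPROTECT = re.compile(r"\[VRB\] Performing unprotect operation .*OpenIdConnectHandler")


def parse_request_finished(line):
    """Return method/scheme/host/path/status from a Kestrel 'Request finished' line, else None."""
    m = REQUEST_FINISHED.search(line)
    if m is None:
        return None
    u = urlsplit(m.group("url"))
    return {"method": m.group("method"), "scheme": u.scheme, "host": u.hostname,
            "path": u.path, "status": int(m.group("status"))}


def check_oidc_callback(log_lines, public_url, callback_path="/auth/signin-oidc"):
    """Compare how the app saw the OIDC callback with the public URL it should be served on."""
    pub = urlsplit(public_url)
    findings = []
    for line in log_lines:
        req = parse_request_finished(line)
        if req is None or req["path"] != callback_path:
            continue
        if req["scheme"] != pub.scheme:  # app built its URLs from the wrong scheme
            findings.append(f"scheme mismatch: app saw {req['scheme']}://, Api__Url is {pub.scheme}:// "
                            "(proxy not sending X-Forwarded-Proto, or forwarded headers not applied)")
        if req["host"] != pub.hostname:
            findings.append(f"host mismatch: app saw {req['host']}, Api__Url says {pub.hostname}")
        if req["status"] == 302:  # callback path matched; the 404 comes from wherever it redirected
            findings.append("callback returned 302: inspect that response's Location header for the URL that 404s")
    if not any(OIDC_UNPROTECT.search(l) for l in log_lines):
        findings.append("no OIDC unprotect traces: state/correlation cookies never reached the handler")
    return findings


# Constructed excerpt of the log lines quoted in the post above.
SAMPLE_LOG = [
    "2023-08-09 01:06:48.417 +01:00 [VRB] Performing unprotect operation to key {cb50d976-984a-4a62-b7bd-aaeda8455312} "
    "with purposes ('/home/', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'OpenIdConnect', 'v1').",
    "2023-08-09 01:06:48.490 +01:00 [INF] Request finished HTTP/1.1 POST http://customdomain.user.synology.me/auth/signin-oidc "
    "application/x-www-form-urlencoded 4287 - 302 0 - 76.0060ms",
]

if __name__ == "__main__":
    for finding in check_oidc_callback(SAMPLE_LOG, "https://customdomain.username.synology.me"):
        print("-", finding)
```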