OpenID defaulting to Google Instead of Authentik

[Guruleenyc]

I enabled openid in triliumnext, set the following docker container variables, and restarted The triliumnext docker.

TRILIUM_OAUTH_BASE_URL
TRILIUM_OAUTH_CLIENT_ID
TRILIUM_OAUTH_CLIENT_SECRET
TRILIUM_OIDC_ISSUER
TRILIUM_OIDC_AUTHORIZATION_URL
TRILIUM_OIDC_TOKEN_URL
TRILIUM_OIDC_USERINFO_URL
TRILIUM_OAUTH_ISSUER_NAME

However, I still receive " Login with Authentik" but button with a Google logo on it from triliumnext login page.
When I click on it it brings me to accounts.google.com instead of Authentik.

Looking under the MFA settings in triliumnext, when you tick on the openID option, the following verbiage is presented. It even states the default issuer is Google:

"OpenID is a standardized way to let you log into websites using an account from another service, like Google, to verify your identity. The default issuer is Google, but you can change it to any other OpenID provider. Check here for more information. Follow these instructions to setup an OpenID service through Google."

So why are my docker containing variables not being respected for Authentik instead?

Per AI:
"TriliumNext currently only supports Google as its OIDC/OpenID Connect Provider.

Even if you set all the correct Authentik environment variables in your Docker container, TriliumNext will not accept Authentik (or other custom OIDC providers) unless the application itself adds support for generic OIDC."

Is this true?

[dosubot]

Hi @Guruleenyc! I'm Dosu and I’m helping the Trilium team.

TriliumNext uses specific environment variables to configure OpenID. If any are missing or have typos, it defaults to Google—even if the login button says "Authentik" and shows a custom icon. The most critical variable is TRILIUM_OAUTH_ISSUER_BASE_URL; if this isn't set (or is misspelled), Trilium will redirect to accounts.google.com. The button's label and icon are set by TRILIUM_OAUTH_ISSUER_NAME and TRILIUM_OAUTH_ISSUER_ICON, but the actual authentication flow is determined by the issuer base URL.

Common pitfalls are typos (like missing the "T" in TRILIUM_OAUTH_ISSUER_NAME), missing variables, or Docker misconfiguration where environment variables aren't passed correctly. Trilium merges environment variables with config.ini at runtime, but env vars always take precedence and do not appear in config.ini itself. Restarting the container is required for changes to take effect.

To troubleshoot: double-check all these variables are set and spelled correctly in your Docker setup:

TRILIUM_OAUTH_BASE_URL
TRILIUM_OAUTH_CLIENT_ID
TRILIUM_OAUTH_CLIENT_SECRET
TRILIUM_OAUTH_ISSUER_BASE_URL
TRILIUM_OAUTH_ISSUER_NAME
TRILIUM_OAUTH_ISSUER_ICON

Check Trilium's logs for any missing variable warnings—they will list any that are missing or empty. If the issue persists, try recreating the container to clear any persistent config. If you want more targeted help, feel free to share your actual Docker environment variable setup (redacting secrets) source, source, source.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}   

[Guruleenyc]

Comparing my docker container variables to what you provided, I do not see mismatch or typos. Hopefully someone other than a bot can give me more insight.

[Guruleenyc]

Anybody out there that can help?

[Guruleenyc]

You can see the Trilium login screen button URL when I hover over it in the lower right corner:

When I click on the button, it results in:

{
"message": "Router not found for request GET /authenticate"
}

[Guruleenyc]

Nothing in the Trilium logs after enabling Oauth, testing, and then reverting to totp:

13:31:48.713 Updating option 'mfaMethod' to 'oauth' 13:31:48.718 204 PUT /api/options with 0 bytes took 6ms 13:31:48.755 200 GET /api/options with 9545 bytes took 2ms 13:31:48.771 304 GET /api/options with 9545 bytes took 1ms 13:31:48.789 304 GET /api/database/backups with 533 bytes took 4ms 13:31:48.805 304 GET /api/options with 9545 bytes took 2ms 13:31:48.820 304 GET /api/options with 9545 bytes took 1ms 13:31:48.866 200 GET /api/totp/status with 43 bytes took 1ms 13:31:48.869 200 GET /api/oauth/status with 48 bytes took 1ms 13:32:01.440 200 GET /api/health-check with 15 bytes took 1ms 13:32:23.355 Updating option 'mfaMethod' to 'totp'

[Guruleenyc]

This is what I have for the variables in the Authentik docker container:

TRILIUM_OAUTH_BASE_URL
https://notes.mydomain.com

TRILIUM_OAUTH_CLIENT_ID
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

TRILIUM_OAUTH_CLIENT_SECRET
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

TRILIUM_OIDC_ISSUER
https://authentik.mydomain.com/application/o/triliumnext/

TRILIUM_OIDC_AUTHORIZATION_URL
https://authentik.mydomain.com/application/o/authorize/

TRILIUM_OIDC_TOKEN_URL
https://authentik.mydomain.com/application/o/token/

TRILIUM_OIDC_USERINFO_URL
https://authentik.mydomain.com/application/o/userinfo/

TRILIUM_OAUTH_ISSUER_NAME
Authentik`

[Guruleenyc]

I also checked my docker container variables at the CLI to be short, they do not have any typos:

docker exec -it triliumnext sh /usr/src/app # env | grep TRILIUM TRILIUM_OAUTH_BASE_URL=https://notes.mydomain com TRILIUM_OIDC_USERINFO_URL=https://authentik.mydomain com/application/o/userinfo/ TRILIUM_OIDC_AUTHORIZATION_URL=https://authentik.mydomain.com/application/o/authorize/ TRILIUM_OIDC_TOKEN_URL=https://authentik.mydomain com/application/o/token/ TRILIUM_OAUTH_ISSUER_NAME=Authentik TRILIUM_OAUTH_CLIENT_ID=i64UVAaxxxxxxxxxxxxxxx TRILIUM_OAUTH_CLIENT_SECRET=yLJH10bPxxxxxxxxxxxxxxxxxxxxxx TRILIUM_OIDC_ISSUER=https://authentik.mydomain.com/application/o/triliumnext/

Can someone please help me narrow this issue down and get it resolved. I really prefer to use my Authentik instance instead of Google oauth issuer

[eliandoran]

@JYC333 , can you help?

[JYC333]

I'll check this later

[Guruleenyc]

I'll check this later

@JYC333 I appreciate you!