Bubka / 2FAuth

A Web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes
https://docs.2fauth.app/
GNU Affero General Public License v3.0

5.1 SSO: Authentication via SSO rejected #325

Open Trapulo opened 3 months ago

Trapulo commented 3 months ago

Version

5.1.0

Details & Steps to reproduce

After upgrading to 5.1.0, when I access using OID (EntraID), after the sign-in the system responds "Authentication via SSO rejected".

Before the upgrade it worked.

Expectation

a full access

Error & Logs

No response

Execution environment

No response

Containerization

Additional information

No response

Bubka commented 3 months ago

Hi, this error message is shown when the provider refuses to authenticate the login request. Please check your OPENID_* env vars. Logs may contain further information, please check them as well.

Trapulo commented 3 months ago

production.ERROR: No application encryption key has been specified. {"exception":"[object] (Illuminate\Encryption\MissingAppKeyException(code: 0): No application encryption key has been specified. at /srv/vendor/laravel/framework/src/Illuminate/Encryption/EncryptionServiceProvider.php:7

Bubka commented 3 months ago

Thx. You have to set the APP_KEY env var.

Bubka commented 3 months ago

I don't understand how this is possible by the way. Running 2FAuth without APP_KEY set should return an HTTP error 500.

Trapulo commented 3 months ago

I have APP_KEY assigned. And it did work until the last update to 5.1.0.

Bubka commented 3 months ago

🤨

production.ERROR: No application encryption key has been specified. {"exception":"[object] (Illuminate\Encryption\MissingAppKeyException(code: 0): No application encryption key has been specified. at /srv/vendor/laravel/framework/src/Illuminate/Encryption/EncryptionServiceProvider.php:7

Does the time of this error match the time you tried to connect via SSO?

Trapulo commented 3 months ago

You are right: that error is not related to the SSO problem. When I try to access using SSO I don't have any log row at all :(

Diggen85 commented 1 month ago

I have the same problem. Trying to auth via the Authentik OpenID provider leads to an SSO reject.

Env
OPENID_AUTHORIZE_URL=https://auth.example.de/application/o/authorize/
OPENID_TOKEN_URL=https://auth.example.de/application/o/token/
OPENID_USERINFO_URL=https://auth.example.de/application/o/userinfo/
OPENID_CLIENT_ID=LDzqB....e5
OPENID_CLIENT_SECRET=R...U

Authentik Redirect URIs
https://2fa.example.de/socialite/callback/openid

Logs
172.22.0.4 - - [14/May/2024:06:43:02 +0000] "GET /socialite/redirect/openid HTTP/1.1" 302 1394 "https://2fa.example.de/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /socialite/callback/openid?code=d1...a HTTP/1.1" 302 430 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 2745 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:17 +0000] "GET /api/v1/user HTTP/1.1" 401 41 "https://2fa.example.de/error?err=sso_failed" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
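
A triage sketch for the access-log pattern in the comment above, added here as an example and not part of the thread or of 2FAuth's code: it pairs each /socialite/callback/<provider> request with a following /error?err=sso_failed from the same client and records whether the callback carried an authorization `code` or an OAuth `error` parameter. The log lines are constructed, and the combined log format, the 5-second window and the stage labels are assumptions of this example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample in combined log format, modelled on the lines in the comment above.
SAMPLE = '''\
172.22.0.4 - - [14/May/2024:06:43:02 +0000] "GET /socialite/redirect/openid HTTP/1.1" 302 1394 "-" "UA"
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /socialite/callback/openid?code=CONSTRUCTED HTTP/1.1" 302 430 "-" "UA"
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 2745 "-" "UA"
172.22.0.9 - - [14/May/2024:07:00:10 +0000] "GET /socialite/callback/openid?error=access_denied HTTP/1.1" 302 430 "-" "UA"
172.22.0.9 - - [14/May/2024:07:00:11 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 2745 "-" "UA"
172.22.0.7 - - [14/May/2024:07:05:00 +0000] "GET /socialite/callback/openid?code=CONSTRUCTED2 HTTP/1.1" 302 430 "-" "UA"
172.22.0.7 - - [14/May/2024:07:05:01 +0000] "GET /api/v1/user HTTP/1.1" 200 900 "-" "UA"
'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def sso_failures(log_text, window=timedelta(seconds=5)):
    """Return one finding per callback followed by /error?err=sso_failed from the same client."""
    pending = {}   # client IP -> (time, provider, query params) of its last callback
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a combined-format access line
        ip, ts, _method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        query = parse_qs(url.query)
        if url.path.startswith("/socialite/callback/"):
            pending[ip] = (when, url.path.rsplit("/", 1)[-1], query)
        elif url.path == "/error" and query.get("err") == ["sso_failed"] and ip in pending:
            cb_time, provider, cb_query = pending.pop(ip)
            if when - cb_time > window:
                continue  # too far apart to be the same login attempt
            if "error" in cb_query:
                stage = "idp_returned_error:" + cb_query["error"][0]
            elif "code" in cb_query:
                stage = "code_issued_failure_after_callback"
            else:
                stage = "callback_without_code_or_error"
            findings.append((ip, provider, cb_time.isoformat(), stage))
        else:
            pending.pop(ip, None)  # any other request ends the pending attempt
    return findings

if __name__ == "__main__":
    for f in sso_failures(SAMPLE):
        print(*f, sep="  ")
```

In the OAuth 2.0 authorization code flow, a callback that carries `code` means the identity provider already issued an authorization code, so a rejection after it points at a later step (the token or userinfo request, or the application's own handling) rather than at the provider's login page.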