search

TomBursch / kitchenowl

KitchenOwl is a self-hosted grocery list and recipe manager. The backend is made with Flask and the frontend with Flutter. Easily add items to your shopping list before you go shopping. You can also create recipes and add items based on what you want to cook.
https://kitchenowl.org/
GNU Affero General Public License v3.0
1.33k stars 79 forks source link

Bug: Issue with SSO using authentik #391

Open filipfigzalski opened 10 months ago

filipfigzalski commented 10 months ago

Is this urgent?

No

What parts are affected

Both

What is the server version

v93

What is the client version

v0.4.21

What platform are you using

Web, Linux

What's the problem 🤔

I was trying to set up SSO with Authentik, but for some reason I get following issue.

Share your logs

back-1   | [2024-02-03 12:54:55,166] ERROR in config: {"error": "service_error", "error_description": "Remote key update from https://auth.domain.tld/application/o/kitchenowl/jwks/ failed, malformed JWKS."}
back-1   | Traceback (most recent call last):
back-1   |   File "/opt/venv/lib/python3.11/site-packages/flask/app.py", line 867, in full_dispatch_request
back-1   |     rv = self.dispatch_request()
back-1   |          ^^^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/flask/app.py", line 852, in dispatch_request
back-1   |     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
back-1   |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/flask_jwt_extended/view_decorators.py", line 170, in decorator
back-1   |     return current_app.ensure_sync(fn)(*args, **kwargs)
back-1   |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/usr/src/kitchenowl/app/helpers/validate_args.py", line 26, in func_wrapper
back-1   |     return func(arguments, *args, **kwargs)
back-1   |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/usr/src/kitchenowl/app/controller/auth/auth_controller.py", line 267, in loginWithOIDC
back-1   |     tokenResponse = client.do_access_token_request(
back-1   |                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/oic/__init__.py", line 704, in do_access_token_request
back-1   |     atr = super().do_access_token_request(
back-1   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/oauth2/__init__.py", line 928, in do_access_token_request
back-1   |     return self.request_and_return(
back-1   |            ^^^^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/oauth2/__init__.py", line 823, in request_and_return
back-1   |     return self.parse_request_response(resp, response, body_type, state, **kwargs)
back-1   |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/oauth2/__init__.py", line 764, in parse_request_response
back-1   |     return self.parse_response(
back-1   |            ^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/oauth2/__init__.py", line 678, in parse_response
back-1   |     verf = resp.verify(**kwargs)
back-1   |            ^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/oic/message.py", line 360, in verify
back-1   |     self["id_token"] = verify_id_token(self, **kwargs)
back-1   |                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/oic/message.py", line 310, in verify_id_token
back-1   |     idt = IdToken().from_jwt(_jws, **args)
back-1   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/oauth2/message.py", line 665, in from_jwt
back-1   |     key = self.get_verify_keys(
back-1   |           ^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/oauth2/message.py", line 590, in get_verify_keys
back-1   |     self._add_key(keyjar, jso[ent], key, _key_type, _kid, nki)
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/oauth2/message.py", line 491, in _add_key
back-1   |     "Key set summary for {}: {}".format(issuer, key_summary(keyjar, issuer))
back-1   |                                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/utils/keyio.py", line 1209, in key_summary
back-1   |     for key in kb.keys():
back-1   |                ^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/utils/keyio.py", line 308, in keys
back-1   |     self._uptodate()
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/utils/keyio.py", line 265, in _uptodate
back-1   |     if self.update():
back-1   |        ^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/utils/keyio.py", line 289, in update
back-1   |     res = self.do_remote()
back-1   |           ^^^^^^^^^^^^^^^^
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/utils/keyio.py", line 214, in do_remote
back-1   |     raise_exception(UpdateFailed, MALFORMED.format(self.source))
back-1   |   File "/opt/venv/lib/python3.11/site-packages/oic/utils/keyio.py", line 43, in raise_exception
back-1   |     raise excep(_err, "application/json")

front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:49 +0000] "GET /version.json?cachebuster=1706964889567 HTTP/1.1" 200 92 "https://recipe.domain.tld/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:49 +0000] "GET /flutter_service_worker.js?v=3875269676 HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:49 +0000] "GET /api/health/8M4F88S8ooi4sMbLBfkkV7ctWwgibW6V HTTP/1.1" 200 79 "https://recipe.domain.tld/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:49 +0000] "GET /api/onboarding HTTP/1.1" 200 21 "https://recipe.domain.tld/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:52 +0000] "GET /api/auth/oidc?provider=custom HTTP/1.1" 200 327 "https://recipe.domain.tld/signin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:53 +0000] "GET /signin/redirect?code=9db87a15e21f449f87ce5c05bfffb8a4&state=9QtEzNFuCrRWsV5d HTTP/1.1" 200 3413 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:53 +0000] "GET /flutter_service_worker.js?v=3875269676 HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:54 +0000] "GET /flutter_service_worker.js?v=3875269676 HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:54 +0000] "GET /version.json?cachebuster=1706964894342 HTTP/1.1" 200 92 "https://recipe.domain.tld/signin/redirect?code=9db87a15e21f449f87ce5c05bfffb8a4&state=9QtEzNFuCrRWsV5d" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:54 +0000] "GET /api/health/8M4F88S8ooi4sMbLBfkkV7ctWwgibW6V HTTP/1.1" 200 79 "https://recipe.domain.tld/signin/redirect?code=9db87a15e21f449f87ce5c05bfffb8a4&state=9QtEzNFuCrRWsV5d" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:54 +0000] "GET /api/onboarding HTTP/1.1" 200 21 "https://recipe.domain.tld/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:55 +0000] "POST /api/auth/callback HTTP/1.1" 500 20 "https://recipe.domain.tld/signin/redirect?code=9db87a15e21f449f87ce5c05bfffb8a4&state=9QtEzNFuCrRWsV5d" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"
front-1  | 10.1.1.1 - - [03/Feb/2024:12:54:55 +0000] "GET /api/onboarding HTTP/1.1" 200 21 "https://recipe.domain.tld/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0" "-"

Share your configuration

--- docker-compose.yml
version: "3"
services:
  front:
    image: tombursch/kitchenowl-web:latest
    restart: unless-stopped
    ports:
      - 8012:80
    depends_on:
      - back
  back:
    image: tombursch/kitchenowl:latest
    restart: unless-stopped
    env_file:
      - .env
    volumes:
      - kitchenowl_data:/data

volumes:
  kitchenowl_data:

--- .env
JWT_SECRET_KEY=KId1wkjVYzhu87VhExPiz0YJk0GVhWQuHZUk2CAyv2whxDTAlmPuatYV8OHAIMDW

FRONT_URL=https://recipe.domain.tld

OIDC_ISSUER=https://auth.domain.tld/application/o/kitchenowl/
OIDC_CLIENT_ID=[redacted]
OIDC_CLIENT_SECRET=[redacted]
shangri26199 commented 9 months ago

After seeeing this i decided to test this out myself. Using the same configuration as you is working for me. Authentik [2024.2.1] , used the new application wizard Kitchenowl Server v93 Kitchenowl Client v0.4.21 (firefox web, windows10)

I can't get it to work for my android device and currently debugging it.

TomBursch commented 7 months ago

Could this be related to #428?

shangri26199 commented 7 months ago

Sorry i forgot to report back. Auth against authentik sso works perfectly fine. My .env file:

FRONT_URL=https://kitchenowl.example.tld OIDC_ISSUER=https://authentik.example.tld/application/o/kitchenowl/ OIDC_CLIENT_ID=XX OIDC_CLIENT_SECRET=XXX

In authentik using the application wizard and afterwords chaning the redirect URLs to the following kitchenowl:///signin/redirect https://kitchenowl.exmaple.tld/signin/redirect

works for everyone using my service, including android,ios and me on win10 desktop+firefox