Closed xcsdm closed 1 month ago
can you run the meshcentral with debug for authlog and share the logs?
add to your .env
this ARGS=--debug authlog
and restart then check the console output
OR
set "logs": "authlog"
inside of settings
in your config.json
and check the log.txt
file that gets created
p.s: simply visiting https://mesh.example.com/auth-oidc-callback
will produce the LOGIN FAILED: REQUEST CONTAINS NO USER OR SID
message because you haven't passed it any codes or auth etc, which is correct
All logs are during an authentication/login attempt.
from docker compose logs:
meshcentral | Missing Modules: passport, openid-client, connect-flash
meshcentral | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral | MeshCentral HTTP redirection server running on port 80.
meshcentral | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral | MeshCentral v1.1.24, Hybrid (LAN + WAN) mode, Production mode.
meshcentral | MeshCentral Intel(R) AMT server running on mesh.example.com:4433.
meshcentral | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral | AUTHLOG: OIDC: Setting up strategy for domain:
meshcentral | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
meshcentral | Loaded web certificate from "https://mesh.example.com", host: "mesh.example.com"
meshcentral | SHA384 cert hash: REDACTED
meshcentral | SHA384 key hash: REDACTED
meshcentral | AUTHLOG: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
meshcentral | AUTHLOG: OIDC: Setup Complete
meshcentral | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral | AUTHLOG: OIDC: Callback URL: /auth-oidc-callback
meshcentral | MeshCentral HTTP server running on port 443.
From authlog.log
Jun 3 20:45:31 meshcentral http[29]: Server listening on 0.0.0.0 port 80.
Jun 3 20:45:32 meshcentral mps[29]: Server listening on 0.0.0.0 port 4433.
Jun 3 20:45:32 meshcentral setupDomainAuthStrategy[29]: OIDC: Setting up strategy for domain:
Jun 3 20:45:32 meshcentral setupDomainAuthStrategy[29]: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
Jun 3 20:45:33 meshcentral setupDomainAuthStrategy[29]: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
Jun 3 20:45:33 meshcentral setupDomainAuthStrategy[29]: OIDC: Setup Complete
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: Setting up authentication strategies login and callback URLs for root domain.
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: OIDC: Authorization URL: /auth-oidc
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: OIDC: Callback URL: /auth-oidc-callback
In case it is relevant, my nginx reverse proxy config:
# HTTPS server.
server {
    listen 10.0.42.253:443 ssl;
    include /etc/nginx/ssl.conf;
    server_name mesh.example.com;

    # MeshCentral uses long standing web socket connections, set longer timeouts.
    proxy_send_timeout 330s;
    proxy_read_timeout 330s;

    location / {
        proxy_pass http://10.0.42.253:8086/;
        proxy_http_version 1.1;

        # Allows websockets over HTTPS.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        # Inform MeshCentral about the real host, port and protocol
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
ok thanks, what about when you try logging in? it should give more logs
Login as local meshcentral user admin successful
Login with OIDC from Authentik: nothing additional logged, including for the event from the authentik logs below.
From authentik:
{
"user": {
"pk": 3,
"email": "myuser@example.com",
"username": "myuser"
},
"action": "authorize_application",
"app": "authentik.providers.oauth2.views.authorize",
"context": {
"flow": "869ba41c7bec4b44849724e84e6b2c4e",
"scopes": "profile openid email",
"http_request": {
"args": {
"scope": "openid profile email",
"state": "i_8im2_gB3EbV35-kspNFIhkab-C-fo7gO5HJ23e7NY",
"client_id": "REDACTED",
"failureFlash": "true",
"redirect_uri": "https://mesh.example.com/auth-oidc-callback",
"response_type": "code",
"code_challenge": "zYQRpZ4Tgjkze0PmkoHRCaKyPNkxmRgV9uyxypknuT8",
"failureRedirect": "/",
"code_challenge_method": "S256"
},
"path": "/api/v3/flows/executor/example-application-authorization/",
"method": "GET",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
},
"authorized_application": {
"pk": "1f2ac4234b1e426086767200e45184cd",
"app": "authentik_core",
"name": "MeshCentral-old",
"model_name": "application"
}
},
"client_ip": "10.0.42.142",
"expires": "2025-06-03T20:59:59.453Z",
"brand": {
"pk": "698fbc6b80a74477a56f504509558c60",
"app": "authentik_brands",
"name": "Default brand",
"model_name": "brand"
}
}
From docker compose
sudo docker compose up -d && sudo docker compose logs meshcentral -f
[+] Running 3/3
✔ Network meshcentral_meshcentral-tier Created 0.1s
✔ Container mongodb Started 0.6s
✔ Container meshcentral Started 0.7s
meshcentral | Missing Modules: passport, openid-client, connect-flash
meshcentral | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral | MeshCentral HTTP redirection server running on port 80.
meshcentral | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral | MeshCentral v1.1.24, Hybrid (LAN + WAN) mode, Production mode.
meshcentral | MeshCentral Intel(R) AMT server running on mesh.example.com:4433.
meshcentral | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral | AUTHLOG: OIDC: Setting up strategy for domain:
meshcentral | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
meshcentral | Loaded web certificate from "https://mesh.example.com", host: "mesh.example.com"
meshcentral | SHA384 cert hash: 2a2d2e8b92d3c69e6ea937016c3dd638a3f6fe5c0c86f3a17ec2fe063d6f640a8643d4085c1e264164b5341323cfef19
meshcentral | SHA384 key hash: 4700277a409aa747e0b1ac2922a010da2099c20a269b1c6cd97a4001cc1505709a6470b8ad5526d16fd41d272bf2b256
meshcentral | AUTHLOG: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
meshcentral | AUTHLOG: OIDC: Setup Complete
meshcentral | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral | AUTHLOG: OIDC: Callback URL: /auth-oidc-callback
meshcentral | MeshCentral HTTP server running on port 443.
meshcentral | AUTHLOG: Accepted password for admin from 10.0.42.1 port 51034, SessionID: QE+mGIwN, Browser: Chrome/124.0.0.0, OS: Windows/10
meshcentral | AUTHLOG: User admin logout from 10.0.42.1 port 54152, SessionID: QE+mGIwN, Browser: Chrome/124.0.0.0, OS: Windows/10
very strange? works perfectly fine here?
MeshCentral HTTPS server running on mc.mydomain.com:443.
AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:a1b2c3d4e5xxxxxxxxxxxxx","name":"authentik Default Admin","email":"simon@mydomain.com","emailVerified":true,"groups":["authentik Admins"],"preset":null}
AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:a1b2c3d4e5xxxxxxxxxxxxx"
i have spotted a few issues with your config.json which you could try fixing to see if it makes a difference?
"cert": "*.example.com"
as that shouldn't be there
"minify": true
as there could be a problem with the minify code
"NewAccounts": false
to "NewAccounts": true
this needs to be true otherwise accounts can't be created from your oidc provider
edit:
have you tried pulling the master docker image again as i changed a few things 2 days ago https://github.com/Ylianst/MeshCentral/pkgs/container/meshcentral/223949079?tag=master
I made the config.json changes, but they did not fix the issue.
I have removed and re-pulled the master image a few times.
This is my access.log from nginx for the auth sessions. Both authentik and meshcentral run through the same reverse proxy. authentik is on a different host internally. meshcentral is on the same host as the nginx reverse proxy
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /auth-oidc HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /application/o/authorize/?client_id=MYCLIENTIDHERE&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256 HTTP/2.0" 302 23 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /ws/client/ HTTP/1.1" 101 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256 HTTP/2.0" 200 1179 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/root/config/ HTTP/2.0" 200 274 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/core/brands/current/ HTTP/2.0" 200 236 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/root/config/ HTTP/2.0" 200 274 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /if/flow/example-application-authorization/assets/fonts/RedHatDisplay/RedHatDisplay-Medium.woff2 HTTP/2.0" 200 28661 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /media/public/flow-backgrounds/SpaceInvaders_LGB2VfI.jpg HTTP/2.0" 499 0 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/core/brands/current/ HTTP/2.0" 200 236 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/flows/executor/example-application-authorization/?query=client_id%3DMYCLIENTIDHERE%26scope%3Dopenid%2Bprofile%2Bemail%26response_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252Fmesh.example.com%252Fauth-oidc-callback%26state%3D6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4%26failureRedirect%3D%252F%26failureFlash%3Dtrue%26code_challenge%3Dj_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA%26code_challenge_method%3DS256 HTTP/2.0" 200 195 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /media/blue-alien/BAlien32.png HTTP/2.0" 499 0 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /ws/client/ HTTP/1.1" 101 4 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
172.26.0.3 - MYCLIENTIDHERE [03/Jun/2024:17:53:15 -0400] "POST /application/o/token/ HTTP/1.1" 200 2007 "-" "openid-client/5.6.5 (https://github.com/panva/node-openid-client)"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /auth-oidc-callback?code=58fff0170700493384ddd0416ba4e136&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4 HTTP/2.0" 302 46 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
i think there is an issue with your reverse proxy (nginx)?
from the looks of those logs /auth-oidc-callback?code=xxxxxxxx
is returning a 302 status which is a page redirect
BUT
we don't send a 302?
we just build a HTML page with a redirect/refresh on it which would return a 200
res.set('Content-Type', 'text/html');
res.end('<html><head><meta http-equiv="refresh" content=0;url="' + domain.url + '"></head><body></body></html>');
also check the redirect url inside authentik
ignore my /oidctest/
as i use the multi-tenant for my testing
i think i've found the issue and also discovered another bug too!
i'm checking domain.id
but that's not present if you're using authstrategies on the base domain ""
!
also the redirect url isn't filling in correctly IF you use aliasPort
which i am in my case,
so i can run mesh on 127.0.0.1:12346
but using port 443 in docker
OK fixed the aliasport issue, but turns out the domain.id isn't the issue? So I really do think your issue is because your reverse proxy is returning 302 rather than forwarding the server url correctly.
One thing you can try is check the redirect_url in the url is correct when it loads up the authentik login page
Another thing is to also copy the url you found in the logs and try pasting it manually in your browser and see if you see any logs in meshcentral authlog
What is strange is that reverting back to 1.1.21 works. I have to change the callback url from auth-oidc-callback to oidc-callback and swap to the old format config.json, but it works with the same reverse proxy setup.
The 302 is coming from failureRedirect, but I cannot locate the failure.
Something is triggering the failureRedirect instead of just authenticating at line 6789 of webserver.js. If I change the failureRedirect path, the changed path is what is loading.
access.log with original failureRedirect /
10.0.42.149 - - [04/Jun/2024:07:30:07 -0400] "GET /oidc-callback?code=528055ca7c2f4b47a84f7e5f53c8b366&state=soYFEvsnzPm5rg06XAvRWaU1PLz7kIPDDgP0VrcEFXA HTTP/2.0" 302 46 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [04/Jun/2024:07:30:08 -0400] "GET / HTTP/2.0" 200 10954 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
access.log with modified failureRedirect /testurl/
10.0.42.149 - - [04/Jun/2024:07:31:45 -0400] "GET /oidc-callback?code=91a439c0286a410ca4d39085daf1ece9&state=Liv0e5J9Vjkdd2Ox9eS9C_UHf-uv6kb3jZgalJ68EYA HTTP/2.0" 302 62 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [04/Jun/2024:07:31:45 -0400] "GET /testurl/ HTTP/2.0" 404 847 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
one thing you can try for me is to check the output from the request BEFORE it heads into handleStrategyLogin
so at line 6758 of webserver.js, just under var domain = getDomain(req);
put console.log('oidccallbackurl', domain.passport, req.session);
then restart container and try logging in and watch the console output on your server
you should see a LOT of json output,
can you share it? (might need to hide secret info in it)
Bingo!
It is working. I had not configured my OIDC connection on the Authentik side to sign the response
This portion of the log was critical. I'm unsure if it would be easily output from MeshCentral, but it immediately took me to the answer.
meshcentral | flash: {
meshcentral | error: [
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256'
meshcentral | ]
meshcentral | },
The whole output in case it helps anyone:
meshcentral | oidccallbackurl Authenticator {
meshcentral | _key: 'passport',
meshcentral | _strategies: {
meshcentral | session: SessionStrategy {
meshcentral | name: 'session',
meshcentral | _key: 'passport',
meshcentral | _deserializeUser: [Function: bound ]
meshcentral | },
meshcentral | 'oidc-': OpenIDConnectStrategy {
meshcentral | _client: Client {
meshcentral | authorization_signed_response_alg: 'RS256',
meshcentral | client_id: 'REDACTED',
meshcentral | client_secret: 'REDACTED',
meshcentral | grant_types: [
meshcentral | 'authorization_code'
meshcentral | ],
meshcentral | id_token_signed_response_alg: 'RS256',
meshcentral | introspection_endpoint_auth_method: 'client_secret_basic',
meshcentral | post_logout_redirect_uri: 'https://mesh.example.com/login',
meshcentral | redirect_uris: [
meshcentral | 'https://mesh.example.com/auth-oidc-callback'
meshcentral | ],
meshcentral | response_types: [
meshcentral | 'code'
meshcentral | ],
meshcentral | revocation_endpoint_auth_method: 'client_secret_basic',
meshcentral | token_endpoint_auth_method: 'client_secret_basic'
meshcentral | },
meshcentral | _issuer: Issuer {
meshcentral | acr_values_supported: [
meshcentral | 'goauthentik.io/providers/oauth2/default'
meshcentral | ],
meshcentral | authorization_endpoint: 'https://auth.example.com/application/o/authorize/',
meshcentral | claim_types_supported: [
meshcentral | 'normal'
meshcentral | ],
meshcentral | claims_parameter_supported: false,
meshcentral | claims_supported: [
meshcentral | 'sub',
meshcentral | 'iss',
meshcentral | 'aud',
meshcentral | 'exp',
meshcentral | 'iat',
meshcentral | 'auth_time',
meshcentral | 'acr',
meshcentral | 'amr',
meshcentral | 'nonce',
meshcentral | 'email',
meshcentral | 'email_verified',
meshcentral | 'name',
meshcentral | 'given_name',
meshcentral | 'preferred_username',
meshcentral | 'nickname',
meshcentral | 'groups',
meshcentral | 'uid'
meshcentral | ],
meshcentral | code_challenge_methods_supported: [
meshcentral | 'plain',
meshcentral | 'S256'
meshcentral | ],
meshcentral | device_authorization_endpoint: 'https://auth.example.com/application/o/device/',
meshcentral | end_session_endpoint: 'https://auth.example.com/application/o/meshcentral/end-session/',
meshcentral | grant_types_supported: [
meshcentral | 'authorization_code',
meshcentral | 'refresh_token',
meshcentral | 'implicit',
meshcentral | 'client_credentials',
meshcentral | 'password',
meshcentral | 'urn:ietf:params:oauth:grant-type:device_code'
meshcentral | ],
meshcentral | id_token_signing_alg_values_supported: [
meshcentral | 'HS256'
meshcentral | ],
meshcentral | introspection_endpoint: 'https://auth.example.com/application/o/introspect/',
meshcentral | introspection_endpoint_auth_methods_supported: [
meshcentral | 'client_secret_post',
meshcentral | 'client_secret_basic'
meshcentral | ],
meshcentral | issuer: 'https://auth.example.com/application/o/meshcentral/',
meshcentral | jwks_uri: 'https://auth.example.com/application/o/meshcentral/jwks/',
meshcentral | redirect_uri: 'https://mesh.example.com/oidc-callback',
meshcentral | request_parameter_supported: false,
meshcentral | request_uri_parameter_supported: true,
meshcentral | require_request_uri_registration: false,
meshcentral | response_modes_supported: [
meshcentral | 'query',
meshcentral | 'fragment',
meshcentral | 'form_post'
meshcentral | ],
meshcentral | response_types_supported: [
meshcentral | 'code',
meshcentral | 'id_token',
meshcentral | 'id_token token',
meshcentral | 'code token',
meshcentral | 'code id_token',
meshcentral | 'code id_token token'
meshcentral | ],
meshcentral | revocation_endpoint: 'https://auth.example.com/application/o/revoke/',
meshcentral | revocation_endpoint_auth_methods_supported: [
meshcentral | 'client_secret_post',
meshcentral | 'client_secret_basic'
meshcentral | ],
meshcentral | scopes_supported: [
meshcentral | 'email',
meshcentral | 'profile',
meshcentral | 'openid'
meshcentral | ],
meshcentral | subject_types_supported: [
meshcentral | 'public'
meshcentral | ],
meshcentral | token_endpoint: 'https://auth.example.com/application/o/token/',
meshcentral | token_endpoint_auth_methods_supported: [
meshcentral | 'client_secret_post',
meshcentral | 'client_secret_basic'
meshcentral | ],
meshcentral | userinfo_endpoint: 'https://auth.example.com/application/o/userinfo/'
meshcentral | },
meshcentral | _verify: [Function: oidcCallback],
meshcentral | _passReqToCallback: false,
meshcentral | _usePKCE: 'S256',
meshcentral | _key: 'oidc-',
meshcentral | _params: [Object],
meshcentral | _extras: {},
meshcentral | name: 'auth.example.com'
meshcentral | }
meshcentral | },
meshcentral | _serializers: [ [Function (anonymous)] ],
meshcentral | _deserializers: [ [Function (anonymous)] ],
meshcentral | _infoTransformers: [],
meshcentral | _framework: {
meshcentral | initialize: [Function: initialize],
meshcentral | authenticate: [Function: authenticate]
meshcentral | },
meshcentral | _sm: SessionManager {
meshcentral | _key: 'passport',
meshcentral | _serializeUser: [Function: bound ]
meshcentral | },
meshcentral | Authenticator: [Function: Authenticator],
meshcentral | Passport: [Function: Authenticator],
meshcentral | Strategy: <ref *1> [Function: Strategy] { Strategy: [Circular *1] },
meshcentral | strategies: { SessionStrategy: [Function: SessionStrategy] },
meshcentral | _userProperty: 'user'
meshcentral | } Session {
meshcentral | flash: {
meshcentral | error: [
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral | 'unexpected JWT alg received, expected RS256, got: HS256'
meshcentral | ]
meshcentral | },
meshcentral | 'oidc-': {
meshcentral | state: 'LzkRQPOPEzsQEMcSu1wZc6dwoC3myJ1xcpzYrdh2caI',
meshcentral | response_type: 'code',
meshcentral | code_verifier: 'kKB1wjl5sWpeToldqna3_2eYFkRr9bS47J4nVzBwRJk'
meshcentral | },
meshcentral | regenerate: [Function (anonymous)],
meshcentral | save: [Function (anonymous)]
meshcentral | }
meshcentral | AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:myuser@example.com","name":"My User","email":"myuser@example.com","emailVerified":true,"groups":["authentik Admins","MeshCentral Users"],"preset":null}
meshcentral | AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:myuser@example.com"
glad you got it fixed!
can you do me a favour though?
can you close this issue as you have fixed it now :)
and can you ALSO open a new enhancement request and just explain in it,
can we please display the flash errors for the external auths like saml or oidc on the login screen
currently i don't think we display any errors!
if we had the errors being displayed it would have helped this issue out a lot quicker!
p.s: my output shows this below, so yeah yours is different even though we use the same software for auth
id_token_signing_alg_values_supported: [
'RS256'
],
p.s again: what setting did you change in authentik? i want to replicate the issue to get it to display errors
The authentik setting was on the Oauth2 Provider, under the Redirect URIs/Origins, I had no Signing Key selected.
This worked in 1.1.21, but with the updated libraries, it looks to be required now.
Closing as fixed
After pulling the latest master docker image, all OIDC login attempts are redirected to the main login page.
Steps:
Note, I edited line 6789 to the below to test. The failureRedirect is where this is coming from
No errors in the meshcentral container log. No errors or messages in the authlog.
If I simply open https://mesh.example.com/auth-oidc-callback the error "LOGIN FAILED: REQUEST CONTAINS NO USER OR SID" is logged in authlog, so logging itself appears to be working.
Expected behavior Successfully opening the Meshcentral dashboard
Additional context Reference #6132
Your config.json file
Docker Compose file: