Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

OIDC login fails after recent fixes #6148

Closed xcsdm closed 1 month ago

xcsdm commented 1 month ago

After pulling the latest master docker image, all OIDC login attempts are redirected to the main login page.

Steps:

  1. Open https://mesh.example.com/auth-oidc (or just click the OIDC login button on the login page)
  2. Auth server performs authentication (Authentik in my case) and redirects to [server]/auth-oidc-callback?[many parameters omitted here]
  3. I am redirected to https://mesh.example.com/

Note: I edited line 6789 to the line below to test. The failureRedirect is where this is coming from.

domain.passport.authenticate(`oidc-${domain.id}`, { failureRedirect: '/mytesturl/', failureFlash: true })(req, res, next);

No errors in the meshcentral container log. No errors or messages in the authlog.

If I simply open https://mesh.example.com/auth-oidc-callback the error "LOGIN FAILED: REQUEST CONTAINS NO USER OR SID" is logged in authlog, so logging itself appears to be working.

Expected behavior

Successfully opening the Meshcentral dashboard

Additional context

Reference #6132

Your config.json file

{
  "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
  "settings": {
    "plugins":{"enabled": false},
    "_mongoDb": null,
    "cert": "mesh.example.com",
    "_WANonly": true,
    "_LANonly": true,
    "sessionKey": "REDACTED",
    "port": 443,
    "_aliasPort": 443,
    "redirPort": 80,
    "_redirAliasPort": 80,
    "AgentPong": 300,
    "TLSOffload": true,
    "SelfUpdate": false,
    "AllowFraming": false,
    "WebRTC": false,
    "_trustedProxy": "CloudFlare",
    "trustedProxy": "10.0.42.253",
    "_ignoreAgentHashCheck": true,
    "authlog": "/opt/meshcentral/meshcentral-data/authlog.log"
  },
  "domains": {
    "": {
      "_title": "MyServer",
      "_title2": "Servername",
      "minify": true,
      "NewAccounts": false,
      "authStrategies": {
        "oidc": {
          "issuer": {
            "issuer": "https://auth.example.com/application/o/meshcentral/",
            "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
            "token_endpoint": "https://auth.example.com/application/o/token/",
            "end_session_endpoint": "https://auth.example.com/application/o/meshcentral/end-session/",
            "jwks_uri": "https://auth.example.com/application/o/meshcentral/jwks/"
          },
          "client": {
            "client_id": "REDACTED",
            "client_secret": "REDACTED"
          },
          "newAccounts": true
        }
      },
      "localSessionRecording": false,
      "_userNameIsEmail": true,
      "certUrl": "https://mesh.example.com",
      "cert": "*.example.com"
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
    "_email": "myemail@mydomain.com",
    "_names": "myserver.mydomain.com",
    "production": false
  }
}

Docker Compose file:

#version: '3'

networks:
  meshcentral-tier:
    driver: bridge

services:
  mongodb:
    restart: always
    container_name: mongodb
    image: mongo:latest
    env_file:
      - .env
    volumes:
      # mongodb data-directory - A must for data persistence
      - ./meshcentral/mongodb_data:/data/db
    networks:
      - meshcentral-tier

  meshcentral:
    restart: always
    container_name: meshcentral
    # use the official meshcentral container
    #image: ghcr.io/ylianst/meshcentral:latest
    image: ghcr.io/ylianst/meshcentral:master
    #image: ghcr.io/ylianst/meshcentral:1.1.21
    depends_on:
      - mongodb
    ports:
      # MeshCentral will moan and try everything not to use port 80, but you can also use it if you so desire, just change the config.json according to your needs
      - 8086:443
    env_file:
      - .env
    volumes:
      # config.json and other important files live here. A must for data persistence
      - ./meshcentral/data:/opt/meshcentral/meshcentral-data
      # where file uploads for users live
      - ./meshcentral/user_files:/opt/meshcentral/meshcentral-files
      # location for the meshcentral-backups - this should be mounted to an external storage
      - ./meshcentral/backup:/opt/meshcentral/meshcentral-backups
      # location for site customization files
      - ./meshcentral/web:/opt/meshcentral/meshcentral-web
    networks:
      - meshcentral-tier

si458 commented 1 month ago

can you run the meshcentral with debug for authlog and share the logs? add to your .env this ARGS=--debug authlog and restart, then check the console output, OR set "logs": "authlog" inside of settings in your config.json and check the log.txt file that gets created

p.s: simply visiting https://mesh.example.com/auth-oidc-callback will produce the LOGIN FAILED: REQUEST CONTAINS NO USER OR SID message because you haven't passed it any codes or auth etc, which is correct

xcsdm commented 1 month ago

All logs are during an authentication/login attempt.

from docker compose logs:

meshcentral  | Missing Modules: passport, openid-client, connect-flash
meshcentral  | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral  | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral  | MeshCentral v1.1.24, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on mesh.example.com:4433.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral  | AUTHLOG: OIDC: Setting up strategy for domain:
meshcentral  | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
meshcentral  | Loaded web certificate from "https://mesh.example.com", host: "mesh.example.com"
meshcentral  |   SHA384 cert hash: REDACTED
meshcentral  |   SHA384 key hash: REDACTED
meshcentral  | AUTHLOG: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
meshcentral  | AUTHLOG: OIDC: Setup Complete
meshcentral  | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral  | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral  | AUTHLOG: OIDC: Callback URL: /auth-oidc-callback
meshcentral  | MeshCentral HTTP server running on port 443.

From authlog.log

Jun 3 20:45:31 meshcentral http[29]: Server listening on 0.0.0.0 port 80.
Jun 3 20:45:32 meshcentral mps[29]: Server listening on 0.0.0.0 port 4433.
Jun 3 20:45:32 meshcentral setupDomainAuthStrategy[29]: OIDC: Setting up strategy for domain:
Jun 3 20:45:32 meshcentral setupDomainAuthStrategy[29]: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
Jun 3 20:45:33 meshcentral setupDomainAuthStrategy[29]: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
Jun 3 20:45:33 meshcentral setupDomainAuthStrategy[29]: OIDC: Setup Complete
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: Setting up authentication strategies login and callback URLs for root domain.
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: OIDC: Authorization URL: /auth-oidc
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: OIDC: Callback URL: /auth-oidc-callback

In case it is relevant, my nginx reverse proxy config:

# HTTPS server.
server {

  listen 10.0.42.253:443 ssl; 

  include /etc/nginx/ssl.conf;

  server_name mesh.example.com;

 # MeshCentral uses long standing web socket connections, set longer timeouts.
 proxy_send_timeout 330s;
 proxy_read_timeout 330s;

 location / {
   proxy_pass http://10.0.42.253:8086/;
   proxy_http_version 1.1;

 # Allows websockets over HTTPS.
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "upgrade";
   proxy_set_header Host $host;
 # Inform MeshCentral about the real host, port and protocol
   proxy_set_header X-Forwarded-Host $host:$server_port;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
 }
}

si458 commented 1 month ago

ok thanks, what about when you try logging in? it should give more logs

xcsdm commented 1 month ago

Login as local meshcentral user admin successful

Login with OIDC from Authentik, nothing additional logged. Including the event from authentik logs:

From authentik:

{
    "user": {
        "pk": 3,
        "email": "myuser@example.com",
        "username": "myuser"
    },
    "action": "authorize_application",
    "app": "authentik.providers.oauth2.views.authorize",
    "context": {
        "flow": "869ba41c7bec4b44849724e84e6b2c4e",
        "scopes": "profile openid email",
        "http_request": {
            "args": {
                "scope": "openid profile email",
                "state": "i_8im2_gB3EbV35-kspNFIhkab-C-fo7gO5HJ23e7NY",
                "client_id": "REDACTED",
                "failureFlash": "true",
                "redirect_uri": "https://mesh.example.com/auth-oidc-callback",
                "response_type": "code",
                "code_challenge": "zYQRpZ4Tgjkze0PmkoHRCaKyPNkxmRgV9uyxypknuT8",
                "failureRedirect": "/",
                "code_challenge_method": "S256"
            },
            "path": "/api/v3/flows/executor/example-application-authorization/",
            "method": "GET",
            "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
        },
        "authorized_application": {
            "pk": "1f2ac4234b1e426086767200e45184cd",
            "app": "authentik_core",
            "name": "MeshCentral-old",
            "model_name": "application"
        }
    },
    "client_ip": "10.0.42.142",
    "expires": "2025-06-03T20:59:59.453Z",
    "brand": {
        "pk": "698fbc6b80a74477a56f504509558c60",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}

From docker compose

 sudo docker compose up -d && sudo docker compose logs meshcentral -f
[+] Running 3/3
 ✔ Network meshcentral_meshcentral-tier  Created                                                                                                              0.1s
 ✔ Container mongodb                     Started                                                                                                              0.6s
 ✔ Container meshcentral                 Started                                                                                                              0.7s
meshcentral  | Missing Modules: passport, openid-client, connect-flash
meshcentral  | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral  | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral  | MeshCentral v1.1.24, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on mesh.example.com:4433.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral  | AUTHLOG: OIDC: Setting up strategy for domain:
meshcentral  | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
meshcentral  | Loaded web certificate from "https://mesh.example.com", host: "mesh.example.com"
meshcentral  |   SHA384 cert hash: 2a2d2e8b92d3c69e6ea937016c3dd638a3f6fe5c0c86f3a17ec2fe063d6f640a8643d4085c1e264164b5341323cfef19
meshcentral  |   SHA384 key hash: 4700277a409aa747e0b1ac2922a010da2099c20a269b1c6cd97a4001cc1505709a6470b8ad5526d16fd41d272bf2b256
meshcentral  | AUTHLOG: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
meshcentral  | AUTHLOG: OIDC: Setup Complete
meshcentral  | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral  | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral  | AUTHLOG: OIDC: Callback URL: /auth-oidc-callback
meshcentral  | MeshCentral HTTP server running on port 443.
meshcentral  | AUTHLOG: Accepted password for admin from 10.0.42.1 port 51034, SessionID: QE+mGIwN, Browser: Chrome/124.0.0.0, OS: Windows/10
meshcentral  | AUTHLOG: User admin logout from 10.0.42.1 port 54152, SessionID: QE+mGIwN, Browser: Chrome/124.0.0.0, OS: Windows/10

si458 commented 1 month ago

very strange? works perfectly fine here?

MeshCentral HTTPS server running on mc.mydomain.com:443.
AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:a1b2c3d4e5xxxxxxxxxxxxx","name":"authentik Default Admin","email":"simon@mydomain.com","emailVerified":true,"groups":["authentik Admins"],"preset":null}
AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:a1b2c3d4e5xxxxxxxxxxxxx"

i have spotted a few issues with your config.json which you could try fixing to see if it makes a difference?

  1. remove "cert": "*.example.com" as that shouldn't be there
  2. remove "minify": true as there could be a problem with the minify code
  3. change "NewAccounts": false to "NewAccounts": true, this needs to be true otherwise accounts can't be created from your oidc provider

edit: have you tried pulling the master docker image again as i changed a few things 2 days ago https://github.com/Ylianst/MeshCentral/pkgs/container/meshcentral/223949079?tag=master

xcsdm commented 1 month ago

I made the config.json changes, but they did not fix the issue.

I have removed and re-pulled the master image a few times.

This is my access.log from nginx for the auth sessions. Both authentik and meshcentral run through the same reverse proxy. authentik is on a different host internally; meshcentral is on the same host as the nginx reverse proxy.

10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /auth-oidc HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /application/o/authorize/?client_id=MYCLIENTIDHERE&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256 HTTP/2.0" 302 23 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /ws/client/ HTTP/1.1" 101 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256 HTTP/2.0" 200 1179 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/root/config/ HTTP/2.0" 200 274 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/core/brands/current/ HTTP/2.0" 200 236 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/root/config/ HTTP/2.0" 200 274 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /if/flow/example-application-authorization/assets/fonts/RedHatDisplay/RedHatDisplay-Medium.woff2 HTTP/2.0" 200 28661 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /media/public/flow-backgrounds/SpaceInvaders_LGB2VfI.jpg HTTP/2.0" 499 0 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/core/brands/current/ HTTP/2.0" 200 236 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/flows/executor/example-application-authorization/?query=client_id%3DMYCLIENTIDHERE%26scope%3Dopenid%2Bprofile%2Bemail%26response_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252Fmesh.example.com%252Fauth-oidc-callback%26state%3D6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4%26failureRedirect%3D%252F%26failureFlash%3Dtrue%26code_challenge%3Dj_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA%26code_challenge_method%3DS256 HTTP/2.0" 200 195 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /media/blue-alien/BAlien32.png HTTP/2.0" 499 0 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /ws/client/ HTTP/1.1" 101 4 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
172.26.0.3 - MYCLIENTIDHERE [03/Jun/2024:17:53:15 -0400] "POST /application/o/token/ HTTP/1.1" 200 2007 "-" "openid-client/5.6.5 (https://github.com/panva/node-openid-client)"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /auth-oidc-callback?code=58fff0170700493384ddd0416ba4e136&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4 HTTP/2.0" 302 46 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"

si458 commented 1 month ago

i think there is an issue with your reverse proxy (nginx)? from the looks of those logs /auth-oidc-callback?code=xxxxxxxx is returning a 302 status which is a page redirect BUT we don't send a 302? we just build an HTML page with a redirect/refresh on it which would return a 200

res.set('Content-Type', 'text/html');
res.end('<html><head><meta http-equiv="refresh" content=0;url="' + domain.url + '"></head><body></body></html>');

si458 commented 1 month ago

also check the redirect url inside authentik. ignore my /oidctest/ as i use the multi-tenant for my testing image

si458 commented 1 month ago

i think i've found the issue and also discovered another bug too! i'm checking domain.id but that's not present if you're using authstrategies on the base domain ""! also the redirect url isn't filling in correctly IF you use aliasPort which i am in my case, so i can run mesh on 127.0.0.1:12346 but using port 443 in docker

si458 commented 1 month ago

OK fixed the aliasport issue, but turns out the domain.id isn't the issue? So I really do think ur issue is because ur reverse proxy is returning 302 rather than forwarding the server url correctly.

One thing u can try is check the redirect_url in the url is correct when it loads up the authentik login page

Another thing is to also copy the url u found in the logs and try pasting it manually in ur browser and see if u see any logs in meshcentral authlog

xcsdm commented 1 month ago

What is strange is that reverting back to 1.1.21 works. I have to change the callback url from auth-oidc-callback to oidc-callback and swap to the old format config.json, but it works with the same reverse proxy setup.

The 302 is coming from failureRedirect, but I cannot locate the failure.

Something is triggering the failureRedirect instead of just authenticating at line 6789 of webserver.js. If I change the failureRedirect path, the changed path is what is loading.

access.log with original failureRedirect /

10.0.42.149 - - [04/Jun/2024:07:30:07 -0400] "GET /oidc-callback?code=528055ca7c2f4b47a84f7e5f53c8b366&state=soYFEvsnzPm5rg06XAvRWaU1PLz7kIPDDgP0VrcEFXA HTTP/2.0" 302 46 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [04/Jun/2024:07:30:08 -0400] "GET / HTTP/2.0" 200 10954 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"

access.log with modified failureRedirect /testurl/

10.0.42.149 - - [04/Jun/2024:07:31:45 -0400] "GET /oidc-callback?code=91a439c0286a410ca4d39085daf1ece9&state=Liv0e5J9Vjkdd2Ox9eS9C_UHf-uv6kb3jZgalJ68EYA HTTP/2.0" 302 62 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [04/Jun/2024:07:31:45 -0400] "GET /testurl/ HTTP/2.0" 404 847 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"

si458 commented 1 month ago

one thing you can try for me is to check the output from the request BEFORE it heads into handleStrategyLogin: on line 6758 of webserver.js, just under var domain = getDomain(req); put console.log('oidccallbackurl', domain.passport, req.session); then restart the container and try logging in and watch the console output on your server. you should see a LOT of json output, can you share it? (might need to hide secret info in it)

xcsdm commented 1 month ago

Bingo!

It is working. I had not configured my OIDC connection on the Authentik side to sign the response.

This portion of the log was critical. I'm unsure if it would be easily output from MeshCentral, but it immediately took me to the answer.

meshcentral  |   flash: {
meshcentral  |     error: [
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256'
meshcentral  |     ]
meshcentral  |   },

The whole output in case it helps anyone:

meshcentral  | oidccallbackurl Authenticator {
meshcentral  |   _key: 'passport',
meshcentral  |   _strategies: {
meshcentral  |     session: SessionStrategy {
meshcentral  |       name: 'session',
meshcentral  |       _key: 'passport',
meshcentral  |       _deserializeUser: [Function: bound ]
meshcentral  |     },
meshcentral  |     'oidc-': OpenIDConnectStrategy {
meshcentral  |       _client: Client {
meshcentral  |         authorization_signed_response_alg: 'RS256',
meshcentral  |         client_id: 'REDACTED',
meshcentral  |         client_secret: 'REDACTED',
meshcentral  |         grant_types: [
meshcentral  |           'authorization_code'
meshcentral  |         ],
meshcentral  |         id_token_signed_response_alg: 'RS256',
meshcentral  |         introspection_endpoint_auth_method: 'client_secret_basic',
meshcentral  |         post_logout_redirect_uri: 'https://mesh.example.com/login',
meshcentral  |         redirect_uris: [
meshcentral  |           'https://mesh.example.com/auth-oidc-callback'
meshcentral  |         ],
meshcentral  |         response_types: [
meshcentral  |           'code'
meshcentral  |         ],
meshcentral  |         revocation_endpoint_auth_method: 'client_secret_basic',
meshcentral  |         token_endpoint_auth_method: 'client_secret_basic'
meshcentral  |       },
meshcentral  |       _issuer: Issuer {
meshcentral  |         acr_values_supported: [
meshcentral  |           'goauthentik.io/providers/oauth2/default'
meshcentral  |         ],
meshcentral  |         authorization_endpoint: 'https://auth.example.com/application/o/authorize/',
meshcentral  |         claim_types_supported: [
meshcentral  |           'normal'
meshcentral  |         ],
meshcentral  |         claims_parameter_supported: false,
meshcentral  |         claims_supported: [
meshcentral  |           'sub',
meshcentral  |           'iss',
meshcentral  |           'aud',
meshcentral  |           'exp',
meshcentral  |           'iat',
meshcentral  |           'auth_time',
meshcentral  |           'acr',
meshcentral  |           'amr',
meshcentral  |           'nonce',
meshcentral  |           'email',
meshcentral  |           'email_verified',
meshcentral  |           'name',
meshcentral  |           'given_name',
meshcentral  |           'preferred_username',
meshcentral  |           'nickname',
meshcentral  |           'groups',
meshcentral  |           'uid'
meshcentral  |         ],
meshcentral  |         code_challenge_methods_supported: [
meshcentral  |           'plain',
meshcentral  |           'S256'
meshcentral  |         ],
meshcentral  |         device_authorization_endpoint: 'https://auth.example.com/application/o/device/',
meshcentral  |         end_session_endpoint: 'https://auth.example.com/application/o/meshcentral/end-session/',
meshcentral  |         grant_types_supported: [
meshcentral  |           'authorization_code',
meshcentral  |           'refresh_token',
meshcentral  |           'implicit',
meshcentral  |           'client_credentials',
meshcentral  |           'password',
meshcentral  |           'urn:ietf:params:oauth:grant-type:device_code'
meshcentral  |         ],
meshcentral  |         id_token_signing_alg_values_supported: [
meshcentral  |           'HS256'
meshcentral  |         ],
meshcentral  |         introspection_endpoint: 'https://auth.example.com/application/o/introspect/',
meshcentral  |         introspection_endpoint_auth_methods_supported: [
meshcentral  |           'client_secret_post',
meshcentral  |           'client_secret_basic'
meshcentral  |         ],
meshcentral  |         issuer: 'https://auth.example.com/application/o/meshcentral/',
meshcentral  |         jwks_uri: 'https://auth.example.com/application/o/meshcentral/jwks/',
meshcentral  |         redirect_uri: 'https://mesh.example.com/oidc-callback',
meshcentral  |         request_parameter_supported: false,
meshcentral  |         request_uri_parameter_supported: true,
meshcentral  |         require_request_uri_registration: false,
meshcentral  |         response_modes_supported: [
meshcentral  |           'query',
meshcentral  |           'fragment',
meshcentral  |           'form_post'
meshcentral  |         ],
meshcentral  |         response_types_supported: [
meshcentral  |           'code',
meshcentral  |           'id_token',
meshcentral  |           'id_token token',
meshcentral  |           'code token',
meshcentral  |           'code id_token',
meshcentral  |           'code id_token token'
meshcentral  |         ],
meshcentral  |         revocation_endpoint: 'https://auth.example.com/application/o/revoke/',
meshcentral  |         revocation_endpoint_auth_methods_supported: [
meshcentral  |           'client_secret_post',
meshcentral  |           'client_secret_basic'
meshcentral  |         ],
meshcentral  |         scopes_supported: [
meshcentral  |           'email',
meshcentral  |           'profile',
meshcentral  |           'openid'
meshcentral  |         ],
meshcentral  |         subject_types_supported: [
meshcentral  |           'public'
meshcentral  |         ],
meshcentral  |         token_endpoint: 'https://auth.example.com/application/o/token/',
meshcentral  |         token_endpoint_auth_methods_supported: [
meshcentral  |           'client_secret_post',
meshcentral  |           'client_secret_basic'
meshcentral  |         ],
meshcentral  |         userinfo_endpoint: 'https://auth.example.com/application/o/userinfo/'
meshcentral  |       },
meshcentral  |       _verify: [Function: oidcCallback],
meshcentral  |       _passReqToCallback: false,
meshcentral  |       _usePKCE: 'S256',
meshcentral  |       _key: 'oidc-',
meshcentral  |       _params: [Object],
meshcentral  |       _extras: {},
meshcentral  |       name: 'auth.example.com'
meshcentral  |     }
meshcentral  |   },
meshcentral  |   _serializers: [ [Function (anonymous)] ],
meshcentral  |   _deserializers: [ [Function (anonymous)] ],
meshcentral  |   _infoTransformers: [],
meshcentral  |   _framework: {
meshcentral  |     initialize: [Function: initialize],
meshcentral  |     authenticate: [Function: authenticate]
meshcentral  |   },
meshcentral  |   _sm: SessionManager {
meshcentral  |     _key: 'passport',
meshcentral  |     _serializeUser: [Function: bound ]
meshcentral  |   },
meshcentral  |   Authenticator: [Function: Authenticator],
meshcentral  |   Passport: [Function: Authenticator],
meshcentral  |   Strategy: <ref *1> [Function: Strategy] { Strategy: [Circular *1] },
meshcentral  |   strategies: { SessionStrategy: [Function: SessionStrategy] },
meshcentral  |   _userProperty: 'user'
meshcentral  | } Session {
meshcentral  |   flash: {
meshcentral  |     error: [
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256'
meshcentral  |     ]
meshcentral  |   },
meshcentral  |   'oidc-': {
meshcentral  |     state: 'LzkRQPOPEzsQEMcSu1wZc6dwoC3myJ1xcpzYrdh2caI',
meshcentral  |     response_type: 'code',
meshcentral  |     code_verifier: 'kKB1wjl5sWpeToldqna3_2eYFkRr9bS47J4nVzBwRJk'
meshcentral  |   },
meshcentral  |   regenerate: [Function (anonymous)],
meshcentral  |   save: [Function (anonymous)]
meshcentral  | }
meshcentral  | AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:myuser@example.com","name":"My User","email":"myuser@example.com","emailVerified":true,"groups":["authentik Admins","MeshCentral Users"],"preset":null}
meshcentral  | AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:myuser@example.com"

si458 commented 1 month ago

glad u got it fixed! can u do me a favour tho? can you close this issue as you have fixed it now :) and can you ALSO open a new enhancement request and just explain in it, can we plz display the flash errors for the external auths like saml or oidc on the login screen? currently i don't think we display any errors! if we had the errors being displayed it would have helped this issue out a lot quicker!

p.s: my output shows this below, so yeh yours is different even tho we use the same software for auth

id_token_signing_alg_values_supported: [
  'RS256'
],

p.s again: what setting did you change in authentik? i want to replicate the issue to get it to display errors
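The root cause above (the provider advertising only HS256 while the client expects RS256) and the follow-up request to surface flash errors on the login screen can both be illustrated with a small diagnostic. The following is an added example written for this page; it is not code from MeshCentral, openid-client, Authentik or either commenter. The discovery metadata and client settings are constructed from the log excerpts in the thread, the sample token is a constructed, unsigned header-only stand-in used purely to read the alg header, and the flash layout (req.session.flash.error as an array) follows what the session dump above shows. All function names are this example's own.

```javascript
// Added example: pre-flight check for the OIDC ID-token signing algorithm
// mismatch seen in this thread, plus a helper that collects connect-flash
// errors so a login page could display them instead of silently redirecting.

// Constructed sample: the relevant part of the issuer metadata the reporter's
// Authentik instance returned (it only offered HS256, see the dump above).
const ISSUER_METADATA = {
  issuer: 'https://auth.example.com/application/o/meshcentral/',
  jwks_uri: 'https://auth.example.com/application/o/meshcentral/jwks/',
  id_token_signing_alg_values_supported: ['HS256'],
};

// Constructed sample: what the openid-client Client object was configured with.
const CLIENT_CONFIG = { id_token_signed_response_alg: 'RS256' };

// Compare what the client will accept with what the provider advertises.
// Returns human-readable problems; an empty array means the two are compatible.
function checkSigningAlgCompatibility(metadata, client) {
  const problems = [];
  // OIDC Core defaults id_token_signed_response_alg to RS256 when unset.
  const expected = client.id_token_signed_response_alg || 'RS256';
  const offered = metadata.id_token_signing_alg_values_supported || [];
  if (offered.length > 0 && !offered.includes(expected)) {
    problems.push(`provider ${metadata.issuer} signs ID tokens with [${offered.join(', ')}] but client expects ${expected}`);
  }
  // An asymmetric expected alg needs a JWKS endpoint to fetch the public key from.
  if (/^(RS|PS|ES)/.test(expected) && !metadata.jwks_uri) {
    problems.push(`client expects ${expected} but provider publishes no jwks_uri`);
  }
  // HMAC algorithms key the ID token with the client secret; flag them so the
  // operator knows an asymmetric signing key must be selected at the provider.
  if (offered.length > 0 && offered.every((a) => a.startsWith('HS'))) {
    problems.push('provider offers only HMAC (client-secret) signing; select an asymmetric signing key at the provider');
  }
  return problems;
}

// Decode a compact JWS header WITHOUT verifying the signature. This is only
// for diagnostics: it explains an "unexpected JWT alg" error before any key
// lookup; it must never be used to accept a token.
function decodeJwtHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
}

// Reproduce the openid-client style message so it can be matched in logs.
function explainAlgMismatch(token, expectedAlg) {
  const { alg } = decodeJwtHeader(token);
  return alg === expectedAlg ? null : `unexpected JWT alg received, expected ${expectedAlg}, got: ${alg}`;
}

// Constructed sample token: real header, dummy payload, dummy signature.
function makeSampleToken(alg) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg, typ: 'JWT' })}.${b64({ sub: 'myuser', iss: ISSUER_METADATA.issuer })}.sig`;
}

// connect-flash keeps one array per category under req.session.flash; the
// dump above shows the same error pushed once per failed attempt. Dedupe and
// count so a login page can show "message (x7)" rather than seven lines.
function collectFlashErrors(session) {
  const errors = (session && session.flash && session.flash.error) || [];
  const counts = new Map();
  for (const e of errors) counts.set(e, (counts.get(e) || 0) + 1);
  return [...counts].map(([message, count]) => ({ message, count }));
}

// Stand-alone demo on the constructed samples.
console.log(checkSigningAlgCompatibility(ISSUER_METADATA, CLIENT_CONFIG));
console.log(explainAlgMismatch(makeSampleToken('HS256'), 'RS256'));
const sampleSession = { flash: { error: Array(7).fill('unexpected JWT alg received, expected RS256, got: HS256') } };
console.log(collectFlashErrors(sampleSession));
```

Run it with a recent Node.js (Buffer's base64url encoding needs Node 16 or later). The compatibility check is the part worth wiring into a setup step: with the reporter's metadata it reports the RS256/HS256 conflict up front, which is exactly the information that was only visible after adding a console.log to the callback handler.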

xcsdm commented 1 month ago

The authentik setting was on the OAuth2 Provider, under the Redirect URIs/Origins: I had no Signing Key selected.

This worked in 1.1.21, but with the updated libraries, it looks to be required now.

xcsdm commented 1 month ago

Closing as fixed