search

advplyr / audiobookshelf-app

Mobile application for Audiobookshelf
https://audiobookshelf.org
GNU General Public License v3.0
1.23k stars 164 forks source link

Login Doesn't allow redirect to additional authentication (authelia) #1155

Closed Binvention closed 6 months ago

Binvention commented 6 months ago

Steps to reproduce

  1. Audiobookshelf server protected using authelia and nginx so that access must first be granted through authelia before accessing the server
  2. SSO setup between authelia and audiobookshelf
  3. attempt to login via mobile app

Expected behaviour

Actual behaviour

Environment data

Audiobookshelf Version: 2.8.1 docker

nginx config is exact same as swag example config at https://github.com/linuxserver/reverse-proxy-confs/blob/master/audiobookshelf.subdomain.conf.sample with the authelia lines uncommented

Android Issue

Android version: 14

Device model: pixel 6

Stock or customized system: stock

iOS Issue

iOS Version:

iPhone model:

advplyr commented 6 months ago

Where are you seeing that error?

Do you have the mobile-redirect redirect URI set in Abs settings? https://www.audiobookshelf.org/guides/oidc_authentication

Binvention commented 6 months ago

Yes I do have that setting the problem is that it never gets to the login page for authelia from the server selection page. I think the SSO option works but that requires it loading the audiobookshelf login first then redirecting to authelia. Since authelia is protecting the audiobookshelf login it requires authelia be loaded first. I'll see if I can get a screenshot Screenshot_20240327-174708.png

advplyr commented 6 months ago

You haven't configured authelia correctly then because Abs app needs to be able to make that first request without being redirected. Abs will handle the redirecting, your setup shouldn't be doing that.

I'm not familiar with authelia so I can't give you specific setup instructions but you can share what you have setup

nichwall commented 6 months ago

Are you using forward authentication?

Binvention commented 6 months ago

I'm using the example configuration found in the swag documentation https://github.com/linuxserver/reverse-proxy-confs/blob/master/audiobookshelf.subdomain.conf.sample with the authelia portions uncommented. What urls would need to be excluded from security in order for this to work without compromising the additional security or allowing people without the proper group permissions to access the app (since audiobookshelf's openid implementation doesn't check groups)

Sapd commented 6 months ago

@Binvention You are trying to use forward auth. That will never work with a mobile app - even if you would try to adapt the app for that.

What urls would need to be excluded from security

It would not matter - even if you would remove the check. It cannot technically work, because for authentication there is always a redirect to your app provider (in this case authelia). So it would either need to:

since audiobookshelf's openid implementation doesn't check group

ABS now includes that functionality in the latest :edge image, however you would need to use a property mapping if you don't want to use the standard group names (user, guest, admin).

Its a bit weird, checking groups functionality and property mapping is practically a standard which is supported by a lot of open id providers (keycloak, authentik, okta etc.)

Binvention commented 6 months ago

It is very possible. Applications such as immich, jellyfin, and home assistant have been setup in this way (although home assistant not as cleanly). Most of them do it with some form of allowing the redirects in app which opens up the default browser for authentication and then passes an API token back to the app. Then in the proxy or authentication provider settings allow specific locations to bypass authentication (such as /API/ since it has its own security implementation that functions with the mobile app). Although I've had issues setting the other apps up in this way as well I know others have done it and audiobookshelf is the only one that flat out doesn't allow the redirect to begin with. Which I found especially odd since it's one of the few that has openid support by default. I was hoping this would allow 2FA and SSO for all my home apps but without forward authentication there's no way to ensure 2FA is enforced for audiobookshelf. The root account at minimum would not be protected by 2FA.

Binvention commented 6 months ago

I do think this would be a good option to have but for the time being I've settled on this option mentioned in a different app:

Disable forward authentication in proxy settings. Disable password login in audiobookshelf settings (so openid is the only login option)

This does work as expected with the browser opening to handle the authentication with the desired 2FA and then returning to the app now logged in. This does mean I have to depend on the security of audiobookshelf itself more than what I would have to with forward authentication allowed.

Sapd commented 6 months ago

Applications such as immich, jellyfin, and home assistant have been setup in this way (although home assistant not as cleanly).

Can you send me link to documentation or code? I quickly tried it with the Jellyfin App on iOS and desktop and it will directly refuse connecting when a redirect occurs - same like ABS.

For Home Assistant I googled this, which does not seem to be unproblematic and suffers of the issues Im describing below: https://github.com/BeryJu/hass-auth-header/issues/124 Also I tried point HA against a auth redirect, and it seems that it just creates an OpenID-style auth request: /auth/authorize?response_type=code&client_id=https://home-assistant.io/iOS&redirect_uri=homeassistant://auth-callback which needs heavy whitelisting and code support (see below)

Then in the proxy or authentication provider settings allow specific locations to bypass authentication (such as /API/ since it has its own security implementation that functions with the mobile app).

This does mean I have to depend on the security of audiobookshelf itself more than what I would have to with forward authentication allowed.

I understand the method which you are describing, but effectively you would have to whitelist all requests to the backend, with the only exception being the login route. And with OpenID you can disable the login form/route all together (like you mentioned and did).

Security wise you are at the same point, no matter if you use forward auth (with whitelisted backend) or OpenID. I do not really see how you can increase security by using forward auth. The only thing you would protect, is serving the ABS frontend (which one can download from GitHub anyways...), or the login route if you wouldn't restrict to OpenID.

Audiobookshelf is the only one that flat out doesn't allow the redirect to begin with. Which I found especially odd since it's one of the few that has openid support by default.

The redirect in a pop-up is not a automatic thing and is in a much different place then OpenID. Even if you would remove that check nothing would happen. You would have to replace that check with code that opens a pop-up. Then you would need extra code which checks if there was a redirection from the idP and does a redirect back to the app similar to what OpenID does (just reinventing the wheel in a bad way).

Although I've had issues setting the other apps up in this way as well I know others have done it [...]

Problematic is, that Forward-Auth is not a standard. So it is hard to properly support it for most scenarios - thats probably why from the linked Home-Assistant issue above (at the very bottom), a commenter critiqued bugs on Android, and that HA should implement proper OpenID support.

Edit: I also noticed that Home Assistant does not have PKCE challenges in the auth request.... that is quite insecure on mobile.