Sapd
commented
1 month ago While the authorization server (Authentik) must require the use of HTTPS, there are no requirements imposed on ABS (resource server) here. The indicated variable should be configurable in settings or the check removed.
That is true when you use ABS web interface. Basically you go to the webinterface and request authorization, the backend then generates everything required: like PKCE challenge, verifier and state. The client will never see the verifier. The backend starts the flow and will receive back an redirection URL from the auth server. Here the roles are clear: ABS is the resource server and Authentik is the authorization server.
The app however works differently and the backend behaves differently when the app is used: ABS acts as an almost full oauth2-proxy. Basically its a public oauth2 flow. The client/app itself generates PKCE challenge, verifier and state. The frontend/app starts the flow. The backend forwards the request, and will receive back an redirection URL from the auth server. The frontend will receive back an redirection URL from the backend. From the PoV of the app, the authorization server is just the ABS backend (and not authentik or so - even when having the browser redirect there) and responded directly.
The way the backend is written, the App is the oauth2 client, the backend is the oauth2 server but also an oauth2 client at the same time, Authentik is also always the oauth2 server
Giving another perspective: Even when users would not use the SSO functionality. We could remove the APIs for local login all together and just make use of the oauth2 flow which would then also authenticate against local users. It would not even really require a change at the client (but ofc heavy changes in the backend, for example also an auth page for the redirect) because it is already acting as full oauth2 client and the server-APIs as oauth2 server. The server would just have to mock that its always using SSO, even when it authentificates against local.
So the RFC explicitly states that the authorization endpoint must be https protected:
[...] for any request sent to the authorization and token endpoints.
The authorization endpoint for the app is the one under abs.example.com/auth/openid in the case of the mobile flow, not for the web flow as well as the one from authentik auth.example.com. The first one acting as middleman.
In any case, there is no reason to not use TLS. Especially if you have an advanced setup with an identity provider. Even if you are behind CGNAT or something like that, you can generate TLS certificates using DNS challenges - for example when your ABS is just local and not exposed.
I-Would-Like-To-Report-A-Bug-Please
What was the Problem?
Using HTTP to access ABS, which authenticates via Authentik (over HTTPS) throws an error on login: "SSO: The URL to the server must be https:// secured"
Steps to Reproduce the Issue
What was Expected?
Redirect to Authentik for login
Phone Model
OnePlus 11
Phone OS
Android 14
Audiobookshelf App Version
Android App - 0.9.74
Installation Source
Google Play Store
Additional Notes
The code points to RFC 6749, Section 10.9, which says:
While the authorization server (Authentik) must require the use of HTTPS, there are no requirements imposed on ABS (resource server) here. The indicated variable should be configurable in settings or the check removed.