advplyr / audiobookshelf-app

Mobile application for Audiobookshelf
https://audiobookshelf.org
GNU General Public License v3.0

[Bug]: OAuth incorrectly requires HTTPS of the application server #1274

Open MikeBishop opened 3 months ago

MikeBishop commented 3 months ago

What was the Problem?

Using HTTP to access ABS, which authenticates via Authentik (over HTTPS) throws an error on login: "SSO: The URL to the server must be https:// secured"

Steps to Reproduce the Issue

  1. Set up a local-only ABS server accessed over HTTP.
  2. Set up OIDC with Authentik or another provider.
  3. Log in successfully via the browser.
  4. Attempt to log in via the app and see the error.

What was Expected?

Redirect to Authentik for login

Phone Model

OnePlus 11

Phone OS

Android 14

Audiobookshelf App Version

Android App - 0.9.74

Installation Source

Google Play Store

Additional Notes

The code points to RFC 6749, Section 10.9, which says:

In order to prevent man-in-the-middle attacks, the authorization server MUST require the use of TLS with server authentication as defined by [RFC2818] for any request sent to the authorization and token endpoints.

While the authorization server (Authentik) must require the use of HTTPS, there are no requirements imposed on ABS (resource server) here. The indicated variable should be configurable in settings or the check removed.

Sapd commented 3 months ago

While the authorization server (Authentik) must require the use of HTTPS, there are no requirements imposed on ABS (resource server) here. The indicated variable should be configurable in settings or the check removed.

That is true when you use the ABS web interface. Basically you go to the web interface and request authorization, the backend then generates everything required, like the PKCE challenge, verifier and state. The client will never see the verifier. The backend starts the flow and will receive back a redirection URL from the auth server. Here the roles are clear: ABS is the resource server and Authentik is the authorization server.

The app however works differently, and the backend behaves differently when the app is used: ABS acts as an almost full oauth2-proxy. Basically it's a public oauth2 flow. The client/app itself generates the PKCE challenge, verifier and state. The frontend/app starts the flow. The backend forwards the request, and will receive back a redirection URL from the auth server. The frontend will receive back a redirection URL from the backend. From the PoV of the app, the authorization server is just the ABS backend (and not Authentik or so, even when having the browser redirect there) and responded directly.

The way the backend is written, the app is the oauth2 client, the backend is the oauth2 server but also an oauth2 client at the same time, and Authentik is also always the oauth2 server.

Giving another perspective: even when users would not use the SSO functionality, we could remove the APIs for local login altogether and just make use of the oauth2 flow, which would then also authenticate against local users. It would not even really require a change at the client (but ofc heavy changes in the backend, for example also an auth page for the redirect) because it is already acting as a full oauth2 client and the server APIs as oauth2 server. The server would just have to mock that it's always using SSO, even when it authenticates locally.

So the RFC explicitly states that the authorization endpoint must be https protected:

[...] for any request sent to the authorization and token endpoints.

The authorization endpoint for the app is the one under abs.example.com/auth/openid in the case of the mobile flow (not for the web flow), as well as the one from Authentik, auth.example.com. The first one acts as a middleman.

In any case, there is no reason not to use TLS. Especially if you have an advanced setup with an identity provider. Even if you are behind CGNAT or something like that, you can generate TLS certificates using DNS challenges, for example when your ABS is just local and not exposed.

I-Would-Like-To-Report-A-Bug-Please commented 3 months ago

Have you set your callback URLs to a non-HTTPS endpoint? Authentik / other OIDC should redirect you to what's in the callback URL, so if that's configured incorrectly...

Sapd commented 3 months ago

Have you set your callback URLs to a non-HTTPS endpoint? Authentik / other OIDC should redirect you to what's in the callback URL, so if that's configured incorrectly...

No, his issue is different: when you want to use openid via the app it requires ABS itself having https. See my explanation above.

Btw. I think the requirement can be lifted a bit, but I would suggest using maybe an advanced setting hidden behind a button (maybe a settings button below the server URL which could open a pop-up); could be maybe combined with https://github.com/advplyr/audiobookshelf-app/issues/254