[Bug]: Authelia OIDC - Callback Error 500

[undaunt]

Describe the issue

I'm seeing behavior similar to issue 2370 in that my config is almost the same within Authelia and my network is failing on the callback.

However, I'm not getting a password error but instead the following:

12/12/2023 11:06:34 PM SyntaxError: Unexpected token e in JSON at position 0
12/12/2023 11:06:34 PM     at JSON.parse (<anonymous>)
12/12/2023 11:06:34 PM     at Client.userinfo (/node_modules/openid-client/lib/client.js:1291:23)
12/12/2023 11:06:34 PM     at runMicrotasks (<anonymous>)
12/12/2023 11:06:34 PM     at processTicksAndRejections (node:internal/process/task_queues:96:5)
12/12/2023 11:06:34 PM     at async /node_modules/openid-client/lib/passport_strategy.js:181:24

Authelia:

identity_providers:
  oidc:
    hmac_secret: xxxxx
    issuer_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
     mykey
      -----END RSA PRIVATE KEY-----
    access_token_lifespan: 1d
    authorize_code_lifespan: 1m
    id_token_lifespan: 1d
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
        #- userinfo # Tried with this enabled and disabled
      allowed_origins:
        - https://contoso.com
        - https://abs.contoso.com # I tried adding this one after reading the guide doc, no effect.
    clients:
    - id: audiobookshelf
      description: Audiobookshelf
      secret: '$pbkdf2-sha512$310000$xxxx'
      pre_configured_consent_duration: 3M
      redirect_uris:
        - https://abs.contoso.com/auth/openid/callback 
      scopes:
        - openid
        - profile
        - email
      userinfo_signing_algorithm: RS256

ABS is configured as per the docs.

Steps to reproduce the issue

1. Log in via SSO
2. Authenticate 2 factors to Authelia
3. Receive internal server error on URL, eg: https://abs.contoso.com/auth/openid/callback?code=authelia_ac_xxxxx&scope=openid+profile+email&state=xxxxxxx

Audiobookshelf version

v2.6.0

How are you running audiobookshelf?

Docker

[yassiezar]

Adding a +1 here, I'm running into the exact same issue. I have Authelia + ABS running in Docker on an unRaid server behind a reverse proxy (Nginx Proxy Manager). My Authelia config is near-enough the same as above and my reverse proxy is only upgrading http->https. Am I missing some necessary proxying configurations or headers? Is there a way to get the actual JSON string that seems to be malformed?

ABS Version: 2.6.0

[Sapd]

Given that it worked for others in Authelia I suspect some kind of configuration error.

Do you have any errors in the logs of authelia itself? It could be that instead of a JSON it returns some kind of error text.

Is there a way to get the actual JSON string that seems to be malformed

Its a bit difficult, its possible by modifying the source code of ABS. It would be probably easier if you find a config with your reverse proxy which can do that.

[yassiezar]

Given that it worked for others in Authelia I suspect some kind of configuration error.

I think you're right. Do you know of a working example Authelia config I can compare mine against?

I'll post my error logs below

ABS:

SyntaxError: Unexpected token e in JSON at position 0
    at JSON.parse (<anonymous>)
    at Client.userinfo (/node_modules/openid-client/lib/client.js:1291:23)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async /node_modules/openid-client/lib/passport_strategy.js:181:24

NginxProxyManager:

2023/12/20 08:19:06 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET / HTTP/2.0", host: "audiobookshelf.mydomain.com"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /_nuxt/725b80a.js HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /_nuxt/4bd050a.js HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /_nuxt/549f80e.js HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /_nuxt/499efb6.js HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /_nuxt/f0ddce0.js HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /_nuxt/b343f44.js HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /_nuxt/fonts/SourceSansPro-Regular.df87f53.ttf HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /icon64.png HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /icon.svg HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /_nuxt/a78cd12.js HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /_nuxt/87bee68.js HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /status HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/login"
2023/12/20 08:19:07 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /auth/openid?callback=https://audiobookshelf.mydomain.com/login HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://audiobookshelf.mydomain.com/login"
2023/12/20 08:19:29 [warn] 1256#1256: *22752 using uninitialized "test" variable, client: 192.168.1.1, server: audiobookshelf.mydomain.com, request: "GET /auth/openid/callback?code=authelia_ac_uJpNZC9QnaAO5jx58E1lzPaI2Izch3P1eruvoCAOjhU.-dZ_KGxrUS19298dt1JZC05WwP4GwZwgPTwnhBcR3bc&scope=openid+profile+email&state=NWn1vQbz7i2UdfvLb8L84FyfjIpQ3QhBcV6dBV0SgPQ HTTP/2.0", host: "audiobookshelf.mydomain.com", referrer: "https://auth.mydomain.com/"

Authelia:

time="2023-12-20T08:19:07Z" level=debug msg="Authorization Request with id '6eab724c-b809-4b2a-ad4b-71082de5b73d' on client with id 'audiobookshelf' is being processed" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
[mysql] 2023/12/20 08:19:22 packets.go:122: closing bad idle connection: EOF
[mysql] 2023/12/20 08:19:22 connection.go:173: driver: bad connection
time="2023-12-20T08:19:22Z" level=debug msg="Mark 1FA authentication attempt made by user 'myuser'" method=POST path=/api/firstfactor remote_ip=192.168.1.1
time="2023-12-20T08:19:22Z" level=debug msg="Successful 1FA authentication attempt made by user 'myuser'" method=POST path=/api/firstfactor remote_ip=192.168.1.1
time="2023-12-20T08:19:22Z" level=debug msg="Authorization Request with id '2772ef66-f79e-4687-98e2-c03d9ba84c98' on client with id 'audiobookshelf' is being processed" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2023-12-20T08:19:22Z" level=debug msg="Authorization Request with id '2772ef66-f79e-4687-98e2-c03d9ba84c98' on client with id 'audiobookshelf' using consent mode 'explicit' proceeding to generate a new consent session" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2023-12-20T08:19:22Z" level=debug msg="Authorization Request with id '2772ef66-f79e-4687-98e2-c03d9ba84c98' on client with id 'audiobookshelf' using consent mode 'explicit' authentication level 'one_factor' is sufficient for client level 'one_factor'" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2023-12-20T08:19:22Z" level=debug msg="Authorization Request with id '2772ef66-f79e-4687-98e2-c03d9ba84c98' on client with id 'audiobookshelf' using consent mode 'explicit' is being redirected to 'https://auth.jclock.co.uk/consent?id=c539c502-ac7c-4ddc-b2e9-31c66c7f2ec8'" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2023-12-20T08:19:29Z" level=debug msg="Authorization Request with id 'cc698381-039b-429e-8a72-0f7aba0f8aa5' on client with id 'audiobookshelf' is being processed" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2023-12-20T08:19:29Z" level=debug msg="Authorization Request with id 'cc698381-039b-429e-8a72-0f7aba0f8aa5' on client with id 'audiobookshelf' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2023-12-20T08:19:29Z" level=debug msg="Access Request with id 'cc698381-039b-429e-8a72-0f7aba0f8aa5' on client with id 'audiobookshelf' is being processed" method=POST path=/api/oidc/token remote_ip=192.168.1.1
time="2023-12-20T08:19:29Z" level=debug msg="Access Request with id 'cc698381-039b-429e-8a72-0f7aba0f8aa5' on client with id 'audiobookshelf' has successfully been processed" method=POST path=/api/oidc/token remote_ip=192.168.1.1

The only thing that stands out is NPM complaining about using an uninitialised 'test' variable. Do you have an idea where I should look?

[prof729]

@yassiezar remove the line userinfo_signing_algorithm: RS256 from authelia configuration (or change it to default value userinfo_signing_algorithm: "none").

It's failing because it's tryting to parse json response from authelia in this line https://github.com/panva/node-openid-client/blob/main/lib/client.js#L1291 but with userinfo_signing_algorithm: RS256 the response is not JSON but JWT token string. And it's failing on parsing it as JSON.

In the example configuration https://github.com/adepssimius/audiobookshelf-web/blob/master/content/guides/11.sso_configuration.md#authelia there is no value specified for userinfo_signing_algorithm . (Just noticed that the configuration is from someone fork not official one but it works for me 😄 )

Hope it helps 😄

[undaunt]

@prof729 That worked, thanks. The signing algorithm is specified as RS256 here but perhaps a note to exclude it in Authelia would be helpful.

[yassiezar]

@prof729 That worked for me as well, thanks!

[Sapd]

@prof729 That worked, thanks. The signing algorithm is specified as RS256 here but perhaps a note to exclude it in Authelia would be helpful.

Actually this is referred to the token not userinfo. We have to make it more explicit in the docs.