search

advplyr / audiobookshelf

Self-hosted audiobook and podcast server
https://audiobookshelf.org
GNU General Public License v3.0
5.87k stars 410 forks source link

[Bug]: OIDC not working in mobile app #3069

Open Doug411 opened 1 month ago

Doug411 commented 1 month ago

What happened?

I'm unable to use oath in the mobile app. When I set my redirects in Authentik as you listed (on separate lines).... I get a redirect uri error. I'm using Nginx Proxy Manager. Not sure how to fix it. If I set my redirect URI to it works, but I don't really want to do that. It has always worked in browser, just not in mobile app unless I set the redirect to .

Reference...(tried setting redirect in authentik as stated in thread below. Not sure how to check x-forwarded-proto, but i've never had that issue on other OIDC apps.

for Authentik:

To add to this, in Authentik or other SSO software the redirect uri has to be set to:

https://youraudiobookdomain/auth/openid/callback audiobookshelf://oauth Don't use wildcards like .*, they are not required. (In Authentik its seperated by new line, in Keycloak by comma afaik).

Also make sure your reverse proxy creates a X-Forwarded-Proto header correctly, otherwise you might receive a redirect_uri mismatch, because the redirect_uri is set to http even when the request was made using https.

What did you expect to happen?

Successful login in mobile app

Steps to reproduce the issue

  1. open app. click on oath login

Audiobookshelf version

v2.10.1

How are you running audiobookshelf?

Docker

What OS is your Audiobookshelf server hosted from?

Linux

If the issue is being seen in the UI, what browsers are you seeing the problem on?

None

Logs

xx

Additional Notes

No response

nichwall commented 1 month ago

Did you add the mobile-redirect mentioned at the end of the docs?

https://www.audiobookshelf.org/guides/oidc_authentication/

Doug411 commented 1 month ago

No I missed that. I just made that change to add the mobile redirect, but kept getting a 400 error.

Then I uninstalled the app and reinstalled it. When I reinstall it, it launches straight away into my audiobookshelf server with my account. It didnt even direct me to authentik to get my login info.

However when I delete my audiobookshelf cache and app data, and try to set it up manually by entering my external audibookshelf url and clicking SSO login, I get a 400 error. Then I uninstall the app, reinstall and it launches right back into my server.

How does it know my server URL and ID from a fresh install. Is my database connection cached somewhere and somehow not fully deleted when i clear data/cache and uninstall the app, and therefore its not really doing a fresh install... Will new users will get the 400 error? Or is it just vudu magic and I can accept that it will work for new users (hopefully it routes them to authentik and they can login successfully)

FYI it was late last night... but I do think it was doing this before I added the mobile redirect... I seem to recall that I deleted the app and when I reinstalled it launched right into my server. I assumed it was still broken because I couldn't manually delete the server and readd it manually.

advplyr commented 1 month ago

Make sure to restart the server after making changes to the OIDC settings. Updating that after it is initialized is a work in progress.

After a successful login the users api token is used for authentication for all future auth attempts. The api token is cached but uninstalling and clearing data will remove it.

advplyr commented 1 month ago

Is this still an issue?

JorisM commented 1 month ago

@advplyr for me yes, with the latest docker version and the latest android app i get the same behaviour as described by @Doug411