Closed K-J-VV closed 7 months ago
K-J-VV
commented
7 months ago Here is the URL that is returned after attempting login:
The webpage error is:
{ "error": "invalid_request", "error_description": "The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application." }
Again, the only redirect URL designated in Auth Provider is: https://homarr.example.com/api/auth/callback/oidc/
Meierschlumpf
commented
7 months ago For now you can add the environment variable NEXTAUTH_URL=https://homarr.example.com/, this should work. We should be able to find a fix for that @K-J-VV
Meierschlumpf
commented
7 months ago Can you try if the docker image with the tag fix-redirect-oidc works for you?
K-J-VV
commented
7 months ago @Meierschlumpf Using the NEXAUTH_URL variable in either version 0.15.0 or the fix-redirect-oidc tag I see the following error
With the following Log error
[next-auth][error][INVALID_CALLBACK_URL_ERROR] https://next-auth.js.org/errors#invalid_callback_url_error Invalid callback URL. Received: https,http://homarr.example.com//homarr.example.com/auth/login
K-J-VV
commented
7 months ago When I remove the new NEXTAUTH_URL variable, the Log error is
https://next-auth.js.org/errors#invalid_callback_url_error Invalid callback URL. Received: https,http://homarr.example.com//localhost:7575
Meierschlumpf
commented
7 months ago Okay it seems like sometimes x-forwarded-proto can define multiple protocols (comma seperated). I'll release an other version on the same tag fix-redirect-oidc where you can try it out, now it should just use https when contained in a comma seperated list. Additionally my logic for the url pathname was wrong that made it append //localhost:7575.
catrielmuller
commented
7 months ago Same problem here using fix-redirect-oidc on a Kubernetes enviroment with a Traefik on as a proxy.
I tried with this two environment variables with the same result (both and each one independently):
NEXTAUTH_URL: 'https://subdomain.example.com', BASE_URL: 'subdomain.example.com',
https://next-auth.js.org/errors#invalid_callback_url_error Invalid callback URL. Received: https,http://subdomain.example.com//subdomain.example.com InvalidCallbackUrl: Invalid callback URL. Received: https,http://subdomain.example.com//subdomain.example.com
at assertConfig (/app/node_modules/next-auth/core/lib/assert.js:62:12)
at AuthHandler (/app/node_modules/next-auth/core/index.js:77:52)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:129:12) {
code: 'INVALID_CALLBACK_URL_ERROR'
}Okay the new image is ready
catrielmuller
commented
7 months ago @Meierschlumpf , Same with the new image
"containerStatuses": [
{
"containerID": "containerd://a367d34f6fdd249d96c3625a222ab1967cb3259e7ce9764bf5d0c97babfb0119",
"image": "ghcr.io/ajnart/homarr:fix-redirect-oidc",
"imageID": "ghcr.io/ajnart/homarr@sha256:a1d2e8a3e6bbdba930a069ba62b67ed2249c484ee511763e0abe9573182504ab",
"lastState": {},
"name": "main",
"ready": true,
"restartCount": 0,
"started": true,
"state": {
"running": {
"startedAt": "2024-02-18T07:57:34Z"
}
}
}
],I tried with a full path like: NEXTAUTH_URL: 'https://subdomain.example.com/api/auth'
But I have the same result, that it's weird because that env variable should override the full URL path of the AUTH.
Meierschlumpf
commented
7 months ago But is the url then also https,http://subdomain.example.com//subdomain.example.com or something else? You should not be required to set the NEXTAUTH_URL normally
catrielmuller
commented
7 months ago @Meierschlumpf My Bad, It's working perfectly after removing the NEXTAUTH_URL env var. Thanks ❤️ form 🇦🇷
Meierschlumpf
commented
7 months ago Okay great, then we'll release a new version 0.15.1 within the next days were this issue should be fixed. Thanks to y'all for the help to test it ❤️
catrielmuller
commented
7 months ago @Meierschlumpf I have another problem with the OIDC.
The payload of the authorize call the redirect_url it's localhost
client_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
scope: openid email profile groups
response_type: code
redirect_uri: http://localhost:7575/api/auth/callback/oidc
state: -ItbgeAiZqv5FMi0MPQo0GlFAo_5tQXoQOBSJUYW2Zc@catrielmuller is it always localhost? Even with the fix?
Meierschlumpf
commented
7 months ago There is a new image deployed that you can try, again it's tag is fix-redirect-oidc
thcrt
commented
7 months ago Also experiencing this issue. Running Homarr behind Caddy and Authentik.
With NEXTAUTH_URL set to https://mydomain.example, I get redirected to https://mydomain.example/auth/login?callbackUrl=https%3A%2F%2Fmydomain.example%2Fauth%2Flogin%3FredirectAfterLogin%3D%2Fboard&error=OAuthSignin.
With NEXTAUTH_URL unset, I get redirected to http://localhost:7575/api/auth/error?error=OAuthSignin.
This occurs whether I'm running latest or fix-redirect-oidc.
catrielmuller
commented
7 months ago @thcrt :
Authentik
The issue should be fixed by @Meierschlumpf on the last version fix-redirect-oidc, check that you pull always the image (Image Cache can be a problem in this situation)
"imageID": "ghcr.io/ajnart/homarr@sha256:1b0e36984570090ce75ddb1a066b4bbba34d50d83175c1da4a64eaf4e74dfd74"And when you configure the Auth Provider on Authentik, remember to set the sign key to authentik Self-signed Certificate because by default this field it's empty and will be use HS256 to encode the JWT token and Homarr (NextAuth) only support RS256
And the Redirect URI's/Origins don't work if you set a value, so I make it work using a wild card .*
BTW: Sorry for the screenshots in Spanish
EHRETic
commented
7 months ago Also experiencing this issue. Running Homarr behind Caddy and Authentik.
With
NEXTAUTH_URLset tohttps://mydomain.example, I get redirected tohttps://mydomain.example/auth/login?callbackUrl=https%3A%2F%2Fmydomain.example%2Fauth%2Flogin%3FredirectAfterLogin%3D%2Fboard&error=OAuthSignin.With
NEXTAUTH_URLunset, I get redirected tohttp://localhost:7575/api/auth/error?error=OAuthSignin.This occurs whether I'm running
latestorfix-redirect-oidc.
Hello,
I've the exact similar behavior with both images (and my fix-redirect-oidc image was downloaded 30 minutes prior this comment - didn't use this tag before)
I'm behind an NGINX reverse proxy and also using Authentik. My Docker compose file is pretty similar to the one above.
One "confusing thing" is that for most Oauth setups, there is detailed URLs. For example, I don't know if for AUTH_OIDC_URI I need to use : https://auth.my.domain/application/o/homarr/ or https://auth.my.domain/
Same for BASE_URL & NEXTAUTH_URL
Let me know what I can test further, I've a dedicated integration instance for testing 😉
catrielmuller
commented
7 months ago Also experiencing this issue. Running Homarr behind Caddy and Authentik. With
NEXTAUTH_URLset tohttps://mydomain.example, I get redirected tohttps://mydomain.example/auth/login?callbackUrl=https%3A%2F%2Fmydomain.example%2Fauth%2Flogin%3FredirectAfterLogin%3D%2Fboard&error=OAuthSignin. WithNEXTAUTH_URLunset, I get redirected tohttp://localhost:7575/api/auth/error?error=OAuthSignin. This occurs whether I'm runninglatestorfix-redirect-oidc.Hello,
I've the exact similar behavior with both images (and my fix-redirect-oidc image was downloaded 30 minutes prior this comment - didn't use this tag before)
I'm behind an NGINX reverse proxy and also using Authentik. My Docker compose file is pretty similar to the one above.
One "confusing thing" is that for most Oauth setups, there is detailed URLs. For example, I don't know if for AUTH_OIDC_URI I need to use : https://auth.my.domain/application/o/homarr/ or https://auth.my.domain/
Same for BASE_URL & NEXTAUTH_URL
Let me know what I can test further, I've a dedicated integration instance for testing 😉
I using only this env configs
BASE_URL: 'homarr.example.com', AUTH_PROVIDER: 'oidc', AUTH_OIDC_URI: 'https://authentik.example.com/application/o/homarr', AUTH_OIDC_CLIENT_SECRET: 'OIDC SECRET GET FROM AUTHENTIK', AUTH_OIDC_CLIENT_ID: 'OIDC ID GET FROM AUTHENTIK', AUTH_OIDC_CLIENT_NAME: 'ANY NAME THAT YOU WANNA SHOW ON THE UI', AUTH_OIDC_ADMIN_GROUP: 'admin', (Or any group that you have on authentik) AUTH_OIDC_OWNER_GROUP: 'admin', (Or any group that you have on authentik)
Don't use NEXTAUTH_URL
EHRETic
commented
7 months ago Don't use NEXTAUTH_URL
Hi,
Well, if I don't use NEXTAUTH_URL, I get the http://localhost:7575/api/auth/error?error=OAuthSignin redirection.
So let's share some infos:
In my environnement, each docker instance has it's own IP in a dedicated network. So I can manage easily external and internal apps with 2 different reverse proxies. Homarr is intended to be available outside.
My Docker compose file (current):
version: '3'
services:
homarr:
image: ghcr.io/ajnart/homarr:fix-redirect-oidc
container_name: homarr
restart: unless-stopped
environment:
TZ: '${TZ}'
DEFAULT_COLOR_SCHEME: '${DEFAULT_COLOR_SCHEME}'
AUTH_PROVIDER: '${AUTH_PROVIDER}'
AUTH_OIDC_URI: '${AUTH_OIDC_URI}'
AUTH_OIDC_CLIENT_ID: '${AUTH_OIDC_CLIENT_ID}'
AUTH_OIDC_CLIENT_SECRET: '${AUTH_OIDC_CLIENT_SECRET}'
AUTH_OIDC_CLIENT_NAME: '${AUTH_OIDC_CLIENT_NAME}'
BASE_URL: '${BASE_URL}'
#NEXTAUTH_URL: '${NEXTAUTH_URL}'
volumes:
- config:/app/data/configs
- data:/data
- icons:/app/public/icons
networks:
default:
ipv4_address: 192.168.X.X
volumes:
config:
data:
icons:
networks:
default:
external: true
name: my_docker_network
ENV file:
TZ=Europe/Paris
DEFAULT_COLOR_SCHEME=light
AUTH_PROVIDER=oidc
AUTH_OIDC_URI=https://auth.myexternal.domain/application/o/homarr/
AUTH_OIDC_CLIENT_ID=xxxxx
AUTH_OIDC_CLIENT_SECRET=xxxxx
AUTH_OIDC_CLIENT_NAME=Authentik
BASE_URL=homarr.myexternal.domainMy NGINX server block:
server {
# Include HTTPS server standards
include /etc/nginx/conf.d/server_security.conf;
# Add HSTS header (not available on local server)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
server_name homarr.myexternal.domain;
location / {
proxy_pass http://192.168.X.X:7575;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
}
ssl_certificate /etc/letsencrypt/live/homarr.myexternal.domain/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/homarr.myexternal.domain/privkey.pem; # managed by Certbot
}I use Authentik for several apps already so I hope everything is well configured there. I put .* for the redirect URLs and use the Authentik self-signed certificate.
Do you see anything that would not be as expected? Thanks for you help! 😉
catrielmuller
commented
7 months ago @EHRETic looks like you are using an old image, can you do this to force docker compose to pull the latest one:
docker-compose down
docker-compose build --pull (This is the important part)
docker-compose up -d@EHRETic , you can do this to check if you have the correct version:
docker image inspect ghcr.io/ajnart/homarr:fix-redirect-oidcand the ID should be sha256:1b0e36984570090ce75ddb1a066b4bbba34d50d83175c1da4a64eaf4e74dfd74
catrielmuller
commented
7 months ago @EHRETic BTW looks like docker-compose added the pull_policy attribute, so you can do something like this:
version: '3'
services:
homarr:
image: ghcr.io/ajnart/homarr:fix-redirect-oidc
pull_policy: always
container_name: homarrand the ID should be sha256:1b0e36984570090ce75ddb1a066b4bbba34d50d83175c1da4a64eaf4e74dfd74
Well, not sure but it looks OK (but the error remains) :
I did the following because I use Portainer:
I still get the localhost redirect 😊
catrielmuller
commented
7 months ago and the ID should be sha256:1b0e36984570090ce75ddb1a066b4bbba34d50d83175c1da4a64eaf4e74dfd74
Well, not sure but it looks OK (but the error remains) :
I did the following because I use Portainer:
- deleted container
- deleted image
- edited docker compose file as suggested
- recreated the container
I still get the localhost redirect 😊
Checking the code of the PR, can you try to add this parameter on your nginx config
proxy_set_header X-Forwarded-Host $host;proxy_set_header X-Forwarded-Host $host;
Nope, didn't change anything
catrielmuller
commented
7 months ago proxy_set_header X-Forwarded-Proto $scheme;
can you try to put the header in lowecase
proxy_set_header x-forwarded-proto $scheme; proxy_set_header x-forwarded-host $host;
Meierschlumpf
commented
7 months ago Maybe behind a dual proxy it does not work? Because the forward is overwritten by the second one
K-J-VV
commented
7 months ago Update:
OIDC and redirect login are working for me now using the latest fix-redirect-oidc tag, two things to note:
NOTE: there is no trailing / after oidc
yey3men2
commented
7 months ago Update:
OIDC and redirect login are working for me now using the latest fix-redirect-oidc tag, two things to note:
- Correct Auth Provider Redirect URL: https://homarr.example.com/api/auth/callback/oidc
NOTE: there is no trailing / after oidc
- In the .env file, I am using only the NEXTAUTH_URL variable
are you also using Authetik? mine still not working. can you share your config?
EHRETic
commented
7 months ago proxy_set_header x-forwarded-proto $scheme; proxy_set_header x-forwarded-host $host;
Nope, didn't change a thing (I'm no expert, but I dont think NGINX makes a differences in interpretation)
Maybe behind a dual proxy it does not work? Because the forward is overwritten by the second one
I'm using them paralely, so only one is "in the way".
Update:
OIDC and redirect login are working for me now using the latest fix-redirect-oidc tag, two things to note:
- Correct Auth Provider Redirect URL: https://homarr.example.com/api/auth/callback/oidc
This is confusing, I finally got it working with @catrielmuller configuration, meaning:
AUTH_PROVIDER=oidc
AUTH_OIDC_URI=https://authentik.domain.com/application/o/homarr
AUTH_OIDC_CLIENT_ID=xxxx
AUTH_OIDC_CLIENT_SECRET=xxxx
AUTH_OIDC_CLIENT_NAME=Authentik
BASE_URL=homarr.domain.comBut I have something that might need some code (or doc) update... The redirect only works if I put .* but if I put https://homarr.domain.com/api/auth/callback/oidc (with or without / at the end), I get:
EHRETic
commented
7 months ago I can confirm that something is not fully recognized because app link doesn't appear in Authentik application list should be a link where the yellow is):
I have also no Homarr shortcut in my Authentik home, which should come automatically:
catrielmuller
commented
7 months ago @EHRETic if you enter to the provider there is a button to create an application associated to that provider.
If you modify that APP you can set the launch url where you should put the public URL of Homarr
Meierschlumpf
commented
7 months ago You can continue your conversation, I just closed it because the issue with the redirect should be fixed
EHRETic
commented
7 months ago @catrielmuller thanks a lot for the tip, this ease the creation of the app, I didn't knew it! 👌 But it didn't change the app link/icon creation.
I did though manage to get it appear by manually filling up this field:
But it is the only application where I did put a value in there. All the other didn't require that, Authentik did find it itself. And it mention: If left empty, authentik will try to extract the launch URL based on the selected provider.
But no worries, it works now fine and I'm just trying to check if there is not something missing in Oauth implementation.
Thanks a lot for you help 😉
EHRETic
commented
7 months ago You can continue your conversation, I just closed it because the issue with the redirect should be fixed
Thanks a lot! 🙂
yey3men2
commented
7 months ago still not working for me, here is my config:
image ghcr.io/ajnart/homarr:fix-redirect-oidc
image id sha256:fd183a046dda01d5a2e254fb0babd75d8b0c51782a3ce180bdb35e692f55e425
- TZ=America/New_York
- DEFAULT_COLOR_SCHEME= dark
- DISABLE_ANALYTICS= true
- BASE_URL=https://homarr.mydomain.com
- AUTH_PROVIDER=oidc
- AUTH_OIDC_URI=https://authentik.mydomain.com/application/o/homarr/
- AUTH_OIDC_CLIENT_SECRET=secret from Authentik
- AUTH_OIDC_CLIENT_ID=id from Authentik
- AUTH_OIDC_CLIENT_NAME=AuthentikRedirect URIs/Origins (RegEx) .* also tried https://homarr.mydomain.com/api/auth/callback/oidc and https://homarr.mydomain.com
Exporting hostname...
Migrating database...
yarn run v1.22.19
$ ts-node ./migrate.ts
Done in 1.24s.
Starting production server...
Listening on port 7575 url: http://6641176fc803:7575
[next-auth][error][SIGNIN_OAUTH_ERROR]
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
error: {
message: 'expected 200 OK, got: 301 Moved Permanently',
stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
' at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
' at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
' at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
' at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
' at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
' at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
' at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
' at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
' at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:129:12)',
name: 'OPError'
},
providerId: 'oidc',
message: 'expected 200 OK, got: 301 Moved Permanently'
}
every time I test I use an incoginito window in chrome
what am I missing?
yey3men2
commented
7 months ago still not working for me, here is my config:
image info
image
ghcr.io/ajnart/homarr:fix-redirect-oidcimage idsha256:fd183a046dda01d5a2e254fb0babd75d8b0c51782a3ce180bdb35e692f55e425environment
- TZ=America/New_York - DEFAULT_COLOR_SCHEME= dark - DISABLE_ANALYTICS= true - BASE_URL=https://homarr.mydomain.com - AUTH_PROVIDER=oidc - AUTH_OIDC_URI=https://authentik.mydomain.com/application/o/homarr/ - AUTH_OIDC_CLIENT_SECRET=secret from Authentik - AUTH_OIDC_CLIENT_ID=id from Authentik - AUTH_OIDC_CLIENT_NAME=AuthentikAuthentik
Redirect URIs/Origins (RegEx)
.*also triedhttps://homarr.mydomain.com/api/auth/callback/oidcandhttps://homarr.mydomain.comhomarr docker container logs
Exporting hostname... Migrating database... yarn run v1.22.19 $ ts-node ./migrate.ts Done in 1.24s. Starting production server... Listening on port 7575 url: http://6641176fc803:7575 [next-auth][error][SIGNIN_OAUTH_ERROR] https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently { error: { message: 'expected 200 OK, got: 301 Moved Permanently', stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' + ' at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' + ' at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' + ' at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' + ' at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' + ' at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' + ' at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' + ' at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' + ' at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' + ' at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:129:12)', name: 'OPError' }, providerId: 'oidc', message: 'expected 200 OK, got: 301 Moved Permanently' }every time I test I use an incoginito window in chrome
what am I missing?
the current error I get is: http://localhost:7575/api/auth/error?error=OAuthSignin
EHRETic
commented
7 months ago @yey3men2
Can you try this:
environment
- TZ=America/New_York - DEFAULT_COLOR_SCHEME= dark - DISABLE_ANALYTICS= true - BASE_URL=homarr.mydomain.com (without https) - AUTH_PROVIDER=oidc - AUTH_OIDC_URI=https://authentik.mydomain.com/application/o/homarr (without ending /) - AUTH_OIDC_CLIENT_SECRET=secret from Authentik - AUTH_OIDC_CLIENT_ID=id from Authentik - AUTH_OIDC_CLIENT_NAME=AuthentikAuthentik
Redirect URIs/Origins (RegEx)
.*
This is working for me with Authentik and only **.*** in redirect made it work but we might also need to look at your reverse proxy configuration. 😉
unbelauscht
commented
7 months ago I can reproduce the problem: Homarr keeps returning localhost:
https://home.example.com/api/auth/providers returns
{"oidc":{"id":"oidc","name":"SSO","type":"oauth","signinUrl":"http://localhost:7575/api/auth/signin/oidc","callbackUrl":"http://localhost:7575/api/auth/callback/oidc"},"empty":{"id":"empty","name":"Empty","type":"oauth","signinUrl":"http://localhost:7575/api/auth/signin/empty","callbackUrl":"http://localhost:7575/api/auth/callback/empty"}}Config:
containers:
- env:
- name: TZ
value: Europe/Berlin
- name: NODE_TLS_REJECT_UNAUTHORIZED
value: "0"
- name: BASE_URL
value: home.example.com
- name: AUTH_PROVIDER
value: oidc
- name: AUTH_OIDC_URI
value: https://accounts.example.com/application/o/homarr
- name: AUTH_OIDC_CLIENT_ID
value: xxx
- name: AUTH_OIDC_CLIENT_NAME
value: SSO
- name: AUTH_OIDC_ADMIN_GROUP
value: homarr-admins
- name: DEFAULT_COLOR_SCHEME
value: dark
envFrom:
- secretRef:
name: homarr-oidc
image: ghcr.io/ajnart/homarr:fix-redirect-oidcExporting hostname...
2024-02-24T17:07:49.834682941+01:00 Migrating database...
2024-02-24T17:07:50.163991656+01:00 yarn run v1.22.19
2024-02-24T17:07:50.191741511+01:00 $ ts-node ./migrate.ts
2024-02-24T17:07:53.142970807+01:00 Done in 2.98s.
2024-02-24T17:07:53.158554652+01:00 Starting production server...
2024-02-24T17:07:54.416648891+01:00 Listening on port 7575 url: http://homarr-6896ffb79d-4vxzh:7575
(node:55) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
(Use `node --trace-warnings ...` to show where the warning was created)
[next-auth][error][OAUTH_CALLBACK_ERROR]
2024-02-24T17:11:15.242831877+01:00 https://next-auth.js.org/errors#oauth_callback_error invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)) {
2024-02-24T17:11:15.242839689+01:00 error: OPError: invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method))
2024-02-24T17:11:15.242844056+01:00 at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:38:13)
2024-02-24T17:11:15.242848042+01:00 at Client.grant (/app/node_modules/openid-client/lib/client.js:1354:22)
2024-02-24T17:11:15.242851532+01:00 at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2024-02-24T17:11:15.242855032+01:00 at async Client.callback (/app/node_modules/openid-client/lib/client.js:493:24)
2024-02-24T17:11:15.242858429+01:00 at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:109:16)
2024-02-24T17:11:15.242861996+01:00 at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:52:11)
2024-02-24T17:11:15.242865367+01:00 at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
2024-02-24T17:11:15.242880007+01:00 at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
2024-02-24T17:11:15.242884201+01:00 at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:129:12) {
2024-02-24T17:11:15.242887870+01:00 name: 'OAuthCallbackError',
2024-02-24T17:11:15.242891586+01:00 code: undefined
2024-02-24T17:11:15.242894909+01:00 },
2024-02-24T17:11:15.242898280+01:00 providerId: 'oidc',
2024-02-24T17:11:15.242901902+01:00 message: 'invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method))'
2024-02-24T17:11:15.242905353+0Also running Authentik and I am out of guesses.
EDIT: Setting NEXTAUTH_URL makes it work for me also.
sirjmann92
commented
7 months ago EDIT: With fix-redirect-oidc version
Original post: Also still having the localhost:7575 issue, confirmed I'm using the right image. Using NEXTAUTH_URL makes it work.
.env file
AUTH_PROVIDER=oidc
BASE_URL=homarr.example
AUTH_OIDC_URI=http://auth.example/application/o/homarr
AUTH_OIDC_CLIENT_ID=ID
AUTH_OIDC_CLIENT_SECRET=SECRET
AUTH_OIDC_CLIENT_NAME=Authentik
NEXTAUTH_URL=http://homarr.examplecompose file (relevant parts)
homarr:
container_name: homarr
image: ghcr.io/ajnart/homarr:fix-redirect-oidcIn Authentik: Redirect URI: http://homarr.example/api/auth/callback/oidc Launch URL: http://homarr.example
In Nginx Proxy Manager hostname: homarr.example forward IP: 192.168.x.y:7575 Nothing in Advanced settings
In Pi-hole DNS A record: 'example' -> 192.168.x.y CNAME record: homarr.example -> 'example'
nljc88
commented
6 months ago Here's whats working for me after about 4 hours of trying every conceivable setting combination... NOTE, I needed to remove my email address from the user profile in homarr - this required me disabling OIDC so I could login locally, removing my email address and then enabling OIDC again with the below settings
With LATEST version docker image
.env file AUTH_PROVIDER=oidc BASE_URL=homepage.domain.com AUTH_OIDC_URI=https://auth.domain.com/application/o/homarr (NO TRAILING /) AUTH_OIDC_CLIENT_ID=ID AUTH_OIDC_CLIENT_SECRET=SECRET AUTH_OIDC_CLIENT_NAME=Authentik NEXTAUTH_URL=https://homepage.domain.com
In Authentik: Redirect URI: .* Launch URL: https://homepage.domain.com
In Nginx Proxy Manager hostname: homepage.domain.com forward IP: 192.168.x.y:7575 Nothing in Advanced settings
sirjmann92
commented
6 months ago I also had to remove my email from Homarr. I assume it might because the username and email I was using in Authentik was the same as the ones I was using in Homarr and there was some duplicate user or user conflict issue. Removing the email address from Homarr caused Homarr to create TWO ADMIN and OWNER users with identical usernames but one (the Homarr native username) without an email address. Seems to work fine like this, so I left it.
avephill
commented
6 months ago With LATEST version docker image
.env file AUTH_PROVIDER=oidc BASE_URL=homepage.domain.com AUTH_OIDC_URI=https://auth.domain.com/application/o/homarr (NO TRAILING /) AUTH_OIDC_CLIENT_ID=ID AUTH_OIDC_CLIENT_SECRET=SECRET AUTH_OIDC_CLIENT_NAME=Authentik NEXTAUTH_URL=https://homepage.domain.com
In Authentik: Redirect URI: .* Launch URL: https://homepage.domain.com
In Nginx Proxy Manager hostname: homepage.domain.com forward IP: 192.168.x.y:7575 Nothing in Advanced settings
I go it working exactly as described here, thank you. I was able to specify redirect URI as https://example.com/api/auth/callback/oidc instead of .* without any problems
Snyaify
commented
6 months ago such a pain in my head with those oidc provider. After updating to latest images i've reinstalled app.
.env file AUTH_PROVIDER=oidc,credetials BASE_URL=homarr.mydomain.com AUTH_OIDC_URI=https://auth.domain.com/application/o/homarr (without TRAILING /) AUTH_OIDC_CLIENT_ID=ID AUTH_OIDC_CLIENT_SECRET=SECRET AUTH_OIDC_CLIENT_NAME=Authentik NEXTAUTH_URL=https://homarr.mydomain.com/
then created internal admin user and with private browser windows i've tried to login with authentik. 1st attempt was successfull, then i've promoted authentik user in homarr to admin user, after logging out in private browser window and logging in with authentik again my user automatically demoted to regular user and after each log out user always demoted to regular user.
then i'm tried to add to .env: AUTH_OIDC_OWNER_GROUP=admin AUTH_OIDC_ADMIN_GROUP=admin and after recreate container i can't login with authentik. When i press login with Authentik, browser takes me back to the main page with url=https://homarr.mydomain.com/auth/login?callbackUrl=https%3A%2F%2Fhomarr.mydomain.com%2F&error=OAuthSignin Now i even can't get it work with oidc auth
in homear log:
user admin is trying to log in. checking password...
15.03.2024
09:44:15
user admin successfully authorized
15.03.2024
09:44:23
[next-auth][error][SIGNIN_OAUTH_ERROR]
15.03.2024
09:44:23
https://next-auth.js.org/errors#signin_oauth_error Socket connection timeout {
15.03.2024
09:44:23
error: {
15.03.2024
09:44:23
message: 'Socket connection timeout',
15.03.2024
09:44:23
stack: 'Error [ERR_SOCKET_CONNECTION_TIMEOUT]: Socket connection timeout\n' +
15.03.2024
09:44:23
' at new NodeError (node:internal/errors:399:5)\n' +
15.03.2024
09:44:23
' at internalConnectMultiple (node:net:1099:20)\n' +
15.03.2024
09:44:23
' at Timeout.internalConnectMultipleTimeout (node:net:1638:3)\n' +
15.03.2024
09:44:23
' at listOnTimeout (node:internal/timers:575:11)\n' +
15.03.2024
09:44:23
' at process.processTimers (node:internal/timers:514:7)',
15.03.2024
09:44:23
name: 'Error'
15.03.2024
09:44:23
},
15.03.2024
09:44:23
providerId: 'oidc',
15.03.2024
09:44:23
message: 'Socket connection timeout'
15.03.2024
09:44:23
}@Snyaify - I had a similar issue. It sounds like a user conflict. I resolved it by removing the email address of the original Homarr Owner because I wanted the same username/owner for both Authentik and Homarr and it was causing a conflict (the same loop you described with the same error).
This is how I fixed it:
This created an identical Owner and Admin in Homarr. One had both the email add the username, the other has just the username. Both usernames match and both are Admin and Owner. Works fine.
I would just delete all users that aren't the Owner from Homarr and delete the email address from the Owner to start fresh. Any users you login with via Authentik that are in your "admin" group will automatically be added to Homarr. But if you have a user that has the same username and email address as that of a user in Homarr, you will get the loop when you try to log in with that user. It feels like a bug to me, but my workaround worked for me.
Good luck!
Snyaify
commented
6 months ago @Snyaify - I had a similar issue. It sounds like a user conflict. I resolved it by removing the email address of the original Homarr Owner because I wanted the same username/owner for both Authentik and Homarr and it was causing a conflict (the same loop you described with the same error).
This is how I fixed it:
- I removed the reference to .env in my compose.yaml
- Installed it again with the new compose file (with .env commented out) - (docker compose up -d)
- Disabled the proxy in nginx proxy manager, so I could do local login again
- Logged into Homarr with original Owner account
- Deleted any additional users
- IMPORTANT PART Deleted the email address from the Owner in Homarr
- Re-enabled the .env reference
- Installed Homarr again so it picked up the .env change (docker compose up -d)
- Re-enabled the proxy in nginx proxy manager
- Logged into Homarr with my Authentik admin
This created an identical Owner and Admin in Homarr. One had both the email add the username, the other has just the username. Both usernames match and both are Admin and Owner. Works fine.
I would just delete all users that aren't the Owner from Homarr and delete the email address from the Owner to start fresh. Any users you login with via Authentik that are in your "admin" group will automatically be added to Homarr. But if you have a user that has the same username and email address as that of a user in Homarr, you will get the loop when you try to log in with that user. It feels like a bug to me, but my workaround worked for me.
Good luck!
Thanks, it worked out
Snyaify
commented
6 months ago damn, i can't understand what's going on. Today login with authentik doesn't work again
[next-auth][error][SIGNIN_OAUTH_ERROR]
https://next-auth.js.org/errors#signin_oauth_error Socket connection timeout {
error: {
message: 'Socket connection timeout',
stack: 'Error [ERR_SOCKET_CONNECTION_TIMEOUT]: Socket connection timeout\n' +
' at new NodeError (node:internal/errors:399:5)\n' +
' at internalConnectMultiple (node:net:1099:20)\n' +
' at Timeout.internalConnectMultipleTimeout (node:net:1638:3)\n' +
' at listOnTimeout (node:internal/timers:575:11)\n' +
' at process.processTimers (node:internal/timers:514:7)',
name: 'Error'
},
providerId: 'oidc',
message: 'Socket connection timeout'
}others services login with authentik works perfectly (nextcloud, portainer, etc)
today 20-03-2024 all working again.. yesterday i dosn't do anything .. strange things :(
pathwayx99
commented
6 months ago Here's whats working for me after about 4 hours of trying every conceivable setting combination... NOTE, I needed to remove my email address from the user profile in homarr - this required me disabling OIDC so I could login locally, removing my email address and then enabling OIDC again with the below settings
With LATEST version docker image
.env file AUTH_PROVIDER=oidc BASE_URL=homepage.domain.com AUTH_OIDC_URI=https://auth.domain.com/application/o/homarr (NO TRAILING /) AUTH_OIDC_CLIENT_ID=ID AUTH_OIDC_CLIENT_SECRET=SECRET AUTH_OIDC_CLIENT_NAME=Authentik NEXTAUTH_URL=https://homepage.domain.com
In Authentik: Redirect URI: .* Launch URL: https://homepage.domain.com
In Nginx Proxy Manager hostname: homepage.domain.com forward IP: 192.168.x.y:7575 Nothing in Advanced settings
I can confirm this is what works for me as well. Homarr and Authentik behind a Traefik proxy. Thank you for the help!
serious-scribbler
commented
5 months ago Here's whats working for me after about 4 hours of trying every conceivable setting combination... NOTE, I needed to remove my email address from the user profile in homarr - this required me disabling OIDC so I could login locally, removing my email address and then enabling OIDC again with the below settings
With LATEST version docker image
.env file AUTH_PROVIDER=oidc BASE_URL=homepage.domain.com AUTH_OIDC_URI=https://auth.domain.com/application/o/homarr (NO TRAILING /) AUTH_OIDC_CLIENT_ID=ID AUTH_OIDC_CLIENT_SECRET=SECRET AUTH_OIDC_CLIENT_NAME=Authentik NEXTAUTH_URL=https://homepage.domain.com
In Authentik: Redirect URI: .* Launch URL: https://homepage.domain.com
In Nginx Proxy Manager hostname: homepage.domain.com forward IP: 192.168.x.y:7575 Nothing in Advanced settings
Thank you @nljc88 💯 finally got it working after lots of debugging without success thanks to your comment.
Environment
Docker
Version
0.15.0
Describe the problem
Testing out the OIDC and have all setup, but it appears Homarr may need an additional environment variable set where we can define how Homarr identifies itself as.
For example, using Keycloak, I have redirect URL set as: https://homarr.example.com/api/auth/callback/oidc/
However, when attempting to login via the SSO button, Homarr is sending "http://localhost:7575" as the origin URL, thus failing redirect
I believe there needs to be an additional variable for HTTPS redirects to work and the variable needs to define what the user defined redirect URL is
Logs
No response
Context
No response
Please tick the boxes