ajnart / homarr

Customizable browser's home page to interact with your homeserver's Docker containers (e.g. Sonarr/Radarr)
https://homarr.dev
MIT License
6.02k stars 275 forks

OIDC - Homarr is sending http://localhost:7575 as the origin/redirect URL to the Auth Provider rather than https://homarr.example.com #1909

K-J-VV closed 7 months ago

K-J-VV commented 7 months ago

Environment

Docker

Version

0.15.0

Describe the problem

Testing out the OIDC and have it all set up, but it appears Homarr may need an additional environment variable set where we can define how Homarr identifies itself.

For example, using Keycloak, I have the redirect URL set as: https://homarr.example.com/api/auth/callback/oidc/

However, when attempting to log in via the SSO button, Homarr is sending "http://localhost:7575" as the origin URL, thus failing the redirect.

I believe there needs to be an additional variable for HTTPS redirects to work, and the variable needs to define what the user-defined redirect URL is.

Logs

No response

Context

No response

mikelv702 commented 2 weeks ago

Just wanted to drop in here and say that this is working for me after going through this thread.

  - TZ=America/New_York
  - DEFAULT_COLOR_SCHEME= dark
  - DISABLE_ANALYTICS= true
  - BASE_URL=homarr.mydomain.com (without https)
  - AUTH_PROVIDER=oidc
  - AUTH_OIDC_URI=https://authentik.mydomain.com/application/o/homarr (without ending /)
  - AUTH_OIDC_CLIENT_SECRET=secret from Authentik
  - AUTH_OIDC_CLIENT_ID=id from Authentik
  - AUTH_OIDC_CLIENT_NAME=Authentik

Also for Authentik

Redirect URIs .*

Only way to get it to work :) Thank you everyone!

DevGoran commented 5 days ago

> Just wanted to drop in here and say that this is working for me after going through this thread.
>
>   - TZ=America/New_York
>   - DEFAULT_COLOR_SCHEME= dark
>   - DISABLE_ANALYTICS= true
>   - BASE_URL=homarr.mydomain.com (without https)
>   - AUTH_PROVIDER=oidc
>   - AUTH_OIDC_URI=https://authentik.mydomain.com/application/o/homarr (without ending /)
>   - AUTH_OIDC_CLIENT_SECRET=secret from Authentik
>   - AUTH_OIDC_CLIENT_ID=id from Authentik
>   - AUTH_OIDC_CLIENT_NAME=Authentik
>
> Also for Authentik
>
> Redirect URIs .*
>
> Only way to get it to work :) Thank you everyone!

I've done exactly the same but it seems like it does not work for me. It always redirects to: http://localhost:7575/api/auth/error?error=OAuthSignin

Error:

[next-auth][error][SIGNIN_OAUTH_ERROR] 
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
    message: 'expected 200 OK, got: 301 Moved Permanently',
  error: {
    stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
      '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
      '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
      '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
      '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
      '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
      '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
      '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
      '    at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
    name: 'OPError'
  },
  providerId: 'oidc',
  message: 'expected 200 OK, got: 301 Moved Permanently'
}

Nginx conf:

server {
    listen 443 ssl;
    server_name dashboard.domain.com;

    # Path to the SSL certificate and key files
    ssl_certificate /path/fullchain.pem;
    ssl_certificate_key /path/privkey.pem;

    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://192.168.1.182:7575/;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

environment:

AUTH_PROVIDER=oidc
AUTH_OIDC_CLIENT_SECRET=secret
AUTH_OIDC_CLIENT_ID=id
AUTH_OIDC_CLIENT_NAME=authentik
AUTH_OIDC_URI=https://authentik.domain.com/application/o/homarr/
AUTH_LOGOUT_REDIRECT_URL=https://authentik.domain.com/application/o/homarr/end-session/
AUTH_SESSION_EXPIRY_TIME=60d
AUTH_OIDC_AUTO_LOGIN=true
DISABLE_ANALYTICS=true
DEFAULT_COLOR_SCHEME=dark
BASE_URL=dashboard.domain.com

azerioxal commented 5 days ago

I have the same issue. I have to use the NEXTAUTH_URL variable.

DevGoran commented 5 days ago

Also does not work for me.

NEXTAUTH_URL=https://dashboard.domain.com

https://dashboard.domain.com/auth/login?callbackUrl=http%3A%2F%2F192.192.192.192%3A7575%2F&error=OAuthSignin

nljc88 commented 1 day ago

Update from me - in the process of converting to Authelia (due to some unhappy security things I've seen with authentik).

I get this error in Homarr:

message: 'iss mismatch, expected http://auth.domain.com, got: https://auth.domain.com'

No idea where to go from here, have tried everything I can think of... Nginx Proxy Manager (Am I missing some advanced config there?? - Followed this with no luck also: https://thehomelab.wiki/books/dns-reverse-proxy/page/setup-authelia-to-work-with-nginx-proxy-manager)
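
An offline check for the symptoms reported in this thread (a localhost callback origin, a trailing slash on the issuer URI, an `iss` scheme mismatch) and for the `.*` redirect entry, as an added example that is not part of the thread or of Homarr's code. The function names, the `example.com` and `.invalid` hosts, and the reading of redirect entries as full-match regular expressions are assumptions.

```javascript
// Added example: offline lint of the OIDC settings discussed in this thread.
// Hostnames are placeholders; the sample input at the bottom is constructed.
const CALLBACK_PATH = '/api/auth/callback/oidc'; // next-auth callback, provider id "oidc"

// Name the first URL component in which two issuer strings differ (null if equal).
function issuerDiff(expected, got) {
  if (expected === got) return null; // `iss` is compared as an exact string
  const a = new URL(expected), b = new URL(got);
  if (a.protocol !== b.protocol) return 'scheme';
  if (a.host !== b.host) return 'host';
  return 'path';
}

// Assumption: the provider reads each allowlist entry as a full-match regex.
function redirectAllowed(pattern, uri) {
  return new RegExp(`^(?:${pattern})$`).test(uri);
}

function lintOidc({ appUrl, issuerUri, discoveryIssuer, tokenIssuer, redirectPatterns }) {
  const findings = [];
  const app = new URL(appUrl);
  const callback = app.origin + CALLBACK_PATH;
  if (app.protocol !== 'https:' || ['localhost', '127.0.0.1'].includes(app.hostname)) {
    findings.push(`app URL ${app.origin} is not the public HTTPS origin`);
  }
  if (issuerUri.endsWith('/')) {
    findings.push('issuer URI ends with "/": discovery may answer with a redirect');
  }
  const diff = issuerDiff(discoveryIssuer, tokenIssuer);
  if (diff) findings.push(`iss mismatch in ${diff}: ${discoveryIssuer} vs ${tokenIssuer}`);
  const foreign = 'https://unrelated.invalid/cb'; // constructed URI on another host
  for (const p of redirectPatterns) {
    if (!redirectAllowed(p, callback)) findings.push(`"${p}" does not cover ${callback}`);
    if (redirectAllowed(p, foreign)) findings.push(`"${p}" accepts redirect URIs on any host`);
  }
  return { callback, findings };
}

// Constructed input combining the symptoms reported above.
console.log(lintOidc({
  appUrl: 'http://localhost:7575',
  issuerUri: 'https://auth.example.com/application/o/homarr/',
  discoveryIssuer: 'http://auth.example.com',
  tokenIssuer: 'https://auth.example.com',
  redirectPatterns: ['.*'],
}).findings);
```

A configuration that passes has the public HTTPS origin as the app URL, identical issuer strings on both sides, and a redirect entry that matches only the computed callback.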