OIDC - Homarr is sending http://localhost:7575 as the origin/redirect URL to the Auth Provider rather than https://homarr.example.com

K-J-VV commented 9 months ago

Environment

Docker

Version

0.15.0

Describe the problem

Testing out the OIDC and have all setup, but it appears Homarr may need an additional environment variable set where we can define how Homarr identifies itself as.

For example, using Keycloak, I have redirect URL set as: https://homarr.example.com/api/auth/callback/oidc/

However, when attempting to login via the SSO button, Homarr is sending "http://localhost:7575" as the origin URL, thus failing redirect

I believe there needs to be an additional variable for HTTPS redirects to work and the variable needs to define what the user defined redirect URL is

Logs

No response

Context

No response

Please tick the boxes

[X] I confirm that I attached the proper logs
[X] I've read the docs
[X] I've checked for duplicate issues
[X] I've tried to debug myself

rubberduckdevops commented 2 months ago

Just wanted to drop in here and say that this is working for me after going through this thread.

  - TZ=America/New_York
  - DEFAULT_COLOR_SCHEME= dark
  - DISABLE_ANALYTICS= true
  - BASE_URL=homarr.mydomain.com (without https)
  - AUTH_PROVIDER=oidc
  - AUTH_OIDC_URI=https://authentik.mydomain.com/application/o/homarr (without ending /)
  - AUTH_OIDC_CLIENT_SECRET=secret from Authentik
  - AUTH_OIDC_CLIENT_ID=id from Authentik
  - AUTH_OIDC_CLIENT_NAME=Authentik

Also for Authentik

Redirect URIs .*

Only way to get it to work :) Thank you everyone!

DevGoran commented 2 months ago

``> Just wanted to drop in here and say that this is working for me after going through this thread.

  - TZ=America/New_York
  - DEFAULT_COLOR_SCHEME= dark
  - DISABLE_ANALYTICS= true
  - BASE_URL=homarr.mydomain.com (without https)
  - AUTH_PROVIDER=oidc
  - AUTH_OIDC_URI=https://authentik.mydomain.com/application/o/homarr (without ending /)
  - AUTH_OIDC_CLIENT_SECRET=secret from Authentik
  - AUTH_OIDC_CLIENT_ID=id from Authentik
  - AUTH_OIDC_CLIENT_NAME=Authentik

Also for Authentik

Redirect URIs .*

Only way to get it to work :) Thank you everyone!

I've done exactly the same but it seems like it does not work for me. It always redirects to: http://localhost:7575/api/auth/error?error=OAuthSignin

Error:

[next-auth][error][SIGNIN_OAUTH_ERROR] 
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
    message: 'expected 200 OK, got: 301 Moved Permanently',
  error: {
    stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
      '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
      '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
      '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
      '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
      '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
      '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
      '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
      '    at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
    name: 'OPError'
  },
  providerId: 'oidc',
  message: 'expected 200 OK, got: 301 Moved Permanently'
}

Nginx conf:

server {
    listen 443 ssl;
    server_name dashboard.domain.com;

    # Path to the SSL certificate and key files
    ssl_certificate /path/fullchain.pem;
    ssl_certificate_key /path/privkey.pem;

    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

  location / {
      proxy_pass http://192.168.1.182:7575/;
      proxy_buffering off;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $http_connection;

environment:

AUTH_PROVIDER=oidc
AUTH_OIDC_CLIENT_SECRET=secret
AUTH_OIDC_CLIENT_ID=id
AUTH_OIDC_CLIENT_NAME=authentik
AUTH_OIDC_URI=https://authentik.domain.com/application/o/homarr/
AUTH_LOGOUT_REDIRECT_URL=https://authentik.domain.com/application/o/homarr/end-session/
AUTH_SESSION_EXPIRY_TIME=60d
AUTH_OIDC_AUTO_LOGIN=true
DISABLE_ANALYTICS=true
DEFAULT_COLOR_SCHEME=dark
BASE_URL=dashboard.domain.com

azerioxal commented 2 months ago

``> Just wanted to drop in here and say that this is working for me after going through this thread.

  - TZ=America/New_York
  - DEFAULT_COLOR_SCHEME= dark
  - DISABLE_ANALYTICS= true
  - BASE_URL=homarr.mydomain.com (without https)
  - AUTH_PROVIDER=oidc
  - AUTH_OIDC_URI=https://authentik.mydomain.com/application/o/homarr (without ending /)
  - AUTH_OIDC_CLIENT_SECRET=secret from Authentik
  - AUTH_OIDC_CLIENT_ID=id from Authentik
  - AUTH_OIDC_CLIENT_NAME=Authentik

Also for Authentik

Redirect URIs .*

Only way to get it to work :) Thank you everyone!

I've done exactly the same but it seems like it does not work for me. It always redirects to: http://localhost:7575/api/auth/error?error=OAuthSignin

Error:

[next-auth][error][SIGNIN_OAUTH_ERROR] 
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
    message: 'expected 200 OK, got: 301 Moved Permanently',
  error: {
    stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
      '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
      '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
      '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
      '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
      '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
      '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
      '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
      '    at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
    name: 'OPError'
  },
  providerId: 'oidc',
  message: 'expected 200 OK, got: 301 Moved Permanently'
}

Nginx conf:

server {
    listen 443 ssl;
    server_name dashboard.domain.com;

    # Path to the SSL certificate and key files
    ssl_certificate /path/fullchain.pem;
    ssl_certificate_key /path/privkey.pem;

    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

  location / {
      proxy_pass http://192.168.1.182:7575/;
      proxy_buffering off;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $http_connection;

environment:

AUTH_PROVIDER=oidc
AUTH_OIDC_CLIENT_SECRET=secret
AUTH_OIDC_CLIENT_ID=id
AUTH_OIDC_CLIENT_NAME=authentik
AUTH_OIDC_URI=https://authentik.domain.com/application/o/homarr/
AUTH_LOGOUT_REDIRECT_URL=https://authentik.domain.com/application/o/homarr/end-session/
AUTH_SESSION_EXPIRY_TIME=60d
AUTH_OIDC_AUTO_LOGIN=true
DISABLE_ANALYTICS=true
DEFAULT_COLOR_SCHEME=dark
BASE_URL=dashboard.domain.com

I have the same issue. I have to use the NEXTAUTH_URL variable

DevGoran commented 2 months ago

Also does not work for me.

NEXTAUTH_URL=https://dashboard.domain.com

https://dashboard.domain.com/auth/login?callbackUrl=http%3A%2F%2F192.192.192.192%3A7575%2F&error=OAuthSignin

nljc88 commented 1 month ago

Update from me - in the process of converting to Authelia (due to some unhappy security things I've seen with authentik).

I get this error in Homarr:

message: 'iss mismatch, expected http://auth.domain.com, got: https://auth.domain.com'

No idea where to go from here, have tried everything I can think of... Nginx Proxy Manager (Am I missing some advanced config there?? - Followed this with no luck also: https://thehomelab.wiki/books/dns-reverse-proxy/page/setup-authelia-to-work-with-nginx-proxy-manager)

nljc88 commented 1 month ago

Update from me - in the process of converting to Authelia (due to some unhappy security things I've seen with authentik).

I get this error in Homarr:

message: 'iss mismatch, expected http://auth.domain.com, got: https://auth.domain.com'

No idea where to go from here, have tried everything I can think of... Nginx Proxy Manager (Am I missing some advanced config there?? - Followed this with no luck also: https://thehomelab.wiki/books/dns-reverse-proxy/page/setup-authelia-to-work-with-nginx-proxy-manager)

Another update - I gave up on NGINX (tried all flavours, NPM, NPMPlus, NGINX etc). I'm sure I was missing something simple from a proxy POV, but could just never get auth passed through successfully.

Bit the bullet and converted to Traefik following this guide: https://docs.ibracorp.io/traefik - Although daunting at first and certainly a learning curve - I now have everything working perfectly and just have to add 3 or 4 lines to docker labels depending on what I want to do. I've also been able to set up Forward Auth, so could always turn off homarr auth if I needed to test, but still keep things locked down. (This also works great for apps without local auth or OIDC).

Note, even with the latest image, I still needed the NextAuth config line from above, otherwise always redirected to Localhost. One other note, was I needed some specific Pihole docker config, to ensure that containers could reference pihole for local/internal Green tick magic.

Happy hunting!

DevGoran commented 1 month ago

@Meierschlumpf, can you tell us whether it should work now without the NEXTAUTH variable and base url? I can't see anything in the documentation, so I'd assume it should work at least without it. For me, however, it just doesn't work and keeps redirecting to localhost.

rkj commented 1 month ago

Just a note that I'm still running into the redirect issue with Homarr, when using it behind Caddy, and Authelia for OIDC. My Caddy config:

reverse_proxy 192.168.61.1:7575

My Homarr docker-compose config (with secrets and domain redacted):

❯ cat docker-compose.yml 
services:
  homarr:
    image: ghcr.io/ajnart/homarr:0.15.4
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - configs:/app/data/configs
      - data:/data
      - icons:/app/public/icons
    ports:
      - '7575:7575'
    environment:
      - BASE_URL=homarr.example.me
      - TZ=America/Los_Angeles
      - DEFAULT_COLOR_SCHEME=dark
      - AUTH_PROVIDER=credentials,oidc
      - AUTH_OIDC_URI=https://authelia.example.me
      - AUTH_OIDC_CLIENT_ID=random string
      - AUTH_OIDC_CLIENT_SECRET=topsecret
      - AUTH_OIDC_CLIENT_NAME=Authelia
      - AUTH_LOGOUT_REDIRECT_URL=https://authelia.example.me/logout
      - AUTH_OIDC_ADMIN_GROUP=sudoers-users
      - AUTH_OIDC_OWNER_GROUP=sudoers-owners
      - NEXTAUTH_URL=https://homarr.example.me

I thought maybe BASE_URL should have fixed but it doesn't work, I still get redirects to localhost if I comment out NEXTAUTH_URL. Here's a screenshot from Chrome devtools: VXMyTqeEFc8ugJn

Hoempi commented 1 month ago

While setting up Authentik today I've run into the same issue today @rkj mentioned. The real bummer is that if I set up NEXTAUTH_URL the credential based login is no longer working. It just keeps on loading.

Meierschlumpf commented 1 month ago

@rkj do you get logs on your homarr instance?

rkj commented 1 month ago

Actually yes:

homarr_homarr.1.kr5qhggb1dto@flerovium    | [next-auth][error][OAUTH_CALLBACK_ERROR]
homarr_homarr.1.kr5qhggb1dto@flerovium    | https://next-auth.js.org/errors#oauth_callback_error invalid_grant (The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request.) {
homarr_homarr.1.kr5qhggb1dto@flerovium    |   error: OPError: invalid_grant (The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request.)
homarr_homarr.1.kr5qhggb1dto@flerovium    |       at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:38:13)
homarr_homarr.1.kr5qhggb1dto@flerovium    |       at Client.grant (/app/node_modules/openid-client/lib/client.js:1354:22)
homarr_homarr.1.kr5qhggb1dto@flerovium    |       at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
homarr_homarr.1.kr5qhggb1dto@flerovium    |       at async Client.callback (/app/node_modules/openid-client/lib/client.js:493:24)
homarr_homarr.1.kr5qhggb1dto@flerovium    |       at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:109:16)
homarr_homarr.1.kr5qhggb1dto@flerovium    |       at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:52:11)
homarr_homarr.1.kr5qhggb1dto@flerovium    |       at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
homarr_homarr.1.kr5qhggb1dto@flerovium    |       at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
homarr_homarr.1.kr5qhggb1dto@flerovium    |       at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12) {
homarr_homarr.1.kr5qhggb1dto@flerovium    |     name: 'OAuthCallbackError',
homarr_homarr.1.kr5qhggb1dto@flerovium    |     code: undefined
homarr_homarr.1.kr5qhggb1dto@flerovium    |   },
homarr_homarr.1.kr5qhggb1dto@flerovium    |   providerId: 'oidc',
homarr_homarr.1.kr5qhggb1dto@flerovium    |   message: "invalid_grant (The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request.)"
homarr_homarr.1.kr5qhggb1dto@flerovium    | }

The important part is (I think): The 'redirect_uri' from this request does not match the one from the authorize request, but I'm not sure what homarr is setting and why adding NEXTAUTH_URL fixes it - I suspect it uses localhost, but not sure how to verify.

Hoempi commented 1 month ago

@Meierschlumpf: I guess I had the same underlying error. This is what I got from Authentik:

{
    "asn": {
        "asn": 13335,
        "as_org": "CLOUDFLARENET",
        "network": "172.70.110.0/23"
    },
    "geo": {
        "lat": 40.781,
        "city": "New York",
        "long": -73.9501,
        "country": "US",
        "continent": "NA"
    },
    "message": "Invalid redirect URI used by provider",
    "expected": [
        "https://portal.example.com/api/auth/callback/oidc"
    ],
    "provider": {
        "pk": 72,
        "app": "authentik_providers_oauth2",
        "name": "Portal OAuth",
        "model_name": "oauth2provider"
    },
    "http_request": {
        "args": {},
        "path": "/application/o/token/",
        "method": "POST",
        "request_id": "a91d200bfee443689441e5c73fa724a5",
        "user_agent": "openid-client/5.6.1 (https://github.com/panva/node-openid-client)"
    },
    "redirect_uri": "http://localhost:7575/api/auth/callback/oidc"
}

After setting up NEXTAUTH_URL like @rkj did, the correct redirect URI was send to Authentik.

Meierschlumpf commented 1 month ago

Okay intresting, I'll setup authelia (with traefik) and try to reproduce. Maybe I'm also able to debug it locally then

Meierschlumpf commented 1 month ago

Okas was able to reproduce, now I'll try to find the issue:

Meierschlumpf commented 1 month ago

@Hoempi @rkj can somebody of you try if it works when you add the env variable AUTH_TRUST_HOST and set it to true. If you have the NEXT_AUTH_URL defined obviously remove it.

rkj commented 1 month ago

Works great for me, thank you!

Meierschlumpf commented 1 month ago

Okay OMG that was a disaster on my side, I spent like 4 hours trying to get authelia to work and finally by hacking something together and code analysis of the next auth version we had a year ago, I was able to find this piece of code:

/** Extract the origin from the environment */
export function detectOrigin(forwardedHost: any, protocol: any) {
  // If we detect a Vercel environment, we can trust the host
  if (process.env.VERCEL ?? process.env.AUTH_TRUST_HOST)
    return `${protocol === "http" ? "http" : "https"}://${forwardedHost}`

  // If `NEXTAUTH_URL` is `undefined` we fall back to "http://localhost:3000"
  return process.env.NEXTAUTH_URL
}

And because we have NEXTAUTH_URL set by default to http://localhost:7575 it always redirected to that one 🥲

Meierschlumpf commented 1 month ago

I'll create a pull request where we add this env variable in the Dockerfile @rkj can you, after we released that, revert the change for on authelia?

rkj commented 1 month ago

Actually, just noticed something weird, the login flow works, I see the dashboard, but I cannot edit the board, and in the profile menu I only see "Switch theme" and "Login"... Switching back to NEXTAUTH_URL fixes it, so maybe there are some more edge cases :(

Meierschlumpf commented 1 month ago

Oh no 😢 I guess I'll have to investigate further

Meierschlumpf commented 1 month ago

Okay found something @rkj

Hypothesis:

When you log in this way you are no longer able to go to /auth/login and get redirected. When you rename your cookie from __Secure-next-auth.session-token to next-auth.session-token your user profile is shown at /manage but you can open /auth/login

Solution: I added a change to my Pull request where it always uses the next-auth.session-token. I've published an image so you can try it out fix-oidc-wrong-redirect

nljc88 commented 1 month ago

Okay found something @rkj

Hypothesis:

When you log in this way you are no longer able to go to /auth/login and get redirected. When you rename your cookie from __Secure-next-auth.session-token to next-auth.session-token your user profile is shown at /manage but you can open /auth/login

Solution: I added a change to my Pull request where it always uses the next-auth.session-token. I've published an image so you can try it out fix-oidc-wrong-redirect

Confirming this works so far with Authelia, Traefik and removing Next Auth URL. Variables below:

"AUTH_PROVIDER=oidc"
"AUTH_OIDC_URI=https://auth.domain.com"
"AUTH_OIDC_CLIENT_SECRET=***"
"AUTH_OIDC_CLIENT_ID=***"
"AUTH_OIDC_CLIENT_NAME=Auth"
"AUTH_OIDC_ADMIN_GROUP=admin"
"AUTH_OIDC_OWNER_GROUP=admin"

nljc88 commented 1 month ago

Quick update on the fix-oidc-wrong-redirect branch. Once the token is stale from Authelia, the logout button doesn't work and nothing redirects you to Authelia to reauthenticate unless you refresh the browser.

DevGoran commented 1 month ago

Authentik + nginx: With both, latest and fix-oidc-wrong-redirect I keep receiving following:

[next-auth][error][SIGNIN_OAUTH_ERROR] 
  message: 'expected 200 OK, got: 301 Moved Permanently'
}
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
    message: 'expected 200 OK, got: 301 Moved Permanently',
  error: {
    stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
      '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
      '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
      '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
      '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
      '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
      '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
      '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
      '    at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
    name: 'OPError'
  },
  providerId: 'oidc',

Any idea why?

nljc88 commented 1 month ago

Authentik + nginx: With both, latest and fix-oidc-wrong-redirect I keep receiving following:

[next-auth][error][SIGNIN_OAUTH_ERROR] 
  message: 'expected 200 OK, got: 301 Moved Permanently'
}
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
    message: 'expected 200 OK, got: 301 Moved Permanently',
  error: {
    stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
      '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
      '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
      '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
      '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
      '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
      '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
      '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
      '    at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
    name: 'OPError'
  },
  providerId: 'oidc',

Any idea why?

No idea why, but these are the exact errors I had when trying to get things working with nginx. Which led me to convert to traefik and find success.

I think it all has to do with forwarding headers and other related that I’m just not aware enough of. I’m sure it can be solved, I just spent far too long and couldn’t get it working. I did have it working for other platforms though (portainer as an example).

Hoempi commented 1 month ago

I'm currently away from home, else I would already have responded earlier.

But if it is of any help, I could provide my Caddy and Authentik configs this evening or tomorrow morning, depending on when I'll be home.

Hoempi commented 1 month ago

I got around to fetch the details. If I missed something, please let me know.

Caddy:

portal.mydomain.com/ {
    reverse_proxy 172.16.0.5:7575
}

.env for Homarr:

TZ=Europe/Berlin
BASE_URL=portal.hempen.family
AUTH_PROVIDER=oidc
#AUTH_TRUST_HOST=true
NEXTAUTH_URL=https://portal.mydomain.com
AUTH_OIDC_URI=https://auth.mydomain.com/application/o/portal
AUTH_OIDC_CLIENT_NAME=Authentik
AUTH_OIDC_CLIENT_ID=ThisIsAPlaceHolderForMyClientIDReally!!!
AUTH_OIDC_CLIENT_SECRET=OfCourseIWontShareMyClientSecretOnTheInternetThatWouldEitherBeReallyDumbOrASignOfMissingUnderstandingAboutSecurityConceptsAndSo!
AUTH_LOGOUT_REDIRECT_URL=https://auth.mydomain.com/application/o/portal/end-session/
AUTH_OIDC_ADMIN_GROUP="server-admin"
AUTH_OIDC_OWNER_GROUP="server-admin"

Outpost in Authentik

Authentication flow: default-authentication-flow (Welcome to authentik!)
Authorization flow: default-provider-authorization-explicit-consent (Authorize Application)
Client ID: ThisIsAPlaceHolderForMyClientIDReally!!!
Client Secret: OfCourseIWontShareMyClientSecretOnTheInternetThatWouldEitherBeReallyDumbOrASignOfMissingUnderstandingAboutSecurityConceptsAndSo!
Redirect URIs/Origins (RegEx): https://portal.mydomain.com/api/auth/callback/oidc
Signing Key: authentik Self-signed Certificate

// Edit: While streamlining other parts, I realized I had an error in the Caddy Config. The directice tls_internal needed to be removed, else Caddy would hand out self-signed certificates instead of getting them from Let's Encrypt.

Meierschlumpf commented 1 month ago

When you use the custom image it should not be necessary to have the NEXTAUTH_URL set when AUTH_TRUST_HOST is set

Meierschlumpf commented 1 month ago

No idea why, but these are the exact errors I had when trying to get things working with nginx. Which led me to convert to traefik and find success.

Maybe it's also related to a trailing slash like in the following issue? https://github.com/nextauthjs/next-auth/discussions/8654

Or add one to the end: https://stackoverflow.com/questions/74975413/next-auth-with-zitadel-cloud-expected-200-ok-got-301-moved-permanently

DevGoran commented 1 month ago

God... I actually tried this but didn't work before (likely because I had multiple issues at that point back then).

It finally works with nginx and the latest version of homarr, not with the custom image:

Nginx conf:

server {
    listen 443 ssl;
    server_name dashboard.domain.com;

    location / {
        proxy_pass http://IP:PORT;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

env:

AUTH_PROVIDER=oidc
AUTH_OIDC_CLIENT_SECRET=secret
AUTH_OIDC_CLIENT_ID=id
AUTH_OIDC_CLIENT_NAME=authentik
AUTH_OIDC_URI=https://authentik.domain.com/application/o/homarr
AUTH_LOGOUT_REDIRECT_URL=https://authentik.domain.com/application/o/homarr/end-session/
AUTH_SESSION_EXPIRY_TIME=60d
AUTH_OIDC_AUTO_LOGIN=false
DISABLE_ANALYTICS=true
TZ=Europe/Zurich
DEFAULT_COLOR_SCHEME=dark
NEXTAUTH_URL=https://dashboard.domain.com
BASE_URL=dashboard.domain.com

Authentik: Redirect URL in authentik: https://dashboard.domain.com/api/auth/callback/oidc Had to use the authentik self-signed certificate since the one from let's encrypt is not RSA but ECC.

nljc88 commented 1 month ago

Confirmed no trailing slash! First thing I checked :D

On Fri, Oct 11, 2024 at 12:01 PM Meier Lukas @.***> wrote:

No idea why, but these are the exact errors I had when trying to get things working with nginx. Which led me to convert to traefik and find success.

Maybe it's also related to a trailing slash like in the following issue? nextauthjs/next-auth#8654 https://github.com/nextauthjs/next-auth/discussions/8654

— Reply to this email directly, view it on GitHub https://github.com/ajnart/homarr/issues/1909#issuecomment-2407707228, or unsubscribe https://github.com/notifications/unsubscribe-auth/AEMOZ7WZG25ML4UAVOFGMWTZ27Y5TAVCNFSM6AAAAABDNQN2UOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMBXG4YDOMRSHA . You are receiving this because you were mentioned.Message ID: @.***>

AntonioMallen commented 1 month ago

I tried the config of @DevGoran in authentik x homarr but getting this after login in auth.example.es (the redirections works fine but the login not) : After_Login

And if i am logged and try click in the logging section i get this: Clickin login

Someone has a problem like this?

DevGoran commented 1 month ago

I tried the config of @DevGoran in authentik x homarr but getting this after login in auth.example.es (the redirections works fine but the login not) :

And if i am logged and try click in the logging section i get this:

Someone has a problem like this?

What is the container log showing you? Are you also using nginx?

AntonioMallen commented 1 month ago

@DevGoran I am using NPM (Nginx Proxy Manager as reverse proxy) and Authentik as SSO Provider. The log is not showing anything but in the insepct window i get a http 307 response: Sin título I have this in config:

DevGoran commented 1 month ago

@AntonioMallen what is your npm config looking like? I've had used npm in the past but it caused too many issues to me, which is why I switched to just the regular nginx.

AntonioMallen commented 1 month ago

@DevGoran I am using only npm as redirection, i have the same config with other dockers with sso in authentik(Like Seafile, Redmine, Gitea...). I think i had some variable bad in the homarr config or in the authentik provider but i cant see tho.

Meierschlumpf commented 1 month ago

I tried the config of @DevGoran in authentik x homarr but getting this after login in auth.example.es (the redirections works fine but the login not) :

And if i am logged and try click in the logging section i get this:

Someone has a problem like this?

This is exactly what is fixed in the mentioned docker image that will be merged to dev soon. fix-oidc-wrong-redirect

AntonioMallen commented 1 month ago

@Meierschlumpf Oh sorry i didnt understand well the post (My english is a bad). Thanks for the help!

silverbios commented 1 month ago

I am experiencing a similar issue even with version 0.15.6. My problem is with the callback URL sent from Homarr to my SSO. My Homarr URL is https://DOMAIN.COM:7575, but after attempting to log in via SSO, I receive a redirect error based on the origin URL I defined in the settings. Upon checking the callback URL, I noticed that the callback URL from Homarr is https://DOMAIN.COM, and it does not include the port number, even though I set it in the Docker Compose environment.

maskalix commented 1 month ago

Still having problem with redirect url (localhost:7575)

mundi86 commented 3 weeks ago

Same error here, using authentik and nginx proxy manager:

got the error: homarr | stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' + homarr | ' at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' + homarr | ' at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' + homarr | ' at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' + homarr | ' at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' + homarr | ' at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' + homarr | ' at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' + homarr | ' at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' + homarr | ' at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' + homarr | ' at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)', homarr | name: 'OPError' homarr | }, homarr | providerId: 'oidc', homarr | message: 'expected 200 OK, got: 301 Moved Permanently'

here my compose: version: "3.8" services: homarr: container_name: homarr image: ghcr.io/ajnart/homarr:latest restart: unless-stopped volumes:

/var/run/docker.sock:/var/run/docker.sock # Optional, only if you want docker integration
config_nfs:/app/data/configs
icons_nfs:/app/public/icons
data_nfs:/data ports:
7575:7575 environment: AUTH_PROVIDER: oidc AUTH_OIDC_URI: https://auth.domain.win/application/o/homarr/ AUTH_OIDC_CLIENT_SECRET: $$$ AUTH_OIDC_CLIENT_ID: $$$ AUTH_OIDC_CLIENT_NAME: Authentik AUTH_OIDC_ADMIN_GROUP: AdminGroup AUTH_OIDC_OWNER_GROUP: AdminGroup AUTH_SESSION_EXPIRY_TIME: 60d AUTH_OIDC_AUTO_LOGIN: false DISABLE_ANALYTICS: true TZ: Europe/Zurich DEFAULT_COLOR_SCHEME: dark NEXTAUTH_URL: https://homarr.domain.win BASE_URL: homarr.domain.win volumes: config_nfs: driver: local driver_opts: type: nfs o: addr=192.168.1.123,nolock,rw device: :/volume1/Docker/Volumens/homarr/config icons_nfs: driver: local driver_opts: type: nfs o: addr=192.168.1.123,nolock,rw device: :/volume1/Docker/Volumens/homarr/icons data_nfs: driver: local driver_opts: type: nfs o: addr=192.168.1.123,nolock,rw device: :/volume1/Docker/Volumens/homarr/data networks: nginxproxymanager_default: external: true

in authentik is set the redirect url to .* and tryed https://homarr.domain.win/api/auth/callback/oidc

ajnart / homarr