Closed batman99000 closed 6 months ago
Hi 👋. Thank you for submitting your first issue to Homarr. Please ensure that you've provided all necessary information. You can use the three dots > Edit button to update your post with additional images and information. Depending on the current volume of requests, the team should get in contact with you shortly.
Use ":" instead of "=" in the environment section. Not sure this is the problem, but this has caused problems for other users.
Your AUTH_OIDC_URI might be wrong, could it need to be "https://auth.example.org" instead? At least for my setup with basic authelia, I've only needed the base address, no paths.
Another thing, login has a tendency to not behave if you're trying to log on a user for which the email address is already registered in the user database.
Lastly, a v0.15.1 is coming out with a few fixes for OIDC, it might be that you're encountering one of those problems that is getting fixed in the latest release.
I tried switching out the equals for colons, and that actually caused more problems. So I switched back, and took your second piece of advice, and that worked! However, it just redirects to the login page again with a new error from Homarr:
[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).) {
error: OPError: invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).)
at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:38:13)
at Client.grant (/app/node_modules/openid-client/lib/client.js:1354:22)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:109:16)
at async Client.callback (/app/node_modules/openid-client/lib/client.js:493:24)
at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:52:11)
at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:129:12) {
name: 'OAuthCallbackError',
code: undefined
},
providerId: 'oidc',
message: 'invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).)'
}
On Authelia's side, it also has an error saying:
time="2024-03-14T00:20:32Z" level=error msg="Access Request failed with error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). the passwords don't match" method=POST path=/api/oidc/token remote_ip=172.18.0.1 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:27 OpenIDConnectTokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54 (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35 SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25 SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16 SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216 (*CORSPolicy).Middleware.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414 (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154 (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_arm64.s:1172 goexit"
I know the password is correct and matches, because if I go directly to Authelia and sign in, it works just fine. Unless it is referring to the client secret?
I have tried asking the documentation AI for clues about what to do, and it just said to make sure IDs and secrets match, which they do.
If you could provide me any more clues, I would appreciate it! The user I am trying to log in as does not have an email attached to it in Homarr. It does in the LDAP database because it is required by the service I use (lldap).
I figured it out, it was actually the client secret being mismatched. I put the hashed version into the value, not the non-hashed value. I appreciate your help, thank you again!
For future reference, Authelia's documentation section "How do I generate client secrets?" says what you need to do. Essentially it boils down to this:
docker run authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
AUTH_OIDC_CLIENT_SECRET. Example input and output:
Input:
docker run authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
Output: (Do Not Use, generate your own using command above, generated specifically for this example)
Random Password: YcfJwTm89fGeoQUu9JWgxtonrd48Ye3AXwPUKr3Te565Mg6P3hCFUAyKMrk-bCL23ZR8DQgX
Digest: $pbkdf2-sha512$310000$G1KSRmUc8nw/VLWzwj9nxQ$p5WiQkFVguEj0uewpH41M0DaCljSzdY9YiDtOf9DrCIR2AJdVzVPI089M2fmUgM1L2b/yAemink1.GjerP/4WA
Did the above for completeness.
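The mix-up resolved above (pasting the Digest where the Random Password belongs) is easy to reproduce in code. The following is an added example, not code from the Homarr issue or from Authelia; it assumes Authelia's $pbkdf2-<variant>$ digests encode salt and key as standard base64 with '+' replaced by '.' and no padding (the passlib "ab64" convention), and it treats the provider's check at /api/oidc/token as "rehash the presented secret with the stored salt and compare":

```python
# Added example (not from the Homarr issue or Authelia's code base).
# Client side keeps the plaintext "Random Password" (AUTH_OIDC_CLIENT_SECRET);
# provider side keeps only the "Digest". Assumption: salt and key are encoded
# as standard base64 with '+' -> '.' and padding stripped (passlib "ab64").
import base64
import hashlib
import hmac
import os

DIGEST_ALGOS = {"sha512": 64, "sha256": 32}  # variant -> key length in bytes


def ab64_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=").replace("+", ".")


def ab64_decode(text: str) -> bytes:
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    return base64.b64decode(padded)


def parse_digest(digest: str):
    """Split '$pbkdf2-sha512$310000$<salt>$<key>' into (variant, iters, salt, key)."""
    empty, ident, iters, salt, key = digest.split("$")
    if empty != "" or not ident.startswith("pbkdf2-"):
        raise ValueError("not a pbkdf2 digest")
    variant = ident[len("pbkdf2-"):]
    if variant not in DIGEST_ALGOS:
        raise ValueError(f"unsupported variant {variant}")
    return variant, int(iters), ab64_decode(salt), ab64_decode(key)


def generate_digest(secret: str, variant: str = "sha512",
                    iterations: int = 310000, salt: bytes = None) -> str:
    """What goes into the provider's client config (never the plaintext)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac(variant, secret.encode(), salt,
                              iterations, DIGEST_ALGOS[variant])
    return f"$pbkdf2-{variant}${iterations}${ab64_encode(salt)}${ab64_encode(key)}"


def verify_secret(presented: str, digest: str) -> bool:
    """Provider-side check: rehash the presented secret, constant-time compare."""
    variant, iterations, salt, expected = parse_digest(digest)
    actual = hashlib.pbkdf2_hmac(variant, presented.encode(), salt,
                                 iterations, len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    digest = generate_digest("constructed-example-secret")
    print("plaintext as client secret:", verify_secret("constructed-example-secret", digest))
    print("digest as client secret:   ", verify_secret(digest, digest))  # the bug in this thread
```

The second print reproduces the "the passwords don't match" failure from the Authelia log: the digest string rehashed is not the key the provider stored.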
Glad you figured it out! OIDC and lldap have proven to be a bit of a challenge to setup. Thanks for documenting your findings, I'm sure it'll help users in the future.
Environment
Docker
Version
0.15.0
Describe the problem
I am trying to set up Authelia as an OIDC provider, using Traefik as a reverse proxy. I can access Homarr and Authelia separately through their FQDNs, however I get the error in the logs below when I try to sign in using OIDC. I have credentials enabled right now so I can still log in, but I would like to change it to be OIDC only. Whenever I click the button to log in through Authelia, the URL changes from https://homarr.example.org/auth/login to the callback URL, and Authelia never shows up.
Steps to Reproduce
Meanwhile, in Authelia's logs, everything seems to be returning fine, as below:
I have deployed using Docker with the most recent versions of both Authelia and Homarr (I pulled both just to make sure), and both are on the same docker network to make sure communication isn't a problem. I am monitoring both their logs through Portainer at the same time to get a better idea of what's happening, but I can't figure it out.
Docker compose for Homarr:
Authelia related config:
Please note: I have made changes to make sure no personal information is revealed, so if something doesn't match perfectly, don't worry! It matches in my actual compose file.
If you need more details, please let me know what I can provide! Also I am relatively new to GitHub, so sorry for any formatting mistakes.
Logs
Context
No response