ajnart / homarr

Customizable browser's home page to interact with your homeserver's Docker containers (e.g. Sonarr/Radarr)
https://homarr.dev
MIT License

Next_Auth Error SIGNIN_OAUTH_ERROR #1957

Closed batman99000 closed 6 months ago

batman99000 commented 6 months ago

Environment

Docker

Version

0.15.0

Describe the problem

I am trying to set up Authelia as an OIDC provider, using Traefik as a reverse proxy. I can access Homarr and Authelia separately through their FQDNs, however I get the error in the logs below when I try to sign in using OIDC. I have credentials enabled right now so I can still log in, but I would like to change it to be OIDC only. Whenever I click the button to log in through Authelia, the URL changes from https://homarr.example.org/auth/login to the callback URL, and Authelia never shows up.

Steps to Reproduce

  1. Spin up Homarr and Authelia, and configure
  2. Try to log in at Homarr through Authelia; get redirected immediately to the login screen on Homarr, Authelia never shows up, and the error in the logs below appears

Meanwhile, in Authelia's logs, everything seems to be returning fine, as below:

time="2024-03-13T21:07:26Z" level=trace msg="Request hit" method=GET path=/application/o/homarr/.well-known/openid-configuration remote_ip=172.18.0.1
time="2024-03-13T21:07:26Z" level=trace msg="Replied (status=200)" method=GET path=/application/o/homarr/.well-known/openid-configuration remote_ip=172.18.0.1

I have deployed using Docker with the most recent versions of both Authelia and Homarr (I pulled both just to make sure), and both are on the same Docker network to make sure communication isn't a problem. I am monitoring both their logs through Portainer at the same time to get a better idea of what's happening, but I can't figure it out.

Docker compose for Homarr:

services:
  homarr:
    container_name: homarr
    image: ghcr.io/ajnart/homarr:latest
    restart: unless-stopped
    volumes:
      - ./configs:/app/data/configs
      - ./icons:/app/public/icons
      - ./data:/data
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 7575:7575
    networks:
      - dockerproxy
    environment:
      - DEFAULT_COLOR_SCHEME=dark
      - DISABLE_ANALYTICS=true
      - EDIT_MODE_PASSWORD=[REDACTED]
      - TZ=America/Chicago
      - BASE_URL=homarr.example.org
      - NEXTAUTH_URL=https://homarr.example.org
      - AUTH_PROVIDER=credentials,oidc
      #- AUTH_LDAP_URI=ldap://192.168.0.4:3890
      #- AUTH_LDAP_BASE="dc=example,dc=org"
      #- AUTH_LDAP_BIND_DN="uid=admin,ou=people,dc=example,dc=org"
      #- AUTH_LDAP_BIND_PASSWORD=[REDACTED]
      - AUTH_OIDC_URI=https://auth.example.org/application/o/homarr
      - AUTH_OIDC_CLIENT_SECRET=[REDACTED]
      - AUTH_OIDC_CLIENT_ID=homarr
      - AUTH_OIDC_CLIENT_NAME=Authelia
networks:
  dockerproxy:
    external: true

Authelia related config:

identity_providers:
  oidc:
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    cors:
      endpoints:
         - authorization
         - token
         - revocation
         - introspection
         - userinfo
      allowed_origins:
        - "*"
    clients:
        - id: homarr
          secret: [REDACTED]
          public: false
          authorization_policy: one_factor
          consent_mode: implicit
          scopes:
            - openid
            - groups
            - email
            - profile
            - offline_access
          redirect_uris:
          - https://home.example.org/api/auth/callback/oidc
          #- http://192.168.0.4:7575/api/auth/callback/oidc

Please note: I have made changes to make sure no personal information is revealed, so if something doesn't match perfectly, don't worry! It matches in my actual compose file.

If you need more details, please let me know what I can provide! Also, I am relatively new to GitHub, so sorry for any formatting mistakes.

Logs

[next-auth][error][SIGNIN_OAUTH_ERROR] 
https://next-auth.js.org/errors#signin_oauth_error Unexpected token '<', "<!DOCTYPE "... is not valid JSON {
  error: {
    message: `Unexpected token '<', "<!DOCTYPE "... is not valid JSON`,
    stack: `SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON\n` +
      '    at JSON.parse (<anonymous>)\n' +
      '    at IncomingMessage.get (/app/node_modules/openid-client/lib/helpers/request.js:153:30)\n' +
      '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:55:25)\n' +
      '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
      '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
      '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
      '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
      '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
      '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)',
    name: 'SyntaxError'
  },
  providerId: 'oidc',
  message: `Unexpected token '<', "<!DOCTYPE "... is not valid JSON`
}

Context

No response


github-actions[bot] commented 6 months ago

Hi 👋. Thank you for submitting your first issue to Homarr. Please ensure that you've provided all necessary information. You can use the three dots > Edit button to update your post with additional images and information. Depending on the current volume of requests, the team should get in contact with you shortly.

SeDemal commented 6 months ago

Use ":" instead of "=" in the environment section Not sure this is the problem but this has caused problems for other users.

Your AUTH_OIDC_URI might be wrong; could it need to be "https://auth.example.org" instead? At least for my setup with basic Authelia, I've only needed the base address, no paths.

Another thing: login has a tendency to not behave if you're trying to log on a user for which the email address is already registered in the user database.

Lastly, a v0.15.1 is coming out with a few fixes for OIDC, it might be that you're encountering one of those problems that is getting fixed in the latest release.
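An added check for the discovery step behind the first log in this thread (this is editor-supplied example code, not code from the thread, from Homarr or from Authelia). openid-client's Issuer.discover requests `<AUTH_OIDC_URI>/.well-known/openid-configuration` and JSON-parses the body, so when the reverse proxy or the identity provider answers that path with an HTML page (a login page, an error page, a 404 page), the result is exactly "Unexpected token '<', "<!DOCTYPE "... is not valid JSON". The script builds that URL from a candidate AUTH_OIDC_URI, classifies a response body, and checks that the document's issuer equals the configured URI, which is what the "base address, no paths" advice above amounts to for Authelia. The two sample bodies are constructed; the example.org hostnames are the placeholders from the thread; and `fetch_and_check` is an assumed helper for running the same check live from the Homarr host, where DNS and proxy routing match what the container sees.

```python
import json
import urllib.error
import urllib.request

# Constructed sample bodies, standing in for what the Homarr container might get back.
HTML_BODY = (
    "<!DOCTYPE html>\n<html><head><title>Sign in</title></head>"
    "<body>Not the discovery document</body></html>"
)
JSON_BODY = json.dumps({
    "issuer": "https://auth.example.org",
    "authorization_endpoint": "https://auth.example.org/api/oidc/authorization",
    "token_endpoint": "https://auth.example.org/api/oidc/token",
    "jwks_uri": "https://auth.example.org/jwks.json",
})

# Fields openid-client needs before it can build an authorization URL.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(auth_oidc_uri: str) -> str:
    """Discovery URL derived the way openid-client does it: issuer + well-known path."""
    return auth_oidc_uri.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery_body(auth_oidc_uri: str, body: str) -> dict:
    """Classify a discovery response body and say what to fix.

    Returns {"ok": bool, "reason": str}; 'ok' is True only for a JSON document
    that carries the required endpoints and whose issuer equals AUTH_OIDC_URI.
    """
    if body.lstrip().startswith("<"):
        return {"ok": False,
                "reason": "got HTML, not JSON: the path in AUTH_OIDC_URI is not the issuer, "
                          "or the reverse proxy served a page instead of passing the request through"}
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return {"ok": False, "reason": f"body is not valid JSON: {exc.msg}"}
    missing = [k for k in REQUIRED_FIELDS if k not in doc]
    if missing:
        return {"ok": False, "reason": f"discovery document is missing {missing}"}
    if doc["issuer"].rstrip("/") != auth_oidc_uri.rstrip("/"):
        return {"ok": False,
                "reason": f"issuer mismatch: document says {doc['issuer']!r} "
                          f"but AUTH_OIDC_URI is {auth_oidc_uri!r}"}
    return {"ok": True, "reason": "discovery document is usable"}


def fetch_and_check(auth_oidc_uri: str, timeout: float = 5.0) -> dict:
    """Live variant (assumed helper): run it from the Homarr host or container so that
    DNS and reverse-proxy routing are exercised from the same vantage point."""
    req = urllib.request.Request(discovery_url(auth_oidc_uri),
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 404/5xx error pages usually come back as HTML
        status, body = err.code, err.read().decode("utf-8", "replace")
    result = check_discovery_body(auth_oidc_uri, body)
    result["status"] = status
    return result


if __name__ == "__main__":
    # The URI from the original compose file versus the base address suggested in the thread.
    for uri, body in (("https://auth.example.org/application/o/homarr", HTML_BODY),
                      ("https://auth.example.org", JSON_BODY)):
        print(discovery_url(uri), "->", check_discovery_body(uri, body))
```

Running the live variant against both candidate URIs from inside the Homarr container (`docker exec`) tells you which one actually reaches the issuer through Traefik, before touching the compose file.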

batman99000 commented 6 months ago

I tried switching out the equals signs for colons, and that actually caused more problems. So I switched back and took your second piece of advice, and that worked! However, it just redirects to the login page again with a new error from Homarr:

[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).) {
  error: OPError: invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).)
      at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:38:13)
      at Client.grant (/app/node_modules/openid-client/lib/client.js:1354:22)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:109:16)
      at async Client.callback (/app/node_modules/openid-client/lib/client.js:493:24)
      at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
      at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:52:11)
      at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
      at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:129:12) {
    name: 'OAuthCallbackError',
    code: undefined
  },
  providerId: 'oidc',
  message: 'invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).)'
}

On Authelia's side, it also has an error saying:

time="2024-03-14T00:20:32Z" level=error msg="Access Request failed with error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). the passwords don't match" method=POST path=/api/oidc/token remote_ip=172.18.0.1 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:27                   OpenIDConnectTokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35                           SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25                           SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16                           SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             (*CORSPolicy).Middleware.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414                                             (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154                                              (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338                                           (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224                                        (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196                                        (*workerPool).getCh.func1\nruntime/asm_arm64.s:1172                                                                     goexit"

I know the password is correct and matches, because if I go directly to Authelia and sign in, it works just fine. Unless it is referring to the client secret thing?

I have tried asking the documentation AI for clues about what to do, and it just said to make sure IDs and secrets match, which they do.

If you could provide me any more clues, I would appreciate it! The user I am trying to log in as does not have an email attached to it in Homarr. It does in the LDAP database, because it is required to with the service I use (lldap).

batman99000 commented 6 months ago

I figured it out: it was actually the client secret being mismatched. I put the hashed version into the value, not the non-hashed value. I appreciate your help, thank you again!

For future reference, the section "How do I generate client secrets?" in Authelia's documentation says what you need to do. Essentially it boils down to this:

  1. Run this command:
    docker run authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
  2. It will spit out two things into the terminal: "Random Password: " followed by 72 random characters. Below that it will say "Digest: " and show the hashed version of the random password. Copy the Digest version into the client secret for Authelia (i.e. into configuration.yml). Then copy the Random Password into the value for AUTH_OIDC_CLIENT_SECRET.
  3. After that, the passwords should match and it should work.

Example input and output.

Input:

docker run authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986

Output: (Do Not Use, generate your own using command above, generated specifically for this example)

Random Password: YcfJwTm89fGeoQUu9JWgxtonrd48Ye3AXwPUKr3Te565Mg6P3hCFUAyKMrk-bCL23ZR8DQgX
Digest: $pbkdf2-sha512$310000$G1KSRmUc8nw/VLWzwj9nxQ$p5WiQkFVguEj0uewpH41M0DaCljSzdY9YiDtOf9DrCIR2AJdVzVPI089M2fmUgM1L2b/yAemink1.GjerP/4WA

Did the above for completeness.
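An added example (editor-supplied, not code from the thread or from Authelia) that makes the fix above checkable offline. Authelia stores the client secret as a digest in the `$pbkdf2-<hash>$<iterations>$<salt>$<key>` form shown in the Digest line, and the client (Homarr) sends the plaintext Random Password; Authelia's "the passwords don't match" error is the digest failing to verify against whatever Homarr sent. The script parses that digest form, verifies a plaintext against it with PBKDF2-HMAC, and diagnoses the two values that must line up between compose file and configuration.yml, including the exact mistake in this thread (the digest pasted where the plaintext belongs). The digest and password constants are the example pair from the comment above. Assumptions: the base64 fields use the passlib-style alphabet (unpadded, '.' in place of '+'), which is what the '.' in the sample digest indicates, and only the pbkdf2 family is handled, since that is the format the page shows.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The example pair from the comment above (generated for that example; not a live secret).
PAGE_DIGEST = ("$pbkdf2-sha512$310000$G1KSRmUc8nw/VLWzwj9nxQ$p5WiQkFVguEj0uewpH41M0DaCljSzdY9"
               "YiDtOf9DrCIR2AJdVzVPI089M2fmUgM1L2b/yAemink1.GjerP/4WA")
PAGE_PASSWORD = "YcfJwTm89fGeoQUu9JWgxtonrd48Ye3AXwPUKr3Te565Mg6P3hCFUAyKMrk-bCL23ZR8DQgX"


def _ab64_decode(s: str) -> bytes:
    """Unpadded base64 with '.' standing in for '+' (assumed from the '.' in the sample digest)."""
    s = s.replace(".", "+")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _ab64_encode(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii").rstrip("=").replace("+", ".")


def parse_pbkdf2_digest(digest: str) -> Tuple[str, int, bytes, bytes]:
    """Split '$pbkdf2-<hash>$<iterations>$<salt>$<key>' into (hash name, iterations, salt, key)."""
    parts = digest.split("$")
    if len(parts) != 5 or parts[0] != "" or not parts[1].startswith("pbkdf2-"):
        raise ValueError("not a $pbkdf2-...$ digest")
    variant = parts[1][len("pbkdf2-"):]        # "sha512" in the page's example
    iterations = int(parts[2])
    return variant, iterations, _ab64_decode(parts[3]), _ab64_decode(parts[4])


def verify_client_secret(plaintext: str, digest: str) -> bool:
    """True when PBKDF2-HMAC(plaintext, salt, iterations) reproduces the stored key."""
    variant, iterations, salt, expected = parse_pbkdf2_digest(digest)
    derived = hashlib.pbkdf2_hmac(variant, plaintext.encode("utf-8"), salt, iterations,
                                  dklen=len(expected))
    return hmac.compare_digest(derived, expected)


def make_pbkdf2_digest(plaintext: str, variant: str = "sha512", iterations: int = 310000,
                       salt: Optional[bytes] = None) -> str:
    """Produce a digest in the same form, so the verifier can be round-trip tested."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac(variant, plaintext.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-{variant}${iterations}${_ab64_encode(salt)}${_ab64_encode(key)}"


def check_config_pair(homarr_env_secret: str, authelia_client_secret: str) -> str:
    """Diagnose the two values that must line up: AUTH_OIDC_CLIENT_SECRET in the Homarr
    compose file (plaintext) and clients[].secret in Authelia's configuration.yml (digest)."""
    if homarr_env_secret.startswith("$pbkdf2-"):
        return "AUTH_OIDC_CLIENT_SECRET holds the digest; it must hold the Random Password"
    if not authelia_client_secret.startswith("$pbkdf2-"):
        return "Authelia's client secret is not a pbkdf2 digest; it must hold the Digest line"
    if verify_client_secret(homarr_env_secret, authelia_client_secret):
        return "ok: the plaintext matches the digest"
    return "mismatch: the plaintext does not verify against the digest"


if __name__ == "__main__":
    print("page pair verifies:", verify_client_secret(PAGE_PASSWORD, PAGE_DIGEST))
    print(check_config_pair(PAGE_DIGEST, PAGE_DIGEST))   # the mistake reported in this thread
    fresh = make_pbkdf2_digest("constructed-secret", iterations=1000)
    print(check_config_pair("constructed-secret", fresh))
```

Run `check_config_pair` with the two values copied from your own files before restarting anything; a "holds the digest" result is the thread's bug, and a "mismatch" result with a correct-looking pair usually means whitespace or quoting added while pasting into YAML.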

SeDemal commented 6 months ago

Glad you figured it out! OIDC and lldap have proven to be a bit of a challenge to set up. Thanks for documenting your findings; I'm sure it'll help users in the future.