eikek / sharry

Sharry is a self-hosted file sharing web application.
https://eikek.github.io/sharry
GNU General Public License v3.0

Issue with Authelia for OAuth #1025

Closed tuxpeople closed 1 year ago

tuxpeople commented 1 year ago

Hi

I'm using the eikek0/sharry image with tag v1.12.0 in Kubernetes. For OAuth, I try to use the ghcr.io/authelia/authelia image with tag 4.

This is my Sharry config for OAuth:

```conf
oauth = [
    {
      enabled = true
      id = "internal"
      name = "Account"
      icon = "fas fa-address-book"
      authorize-url = "https://auth.${SECRET_DOMAIN}/api/oidc/authorization"
      token-url = "https://auth.${SECRET_DOMAIN}/api/oidc/token"
      user-url = "https://auth.${SECRET_DOMAIN}/api/oidc/userinfo"
      user-id-key = "login"
      client-id = "sharry"
      client-secret = "${SHARRY_CLIENT_SECRET}"
    }
]
```

This is the relevant part of my Authelia config:

```yaml
- id: sharry
  description: Sharry
  secret: ${SHARRY_CLIENT_SECRET}
  public: false
  authorization_policy: two_factor
  pre_configured_consent_duration: 1y
  redirect_uris:
    [
      "https://sharry.${SECRET_DOMAIN}/api/v2/open/auth/oauth/internal/resume",
    ]
  scopes:
    - openid
    - profile
    - groups
    - email
  userinfo_signing_algorithm: none
```

When I press the button for OAuth, Sharry tries to authenticate and eventually ends back at the login screen with "There was an invalid response status: 405". In the Authelia log, I see this:

```
time="2023-03-15T20:19:14+01:00" level=error msg="Authorization Request failed with error: The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy." method=GET path=/api/oidc/authorization remote_ip="2a02:21b4:865f:1800:50ed:36e6:a67a:62c1"stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_authorization.go:32           OpenIDConnectAuthorization
github.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1
github.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            (*BridgeBuilder).Build.func1.1
github.com/authelia/authelia/v4/internal/middlewares/headers.go:35                           SecurityHeadersNoStore.func1
github.com/authelia/authelia/v4/internal/middlewares/headers.go:25                           SecurityHeadersCSPNone.func1
github.com/authelia/authelia/v4/internal/middlewares/headers.go:16                           SecurityHeaders.func1
github.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             (*CORSPolicy).Middleware.func1
github.com/fasthttp/router@v1.4.14/router.go:414                                             (*Router).Handler
github.com/valyala/fasthttp@v1.43.0/http.go:154                                              (*Response).StatusCode
github.com/authelia/authelia/v4/internal/middlewares/strip_path.go:22                        StripPath.func1.1
github.com/valyala/fasthttp@v1.43.0/server.go:2338                                           (*Server).serveConn
github.com/valyala/fasthttp@v1.43.0/workerpool.go:224                                        (*workerPool).workerFunc
github.com/valyala/fasthttp@v1.43.0/workerpool.go:196                                        (*workerPool).getCh.func1
runtime/asm_amd64.s:1594                                                                     goexit"
```

My knowledge of OAuth and both tools is limited, therefore I cannot be sure it's not a configuration issue. But as far as I understand, the state parameter is not configurable, right? Do you have any idea where the problem could be located?

Kind regards

eikek commented 1 year ago

Hm, telling from Authelia's error message the state is too short. But I don't think it is less than 8 characters. Sharry creates an 8-character string and adds a signature, resulting in a length of at least 30 characters. You are right, it is not configurable, it is generated randomly.

You could maybe add these lines:

```conf
      "sharry.restserver.oauth.CodeFlow" = "Trace"
      "sharry.restserver.routes.LoginRoutes" = "Trace"
```

to the config in the logging section. It should print out more things when doing the auth flow. Then you see what sharry sends to authelia. Maybe this gives a clue.

tuxpeople commented 1 year ago

This is what I get:

```
2023.03.17 20:03:25:0000 [io-comp...] [DEBUG] sharry.restserver.routes.LoginRoutes.applyOrElse:55 - Redirecting to OAuth provider internal: https://auth.${SECRET_DOMAIN}/api/oidc/authorization?client_id=sharry&redirect_uri=https%3A%2F%2Fsharry.${SECRET_DOMAIN}%2Fapi%2Fv2%2Fopen%2Fauth%2Foauth%2Finternal%2Fresume&response_type=code
2023.03.17 20:03:25:0001 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /api/v2/open/auth/oauth/internal
2023.03.17 20:03:25:0002 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 303 See Other
2023.03.17 20:03:26:0000 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /api/v2/open/auth/oauth/internal/resume?error=invalid_state&error_description=The+state+is+missing+or+does+not+have+enough+characters+and+is+therefore+considered+too+weak.+Request+parameter+%27state%27+must+be+at+least+be+8+characters+long+to+ensure+sufficient+entropy.&state=
2023.03.17 20:03:26:0001 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 307 Temporary Redirect
2023.03.17 20:03:25:0003 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /app/login?oauth=1
2023.03.17 20:03:25:0004 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 200 OK
2023.03.17 20:03:26:0000 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 GET /api/v2/open/info/version
2023.03.17 20:03:26:0001 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 200 OK
2023.03.17 20:03:25:0005 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 POST /api/v2/sec/auth/session
2023.03.17 20:03:25:0006 [io-comp...] [INFO ] org.http4s.server.middleware.Logger - HTTP/1.1 403 Forbidden
```

Maybe I misread that, but I think there should be a state in line 1, and Sharry gets state= back in line 4, which is empty.
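To make the two observations above concrete (the maintainer's description of the state as an 8-character random string plus a signature, and the logged redirect URL that carries no state at all), here is an added example, not Sharry's or Authelia's code: it builds a signed state, verifies one echoed back by the provider, and checks a logged authorization URL for a missing or too-short state. The `<nonce>.<hmac-sha256 hex>` layout, the signing key and the example.invalid host are assumptions.

```python
import hmac
import hashlib
import secrets
import string
from urllib.parse import urlsplit, parse_qs

# Minimum state length Authelia enforces, per the error message in the issue.
MIN_STATE_LEN = 8
ALPHABET = string.ascii_letters + string.digits

def generate_state(signing_key: bytes) -> str:
    """Build a state as the maintainer describes it: an 8-character random
    string plus a signature. The "<nonce>.<hmac-sha256 hex>" layout is an
    assumption for this example, not Sharry's real format."""
    nonce = "".join(secrets.choice(ALPHABET) for _ in range(8))
    sig = hmac.new(signing_key, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{sig}"

def verify_state(state: str, signing_key: bytes) -> bool:
    """Accept a state echoed back by the provider only if it carries our signature."""
    nonce, sep, sig = state.partition(".")
    if not sep or len(nonce) != 8:
        return False
    expected = hmac.new(signing_key, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)

def check_authorize_url(url: str) -> str:
    """Inspect an outgoing authorization redirect (as logged by Sharry) and
    report whether its state parameter would satisfy the provider's minimum."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    missing = [p for p in ("client_id", "redirect_uri", "response_type") if p not in params]
    if missing:
        return "missing required parameter(s): " + ", ".join(missing)
    state = params.get("state", [""])[0]
    if not state:
        return "state missing"
    if len(state) < MIN_STATE_LEN:
        return f"state too short ({len(state)} < {MIN_STATE_LEN})"
    return "ok"

# Constructed from the redirect line in the issue log, with ${SECRET_DOMAIN}
# replaced by a placeholder host.
LOGGED_REDIRECT = (
    "https://auth.example.invalid/api/oidc/authorization?client_id=sharry"
    "&redirect_uri=https%3A%2F%2Fsharry.example.invalid%2Fapi%2Fv2%2Fopen%2Fauth%2Foauth%2Finternal%2Fresume"
    "&response_type=code"
)
```

Run `check_authorize_url` over the "Redirecting to OAuth provider" lines of a trace log to spot the same fault before the provider rejects the request.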

eikek commented 1 year ago

Oh no! You are right, the parameter is not even there. I need to look into this.

tuxpeople commented 1 year ago

Did you have a chance to look into this?

eikek commented 1 year ago

> Did you have a chance to look into this?

No, unfortunately I haven't had enough time yet.

hibare commented 1 year ago

Having the same issue. I'm trying to switch from Gokapi to Sharry.

eikek commented 1 year ago

Hi there, I just tried to reproduce, but I couldn't. It is working fine in my case. For comparison here are my configs. On a first glance I don't see any obvious differences. I also checked that the state parameter is in the url. What version of sharry are you using? Could you try the nightly version perhaps just to see if it's also in the latest build?

docker-compose.yml

```yaml
---
version: "3.8"
services:
  authelia:
    container_name: authelia
    #image: docker.io/authelia/authelia:latest
    image: ghcr.io/authelia/authelia:4
    restart: unless-stopped
    ports:
      - 9091:9091
    environment:
      AUTHELIA_JWT_SECRET_FILE: /secrets/JWT_SECRET
      AUTHELIA_SESSION_SECRET_FILE: /secrets/SESSION_SECRET
      ## AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /secrets/STORAGE_PASSWORD
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /secrets/STORAGE_ENCRYPTION_KEY
    volumes:
      - ${PWD}/data/authelia/config:/config
      - ${PWD}/data/authelia/secrets:/secrets
```

Client config in authelia

```yaml
## Clients is a list of known clients and their configuration.
clients:
  - id: sharry
    description: Sharry Test
    secret: this_is_a_secret
    sector_identifier: localhost
    public: false
    authorization_policy: one_factor
    pre_configured_consent_duration: 10M
    # audience: []
    scopes:
      - openid
      - email
      - profile
    redirect_uris:
      - http://localhost:9090/api/v2/open/auth/oauth/authelia/resume
    response_modes:
      - form_post
      - query
      - fragment
    userinfo_signing_algorithm: none
```

Sharry auth config part

```conf
{
  id = "authelia",
  enabled = true,
  name = "Authelia",
  icon = "fab fa-openid",
  scope = "profile openid email",
  authorize-url = "http://localhost:9091/api/oidc/authorization",
  token-url = "http://localhost:9091/api/oidc/token",
  user-url = "http://localhost:9091/api/oidc/userinfo",
  user-id-key = "preferred_username",
  client-id = "sharry",
  client-secret = "this_is_a_secret"
}
```

hibare commented 1 year ago

Nightly build seems to work just fine

eikek commented 1 year ago

Thanks @hibare - good to know. I'll then do a 1.12.1 release soon.

tuxpeople commented 1 year ago

I can't test right now, as my box broke down and I'm waiting for a new power supply. Looks like it will not arrive before I'm away next week. Therefore I need to trust you guys, and I'm looking forward to deploying 1.12.1.

FrankelJb commented 1 year ago

I got this working on 1.12.1. I copied the parameters from here and adjusted them to my secrets and URIs, and now it's all good.