go-vikunja / vikunja

Mirror of vikunja from https://code.vikunja.io/api
GNU Affero General Public License v3.0

invalid_scope on OIDC Login with Authelia after upgrading from 0.23.0 to 0.24.0 (& 0.24.1) #294

Closed FieldofClay closed 3 months ago

FieldofClay commented 3 months ago

Description

I have OIDC login configured with Authelia. This has been working fine until the upgrade to 0.24.x, when I have started getting an invalid_scope message when clicking the 'Login with Authelia' button. My configuration has not changed, on either Vikunja or Authelia and the Authelia version has remained the same. Downgrading to 0.23.0 resolves the issue.

Vikunja Config:

auth:
  local:
    enabled: false
  openid:
    enabled: true
    redirecturl: https://vikunja.mydomain.com/auth/openid/
    providers:
      - name: Authelia
        authurl: https://auth.mydomain.com
        logouturl:
        clientid: vikunja
        clientsecret: ###SECRET###
        scope: openid profile email

Relevant Authelia config:

identity_providers:
  oidc:
    jwks:
      - certificate_chain: |
          -----BEGIN CERTIFICATE-----
          #####################
          -----END CERTIFICATE-----
        key: |
          -----BEGIN PRIVATE KEY-----
          #####################
          -----END PRIVATE KEY-----
    hmac_secret: ###SECRET###
    cors:
      endpoints:
        - userinfo
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - https://vikunja.mydomain.com
    clients:
      - client_id: vikunja
        client_name: Vikunja
        client_secret: '###SECRET###'
        public: false
        authorization_policy: one_factor
        token_endpoint_auth_method: client_secret_post
        redirect_uris:
          - https://vikunja.mydomain.com/auth/openid/authelia
        scopes:
          - email
          - openid
          - profile

When attempting to login, this error appears in Authelia, indicating Vikunja is not sending a valid scope:

Jul 26 09:49:01 authelia authelia[26877]: time="2024-07-26T09:49:01+00:00" level=error msg="Authorization Request failed with error: The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'undefined'." method=GET path=/api/oidc/authorization remote_ip="##IPV6##" stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_authorization.go:41           OpenIDConnectAuthorization\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:114 handleRouter.NewHTTPToAutheliaHandlerAdaptor.func21\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            handleRouter.(*BridgeBuilder).Build.func16.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:91                           SecurityHeadersNoStore.func1\ngithub.com/valyala/fasthttp@v1.52.0/userdata.go:57                                           (*userData).Get\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30                           SecurityHeadersBase.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             handleRouter.(*CORSPolicy).Middleware.func22\ngithub.com/fasthttp/router@v1.5.0/router.go:441                                              (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14                       handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38                            RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.52.0/server.go:2374                                           (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:224                                        (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:196                                        (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695                                                                     goexit"

Vikunja Version

0.24.0

Browser and version

Firefox, Chrome

Can you reproduce the bug on the Vikunja demo site?

No


kolaente commented 3 months ago

Which url do you get redirected to? If you check with the browser dev tools, which requests do you see in the network tab? Are there any messages in Vikunja's logs?

FieldofClay commented 3 months ago

The URL that I end up at is:

https://vikunja.mydomain.com/auth/openid/authelia?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27undefined%27.&iss=https%3A%2F%2Fauth.mydomain.com&state=sp28wudtton

The noteworthy requests I see are:

303: https://auth.mydomain.com/api/oidc/authorization?client_id=vikunja&redirect_uri=https://vikunja.mydomain.com/auth/openid/authelia&response_type=code&scope=undefined&state=bx4s7yi6xv8
200: https://vikunja.mydomain.com/auth/openid/authelia?error=invalid_scope&error_description=The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'undefined'.&iss=https://auth.mydomain.com&state=bx4s7yi6xv8

The only thing I get out of the logs from the api server is:

Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.33178384+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 / 103.005µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.519527203+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /assets/index-BO9ASMil.css 746.091µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.727705463+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /api/v1/info 363.948µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.734677969+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /assets/llama-nightscape-mKZQPxXM.jpg 245.411µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.794996327+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /assets/llama-SxB1d0EY.svg?url 136.01µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.795594425+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /assets/no-auth-image-B3TdQwHl.jpg 489.458µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:19 vikunja vikunja[462]: 2024-08-08T15:01:19.056353522+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /auth/openid/authelia?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27undefined%27.&iss=https%3A%2F%2Fauth.mydomain.com&state=kju8qe3tcu 97.043µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0

I think it is also noteworthy to mention that I am running the manually installed binaries, using the frontend + api combo. Downgrading the frontend to 0.23.0 fixes the issue. The API server version is 0.22.1.

kolaente commented 3 months ago

Does it work if you remove the scope from Vikunja's config?

FieldofClay commented 3 months ago

No, there is no behaviour change when removing the scope from Vikunja's config. I also played around with removing scope from Authelia's config, same result.

Downgrading to 0.23.0 with scope missing allowed me to log in OK.

kolaente commented 3 months ago

If you check https://vikunja.mydomain.com/api/v1/info, which value does the scope attribute under the providers entry have?

FieldofClay commented 3 months ago

Solved. When checking that endpoint I noticed that the version was still 0.22.1. Found that Arch Linux was still using the api folder on the download server (which maxes out at 0.22.1), instead of the vikunja folder. Updated (properly) to 0.24.2 and it is all working fine.

Thanks for your assistance @kolaente!
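Added example, not Vikunja's frontend or API code, illustrating the two things this thread turns on: a provider entry without a `scope` attribute being interpolated into the authorization request as the literal string `undefined` (the `scope=undefined` request and the `invalid_scope` callback seen above), and the frontend/API version mismatch that caused it. The `/api/v1/info` field names and the two sample responses are constructed assumptions; the callback URL, state values and version numbers are the ones reported in the thread.

```javascript
// Added example (not Vikunja's code). Reproduces the scope=undefined failure
// mode and shows the checks a client should apply before redirecting a user
// to the identity provider. The /api/v1/info shape below is an assumption.

// Constructed sample responses; field names are hypothetical.
const INFO_OLD_API = {
  version: "0.22.1",                       // predates the scope attribute
  providers: [{ key: "authelia", auth_url: "https://auth.mydomain.com" }],
};
const INFO_NEW_API = {
  version: "0.24.2",
  providers: [{ key: "authelia", auth_url: "https://auth.mydomain.com",
                scope: "openid profile email" }],
};
const REDIRECT_BASE = "https://vikunja.mydomain.com/auth/openid/";

// Naive builder: template interpolation silently turns a missing field into
// the string "undefined", which the IdP then rejects as an unknown scope.
function buildAuthUrlNaive(provider, state) {
  return `${provider.auth_url}/api/oidc/authorization?client_id=vikunja` +
    `&redirect_uri=${REDIRECT_BASE}${provider.key}&response_type=code` +
    `&scope=${provider.scope}&state=${state}`;
}

// RFC 6749 section 3.3: scope = scope-token *( SP scope-token ),
// scope-token = 1*NQCHAR (printable ASCII except space, '"' and '\').
const SCOPE_RE = /^[\x21\x23-\x5B\x5D-\x7E]+( [\x21\x23-\x5B\x5D-\x7E]+)*$/;

// Checked builder: fails closed on a missing or malformed scope instead of
// guessing a default, and lets URLSearchParams do the encoding.
function buildAuthUrlChecked(provider, state) {
  if (typeof provider.scope !== "string" || !SCOPE_RE.test(provider.scope)) {
    throw new Error(`provider ${provider.key}: missing or malformed scope`);
  }
  if (typeof state !== "string" || state.length === 0) {
    throw new Error("state parameter must be a non-empty random string");
  }
  const url = new URL("/api/oidc/authorization", provider.auth_url);
  url.searchParams.set("client_id", "vikunja");
  url.searchParams.set("redirect_uri", REDIRECT_BASE + provider.key);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", provider.scope);
  url.searchParams.set("state", state);
  return url.toString();
}

// Root cause in the thread: frontend 0.24.x talking to API 0.22.1.
// Treat a major.minor mismatch between the two as a deployment error.
function sameMinorVersion(a, b) {
  const [aMaj, aMin] = a.split(".").map(Number);
  const [bMaj, bMin] = b.split(".").map(Number);
  return aMaj === bMaj && aMin === bMin;
}

// Parse the error the IdP returned on the callback URL, so the client can
// log a specific reason rather than a generic login failure.
function parseCallbackError(callbackUrl) {
  const p = new URL(callbackUrl).searchParams;
  if (!p.has("error")) return null;
  return {
    error: p.get("error"),
    description: p.get("error_description") || "",
    issuer: p.get("iss"),
  };
}

// Stand-alone demo.
for (const info of [INFO_OLD_API, INFO_NEW_API]) {
  const provider = info.providers[0];
  console.log(`API ${info.version}, frontend 0.24.2 compatible:`,
              sameMinorVersion("0.24.2", info.version));
  console.log("naive  :", buildAuthUrlNaive(provider, "bx4s7yi6xv8"));
  try {
    console.log("checked:", buildAuthUrlChecked(provider, "bx4s7yi6xv8"));
  } catch (e) {
    console.log("checked: refused ->", e.message);
  }
}
```

The checked builder deliberately refuses to substitute a default scope: a missing value means the frontend and API disagree about the provider, and surfacing that as an error is more useful than sending a request the IdP will reject or, worse, quietly requesting a different set of claims than the administrator configured.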