Kasm OpenID Configueration failing with a "Missing access token parameter" error.

[obadaahmar]

Describe the bug Kasm is facing an "Internal Error" whenever I try to authenticate via Authentik's OpenID setup, the logs spits out this error: "oauthlib/oauth2/rfc6749/parameters.py\", line 451, in validate_token_parameters\noauthlib.oauth2.rfc6749.errors.MissingTokenError: (missing_token) Missing access token parameter."

To Reproduce Steps to reproduce the behavior:

1. Go to 'kasm.domain.tld'
2. Click on 'login via Authentik'
3. Get"Internal Error" page.

Expected behavior A successful authorisation via Authentik OpenID.

Screenshots Included are the Authentik and Kasm OpenID setup:

Logs Output of docker-compose logs or kubectl logs respectively

kasm log for the error: "message": "Unhandled exception occurred\nTraceback (most recent call last):\n File \"cherrypy/_cprequest.py\", line 628, in respond\n File \"cherrypy/_cprequest.py\", line 687, in _do_respond\n File \"cherrypy/lib/encoding.py\", line 219, in __call__\n File \"cherrypy/_cpdispatch.py\", line 54, in __call__\n File \"utils.py\", line 99, in wrapper\n File \"client_api.py\", line 952, in oidc_callback\n File \"authentication/oidc/__init__.py\", line 52, in process_callback\n File \"requests_oauthlib/oauth2_session.py\", line 360, in fetch_token\n File \"oauthlib/oauth2/rfc6749/clients/base.py\", line 427, in parse_request_body_response\n File \"oauthlib/oauth2/rfc6749/parameters.py\", line 441, in parse_token_response\n File \"oauthlib/oauth2/rfc6749/parameters.py\", line 451, in validate_token_parameters\noauthlib.oauth2.rfc6749.errors.MissingTokenError: (missing_token) Missing access token parameter."

Application authroized log from Authentik:

Context
{
    "asn": {
        "asn": 43357,
        "as_org": "Owl Limited",
        "network": "103.136.147.0/24"
    },
    "geo": {
        "lat": -33.8715,
        "city": "Sydney",
        "long": 151.2006,
        "country": "AU",
        "continent": "OC"
    },
    "flow": "4a09a248d5cexxxxxxxxxxxxxxxxxxxxxx",
    "scopes": "profile email openid",
    "http_request": {
        "args": {
            "scope": "email openid profile",
            "state": "708228d4803e4907870cdbxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "client_id": "cGjahZGUW7dxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "redirect_uri": "https://kasm.domain.tld/api/oidc_callback",
            "response_type": "code"
        },
        "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/",
        "method": "GET",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
    },
    "authorized_application": {
        "pk": "d2d9f364xxxxxxxx",
        "app": "authentik_core",
        "name": "Kasm",
        "model_name": "application"
    }
}
User
{
    "pk": 9,
    "email": "first.last@domain.tld",
    "username": "firstlast"
}

Version and Deployment (please complete the following information):

• authentik version: [2024.2.2]
• Deployment: [docker via UnRaid]

[CrustyB]

same issue. If I browse the URL at all, I get a internal error. https://fqdn.com/api/oidc_callback Seems completely independent of Authentik or any other OIDC resource.

[sgtslaughta]

Can confirm as well on 2023.10.3

[aldervall]

Getting this on Zitadel IdP also.

Unhandled exception occurred Traceback (most recent call last): File "cherrypy/_cprequest.py", line 628, in respond File "cherrypy/_cprequest.py", line 687, in _do_respond File "cherrypy/lib/encoding.py", line 219, in call File "cherrypy/_cpdispatch.py", line 54, in call File "utils.py", line 99, in wrapper File "client_api.py", line 947, in oidc_callback KeyError: 'state'

[sgtslaughta]

Update

• After some trial and error, it appears as if it was some configuration issues on both ends. If you are using something like a Cloudflare tunnel or reverse proxy, be very mindful of how each end will be accessing each other. For example, public DNS domains may not be accessible behind a reverse proxy, among other considerations. Furthermore, both applications will generate the connection strings/urls based off how you are accessing the server. For example: creating the provider in Authentik and accessing the server via https://192.168.1.10, the strings will be generated using that as the host in the URI. This may not be how Kasm is accessing Authentik.

Solution

• Both Oauth2 and SAML tested and working, accessing Kasm via Cloudflare tunnels. We had to add Authentik as another CF tunnel endpoint so that Kasm could redirect properly (public subdomain -> public subdomain). If you don't want to expose your SSO, you could use CF Access applications to restrict access OR use LDAP for back-end auth. I am not an expert and there is probably a 'better' more 'correcter' way, but it worked for us.

[Archgeus]

I have this issue as well. Exactly like OP described.

[CrustyB]

No Cloudflare in my setup. My issue is between the authentik server on 192.168.1.5 and the kasm on 192.168.1.10... The KASM url itself generates an Internal error... that can't be right.

[CrazyWolf13]

@obadaahmar I could get it working.

I got the same error as you, but could solve it.

Possibly you can try the following:

• Setting hostname in kaasm: https://auth.yourdomain.tld
• Create a new group (for example "kaasm-admin") then add that group to your user and set the kaasm group mapping to that name, possibly it doesn't like spaces.
• Set the subject mode back to user's hashed ID.
• Set username mapping to "preferred_username" in kaasm

That steps worked for me :)