Closed: iamarkadyt closed this issue 2 months ago
Same problem. Update: setting Authelia 'userinfo_signing_algorithm: none' works.
@ywjdlq sure, but then you're sending a plain object instead of signing it to verify authenticity
I'm having the same issue. @ywjdlq, may I ask if you've updated to v1.95.1? This version has a breaking change requesting use of RS256, which seems to be broken in Authelia, or I'm unable to set it up.
I believe this is the reason why this issue is still open, because @iamarkadyt is on version 1.98.1, which requires RS256 to be set up.
Immich documentation is still referencing Authelia documentation, which is outdated.
I hope someone will bring the right configuration to set up RS256 with Authelia and Immich.
@gravelfreeman I'm actually not using the RS256 signing at the moment. Enabling it breaks the Authelia <> Immich integration. Everything works after disabling it, however (userinfo_signed_response_alg: 'none'). Not as secure, but works for me for now.
Regarding the documentation you linked, most of it is correct, but I have a few settings added:
```yaml
# Authelia OIDC client fragment as posted; the remaining client fields were
# omitted in the original post. The stray colon after "code" has been removed.
client:
  grant_types:
    - authorization_code
    - refresh_token
  response_types:
    - code
  response_modes:
    - form_post
    - query
    - fragment
```
The signing algorithm setting in immich maps to id_token_signed_response_alg in the oauth specification. This is separate from userinfo_signed_response_alg. The first setting specifies to sign the id token with that algorithm. The latter is plain json by default.

I've added a new immich setting profileSigningAlgorithm, which will map to this setting. This will be "fixed" (an enhancement request really), once #10756 is merged.
Thank you @jrasm91! :heart:
Setup
Authelia. Immich. Both configured to use/expect signing algorithm RS256.
What's broken
Authelia redirects back to Immich after signing in with the user info object, signed with RS256. Immich does not recognize it and fails with the error below. Basically, it is expecting a plain JSON object.
Current workaround
Disable user info object signing in Authelia. Something interesting here: even if I instruct Immich to expect RS256-signed info (Signing Algorithm setting in the OAuth section) and send it a plain JSON object (through Authelia), it still recognizes it and allows me through. Would that be considered a security issue?
Error message from the docker container
The OS that Immich Server is running on
Linux
Version of Immich Server
v1.98.1
Version of Immich Mobile App
n/a
Platform with the issue
Reproduction steps
Additional information
No response