immich-app / immich

High performance self-hosted photo and video management solution.
https://immich.app
GNU Affero General Public License v3.0

Immich expects a plain JSON object instead of a signed RS256 user info OAuth object #7877

Closed iamarkadyt closed 2 months ago

iamarkadyt commented 6 months ago

Setup

Authelia. Immich. Both configured to use/expect signing algorithm RS256.

What's broken

Authelia redirects back to Immich after signing in with the user info object. Signed with RS256. Immich does not recognize it and fails with the error below. Basically expecting a plain JSON object.

Current workaround

Disable user info object signing in Authelia. Something interesting here is that even if I instruct Immich to expect RS256 signed info (Signing Algorithm setting in OAuth section) and send it a plain JSON object (through Authelia) it still recognizes it and allows me through. Would that be considered a security issue?

Error message from the docker container

[Nest] 8  - 03/11/2024, 11:30:28 PM   ERROR [SyntaxError: Unexpected token 'e', "eyJhbGciOi"... is not valid JSON
    at JSON.parse (<anonymous>)
    at Client.userinfo (/usr/src/app/node_modules/openid-client/lib/client.js:1291:23)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async AuthService.callback (/usr/src/app/dist/domain/auth/auth.service.js:160:25)
    at async OAuthController.finishOAuth (/usr/src/app/dist/immich/controllers/oauth.controller.js:37:38)] Failed to finish oauth

The OS that Immich Server is running on

Linux

Version of Immich Server

v1.98.1

Version of Immich Mobile App

n/a

Platform with the issue

Reproduction steps

1. Set up an OAuth client for Immich in Authelia.
2. Set up Client secret, id, URL and other parameters in Immich OAuth settings.
3. Set up user info signing with RS256 in both Authelia and Immich.
4. Once logged in to Authelia and redirected back to Immich, a UI error shows up that says "failed to finish oauth".

Additional information

No response

ywjdlq commented 6 months ago

Same problem. Update: setting Authelia 'userinfo_signing_algorithm: none' works.

iamarkadyt commented 6 months ago

@ywjdlq sure, but then you're sending a plain object instead of signing it to verify authenticity

gravelfreeman commented 4 months ago

Same problem. Update: setting Authelia 'userinfo_signing_algorithm: none' works.

I'm having the same issue. @ywjdlq may I ask you if you've updated to v1.95.1? Because this version has a breaking change requesting use of RS256 which seems to be broken in Authelia or I'm unable to set it up.

I believe this is the reason why this issue is still open, because @iamarkadyt is on version 1.98.1, which requires RS256 to be set up.

Immich documentation is still referencing Authelia documentation which is outdated.

I hope someone will bring the right configuration to set up RS256 with Authelia and Immich.

iamarkadyt commented 4 months ago

@gravelfreeman I'm actually not using the RS256 signing at the moment. Enabling it breaks the Authelia <> Immich integration. Everything works after disabling it however (userinfo_signed_response_alg: 'none'). Not as secure, but works for me for now.

Regarding the documentation you linked, most of it is correct, but I have a few settings added:

client:
  grant_types:
    - authorization_code
    - refresh_token
  response_types:
    - code
  response_modes:
    - form_post
    - query
    - fragment

jrasm91 commented 2 months ago

The signing algorithm setting in immich maps to id_token_signed_response_alg in the oauth specification. This is separate from userinfo_signed_response_alg. The first setting specifies to sign the id token with that algorithm. The latter is plain json by default.

I've added a new immich setting profileSigningAlgorithm, which will map to this setting. This will be "fixed" (an enhancement request really), once #10756 is merged.

iamarkadyt commented 2 months ago

Thank you @jrasm91! :heart: