matrix-org / matrix-authentication-service

OAuth2.0 + OpenID Provider for Matrix Homeservers
https://matrix-org.github.io/matrix-authentication-service/
Apache License 2.0

introspection_endpoint missing auth signing algorithm values #3126

Open rabidpug opened 4 weeks ago

rabidpug commented 4 weeks ago

Hi,

I have started getting the following error and am unable to authenticate. The provider is Authelia's OIDC.

ERROR http.server.request{otel.kind="server" otel.name="GET /upstream/authorize/:provider_id" network.protocol.name="http" network.protocol.version="1.1" http.request.method="GET" url.path="/upstream/authorize/xxxxxxxxxxxx" url.scheme="http" http.route="/upstream/authorize/:provider_id" user_agent.original="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"}:handlers.upstream_oauth2.authorize.get{upstream_oauth_provider.id=xxxxxxxxxxxxxxxxx}:metadata_cache.get{issuer=https://login.xxxxxx.xxx}:metadata_cache.fetch{issuer=https://login.xxxxxxx.xxx}: mas_handlers::upstream_oauth2::cache: crates/handlers/src/upstream_oauth2/cache.rs:195: error=introspection_endpoint missing auth signing algorithm values

Not sure if this is what it's referring to, but it appears signing alg RS256 is at least supported.

>  curl -fsSL https://login.xxxxxxxxx.xx/.well-known/openid-configuration | jq '. | with_entries(select(.key | startswith("introspection")))'
{
  "introspection_endpoint": "https://login.xxxxxxxx.xxx/api/oidc/introspection",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "introspection_signing_alg_values_supported": [
    "RS256",
    "none"
  ]
}

Let me know what other information you might need to understand the issue and I'll provide it.

Thanks!

sandhose commented 2 weeks ago

This is technically an issue on Authelia's OIDC metadata. The metadata is supposed to be called introspection_endpoint_auth_signing_alg_values_supported, not introspection_signing_alg_values_supported.

I think you should be able to bypass this check by setting the provider discovery_mode to insecure, e.g.

upstream_oauth2:
  providers:
    - id: ...
      issuer: https://foo/
      discovery_mode: insecure
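
To make the check concrete, here is an added example (not code from matrix-authentication-service or Authelia) that validates the introspection section of an OIDC discovery document against the RFC 8414 key names; the `strict` flag is an assumed stand-in for `discovery_mode: insecure`, and the sample document is a constructed copy of the jq output above with a placeholder issuer.

```python
"""Added example: validate the introspection metadata in an OIDC discovery
document the way strict discovery expects it (RFC 8414 key names)."""
import json

# RFC 8414: this key MUST be present when introspection_endpoint_auth_methods_supported
# lists client_secret_jwt or private_key_jwt.
AUTH_ALG_KEY = "introspection_endpoint_auth_signing_alg_values_supported"
# Similar-looking key from the issue's metadata; it does not satisfy that requirement.
OTHER_ALG_KEY = "introspection_signing_alg_values_supported"
JWT_AUTH_METHODS = {"client_secret_jwt", "private_key_jwt"}

# Constructed sample modelled on the jq output in the issue (issuer is a placeholder).
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://login.example.invalid",
  "introspection_endpoint": "https://login.example.invalid/api/oidc/introspection",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt"],
  "introspection_signing_alg_values_supported": ["RS256", "none"]
}""")


def check_introspection_metadata(doc: dict, strict: bool = True) -> list[str]:
    """Return findings for the introspection-related metadata; [] means it passes.

    strict=False mirrors (as an assumption) what discovery_mode: insecure does:
    the missing-key error is skipped, but the 'none' algorithm is still reported."""
    findings: list[str] = []
    if "introspection_endpoint" not in doc:
        return findings  # no introspection endpoint advertised, nothing to check
    methods = set(doc.get("introspection_endpoint_auth_methods_supported", []))
    needs_alg_key = bool(methods & JWT_AUTH_METHODS)
    if strict and needs_alg_key and AUTH_ALG_KEY not in doc:
        msg = f"introspection_endpoint missing {AUTH_ALG_KEY}"
        if OTHER_ALG_KEY in doc:
            msg += f" (found {OTHER_ALG_KEY} instead; not the same key)"
        findings.append(msg)
    # alg "none" means an unsigned JWT; a provider advertising it deserves a second look.
    for key in (AUTH_ALG_KEY, OTHER_ALG_KEY):
        if "none" in doc.get(key, []):
            findings.append(f"{key} advertises alg 'none' (unsigned JWTs)")
    return findings


if __name__ == "__main__":
    for finding in check_introspection_metadata(SAMPLE_METADATA):
        print("FINDING:", finding)
```

Run against the sample it reports the missing RFC 8414 key (pointing at the similarly named one) and the advertised `none` algorithm; with `strict=False` only the `none` finding remains.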

matrixbot commented 4 days ago

For your information, this issue has been copied over to the Element fork of matrix-authentication-service: https://github.com/element-hq/matrix-authentication-service/issues/3126