pulsejet / nextcloud-oidc-login

Nextcloud login via a single OpenID Connect 1.0 provider
https://apps.nextcloud.com/apps/oidc_login
GNU Affero General Public License v3.0

The provider authorization_endpoint could not be fetched #235

Open YabaiKai opened 1 year ago

YabaiKai commented 1 year ago

Hi All,

I'm trying to get my Authelia instance to play nice with Nextcloud using this wonderful creation, but despite poring over my configs for the last several hours, I cannot get Nextcloud to reach Authelia, instead getting an error message "The provider authorization_endpoint could not be fetched. Make sure your provider has a well known configuration available."

I am running both Nextcloud and Authelia in docker containers, all behind an Nginx proxy (which I suspect might be the issue).

Here is my config for Nextcloud:

  'allow_user_to_change_display_name' => false,
  'lost_password_link' => 'disabled',
  'overwriteprotocol' => 'https',
  'allow_local_remote_servers' => true,
  'oidc_login_provider_url' => 'https://auth.<myinstance>.com',
  'oidc_login_client_id' => 'nextcloud',
  'oidc_login_client_secret' => '$goodsecret',
  'oidc_login_auto_redirect' => false,
  'oidc_login_end_session_redirect' => false,
  'oidc_login_button_text' => 'Log in with Authelia',
  'oidc_login_hide_password_form' => false,
  'oidc_login_use_id_token' => true,
  'oidc_login_attributes' => 
  array (
    'id' => 'sub',
    'name' => 'name',
    'mail' => 'email',
    'groups' => 'groups',
  ),
  'oidc_login_default_group' => 'oidc',
  'oidc_login_use_external_storage' => false,
  'oidc_login_scope' => 'openid profile email groups',
  'oidc_login_proxy_ldap' => false,
  'oidc_login_disable_registration' => true,
  'oidc_login_redir_fallback' => false,
  'oidc_login_alt_login_page' => 'assets/login.php',
  'oidc_login_tls_verify' => true,
  'oidc_create_groups' => false,
  'oidc_login_webdav_enabled' => false,
  'oidc_login_password_authentication' => false,
  'oidc_login_public_key_caching_time' => 86400,
  'oidc_login_min_time_between_jwks_requests' => 10,
  'oidc_login_well_known_caching_time' => 86400,
  'oidc_login_update_avatar' => false,

And the config in Authelia:

identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    hmac_secret: $goodsecret
    issuer_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      <snip>
      -----END RSA PRIVATE KEY-----
    clients:
    - id: nextcloud
      description: NextCloud
      secret: '$goodsecret'
      public: false
      authorization_policy: two_factor
      redirect_uris:
        - https://cloud.<myinstance>.com/apps/oidc_login/oidc
        - https://openidconnect.net/callback
        - https://oidcdebugger.com/debug
      scopes:
        - openid
        - profile
        - email
        - groups
      userinfo_signing_algorithm: none

As you can tell from my redirect_uris I used both openidconnect.net and oidcdebugger.com to test the Authelia side of things, and it all appears working fine. Any ideas? My only thought is that it has to be the reverse proxy not playing nice with Nextcloud as it appears from the logs that it's never reaching Authelia in the first place.

pulsejet commented 1 year ago

Your nextcloud instance should be able to reach https://auth.<myinstance>.com/.well-known/openid-configuration, which should return JSON something like this. Is this the case?

YabaiKai commented 1 year ago

So I'm assuming this is my problem, that my Nextcloud instance can't reach https://<myinstance>.com/.well-known/openid-configuration. I can reach it however, both internally and externally, so I'm not sure what the problem is. Do you have any tips for debugging? I noticed when I used openidconnect.net and oidcdebugger.com, I would at least get errors in my Authelia logs, but I see nothing for this Nextcloud plugin.

This is the JSON I see, a few lines shorter than your example, but nothing critical missing. I put a newline after each comma for easier reading. Do you see any problems?

{"issuer":"https://auth.<instance>.com",
"jwks_uri":"https://auth.<instance>.com/jwks.json",
"authorization_endpoint":"https://auth.<instance>.com/api/oidc/authorization",
"token_endpoint":"https://auth.<instance>.com/api/oidc/token",
"subject_types_supported":["public"],
"response_types_supported":["code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token",
"none"],
"response_modes_supported":["form_post",
"query",
"fragment"],
"scopes_supported":["offline_access",
"openid",
"profile",
"groups",
"email"],
"claims_supported":["amr",
"aud",
"azp",
"client_id",
"exp",
"iat",
"iss",
"jti",
"rat",
"sub",
"auth_time",
"nonce",
"email",
"email_verified",
"alt_emails",
"groups",
"preferred_username",
"name"],
"introspection_endpoint":"https://auth.<instance>.com/api/oidc/introspection",
"revocation_endpoint":"https://auth.<instance>.com/api/oidc/revocation",
"code_challenge_methods_supported":["S256"],
"require_pushed_authorization_requests":false,
"userinfo_endpoint":"https://auth.<instance>.com/api/oidc/userinfo",
"id_token_signing_alg_values_supported":["RS256"],
"userinfo_signing_alg_values_supported":["none",
"RS256"],
"request_object_signing_alg_values_supported":["none",
"RS256"],
"request_uri_parameter_supported":false,
"require_request_uri_registration":false,
"claims_parameter_supported":false,
"frontchannel_logout_supported":false,
"frontchannel_logout_session_supported":false,
"backchannel_logout_supported":false,
"backchannel_logout_session_supported":false}

Reinitialized commented 1 year ago
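One way to answer "do you have any tips for debugging?" is to fetch the discovery document from the same place Nextcloud runs (inside its container, so it sees the same DNS, proxy and TLS view) and check it the way a relying party would. The script below is an added example and is not part of this thread or of the oidc_login app; `check_discovery`, `well_known_url` and `fetch_discovery` are hypothetical helpers, and the host `auth.example.invalid` in the embedded sample is a constructed placeholder standing in for `auth.<instance>.com`. It goes slightly beyond the posted JSON by also flagging an `issuer` that does not match the configured provider URL, endpoints that point at a different host, and non-https endpoints, which are the usual ways a reverse proxy in front of the provider breaks discovery without the provider ever logging a request.

```python
"""Sanity-check an OpenID Connect discovery document the way an RP would.
Added example (not oidc_login code). Run with a provider URL to fetch it live,
or with no arguments to check the embedded constructed sample."""
import json
import sys
import urllib.request
from urllib.parse import urlparse

# Fields an RP such as oidc_login needs before it can start the code flow.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Endpoints that must be https and live on the provider's own host.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")

# Constructed sample modelled on the Authelia document above; host is a placeholder.
SAMPLE_DISCOVERY = """{
  "issuer": "https://auth.example.invalid",
  "jwks_uri": "https://auth.example.invalid/jwks.json",
  "authorization_endpoint": "https://auth.example.invalid/api/oidc/authorization",
  "token_endpoint": "https://auth.example.invalid/api/oidc/token",
  "userinfo_endpoint": "https://auth.example.invalid/api/oidc/userinfo",
  "id_token_signing_alg_values_supported": ["RS256"]
}"""


def well_known_url(provider_url):
    """Derive the discovery URL from the configured provider URL (oidc_login_provider_url)."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(provider_url, body):
    """Return a list of human-readable problems; an empty list means the document is usable."""
    problems = []
    try:
        doc = json.loads(body)
    except ValueError as exc:
        # A proxy returning an HTML error page or a login redirect lands here.
        return ["response is not JSON: %s" % exc]
    if not isinstance(doc, dict):
        return ["response is not a JSON object"]

    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append("missing required field %s" % key)

    # Per OIDC Discovery the issuer must equal the URL the RP was configured with;
    # behind a reverse proxy a mismatch usually means the provider sees a different
    # Host / X-Forwarded-* value than the public URL.
    issuer = doc.get("issuer")
    if isinstance(issuer, str) and issuer.rstrip("/") != provider_url.rstrip("/"):
        problems.append("issuer %r does not match provider URL %r" % (issuer, provider_url))

    expected_host = urlparse(provider_url).hostname
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if not isinstance(value, str) or not value:
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append("%s is not https: %s" % (key, value))
        if parsed.hostname != expected_host:
            problems.append("%s points at a different host than the provider: %s" % (key, value))
    return problems


def fetch_discovery(provider_url, timeout=10):
    """Fetch the discovery document over the network (not exercised offline)."""
    req = urllib.request.Request(well_known_url(provider_url),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        url, body = sys.argv[1], fetch_discovery(sys.argv[1])
    else:
        url, body = "https://auth.example.invalid", SAMPLE_DISCOVERY
    found = check_discovery(url, body)
    print("checked %s" % well_known_url(url))
    for line in found:
        print("  PROBLEM: %s" % line)
    if not found:
        print("  discovery document looks usable")
    sys.exit(1 if found else 0)
```

Run it from inside the Nextcloud container (for example with `docker exec`) with the exact value of `oidc_login_provider_url`; a TLS or DNS failure at that point, rather than a reported problem, shows the container cannot reach the provider at all even though the document is reachable from a browser.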

Hey @King-Cole, this seems related #199 as I ran into this myself today. Try the following and see if it fixes for you:

YabaiKai commented 1 year ago

Thank you for the idea! I think my instance is already set this way though. https://auth.<myinstance>.com is my base URL. Adding /.well-known/openid-configuration to that gets me to my JSON page. I do not have the subdirectories in the middle like in your case. Let me know if I misunderstood or you have any other ideas!