torbenraab / plane

OpenID Connect Support for Plane🔥 🔥 🔥 Open Source JIRA, Linear and Height Alternative. Plane helps you track your issues, epics, and product roadmaps in the simplest way possible.
http://plane.so
GNU Affero General Public License v3.0

[compatibility]: OIDC with Authelia #24

Closed Timelapser closed 1 week ago

Timelapser commented 8 months ago

Hey,

I am trying to set up OIDC with Authelia, but a successful login does not seem to properly redirect to access Plane yet. One possible issue is that Authelia needs a specific (absolute) redirect URI & in the god mode settings a wildcard seems to be defined: is there a way to find out a specific URI (or do I more likely have other misconfiguration on my end)?

Thanks!

Also see: https://github.com/authelia/authelia/discussions/4659 https://www.authelia.com/configuration/identity-providers/open-id-connect/

torbenraab commented 7 months ago

At the moment the exact URL is the URL defined in the WEB_URL property, and the frontend sends / as the redirect URL. Please try it and report your success or error messages. Thanks!

Timelapser commented 7 months ago

Hey, thanks! I changed my Authelia config to allow the base URL without the wildcard, but run into the following issue:

The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.

Some SSO providers don't require a state to be set, but Authelia is strict in requiring it to avoid CSRF attacks etc. As far as I can see the state parameter still needs to be implemented (and also appears empty in my URL).

torbenraab commented 7 months ago

I will look into it before releasing the new dev version

torbenraab commented 7 months ago

Could you already test it? Is everything working?

Timelapser commented 7 months ago

Hey, the new state seems to be working & I have successfully logged in with Authelia now!

I have one more odd issue which I would like to know if you have any insights on; otherwise I can create a new issue for it. I am still testing what exact scenarios trigger this but have been able to somewhat repro it twice.

The following error happened when inviting new test users, sometime after accepting the invite & being brought back to the log-in screen logging in with OIDC: Error signing in! The payload is not valid

Followed by this triggering continuously: Error signing in! Something went wrong please try again later

Logs:

```text
WARNING Bad Request: /api/oidc-auth/
"POST /api/oidc-auth/ HTTP/1.0" 400

Internal Server Error: /api/oidc-auth/
"POST /api/oidc-auth/ HTTP/1.0" 500

Failed to obtain access token: {'error': 'invalid_grant', 'error_description': 'The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The authorization code has already been used.'}
```
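The two failure modes in this thread (an empty `state`, and a callback re-submitted with an authorization code that was already exchanged) are both things the relying party can catch before it ever calls the token endpoint. The class below is an added Python example, not Plane's own code: the session id, the 600-second TTL and the in-memory stores are assumptions, and it shows a state bound to the browser session that started the login, accepted exactly once, plus a single-use check on the authorization code.

```python
import secrets
import time

STATE_TTL_SECONDS = 600  # assumed lifetime of a pending login attempt


class OidcLoginGuard:
    """Server-side bookkeeping for the OIDC authorization-code flow.

    - new_state() issues a fresh random `state` bound to the browser session
      that started the login (this is what defeats login CSRF: a callback
      carrying a state minted for a different session is rejected).
    - consume_callback() accepts each state once and each authorization
      code once, so a re-submitted callback is refused locally instead of
      being forwarded to the token endpoint and failing with invalid_grant.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}      # state -> (session_id, expiry)
        self._used_codes = set()

    def new_state(self, session_id: str) -> str:
        # 32 random bytes -> 43 URL-safe chars, well above Authelia's 8-char floor
        state = secrets.token_urlsafe(32)
        self._pending[state] = (session_id, self._now() + STATE_TTL_SECONDS)
        return state

    def consume_callback(self, session_id: str, state: str, code: str):
        """Return (ok, reason). Only an ok result should reach the token endpoint."""
        if not state or len(state) < 8:
            return False, "state missing or too short"
        entry = self._pending.pop(state, None)   # pop: a state is valid once
        if entry is None:
            return False, "unknown or already-consumed state"
        owner, expiry = entry
        if owner != session_id:
            return False, "state belongs to another session"
        if self._now() > expiry:
            return False, "state expired"
        if not code or code in self._used_codes:
            return False, "authorization code missing or already exchanged"
        self._used_codes.add(code)
        return True, "ok"
```

In a real deployment the pending states and used codes live in the session store or a shared cache rather than in process memory, so they survive restarts and are shared across workers.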
torbenraab commented 7 months ago

I will look into it. I renamed the issue.

vai commented 5 months ago

Just a comment that the same issue blocked Zitadel - the BASE_URL and the redirect URL need to match exactly.

And a question - what are the plans to keep this fork updated? I find it invaluable - I'm a tiny organization, and running my own IdP and avoiding per-seat costs for tooling is necessary for me. I can only contribute some testing and Zitadel setup docs for now.

osenchenko commented 2 weeks ago

I confirm that v0.23.1 works with Authelia.

settings for plane:

```shell
OIDC_CLIENT_ID="client_id"
OIDC_CLIENT_SECRET="client_secret"
OIDC_URL_AUTHORIZATION="https://authelia.acme.corp/api/oidc/authorization"
OIDC_URL_TOKEN="https://authelia.acme.corp/api/oidc/token"
OIDC_URL_USERINFO="https://authelia.acme.corp/api/oidc/userinfo"
```

setting for Authelia:

```yaml
- client_id: 'client_id'
  client_name: 'plane'
  client_secret: "client_secret"
  redirect_uris:
  - 'https://plane.acme.corp/auth/oidc/'
  scopes:
  - 'openid'
  - 'offline_access'
  - 'profile'
  - 'email'
  userinfo_signed_response_alg: 'none'
  token_endpoint_auth_method: 'client_secret_basic'
```

Timelapser commented 1 week ago

Just to double that confirmation: it works for me as well and the previously mentioned errors are no longer present!