Can't use SSO with Authelia #16

Open
ProjectMoon opened this issue Nov 24, 2024 · 4 comments


@ProjectMoon

Describe the bug
When I set up Authelia for SSO, I get an error in the logs that says something along the lines of "OAuth response is not conform." This seems to come from the underlying NextJS OAuth library, next-auth.

However, there is no indication of what the error actually is.

The configuration should be correct; I do not have issues with other self-hosted services. I also don't see any requests coming in to Authelia from Perplexideez, which is odd.

Error in logs:

{"level":"error","time":1732435293101,"pid":1,"hostname":"6422838d319e","err":{"type":"OperationProcessingError","message":"\"response\" is not a conform Authorization Server Metadata response","stack":"OperationProcessingError: \"response\" is not a conform Authorization Server Metadata response\n    at OPE (file:///app/node_modules/.pnpm/[email protected]/node_modules/oauth4webapi/build/index.js:92:12)\n    at Module.processDiscoveryResponse (file:///app/node_modules/.pnpm/[email protected]/node_modules/oauth4webapi/build/index.js:221:15)\n    at getAuthorizationUrl (file:///app/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/lib/actions/signin/authorization-url.js:23:28)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async Module.signIn (file:///app/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/lib/actions/signin/index.js:10:56)\n    at async AuthInternal (file:///app/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/lib/index.js:62:24)\n    at async Auth (file:///app/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/index.js:111:34)\n    at async respond (file:///app/build/server/index.js:3496:22)\n    at async Array.ssr (file:///app/build/handler.js:1270:3)","code":"OAUTH_RESPONSE_IS_NOT_CONFORM","name":"OperationProcessingError"},"msg":"Error in auth"}

Is there a way to change the log level to hopefully get more useful info?


Desktop (please complete the following information):

  • OS: Gentoo Linux
  • Browser Firefox
  • Version 132

Smartphone (please complete the following information):

  • Device: Pixel 7 Pro
  • OS: CalyxOS (Android 15)
  • Browser Firefox
  • Version 132

Additional context
Environment variables are set in .env, and available in the container. They are correct on both the Authelia end and the Perplexideez end.

@chartmann1590

I set mine up using authentik. And one thing I noticed was in this documentation, it says to share the well known configuration. But it actually wants the issuer link. So perhaps try changing the variable to the authentication issuer URL instead in the environment variables file.

@ProjectMoon (Author)

> I set mine up using authentik. And one thing I noticed was in this documentation, it says to share the well known configuration. But it actually wants the issuer link. So perhaps try changing the variable to the authentication issuer URL instead in the environment variables file.

Thanks for the tip. What would be the issuer URL instead of the well known URL? I'm currently using the well known URL. I'm not asking for the specifics of Authelia, but more what an OIDC issuer URL is in general.

@chartmann1590

OpenID Configuration URL: https://authurl.com/application/o/perplexideez/.well-known/openid-configuration

This is the discovery endpoint.

It provides a JSON document containing metadata about the identity provider, including all other endpoints listed in this configuration (e.g., authorize, token, etc.).

Applications can use this endpoint to dynamically fetch the necessary details for OIDC interactions.

OpenID Configuration Issuer: https://authurl.com/application/o/perplexideez/

The issuer is a unique identifier for the identity provider or authorization server.

The iss claim in tokens (e.g., ID tokens) will match this URL, ensuring that the token was issued by the expected identity provider.
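The distinction drawn in the comment above, as an added example that is not code from Perplexideez, Auth.js or oauth4webapi: a relying party derives the discovery endpoint from the issuer identifier by appending the well-known path (OpenID Connect Discovery 1.0, section 4), and then has to check that the document it gets back is a usable metadata response whose `issuer` equals the one it expected. The metadata document, the `auth.example.com` issuer and the endpoint paths below are constructed placeholders, not Authelia's or authentik's real output; `demo()` is an assumed helper.

```javascript
// Added example, not code from Perplexideez, Auth.js or oauth4webapi.
// Shows how an OIDC relying party turns an issuer identifier into the
// discovery URL and which checks a "conform" metadata response must pass.

const WELL_KNOWN = "/.well-known/openid-configuration";

// Discovery 1.0 section 4.1: append the well-known path to the issuer's path
// component. Issuer identifiers must not carry a query or fragment.
function discoveryUrlFor(issuer) {
  const url = new URL(issuer);
  if (url.search || url.hash) {
    throw new Error("issuer identifier must not contain a query or fragment");
  }
  url.pathname = url.pathname.replace(/\/$/, "") + WELL_KNOWN;
  return url.href;
}

// A minimal version of the checks a client library applies to the discovery
// response. Each failure names its reason so a misconfiguration shows up in
// the logs instead of a generic "not conform" message.
function validateDiscoveryResponse(expectedIssuer, status, body) {
  if (status !== 200) {
    return { ok: false, reason: `discovery endpoint returned HTTP ${status}` };
  }
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, reason: "metadata body is not a JSON object" };
  }
  if (typeof body.issuer !== "string" || body.issuer.length === 0) {
    return { ok: false, reason: "metadata has no string issuer" };
  }
  // Section 4.3: the issuer in the document MUST match the one the client
  // expects; tokens are later checked against this same value via "iss".
  if (new URL(body.issuer).href !== new URL(expectedIssuer).href) {
    return {
      ok: false,
      reason: `metadata issuer ${body.issuer} does not match ${expectedIssuer}`,
    };
  }
  for (const key of ["authorization_endpoint", "token_endpoint", "jwks_uri"]) {
    if (typeof body[key] !== "string") {
      return { ok: false, reason: `metadata lacks ${key}` };
    }
  }
  return { ok: true, metadata: body };
}

// Constructed sample: an issuer at the host root, as in the reporter's setup.
// Endpoint paths are placeholders, not any provider's real paths.
const ISSUER = "https://auth.example.com";
const SAMPLE_METADATA = {
  issuer: "https://auth.example.com",
  authorization_endpoint: "https://auth.example.com/oauth2/authorize",
  token_endpoint: "https://auth.example.com/oauth2/token",
  jwks_uri: "https://auth.example.com/oauth2/jwks",
};

// Assumed helper for running the file directly.
function demo() {
  console.log(discoveryUrlFor(ISSUER));
  console.log(validateDiscoveryResponse(ISSUER, 200, SAMPLE_METADATA));
  // If the issuer setting is pointed at the well-known URL itself, the
  // well-known path is appended a second time and discovery cannot succeed.
  console.log(discoveryUrlFor(ISSUER + WELL_KNOWN));
  console.log(validateDiscoveryResponse(ISSUER, 404, null));
}

if (typeof require !== "undefined" && require.main === module) {
  demo();
}
```

The last two calls in `demo()` are the point of the example: the issuer value must be the bare identifier, because the library appends the well-known suffix itself, and a response that is not a 200 with a matching `issuer` is rejected before any request to the authorization endpoint is made.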

@ProjectMoon (Author)

ProjectMoon commented Nov 24, 2024

OK, that got Perplexideez to call Authelia. I set the issuer URL directly to the value from the well-known discovery endpoint. It's just my root auth URL.

But it seems that Perplexideez is not sending the state parameter, which Authelia requires to be at least 8 characters. It seems like NextAuth supports this, but when using a custom OIDC provider, it seems that explicitly enabling the check is necessary: `checks: ["state"] as const` in `src/lib/auth.ts` should work...

Perhaps best way would be to have another env var like OIDC_CHECKS that is passed in to the provider?
