OIDC redirect uri received wrong #2254

mikimite opened this issue Jan 16, 2025 · 2 comments
Labels
🐛 Bug Something isn't working

Comments

@mikimite

Environment

Docker

Version

0.15.10

Describe the problem

Problem

I am setting the system through plain http with homarr and authentik, all managed with traefik.
Somehow, the uri received by the Identity provider is forced to https, different to the one I and homarr only shows the provided Logs. Seems to me that.

Also, when it fails on error, it also redirects to https.

https://dashboard.<secret>/api/auth/error?error=OAuthCallback

I have been checking the code but can't locate the issue. Focused mainly on

export const createRedirectUri = (headers: OidcRedirectCallbackHeaders, pathname: string) => {

I also checked other related closed issues with OIDC but no luck

Configs

Homarr

  homarr:
    image: ghcr.io/ajnart/homarr:latest
    restart: unless-stopped
    networks:
      - frontend
    labels:
      - traefik.enable=true
      - traefik.http.routers.homarr.rule=Host(`dashboard.<secret>`)
      - traefik.http.services.homarr.loadbalancer.server.port=7575
      - traefik.http.routers.homarr.entrypoints=web
      # - traefik.http.routers.homarr.middlewares=homarr-headers
      # - traefik.http.middlewares.homarr-headers.headers.customRequestHeaders.X-Forwarded-Proto=http

As you can see, I also tried giving the headers so it gets it.
I verified that the server takes the header because if I set https, the browser gets an https redirection, but it seems that Authentik always gets the https and I always get the https on error.

BASE_URL=http://dashboard.<secret>
NEXTAUTH_URL=http://dashboard.<secret>
AUTH_PROVIDER="oidc, credentials"
AUTH_OIDC_URI="http://authentik.<secret>/application/o/homarr"
AUTH_OIDC_CLIENT_SECRET="<secret>"
AUTH_OIDC_CLIENT_ID="<secret>"
AUTH_OIDC_CLIENT_NAME="Authentik"
# AUTH_OIDC_AUTO_LOGIN: "true"
AUTH_OIDC_ADMIN_GROUP="<secret>_admins"
AUTH_OIDC_OWNER_GROUP="<secret>_users"
DEFAULT_COLOR_SCHEME=dark

Authentik

Image

Results

{
    "message": "Invalid redirect URI used by provider",
    "expected": [
        {
            "url": "http://dashboard.<secret>/api/auth/callback/oidc",
            "matching_mode": "strict"
        }
    ],
    "provider": {
        "pk": 4,
        "app": "authentik_providers_oauth2",
        "name": "Provider for Homarr",
        "model_name": "oauth2provider"
    },
    "http_request": {
        "args": {},
        "path": "/application/o/token/",
        "method": "POST",
        "request_id": "37b0ce7128124b979b7c6d2202da9fec",
        "user_agent": "openid-client/5.6.1 (https://github.com/panva/node-openid-client)"
    },
    "redirect_uri": "https://dashboard.<secret>/api/auth/callback/oidc"
}

Logs

homarr-1 | [next-auth][error][OAUTH_CALLBACK_ERROR]
homarr-1 | https://next-auth.js.org/errors#oauth_callback_error invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)) {
homarr-1 | error: OPError: invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method))
homarr-1 | at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:38:13)
homarr-1 | at Client.grant (/app/node_modules/openid-client/lib/client.js:1354:22)
homarr-1 | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
homarr-1 | at async Client.callback (/app/node_modules/openid-client/lib/client.js:493:24)
homarr-1 | at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:109:16)
homarr-1 | at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:52:11)
homarr-1 | at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
homarr-1 | at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
homarr-1 | at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12) {
homarr-1 | name: 'OAuthCallbackError',
homarr-1 | code: undefined
homarr-1 | },
homarr-1 | providerId: 'oidc',
homarr-1 | message: 'invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method))'
homarr-1 | }

Context

No response

Please tick the boxes

  • I confirm that I attached the proper logs
  • I've read the docs
  • I've checked for duplicate issues
  • I've tried to debug myself
@mikimite mikimite added the 🐛 Bug Something isn't working label Jan 16, 2025
@github-project-automation github-project-automation bot moved this to 🆕 New in Homarr Kanban Jan 16, 2025
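
An added example, not part of the issue or of Homarr's code: a small check that takes an event shaped like the Authentik "Invalid redirect URI" JSON in the report above and lists which URI components differ from each registered strict entry. The host `dashboard.example.test` and the function names are constructed placeholders.

```javascript
// Constructed sample: same shape as the Authentik event in this issue, with the
// redacted host replaced by the placeholder "dashboard.example.test".
const sampleEvent = {
  message: "Invalid redirect URI used by provider",
  expected: [
    { url: "http://dashboard.example.test/api/auth/callback/oidc", matching_mode: "strict" },
  ],
  redirect_uri: "https://dashboard.example.test/api/auth/callback/oidc",
};

// Split a URI into the parts an exact-string comparison is sensitive to.
function parts(uri) {
  const u = new URL(uri);
  return {
    scheme: u.protocol.replace(":", ""),
    host: u.hostname,
    port: u.port,
    path: u.pathname,
    query: u.search,
  };
}

// For each registered URI, list which components differ from the one received.
// Only "strict" entries are analysed; any other matching mode is marked skipped.
function explainRedirectMismatch(event) {
  const got = parts(event.redirect_uri);
  return event.expected.map((entry) => {
    if (entry.matching_mode !== "strict") {
      return { expected: entry.url, skipped: true, differs: [] };
    }
    const want = parts(entry.url);
    const differs = Object.keys(want).filter((k) => want[k] !== got[k]);
    return {
      expected: entry.url,
      skipped: false,
      exactMatch: entry.url === event.redirect_uri,
      differs,
      // True when the client sent the registered callback under another scheme,
      // which is the http/https case reported in this issue.
      schemeOnly: differs.length === 1 && differs[0] === "scheme",
    };
  });
}

console.log(JSON.stringify(explainRedirectMismatch(sampleEvent), null, 2));
```
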

Hi 👋. Thank you for submitting your first issue to Homarr. Please ensure that you've provided all necessary information. You can use the three dots > Edit button to update your post with additional images and information. Depending on the current volume of requests, the team should get in contact with you shortly.

@mikimite

By the way, it migrated to https, and is working, but I think it is still an issue. Can be closed if no further investigation is coming.
