[Bug] Internal Service Error OIDC #1502
Comments
I'm having the exact same issue with the exact same error showing up. |
Also seeing the same here with Authentik, same stacktrace in the logs. My docker-compose config:
|
Posting logs, I have a similar stacktrace but actually a different error:
|
@zodac Did you set up encryption in authentik? And can you remove the last forward slash in |
I think I tried it with both trailing and non-trailing slash, but I'll go confirm. And I previously had a secret key but I've kept the same environment variable and value, |
No I mean in authentik, when you set up a Provider you can select an SSL cert, or authentik will auto-generate one. Is there one in place? |
I use the self-signed one provided by Authentik. |
Then you'll need to mount it into romm and set |
OK, I'll give that a whirl and report back, thanks! |
Going to have to correct myself. I do not have encryption enabled in Authentik, and I also have removed the last slash. Same stack trace as above. |
Ran again with |
Facing the same issue right now. With a signing key I get "unsupported algorithm" and without "invalid signing key".
Is this really necessary? All other OIDC services I use do not need a certificate mounted into the container. |
I too have this error, and I am using a Let's Encrypt certificate with a public chain, so I don't understand why the CERT would need to be loaded, especially if you utilize the jwks endpoint from the .well-known/openid-configuration endpoint which should be used to get the public keys of the signed JWT. |
Got the same error. |
No, I'm not using Unraid and the issue is still there. |
I'm seeing a similar error of I've tried both with and without the trailing slash for the Authentik URL. |
@undaunt, based on the Docker Compose configuration you shared previously, I noticed you have a typo where the environment variable is set as OIDC_REDIRECT:URI instead of OIDC_REDIRECT_URI |
@adamantike Yes, I noticed that as well. I did a full down, up, etc. when it was fixed but it did not impact the result. I also tried renaming the provider in case there were any hardcoded issues with Authentik specifically. |
3.7.3 still has this issue. |
We will need a more complete set of reproduction steps if we want to make progress on this issue resolution. |
I also had this bug, but I somehow solved it. I changed two things:
|
Just wanted to confirm that this also worked for me. Thanks @marissa999 ! :) |
Are you able to hide the normal login input fields with the env variable DISABLE_USERPASS_LOGIN=true? That is not working for me, though I am not sure right now if this deserves its own issue or not |
Yes, it's working for me, though I have my environment variables configured like this:
Maybe try quoting it? |
The |
I don't mind creating a new issue on this, but I'm having this exact same problem with the error "mismatching_state: CSRF Warning! State not equal in request and response." when attempting to sign in with Authelia.
Want me to open a new issue for this with all of those details or post in here? |
I'm having the same |
Okay so at least with Authentik I can shed a little light. If you do not select a signing certificate, Authentik will generate one for you using HS256 algo, however, when you generate a certificate in Authentik (or use their precreated self-signed cert) it is created with RS256. I've had this problem occur with other projects (like Actual), where their JWT library does not support any algorithm beyond RS256. This appears to be the same issue here, so it might be worth documenting. |
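To see which of the cases described in the comment above a deployment is in, the token's JOSE header can be compared with the provider's JWKS. This is an added example, not code from RomM, Authentik or the thread; the token, key id and JWKS are constructed, the client is assumed to accept only RS256, and only the unverified header is read (no signature is checked).

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(header: dict) -> str:
    """Build a constructed compact JWS with a dummy payload and signature."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'constructed-user'})}.c2ln"

def diagnose_id_token(id_token: str, jwks: dict, client_algs: set) -> str:
    """Say whether a client limited to client_algs could verify id_token."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return "not a compact JWS"
    header = json.loads(b64url_decode(parts[0]))
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in client_algs:
        return f"unsupported algorithm: {alg}"
    if alg.startswith("HS"):
        # HMAC tokens are verified with the shared client secret, not a JWKS key.
        return f"{alg}: symmetric, JWKS not used"
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("alg", alg) == alg:
            return f"{alg}: verification key {kid} found in JWKS"
    return f"{alg}: no JWKS key with kid {kid}"

# Constructed JWKS, shaped like the document behind a provider's jwks_uri.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                         "kid": "constructed-key-1", "n": "constructed", "e": "AQAB"}]}

if __name__ == "__main__":
    hs = make_token({"alg": "HS256", "typ": "JWT"})
    rs = make_token({"alg": "RS256", "typ": "JWT", "kid": "constructed-key-1"})
    for token in (hs, rs):
        print(diagnose_id_token(token, SAMPLE_JWKS, {"RS256"}))
```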
RomM version
Describe the bug
To Reproduce
Expected behavior
Desktop (please complete the following information):
RomM Docker Compose File
Authelia Docker Compose File
Authelia Configuration
Log from RomM
|
I tried pivoting to Pocket ID and was following the guide at the wiki, but I received the following error about the redirect URL having a bad format. In the browser I received the same internal service error. Config:
|
Update for my comment above - I've been in the process of switching all my apps from HTTP to HTTPS/SSL certificates (with caddy reverse proxy) - and by doing this (and a new URL) Authelia SSO now works. I'm not sure why, unless romm requires HTTPS? Otherwise it was definitely a pebkac issue. |
Also getting the same RomM .env config
Authelia client config
RomM log at error |
RomM version
3.7.2
Describe the bug
Logging in via authentik will cause an Internal Service Error; attempting to login again seems to work.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Login with authentik without error.
Additional context
[2025-01-12 16:44:30 +0000] [23] [ERROR] Exception in ASGI application
Traceback (most recent call last):
File "/src/.venv/lib/python3.12/site-packages/uvicorn/protocols/http/h11_impl.py", line 407, in run_asgi
result = await app( # type: ignore[func-returns-value]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/uvicorn/middleware/proxy_headers.py", line 69, in call
return await self.app(scope, receive, send)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/applications.py", line 1054, in call
await super().call(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 409, in _sentry_patched_asgi_app
return await middleware(scope, receive, send)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 161, in _run_asgi3
return await self._run_app(scope, receive, send, asgi_version=3)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 262, in _run_app
raise exc from None
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 257, in _run_app
return await self.app(
^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/applications.py", line 113, in call
await self.middleware_stack(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 187, in call
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 165, in call
await self.app(scope, receive, _send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 185, in call
with collapse_excgroups():
^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/contextlib.py", line 158, in exit
self.gen.throw(value)
File "/src/.venv/lib/python3.12/site-packages/starlette/_utils.py", line 82, in collapse_excgroups
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 187, in call
response = await self.dispatch_func(request, call_next)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/utils/context.py", line 41, in set_context_middleware
return await call_next(request)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 163, in call_next
raise app_exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 149, in coro
await self.app(scope, receive_or_disconnect, send_no_error)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/handler/auth/middleware.py", line 147, in call
await self.app(scope, receive, send_wrapper)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 348, in _sentry_authenticationmiddleware_call
await old_call(self, scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/authentication.py", line 48, in call
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/handler/auth/middleware.py", line 19, in call
await super().call(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette_csrf/middleware.py", line 72, in call
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/cors.py", line 85, in call
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 298, in _sentry_exceptionmiddleware_call
await old_call(self, scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 62, in call
await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
await app(scope, receive, sender)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 715, in call
await self.middleware_stack(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 735, in app
await route.handle(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 288, in handle
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 76, in app
await wrap_app_handling_exceptions(app, request)(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
await app(scope, receive, sender)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 73, in app
response = await f(request)
^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/fastapi.py", line 143, in _sentry_app
return await old_app(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 301, in app
raw_response = await run_endpoint_function(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 212, in run_endpoint_function
return await dependant.call(**values)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/endpoints/auth.py", line 254, in auth_openid
token = await oauth.openid.authorize_access_token(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/starlette_client/apps.py", line 80, in authorize_access_token
params = self._format_state_params(state_data, params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/base_client/sync_app.py", line 234, in _format_state_params
raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.
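The trace ends in an OAuth state check: the `state` returned on the callback has to match one that was bound to the same browser session when the login redirect was issued. The following is an added, simplified model of such a check, not authlib's or RomM's code; the session store, key names and function names are constructed for illustration. It shows which situations produce a mismatch.

```python
import secrets
from typing import Optional

# Server-side session store keyed by the session cookie value (constructed model).
SESSIONS: dict = {}

def start_login(cookie: Optional[str]) -> tuple:
    """Login redirect: bind a fresh state value to the browser's session."""
    if cookie not in SESSIONS:
        cookie = secrets.token_urlsafe(16)      # new session, sent as Set-Cookie
        SESSIONS[cookie] = {}
    state = secrets.token_urlsafe(16)
    SESSIONS[cookie][f"_state_{state}"] = {"nonce": secrets.token_urlsafe(16)}
    return cookie, state                        # state travels in the authorize URL

def handle_callback(cookie: Optional[str], returned_state: str) -> str:
    """Callback: accept only a state that this same session issued, and only once."""
    session = SESSIONS.get(cookie, {})
    state_data = session.pop(f"_state_{returned_state}", None)
    return "ok" if state_data is not None else "mismatching_state"

def run_cases() -> dict:
    results = {}
    # Normal flow: the browser sends the session cookie back on the callback.
    cookie, state = start_login(None)
    results["cookie returned"] = handle_callback(cookie, state)
    # The same callback URL handled a second time: the state was already consumed.
    results["state reused"] = handle_callback(cookie, state)
    # The session cookie does not come back with the callback request.
    cookie, state = start_login(None)
    results["cookie not returned"] = handle_callback(None, state)
    # The callback carries a state issued to a different session (what the check is for).
    own_cookie, _ = start_login(None)
    _, foreign_state = start_login(None)
    results["state from another session"] = handle_callback(own_cookie, foreign_state)
    return results

if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case}: {outcome}")
```

When debugging, the first thing to confirm is whether the callback request carries the same session cookie that was set on the login redirect.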