OAuth setup with Authelia

[cmintey]

This post is meant to serve as a companion to the guide in the docs with examples specifically for Authelia. The following configurations are only partial and are intended only as examples. You will likely need to modify them as necessary for your particular setup.

Authelia Configuration

Important

This is only an example and is not a full configuration. You should read through the Authelia documentation and adjust your configuration as needed.

identity_providers:
  oidc:
    jwks:
      - key: {{ secret "/secrets/private_key_file" | mindent 10 "|" | msquote }}
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - userinfo
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - 'https://mealie.example.com'
      allowed_origins_from_client_redirect_uris: false
    clients:
      - client_id: mealie
        client_name: Mealie
        client_secret: <secret>
        token_endpoint_auth_method: client_secret_basic
        authorization_policy: one_factor
        redirect_uris:
          - 'https://mealie.example.com/login'
        public: false
        pkce_challenge_method: S256
        grant_types:
          - authorization_code
        scopes:
          - openid
          - profile
          - groups
          - email

Mealie Configuration

These are the minimum required environment variables to get it working. See the docs for full options.

OIDC_AUTH_ENABLED=True
OIDC_SIGNUP_ENABLED=True
OIDC_CONFIGURATION_URL=https://auth.example.com/.well-known/openid-configuration
OIDC_CLIENT_ID=mealie
OIDC_CLIENT_SECRET=<plaintext_secret>

[Shagon94]

Fixed the formatting, unfortunately does not work:

identity_providers:
  oidc:
    jwks:
      - key: {{ secret "/config/keys/private.pem" | mindent 10 "|" | msquote }}
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - userinfo
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - https://mealie.example.com
      allowed_origins_from_client_redirect_uris: true
    clients:
      - client_id: mealie
        client_name: Mealie
        authorization_policy: one_factor
        redirect_uris:
          - https://mealie.example.com/login
        public: true
        pkce_challenge_method: S256
        grant_types:
          - authorization_code
        scopes:
          - openid
          - profile
          - groups
          - email

Any ideas? what exact environment variables are required?

[Shagon94]

I'm using Mealie in Unraid, environment variables for the docker container are:

• ALLOW_SIGNUP=false
• BASE_URL=https://mealie.example.com
• OIDC_AUTH_ENABLED=True
• OIDC_CONFIGURATION_URL=https://auth.example.com/.well-known/openid-configuration
• OIDC_CLIENT_ID=mealie
• OIDC_AUTO_REDIRECT=True

Where mealie.example.com is in nginx proxy manager. When going to the domain it results in a 500 error. I'm guessing something is either missing or misconfigured however as I am very new to oidc I am not sure

[cmintey]

Your mealie configuration looks fine. I would turn off AUTO_REDIRECT while you are testing this. You can enable debug logs for mealie by setting LOG_LEVEL=DEBUG in the environment variables.

A 500 is still a pretty vague error. Is there any specific message? Or anything in the logs of either Mealie or Authelia?

[Shagon94]

Fixed the 500 error, wrong port was used, however the current authentication mechanism still doesn't work.

Even if I login it still shows the login button as if I wasn't logged in.

The nginx-proxy-manager advanced configuration for this host is:

include /data/nginx/custom/authelia-location.conf;

location / {
    include /data/nginx/custom/proxy.conf;
    include /data/nginx/custom/authelia-authrequest.conf;
    proxy_pass $forward_scheme://$server:$port;
}

Where the authelia-location.conf, proxy.conf and authelia-authrequest.conf are the default ones from the authelia documentation.

Now, here's what happens, the same configuration is present for other services on my network. Visiting the page prompts me for login in authelia, however after a successful login I don't see my username at the top right, it's still a "login" button.

Screen.Recording.2024-03-29.at.5.20.35.PM.mov

[Shagon94]

I should also note that there are no errors, and the image used is ghcr.io/mealie-recipes/mealie:latest. After trying ~20 different combinations I finally figured it out.

I've checked where the variable is being used and it's used here -

mealie/mealie/routes/app/app_about.py

Lines 63 to 69 in 79fb1fb

	@router.get("/oidc", response_model=OIDCInfo)
	def get_oidc_info(resp: Response):
	"""Get's the current OIDC configuration needed for the frontend"""
	settings = get_app_settings()
	resp.headers["Cache-Control"] = "public, max-age=604800"
	return OIDCInfo(configuration_url=settings.OIDC_CONFIGURATION_URL, client_id=settings.OIDC_CLIENT_ID)

Now if I lookup that file:

root@82872204f6f4:/app# tail -20 /app/mealie/routes/app/app_about.py
    """returns helpful startup information"""
    settings = get_app_settings()

    is_first_login = False
    with session as db:
        if db.query(User).filter_by(email=settings._DEFAULT_EMAIL).count() > 0:
            is_first_login = True

    return AppStartupInfo(
        is_first_login=is_first_login,
    )


@router.get("/theme", response_model=AppTheme)
def get_app_theme(resp: Response):
    """Get's the current theme settings"""
    settings = get_app_settings()

    resp.headers["Cache-Control"] = "public, max-age=604800"
    return AppTheme(**settings.theme.model_dump())

There is no mention of that endpoint therefor this functionality is not available on the latest tag.

Checking the v1.3.2 tag - https://github.com/mealie-recipes/mealie/blob/v1.3.2/mealie/routes/app/app_about.py still the same, the functionality is not yet present.

Given the wording in - https://github.com/mealie-recipes/mealie/releases/tag/v1.3.2

FYI - Next Release Will Contain 2 Major Changes

OIDC Login Support - #2860
Initial Startup Workflow - #3204

We plan to merge those two PR shortly after this, if you're interested in testing them before release (please help us!) check the discord the the annoucement of when the build is ready.

It means that this functionality is not yet available as of today and will be in the next version.

[cmintey]

Correct, this feature has not yet been released and is only available on nightly. The docs will be more explicit in the future on which versions certain features are in.

Also it looks from your video that you have set up Authelia as a forward proxy authentication for Mealie? That is not necessary for OIDC to work. Once this has been released or you switch to nightly, there will be a new button "Login with OAuth" that will redirect you to Authelia portal

[Shagon94]

Bonus suggestions:

• If OIDC_AUTO_REDIRECT is set to true you can bypass the local login when clicking on "login" button
• setting the home group to be private in /admin/manage/groups/ allows for a seamless login process, where mealie automatically redirects to authelia, and authelia logs you in

[GasimGasimzada]

I have Authelia 4.37.5 and Mealie Nightly.

Authelia:

     id: melie
     description: mealie
     authorization_policy: one_factor
     public: true
     grant_types:
       - authorization_code
     scopes:
      - openid
      - email
      - profile
      - groups
    redirect_uris:
      - https://mealie.gasimzada.casa/login
    userinfo_signing_algorithm: none

Mealie:

environment:
  - ALLOW_SIGNUP=false
  - PUID=1000
  - PGID=1000
  - TZ=Europe/Amsterdam
  - MAX_WORKERS=1
  - WEB_CONCURRENCY=1
  - BASE_URL=https://mealie.example.com
  - OIDC_AUTH_ENABLED=true
  - OIDC_SIGNUP_ENABLED=true
  - OIDC_CONFIGURATION_URL=https://auth.example.com/.well-known/openid-configuration
  - OIDC_CLIENT_ID=mealie
  - OIDC_ADMIN_GROUP=admins
  - OIDC_USER_GROUP=users
  - OIDC_AUTO_REDIRECT=false

When I log in with OIDC, the user is created (with correct permissions based on groups defined in Authelia) but I cannot log into Mealie. It basically never logs in. When I log in with the default Admin user, I can see the user being created with all the information there.

Is there something that I am missing here?

[cmintey]

That's strange. What is the AuthMethod for the user that you see in the admin panel?
Do you see any errors in the Mealie logs? You can enable debug logs for mealie by setting LOG_LEVEL=DEBUG in the environment variables to get more detailed logs.
Is there any errors in the browser dev tools console or networking tab?

[GasimGasimzada]

I did not do any change but after a while is started working. Maybe it was a cache issue or something.

[DennisGaida]

Out of interest: Why no client secret? Why use one_factor authorization policy? All my other OIDC integrations use client secret and look different than this one, e.g.:

      - client_id: xyz-tailscale-xyz
        client_secret: xyz
        scopes:
          - openid
          - profile
          - email
        redirect_uris:
          - https://login.tailscale.com/a/oauth_response

Also configuration for all others is a bit simpler / less to configure. Why go a different route? Safer? Less safe? Easier to manage?

[cmintey]

Mealie is partially a SPA and so the authentication plugin we use only supports OAuth Authorization Code Flow with PKCE. This flow does not need a client_secret. It is fully compliant and not any less secure.

[DennisGaida]

Interesting! Switched to nightly right away as soon as I saw OIDC support. Love me some OIDC for everything.

[DennisGaida]

I get an infinite redirect after logging in. Configuration works as described, Authelia assigns a token - but after that I am caught in a loop. Debug-level logging shows this:

INFO:     192.168.x.y:56548 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect
INFO:     192.168.x.y:56548 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect
INFO:     192.168.x.y:56548 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect
INFO:     192.168.x.y:56548 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect
INFO:     192.168.x.y:56548 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect

I'm not redirecting to the direct=1 URL in the Authelia config. My config is as described above in the original post.

[DennisGaida]

Oh wow! Waiting for the :nightly build to integrate this PR - maybe it is already integrated? Didn’t check what nightly entails vs mealie-next branch. Maybe it fixes stuff.

[boc-the-git]

That is already in nightly, as soon as the PR is merged.
Using nightly and helping prove the solution works is very helpful.

[DennisGaida]

Yeah. Doesn't work. :-) Opening an issue now. #3461

[boc-the-git]

Thanks for testing @DennisGaida, that feedback is critical to helping find issues

[DennisGaida]

Figured out my problem - see closed issue.

[james-d-elliott]

Not actually tested but here's a theoretically working guide provided Mealie supports PKCE S256: https://www.authelia.com/integration/openid-connect/mealie/

[DennisGaida]

Did test the guide. Works as-is :-)

[Kladdiskakan]

I don't know if it me completely missing something but I can't make the integration work. I reach the login page and once i press the oauth-login button, I get redirected to a 404 page the url looks is the following: https://mealie.domain.lan/null?protocol=oauth2&response_type=code&access_type=&client_id=mealie&redirect_uri=https%3A%2F%2Fmealie.domain.lan%2Flogin&scope=openid+profile+email+groups&state=H9IxUKZ8ve&code_challenge_method=S256&code_challenge=sXYZAoYBWM3EY2-o7fZjrUY8qU04Bgom3M443pxrBl8. My authelia conf is:

identity_providers:
  oidc:
    hmac_secret: ':>)'
    jwks:
      - key_id: 'example'
        algorithm: 'RS256'
        key: {{ secret "/config/secrets/oidc/jwks/private_authelia.pem" | mindent 10 "|" | msquote }}
    cors:
      endpoints:
        - userinfo
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - 'https://mealie.domain.lan'
      allowed_origins_from_client_redirect_uris: false

    clients:
       - client_id: 'mealie'
        client_name: 'Mealie'
        public: true
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        grant_types:
          - 'authorization_code'
        redirect_uris:
          - 'https://mealie.domain.lan/login'
        scopes:
          - openid
          - profile
          - groups
          - email
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'none'

And this is my enviroment variables from the compose file:

  environment:
      - ALLOW_SIGNUP=true
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - MAX_WORKERS=1
      - WEB_CONCURRENCY=1
      - BASE_URL=https://mealie.domain.lan
      # Database Settings
      - DB_ENGINE=postgres
      - POSTGRES_USER=username
      - POSTGRES_PASSWORD=password
      - POSTGRES_SERVER=db
      - POSTGRES_PORT=5432
      - POSTGRES_DB=mealie
      - OIDC_AUTH_ENABLED=true
      - OIDC_SIGNUP_ENABLED=true
      - OIDC_CONFIGURATION_URL=https://authelia.domain.lan/.well-known/openid-configuration
      - OIDC_CLIENT_ID=mealie
      - OIDC_AUTO_REDIRECT=false
      - OIDC_ADMIN_GROUP=mealie-admins
      - OIDC_USER_GROUP=mealie-users
      - LOG_LEVEL=DEBUG

I've tried to switch around with different settings in order to get it work but without success. When I look at the network tab I get a error on a options request to my authelia address where the "Transferred" value is: "CORS missing allow origin"

[cmintey]

Hmm looks right to me, maybe try setting allowed_origins_from_client_redirect_uris: true in Authelia. Some people reported having to have that for CORS to work. Also make sure you reset browser cache or use a private window

[boc-the-git]

Also chuck your yaml into a formatter.
It looks to be formatted incorrectly. How much that matters for your issue, I've no idea.

[DennisGaida]

Check out my closed issue #3461 I had exactly the same URL with null in there as well. Also try to follow the guide here to the letter: https://www.authelia.com/integration/openid-connect/mealie/. Make sure you are using the latest version of Authelia as well.

[Kladdiskakan]

Fixed it! Seems most likely that it was the cache that messed with me. Now i've reached my next issue which is that I won't create an account/login after i've accepted mealie to get its permissions. The log says: [OIDC] Required claims not present. Expected: {'email', 'name', 'preferred_username'} Actual: dict_keys(['amr', 'at_hash', 'aud', 'auth_time', 'azp', 'exp', 'iat', 'iss', 'jti', 'sub']) So it seems to be something around the scope, but i can't manage to find what it actually could be. I've added '' around each scope item in the config.

[cmintey]

You must have at least these scopes defined in Authelia. Seems like they are not included in your Authelia config or Authelia is not providing those claims when requested. Probably a config issue

scopes:
  - 'openid'
  - 'email'
  - 'profile'

[krair]

First off, loving the support for OIDC, thank you again for the implementation!

Quick question:

When I put my admin user into the mealie-admins group, I am hit with 401's and incorrect username or password errors. Setting the logs to debug I get:

DEBUG    2024-05-22T12:40:49 - [OIDC] User does not have the required group. Found: ['admin', 'mealie-admins'] - Required: mealie-users

config includes:

    "OIDC_USER_GROUP": "mealie-users",
    "OIDC_ADMIN_GROUP": "mealie-admins",

The temporary solution seems to just put the admin user into the mealie-users group, as that still allows me to login and doesn't change my Mealie admin permissions. But that doesn't seem like the best solution.

Am I missing something here?

[boc-the-git]

First off, loving the support for OIDC, thank you again for the implementation!

Credit to @cmintey !

I'm not an expert on it, but from what I understand you need to give your user both the OIDC_USER_GROUP and OIDC_ADMIN_GROUP to make them an admin. So I think the "temporary solution" you're talking about is what's required.
Though I welcome anyone to correct me :)

[krair]

Ahhhhh OK. I read the docs 5 times, but now that you put it that way I am reading the docs differently. Alright, the admin user is in both groups. Thanks @boc-the-git for the clarification.

I'll admit this seems a bit redundant and unnecessary, but if that's how it is, I will follow it.

[gpas45]

I tried setting up authelia, but it didn't work
Authorization in Authelia passes, but after authorization it redirects to the start page with authorization. There is nothing in the logs, debugging is enabled.

mealie config:
- OIDC_AUTH_ENABLED=true
- OIDC_SIGNUP_ENABLED=true
- OIDC_CONFIGURATION_URL=https://authelia.lan/.well-known/openid-configuration
- OIDC_CLIENT_ID=mealie
- OIDC_AUTO_REDIRECT=false
- OIDC_ADMIN_GROUP=mealie-admins
- OIDC_USER_GROUP=mealie-users
- LOG_LEVEL=DEBUG

authelia config:

  - client_id: 'mealie'
    client_name: 'Mealie'
    public: true
    authorization_policy: 'two_factor'
    require_pkce: true
    pkce_challenge_method: 'S256'
    redirect_uris:
      - 'https://mealie.lan/login'
    grant_types:
      - authorization_code
    scopes:
      - 'openid'
      - 'email'
      - 'profile'
      - 'groups'
    userinfo_signed_response_alg: 'none'
    token_endpoint_auth_method: 'none'

INFO 2024-07-21T08:59:21 - [192.168.254.21:0] 307 Temporary Redirect "GET /login?code=authelia_ac_zYpqmL_zUlyMYxfFJKI4tcVtYD78eVza5edvJDz-6L8.ZdYQ35Uug8xCvDlrVFOjzRn91pQbaCON1RgZqHN36AI&iss=https%3A%2F%2Fauthelia.lan&scope=openid+profile+email+groups&state=pwVwtQjKxZ HTTP/1.1"
INFO 2024-07-21T08:59:21 - [192.168.254.21:0] 200 OK "GET /login/?code=authelia_ac_zYpqmL_zUlyMYxfFJKI4tcVtYD78eVza5edvJDz-6L8.ZdYQ35Uug8xCvDlrVFOjzRn91pQbaCON1RgZqHN36AI&iss=https%3A%2F%2Fauthelia.lan&scope=openid+profile+email+groups&state=pwVwtQjKxZ HTTP/1.1"
INFO 2024-07-21T08:59:21 - [192.168.254.21:0] 200 OK "GET /api/app/about/startup-info HTTP/1.1"
INFO 2024-07-21T08:59:21 - [192.168.254.21:0] 200 OK "GET /api/app/about HTTP/1.1"
INFO 2024-07-21T08:59:21 - [192.168.254.21:0] 200 OK "GET /api/app/about HTTP/1.1"
INFO 2024-07-21T08:59:22 - [192.168.254.21:0] 304 Not Modified "GET /sw.js HTTP/1.1"

[atrayu13]

I, too, have the same exact problem! I've tried turning up logging in both mealie and Authelia, but there's just nothing additional noted. I've enabled LDAP auth as a fallback, but I'd really like to get OIDC working properly...

My configuration is practically verbatim from the Authelia Mealie Integrations page.

[james-d-elliott]

If the only logs for authelia when logging is set to debug are Authorization Request logs, and there are no Access Request logs, that indicates that mealie is never making an access request to the token endpoint of Authelia. See the Frequently Asked Questions for more information that may be helpful.

[atrayu13]

I figured it out!

I think it was CORS issues... I had another look at my overall OIDC config in Authelia, and went back to the docs, and noticed I didn't have any CORS configurations in place.

After adding in the CORS configs in Authelia, I started actually getting errors (either in the Authelia or Mealie logs, I can't remember which). But my OIDC_USER_CLAIM variable was incorrectly set. After changing it to email, everything started to work!

Here's the CORS config in Authelia that got it to work for me:

cors:
      endpoints:
        - 'authorization'
        - 'pushed-authorization-request'
        - 'token'
        - 'revocation'
        - 'introspection'
        - 'userinfo'
      allowed_origins:
        - '*'
      allowed_origins_from_client_redirect_uris: false

[mrshappy0]

Can someone update with an example for Mealie (latest version). I'm having the most unusual time debugging my setup. Authelia logs show the login with OIDC is successful but I get the following error from Mealie logs:

ERROR    2024-10-22T19:16:26 - [OIDC] Required claims not present. Expected: {'name', 'email', 'groups'} Actual: dict_keys(['amr', 'at_hash', 'aud', 'auth_time', 'azp', 'exp', 'iat', 'iss', 'jti', 'nonce', 'sub'])

I supply the scope as recommended in my authelia config yml:

    clients:
      - client_id: mealie-client
        authorization_policy: one_factor
        public: false
        client_secret: >-
          $argon2id$v=19$m=16,t=2,p=<redacted>
        redirect_uris:
          - 'https://mealie.domain-here.net/login'
          - 'https://localhost:3000/login'
        require_pkce: true
        pkce_challenge_method: 'S256'
        scopes:
          - openid
          - email
          - profile
          - groups
        grant_types:
          - authorization_code
        userinfo_signed_response_alg: none

[cmintey]

Phew! Glad we got it resolved 😄

[james-d-elliott]

That image supports the claims parameter and expects it is used to include additional claims outside the standard claims within the ID Token per the spec. There's a way to manually configure that but by default we'll be expecting the clients to correctly request the additional claims they want or use the User Info endpoint as per the spec.

[cmintey]

@james-d-elliott Mm, so if we want to continue to use scopes instead of requesting individual claims, we'll need to call the userinfo endpoint? I do see that called out in the spec, but it seems like many IdPs don't fully follow that

[james-d-elliott]

Not necessarily, there is a reusable claims policy which can be configured to include the claims in the ID Token for a given client or clients automatically. There is also the claims authorization request parameter which is meant for requesting additional claims in the ID Token.

We're focused on including all of the security, privacy, and general compliance elements of the spec and related specs. The specs are a contract and us implementing them correctly with reasonable escape hatches is the direction we are going to take with this and practically all elements of Authelia. I think it's opinionated but flexible in logical ways. In this situation it has privacy and information security implications and generally improves that for Authelia users when the client is compliant with the spec.

Scopes themselves are intended to request scopes for the Access Token which is used to access the User Info endpoint. They communicate what the Access Token has permission to do, in this case retrieval of information, or in the instance of the allowed scopes registered for a specific client it also communicates what specific claims they are permitted to request in the claims parameter instead of the scopes parameter.

Also what other IdP's do is actually not all that relevant for us mainly because of situations like many IdP's allowing things like regex in the registered redirect_uris which is expressly prohibited in the specs for an incredibly important security risk. We may use their ideas for inspiration to solve unique issues but that's probably the extent of it.

[cmintey]

Cool, thanks for explaining that!