[BUG] - Oauth infinite redirect with traefik & Authelia #3461

Closed
5 of 6 tasks
DennisGaida opened this issue Apr 13, 2024 · 2 comments
Labels
bug Something isn't working OIDC triage

Comments

@DennisGaida (Contributor)

First Check

  • This is not a feature request.
  • I added a very descriptive title to this issue (title field is above this).
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn't find an answer.
  • This issue can be replicated on the demo site (https://demo.mealie.io/).

What is the issue you are experiencing?

I get an infinite redirect loop (307) after authenticating with Authelia. May be related to #3399 or #3419.

Steps to Reproduce

  1. Configured Authelia & Mealie as explained here: OAuth setup with Authelia #3338
  2. Clicked on "Login with Authelia" on https://mealie.example.com/login?direct=1
  3. Get redirected to the consent form at https://auth.example.com/consent?id=
  4. Click on Accept
  5. Get redirected to Mealie
  6. Observe infinite redirects (307)

Please provide relevant logs

Mealie log level is set to debug.

INFO:     192.168.x.y:36872 - "GET /login?code=authelia_ac_<token>&iss=https%3A%2F%2Fauth.example.com&scope=openid+profile+email+groups&state=mMJ07fVyqE HTTP/1.1" 307 Temporary Redirect
INFO:     192.168.x.y:36872 - "GET /login/?code=authelia_ac_<token>&iss=https%3A%2F%2Fauth.example.com&scope=openid+profile+email+groups&state=mMJ07fVyqE HTTP/1.1" 200 OK
INFO:     192.168.x.y:36872 - "GET /sw.js HTTP/1.1" 304 Not Modified
INFO:     192.168.x.y:36872 - "GET /favicon.ico HTTP/1.1" 200 OK
INFO:     192.168.x.y:36872 - "GET /icons/android-chrome-maskable-512x512.png HTTP/1.1" 200 OK
INFO:     192.168.x.y:36886 - "GET /api/app/about/theme HTTP/1.1" 200 OK
INFO:     192.168.x.y:36886 - "GET /sw.js HTTP/1.1" 304 Not Modified
INFO:     192.168.x.y:36886 - "GET / HTTP/1.1" 200 OK
INFO:     192.168.x.y:36886 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect
INFO:     192.168.x.y:36886 - "GET /favicon.ico HTTP/1.1" 200 OK
INFO:     192.168.x.y:36886 - "GET /icons/apple-touch-icon.png HTTP/1.1" 200 OK
INFO:     192.168.x.y:36886 - "GET /sw.js HTTP/1.1" 304 Not Modified
INFO:     192.168.x.y:36886 - "GET /login/?direct=1 HTTP/1.1" 200 OK
INFO:     192.168.x.y:36886 - "GET /favicon.ico HTTP/1.1" 200 OK
INFO:     192.168.x.y:36872 - "GET /icons/android-chrome-maskable-512x512.png HTTP/1.1" 200 OK
INFO:     192.168.x.y:36886 - "GET /sw.js HTTP/1.1" 304 Not Modified
INFO:     192.168.x.y:36872 - "GET /api/app/about/theme HTTP/1.1" 200 OK
INFO:     192.168.x.y:36872 - "GET /api/app/about/oidc HTTP/1.1" 200 OK
INFO:     192.168.x.y:36872 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect

Mealie Version

2a541f081ac9ec37b4fb6e830826368d6d4e5260

Deployment

Docker (Linux)

Additional Deployment Details

using :nightly

Authelia config is using redirect_uris: https://mealie.example.com/login

Mealie config environment variables:

```yaml
      ALLOW_SIGNUP: false
      MAX_WORKERS: 1
      WEB_CONCURRENCY: 1
      BASE_URL: https://mealie.example.com
      OIDC_AUTH_ENABLED: "true"
      OIDC_CONFIGURATION_URL: https://auth.example.com/.well-known/openid-configuration
      OIDC_CLIENT_ID: mealie-test
      OIDC_PROVIDER_NAME: Authelia
      OIDC_ADMIN_GROUP: admins
      OIDC_SIGNUP_ENABLED: "true"
      OIDC_AUTO_REDIRECT: "false"
      LOG_LEVEL: DEBUG
```
@DennisGaida DennisGaida added bug Something isn't working triage labels Apr 13, 2024
@DennisGaida (Contributor, Author)

Figured out the culprit, though not sure yet who is at fault: I'm also leveraging Authelia as a forward-auth solution in front of Mealie with traefik. When I remove Authelia from the middleware/middleware-chain, authentication goes through without an infinite redirect.

@DennisGaida (Contributor, Author)

DennisGaida commented Apr 13, 2024

This may be specific to Authelia 4.38, but you need a forward-auth endpoint that doesn't have HeaderAuthorization activated. Of course it may not make sense to use forward-auth and OIDC together, but that's another discussion.

Example Authelia config:

```yaml
  endpoints:
    authz:
      forward-auth-no-headerauth:
        implementation: 'ForwardAuth'
        authn_strategies:
          - name: 'HeaderProxyAuthorization'
            schemes:
              - Basic
              - Bearer
          - name: 'CookieSession'
```

Example traefik middleware:

```yaml
      forwardAuth:
        address: http://authelia:9091/api/authz/forward-auth-no-headerauth
```

This way no infinite redirect. Adding this documentation to https://www.authelia.com/integration/openid-connect/mealie/
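To show where the two fragments above sit in complete files, here is an added example (written for this page, not the issue author's configuration and not taken from the Authelia or traefik documentation) of the Authelia `server.endpoints.authz` block and a traefik dynamic-configuration file that defines the middleware and attaches it to the Mealie router. The endpoint name matches the one in the comment; the hostnames, the `authelia` and `mealie` service names and ports, the router/middleware names, the entry point, and the `authResponseHeaders` list are assumptions you will need to adapt. The point of the custom endpoint is that the `HeaderProxyAuthorization` strategy reads `Proxy-Authorization`, so a `Authorization: Bearer …` header carrying Mealie's own session token is passed through to Mealie instead of being evaluated by Authelia.

```yaml
# --- Authelia configuration.yml (assumed 4.38 layout), added example ---
# The custom endpoint lives under server.endpoints.authz. Check the Authelia
# docs for your version on whether defining this section replaces the default
# endpoints; if other routers still use /api/authz/forward-auth, define it here too.
server:
  endpoints:
    authz:
      forward-auth-no-headerauth:
        implementation: 'ForwardAuth'
        authn_strategies:
          # Reads Proxy-Authorization only; Mealie's Authorization header is
          # left untouched and forwarded to the backend.
          - name: 'HeaderProxyAuthorization'
            schemes:
              - 'Basic'
              - 'Bearer'
          # Browser sessions established through the Authelia portal.
          - name: 'CookieSession'

# --- traefik dynamic configuration (e.g. /etc/traefik/dynamic/mealie.yml), added example ---
http:
  routers:
    mealie:
      rule: 'Host(`mealie.example.com`)'   # assumed hostname
      entryPoints:
        - 'websecure'                      # assumed entry point name
      middlewares:
        - 'authelia-no-headerauth'         # must reference the middleware below
      service: 'mealie'
      tls: {}
  middlewares:
    authelia-no-headerauth:
      forwardAuth:
        # Custom endpoint name from the Authelia config above.
        address: 'http://authelia:9091/api/authz/forward-auth-no-headerauth'
        # Let Authelia see the original scheme/host for its redirect back.
        trustForwardHeader: true
        # Identity headers Authelia sets on success, copied to the Mealie request.
        authResponseHeaders:
          - 'Remote-User'
          - 'Remote-Groups'
          - 'Remote-Email'
          - 'Remote-Name'
  services:
    mealie:
      loadBalancer:
        servers:
          - url: 'http://mealie:9000'      # assumed container name and port
```

A quick way to confirm the middleware is the one in the chain is to send a request with a dummy `Authorization: Bearer` header through traefik to a Mealie API path: with the default `forward-auth` endpoint it is intercepted by Authelia, with the custom endpoint it reaches Mealie and is rejected (or accepted) by Mealie itself.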

2 participants