
[BUG] - Redirection loop with Authelia #3463

Closed
5 of 6 tasks
Shagon94 opened this issue Apr 13, 2024 · 12 comments
Labels: bug: confirmed, bug (Something isn't working), OIDC

Comments

Shagon94 commented Apr 13, 2024

First Check

  • This is not a feature request.
  • I added a very descriptive title to this issue (title field is above this).
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn't find an answer.
  • This issue can be replicated on the demo site (https://demo.mealie.io/).

What is the issue you are experiencing?

Using Authelia OIDC with Mealie results in a redirection loop after some time.

Steps to Reproduce

  1. Set up Authelia:
identity_providers:
  oidc:
    jwks:
      - key: {{ secret "/config/keys/private.pem" | mindent 10 "|" | msquote }}
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - userinfo
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - https://food.okej.dev
      allowed_origins_from_client_redirect_uris: true
    clients:
      - client_id: mealie
        client_name: mealie
        authorization_policy: one_factor
        redirect_uris:
          - https://food.okej.dev/login
        public: true
        require_pkce: true
        pkce_challenge_method: S256
        grant_types:
          - authorization_code
        scopes:
          - openid
          - profile
          - groups
          - email
        consent_mode: 'implicit'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'none'
  2. Use the docker container ghcr.io/mealie-recipes/mealie:latest
  3. Use the following environment variables for that container:
OIDC_AUTH_ENABLED=True
OIDC_CONFIGURATION_URL=https://auth.okej.dev/.well-known/openid-configuration
OIDC_CLIENT_ID=mealie
OIDC_AUTO_REDIRECT=True
OIDC_ADMIN_GROUP=admins
  4. After some time, go to the Mealie site and observe the redirect loop.

Please provide relevant logs

ERROR: 13-Apr-24 20:03:59       Incorrect username or password from 192.168.0.4
INFO:     172.18.0.9:45808 - "POST /api/auth/token HTTP/1.1" 401 Unauthorized
INFO:     172.18.0.9:45820 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect
INFO:     172.18.0.9:45832 - "GET /api/app/about/startup-info HTTP/1.1" 200 OK
INFO:     172.18.0.9:45822 - "GET /api/app/about HTTP/1.1" 200 OK
INFO:     172.18.0.9:45846 - "GET /api/app/about HTTP/1.1" 200 OK
ERROR: 13-Apr-24 20:03:59       Incorrect username or password from 192.168.0.4
INFO:     172.18.0.9:45848 - "POST /api/auth/token HTTP/1.1" 401 Unauthorized
INFO:     172.18.0.9:45862 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect
INFO:     172.18.0.9:45880 - "GET /api/app/about/startup-info HTTP/1.1" 200 OK
INFO:     172.18.0.9:45888 - "GET /api/app/about HTTP/1.1" 200 OK
INFO:     172.18.0.9:45876 - "GET /api/app/about HTTP/1.1" 200 OK
INFO:     172.18.0.9:45892 - "GET /sw.js HTTP/1.1" 304 Not Modified
ERROR: 13-Apr-24 20:04:00       Incorrect username or password from 192.168.0.4
INFO:     172.18.0.9:45900 - "POST /api/auth/token HTTP/1.1" 401 Unauthorized
INFO:     172.18.0.9:45916 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect
INFO:     172.18.0.9:45930 - "GET /api/app/about/startup-info HTTP/1.1" 200 OK
INFO:     172.18.0.9:45918 - "GET /api/app/about HTTP/1.1" 200 OK
INFO:     172.18.0.9:45942 - "GET /api/app/about HTTP/1.1" 200 OK
INFO:     172.18.0.9:45958 - "GET /sw.js HTTP/1.1" 304 Not Modified

Mealie Version

ghcr.io/mealie-recipes/mealie:latest

Deployment

Unraid

Additional Deployment Details

No response

Shagon94 added the bug and triage labels on Apr 13, 2024

@Shagon94 (Author)

Seems similar to #3461, but in my case I have nginx instead of traefik. @DennisGaida would you say this is the same issue?

@Shagon94 (Author)

Clearing the cookies in the browser allows the user to log in again; however, after some time, even though the Authelia login is still valid (as other services work without issues), Mealie just does the redirect loop.

@DennisGaida (Contributor)

No, not the same issue at all - check your log; it says wrong username and password. What helped in my case was checking the Authelia logs as well (debug level).
Your point about cookies: always test authentication issues in a fresh private window. You can't be sure what auto cookies are looming around somewhere in your main profile. It's a bit of a hassle since you need to log in all the time, but this way you know it's not cookies being the problem.

Shagon94 (Author) commented Apr 13, 2024

I've restarted Authelia and added all the settings mentioned in the Authelia docs; it seems they were updated today. I've also restarted Mealie.

I'll update in a few days if the same redirect issue keeps happening.

Shagon94 (Author) commented Apr 13, 2024

The same issue keeps happening: redirection loop.

nginx-proxy-manager logs:

[13/Apr/2024:22:13:13 +0200] - 401 401 - POST https food.okej.dev "/api/auth/token" [Client 192.168.0.5] [Length 25] [Gzip -] [Sent-to mealie] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0" "https://food.okej.dev/login/?direct=1"
[13/Apr/2024:22:13:13 +0200] - 307 307 - GET https food.okej.dev "/login?direct=1" [Client 192.168.0.5] [Length 0] [Gzip -] [Sent-to mealie] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0" "https://food.okej.dev/login/?direct=1"

So it seems that when the token expires it tries to refresh it by going to (mealie domain)/api/auth/token and fails with a 401.

mealie logs:

INFO:     172.18.0.9:45900 - "POST /api/auth/token HTTP/1.1" 401 Unauthorized
INFO:     172.18.0.9:45916 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect

I think this might be a bug with mealie, or a misconfiguration (unsure). The updated authelia config where this is reproducible (I'll update the first post as well):

identity_providers:
  oidc:
    jwks:
      - key: {{ secret "/config/keys/private.pem" | mindent 10 "|" | msquote }}
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - userinfo
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - https://food.okej.dev
      allowed_origins_from_client_redirect_uris: true
    clients:
      - client_id: mealie
        client_name: mealie
        authorization_policy: one_factor
        redirect_uris:
          - https://food.okej.dev/login
        public: true
        require_pkce: true
        pkce_challenge_method: S256
        grant_types:
          - authorization_code
        scopes:
          - openid
          - profile
          - groups
          - email
        consent_mode: 'implicit'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'none'

To clarify: initial login works fine; only after some time does the authentication workflow break and the redirect loop occur.
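
As an added illustration (not code from this issue or from the Mealie project), the following Python script turns the pattern described above into a log check: per source host it counts how often a 401 on POST /api/auth/token is followed by a 307 to /login?direct=1, and flags hosts that hit that pair repeatedly, which is what the loop looks like from the server side. The sample lines are constructed to mirror the two Mealie log formats quoted in this thread; the regexes, the docker compose prefix handling and the threshold are assumptions, not Mealie's own parsing.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two Mealie log formats quoted in this
# issue (older uvicorn-style lines and newer timestamped lines). Not a real
# capture; the addresses are just the ones those quoted lines happen to use.
SAMPLE_LOG = """\
ERROR: 13-Apr-24 20:03:59       Incorrect username or password from 192.168.0.4
INFO:     172.18.0.9:45808 - "POST /api/auth/token HTTP/1.1" 401 Unauthorized
INFO:     172.18.0.9:45820 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect
INFO:     172.18.0.9:45832 - "GET /api/app/about/startup-info HTTP/1.1" 200 OK
INFO:     172.18.0.9:45848 - "POST /api/auth/token HTTP/1.1" 401 Unauthorized
INFO:     172.18.0.9:45862 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect
INFO:     172.18.0.9:45900 - "POST /api/auth/token HTTP/1.1" 401 Unauthorized
INFO:     172.18.0.9:45916 - "GET /login?direct=1 HTTP/1.1" 307 Temporary Redirect
ERROR    2024-05-01T21:28:47 - Incorrect username or password from 172.18.0.1
INFO     2024-05-01T21:28:47 - [172.18.0.1:0] 401 Unauthorized "POST /api/auth/token HTTP/1.1"
INFO     2024-05-01T21:28:47 - [172.18.0.1:0] 304 Not Modified "GET /sw.js HTTP/1.1"
"""

# Older format: INFO:     host:port - "METHOD PATH HTTP/x.y" STATUS TEXT   (assumed shape)
OLD_FORMAT = re.compile(
    r'^INFO:\s+(?P<host>[\d.]+):\d+ - "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Newer format: INFO     TIMESTAMP - [host:port] STATUS TEXT "METHOD PATH HTTP/x.y"   (assumed shape)
NEW_FORMAT = re.compile(
    r'^INFO\s+\S+ - \[(?P<host>[\d.]+):\d+\] (?P<status>\d{3}) [^"]*"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)
# The ERROR line names the address Mealie attributes the failed login to.
FAILED_LOGIN = re.compile(r"Incorrect username or password from (?P<client>[\d.]+)")

TOKEN_ENDPOINT = "/api/auth/token"
LOGIN_REDIRECT = "/login?direct=1"


def parse_request(line):
    """Return {host, method, path, status} for an access-log line, else None."""
    line = re.sub(r"^\S+\s+\|\s*", "", line)  # drop a 'service | ' docker compose prefix
    for pattern in (OLD_FORMAT, NEW_FORMAT):
        m = pattern.match(line)
        if m:
            return {"host": m["host"], "method": m["method"],
                    "path": m["path"], "status": int(m["status"])}
    return None


def count_token_login_cycles(lines):
    """Per host, count how often a 401 on POST /api/auth/token is followed by a
    307 on GET /login?direct=1. One pair is a failed session refresh bounced to
    the login page (which auto-redirects to the IdP); repeated pairs are the loop."""
    pending = defaultdict(bool)
    cycles = defaultdict(int)
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        host = req["host"]
        if req["method"] == "POST" and req["path"] == TOKEN_ENDPOINT and req["status"] == 401:
            pending[host] = True
        elif req["method"] == "GET" and req["path"] == LOGIN_REDIRECT and req["status"] == 307:
            if pending[host]:
                cycles[host] += 1
                pending[host] = False
    return dict(cycles)


def find_redirect_loops(lines, threshold=3):
    """Hosts whose cycle count reaches the threshold, i.e. likely stuck in the loop."""
    return {h: n for h, n in count_token_login_cycles(lines).items() if n >= threshold}


def failed_login_sources(lines):
    """Addresses named in 'Incorrect username or password from ...' lines. Behind a
    reverse proxy the access lines show the proxy's address, so this is usually
    where the real client address turns up."""
    return sorted({m["client"] for m in map(FAILED_LOGIN.search, lines) if m})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("cycles per host:", count_token_login_cycles(lines))
    print("looping hosts:", find_redirect_loops(lines))
    print("failed-login sources:", failed_login_sources(lines))
```

Run it against a real Mealie log with `count_token_login_cycles(open(path).read().splitlines())`; a host with a handful of cycles in a few seconds is the loop, whereas a lone 401 on the token endpoint (as for the second host in the sample) is just one failed refresh and is not flagged.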

cmintey (Contributor) commented Apr 13, 2024

This should be fixed by #3419. The fix is in nightly if you want to try it out; otherwise you can wait for the next release.

ArthurHuyghe commented Apr 14, 2024

I have the same issue, only with Authentik. First login works fine; after some time the redirection loop starts, and clearing the cookies fixes the problem for the next login, after which the redirection begins again.
Mealie logs:
ERROR: 14-Apr-24 13:04:27 Incorrect username or password from 10.0.0.195 over and over again.

I also use traefik, and the following is the section in the access log that gets repeated over and over again:

"GET /sw.js HTTP/2.0" 304 0 "-" "-" 71657 "mealie@docker" "http://172.18.0.4:9000" 3ms
10.0.0.195 - - [14/Apr/2024:13:07:35 +0200] "GET /application/o/mealie/.well-known/openid-configuration HTTP/2.0" 200 578 "-" "-" 71656 "authentik@docker" "https://172.18.0.9:9443" 705ms
10.0.0.195 - - [14/Apr/2024:13:07:36 +0200] "POST /api/auth/token HTTP/2.0" 401 25 "-" "-" 71658 "mealie@docker" "http://172.18.0.4:9000" 3ms
10.0.0.195 - - [14/Apr/2024:13:07:36 +0200] "GET /login?direct=1 HTTP/2.0" 307 0 "-" "-" 71659 "mealie@docker" "http://172.18.0.4:9000" 4ms
10.0.0.195 - - [14/Apr/2024:13:07:36 +0200] "GET /api/app/about/startup-info HTTP/2.0" 200 37 "-" "-" 71661 "mealie@docker" "http://172.18.0.4:9000" 5ms

I will test the PR but have not yet found the time to do so.

EDIT:
The nightly-build fixed the issue for me.

joshoram80 commented Apr 17, 2024

I'm having a similar issue with Authentik and Caddy. I can log in with OIDC and I can see all my current recipes, but the menu is empty and it still says Login in the top right corner. If I click Login and then Login with OIDC it just says something went wrong. I can't see anything obvious in the logs. I'm using the nightly image.

@joshoram80
If I access Mealie via mealie.my.domain with a DNS rewrite my.domain -> LAN IP, I can log in using the normal username/password and everything works, but as soon as I disable the rewrite and connect normally, I can auth via Authentik and still see all the recipes, but cannot use the menu, and I can see the login button. Strange behaviour. It's like I'm logged in enough to see recipes, but I'm not actually logged in completely.

@Shagon94 (Author)

Try in incognito. Also, this issue is different from the one above, as the fix mentioned in #3419 resolved the redirection issues.

Your description of the problem sounds like either an outdated cache or a misconfiguration.

In either case, it might be better to open a new issue for the problem you're facing.

damianon commented May 1, 2024

I'm on 1.5.1 and I'm seeing the same infinite redirect with incorrect user:

ERROR    2024-05-01T21:28:47 - Incorrect username or password from 172.18.0.1
INFO     2024-05-01T21:28:47 - [172.18.0.1:0] 401 Unauthorized "POST /api/auth/token HTTP/1.1"
INFO     2024-05-01T21:28:47 - [172.18.0.1:0] 304 Not Modified "GET /sw.js HTTP/1.1"

Since this PR was merged almost a month ago, I had assumed that it would already be in the release from 14 days ago. Is that not the case? Or will it be released with the next version?

FWIW: I have not set the variables OIDC_USER_GROUP and OIDC_ADMIN_GROUP.

ToxicMushroom commented Jun 21, 2024

This still persists on v1.9.0 with Kanidm for me. Can this be reopened?

mealie  | INFO     2024-06-21T23:04:58 - [172.71.182.125:0] 307 Temporary Redirect "GET /login?state=6wd5Hx6cmb&code=longcode HTTP/1.1"
mealie  | INFO     2024-06-21T23:04:58 - [172.71.182.125:0] 200 OK "GET /login/?state=6wd5Hx6cmb&code=longcode HTTP/1.1"
mealie  | ERROR    2024-06-21T23:04:58 - Incorrect username or password from 172.71.182.125
mealie  | ERROR    2024-06-21T23:04:58 - Incorrect username or password from 172.71.182.125
mealie  | INFO     2024-06-21T23:04:58 - [172.71.182.125:0] 401 Unauthorized "POST /api/auth/token HTTP/1.1"
mealie  | ERROR    2024-06-21T23:04:59 - Incorrect username or password from 172.71.182.125
mealie  | ERROR    2024-06-21T23:04:59 - Incorrect username or password from 172.71.182.125
mealie  | INFO     2024-06-21T23:04:59 - [172.71.182.125:0] 401 Unauthorized "POST /api/auth/token HTTP/1.1"
mealie  | INFO     2024-06-21T23:04:59 - [172.71.182.125:0] 307 Temporary Redirect "GET /login?direct=1 HTTP/1.1"
mealie  | INFO     2024-06-21T23:04:59 - [172.71.182.125:0] 200 OK "GET /api/app/about HTTP/1.1"
    "OIDC_AUTH_ENABLED": true,
    "OIDC_CLIENT_ID": "mealie",
    "OIDC_CONFIGURATION_URL": "https://idm.melijn.com/oauth2/openid/mealie/.well-known/openid-configuration",
    "OIDC_SIGNUP_ENABLED": true,
    "OIDC_USER_GROUP": "mealie_users@idm.melijn.com",
    "OIDC_ADMIN_GROUP": "mealie_admins@idm.melijn.com",
    "OIDC_AUTO_REDIRECT": false,
    "OIDC_PROVIDER_NAME": "Kanidm",
    "OIDC_REMEMBER_ME": false,
    "OIDC_SIGNING_ALGORITHM": "ES256",
    "OIDC_USER_CLAIM": "preferred_username",
    "OIDC_GROUPS_CLAIM": "groups",
    "OIDC_TLS_CACERTFILE": null,
