[BUG] - Redirection loop with Authelia #3463
Comments
Seems similar to #3461, but in my case I have nginx instead of traefik. @DennisGaida would you say this is the same issue?
Clearing the cookies in the browser allows the user to log in again, however after some time, even though the authelia login is still valid (as other services work without issues) - mealie just does the redirect loop.
No, not the same issue at all - check your log, it says wrong username and password. What helped in my case was checking the Authelia logs as well (debug level).
I've restarted authelia and added all the settings mentioned in the authelia docs, seems that they were updated today, I've also restarted mealie. I'll update in a few days if the same redirect issue keeps happening.
The same issue keeps happening, redirection loop.

nginx-proxy-manager logs:

```
[13/Apr/2024:22:13:13 +0200] - 401 401 - POST https food.okej.dev "/api/auth/token" [Client 192.168.0.5] [Length 25] [Gzip -] [Sent-to mealie] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0" "https://food.okej.dev/login/?direct=1"
[13/Apr/2024:22:13:13 +0200] - 307 307 - GET https food.okej.dev "/login?direct=1" [Client 192.168.0.5] [Length 0] [Gzip -] [Sent-to mealie] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0" "https://food.okej.dev/login/?direct=1"
```

So it seems that when the token expires it tries to refresh it by going to (mealie domain )

mealie logs:
I think this might be a bug with mealie, or a misconfiguration (unsure). The updated authelia config where this is reproducible (I'll update the first post as well):

```yaml
identity_providers:
  oidc:
    jwks:
      - key: {{ secret "/config/keys/private.pem" | mindent 10 "|" | msquote }}
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - userinfo
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - https://food.okej.dev
      allowed_origins_from_client_redirect_uris: true
    clients:
      - client_id: mealie
        client_name: mealie
        authorization_policy: one_factor
        redirect_uris:
          - https://food.okej.dev/login
        public: true
        require_pkce: true
        pkce_challenge_method: S256
        grant_types:
          - authorization_code
        scopes:
          - openid
          - profile
          - groups
          - email
        consent_mode: 'implicit'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'none'
```

To clarify - initial login works fine, only after some time does the authentication workflow break and does the redirect loop.
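The 401 on `POST /api/auth/token` followed by a 307 on `GET /login?direct=1` in the nginx-proxy-manager lines above is a pattern that can be flagged automatically when it repeats. This is an added example, not part of the original thread or of Mealie's code; the host, client addresses, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout of the nginx-proxy-manager access-log lines quoted above.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - \S+ (?P<status>\d{3}) - (?P<method>[A-Z]+) '
    r'\S+ (?P<host>\S+) "(?P<path>[^"]*)" \[Client (?P<client>[^\]]+)\]')

# Constructed sample (hypothetical host and clients): one client looping, one
# client with a single failed token request that is never followed by a redirect.
_T = '[13/Apr/2024:22:13:{s:02d} +0200] - {c} {c} - {m} https mealie.example.test "{p}" [Client {ip}] [Length 0]'
SAMPLE_LOG = [_T.format(s=s, c=c, m=m, p=p, ip="192.0.2.5")
              for s in (13, 14, 15)
              for c, m, p in ((401, "POST", "/api/auth/token"), (307, "GET", "/login?direct=1"))]
SAMPLE_LOG.append(_T.format(s=16, c=401, m="POST", p="/api/auth/token", ip="192.0.2.9"))
SAMPLE_LOG.append(_T.format(s=17, c=200, m="GET", p="/", ip="192.0.2.9"))

def parse(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/")  # drop query string
    return rec

def find_login_loops(lines, min_cycles=3, window=timedelta(seconds=30)):
    """Map (client, host) -> number of 401-token -> 307-login cycles seen
    inside `window`, for every pair that reaches `min_cycles`."""
    awaiting_redirect = set()    # pairs whose last token POST got a 401
    cycles = defaultdict(list)   # pair -> timestamps of completed cycles
    for rec in filter(None, map(parse, lines)):
        key, req = (rec["client"], rec["host"]), (rec["method"], rec["path"], rec["status"])
        if req == ("POST", "/api/auth/token", "401"):
            awaiting_redirect.add(key)
        elif req == ("GET", "/login", "307") and key in awaiting_redirect:
            awaiting_redirect.discard(key)
            cycles[key].append(rec["ts"])
    loops = {}
    for key, stamps in cycles.items():
        start = best = 0
        for end, ts in enumerate(stamps):   # sliding window over cycle times
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_cycles:
            loops[key] = best
    return loops
```

A single 401 on the token endpoint (for example a wrong password) is not reported; only the repeated 401-then-307 pair from the same client and host is.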
This should be fixed by #3419. This fix is in
I have the same issue only with Authentik. First login works fine, after some time the redirection loop starts and clearing the cookies fixes the problem for the next login, after which the redirection begins again. I also use traefik and the following is the section in the access log that gets repeated over and over again:
I will test the PR request but have not yet found the time to do so. EDIT:
I'm having a similar issue with Authentik and Caddy. I can login with OIDC and I can see all my current recipes, but the menu is empty and it still says Login in the top right corner. If I click login and then Login with OIDC it just says something went wrong. I can't see anything obvious in the logs. I'm using the nightly image.
If I access mealie via mealie.my.domain with a DNS rewrite my.domain -> LAN IP, I can login using the normal username/password, and everything works, but as soon as I disable the rewrite and connect normally, I can Auth via Authentik and see all the recipes still, but cannot use the menu, and I can see the login button. Strange behaviour. It's like I'm logged in enough to see recipes, but I'm not actually logged in completely.
Try in incognito - also - this issue is different than the one above as the fix mentioned in #3419 resolved the redirection issues. Your description of the problem sounds like either outdated cache or a misconfiguration. In either case - might be better to open a new issue for the problem you're facing
I'm on 1.5.1 and I'm seeing the same infinite redirect with incorrect user:
Since this PR was merged almost a month ago I had assumed that it would be in the release from 14 days ago already. Is that not the case? Or will it be released with the next version? FWIW: I have not set the variables
This still persists on v1.9.0 with kanidm for me, can this be reopened?
First Check
What is the issue you are experiencing?
Using authelia oidc with mealie results in a redirection loop after some time.
Steps to Reproduce
ghcr.io/mealie-recipes/mealie:latest
Please provide relevant logs
Mealie Version
ghcr.io/mealie-recipes/mealie:latest
Deployment
Unraid
Additional Deployment Details
No response