Open ID Connect not working with Firezone due to client_secret field not properly recognized as hashed

[NeoXTof]

Version

v4.38.3

Deployment Method

Docker

Reverse Proxy

NGINX

Reverse Proxy Version

1.23.1 on Synology DSM 7.2.1-69057 Update 4

Description

Open ID Connect client secret not parsed properly

Reproduction

Configure a OIDC Client with a hashed client secret. When Authelia is starting, the is a warning message indicating the client_secret is in cleartext.

When trying to login from the client through Authelia, the login fail because "The provided client secret did not match the registered client secret."

When replacing the hashed secret in the config file by the unhased generated password, the warning message is still present but the login succeed

Expectations

The hashed secret shall be recognized as hashed and not clear text and the login shall succeed.

Configuration (Authelia)

---
theme: dark
default_2fa_method: totp
server:
  address: tcp://0.0.0.0:9091
log:
  level: debug
  file_path: "/var/log/authelia/authelia.log"
  keep_stdout: true
totp:
  disable: false
  issuer: authelia.mydomain.com
  algorithm: sha1
  digits: 6
  period: 30
  skew: 1
  secret_size: 32
webauthn:
  disable: false
  display_name: authelia.mydomain.com
  timeout: 60s
  attestation_conveyance_preference: indirect
  user_verification: preferred
authentication_backend:
  password_reset:
    disable: true
  refresh_interval: 5m
  ldap:
    address: ldap://lldap:3890
    implementation: custom
    timeout: 5s
    start_tls: false
    base_dn: dc=mydomain,dc=com
    user: uid=admin,ou=people,dc=mydomain,dc=com
    password: {{ secret "/secrets/AUTHENTICATION_BACKEND_LDAP_PASSWORD" }}
    additional_users_dn: ou=people
    users_filter: "(&({username_attribute}={input})(objectClass=person))"
    additional_groups_dn: ou=groups
    groups_filter: "(member={dn})"
    attributes:
      display_name: displayName
      distinguished_name: 'distinguishedName'
      username: 'uid'
      mail: 'mail'
      member_of: 'memberOf'
      group_name: 'cn'
password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
access_control:
  default_policy: deny
  rules:
    - domain: "mydomain.com"
      policy: two_factor
    - domain: "*.mydomain.com"
      policy: two_factor  
session:
  secret: {{ secret "/secrets/SESSION_SECRET" }}
  name: authelia_session
  same_site: lax
  expiration: 1h
  inactivity: 5m
  remember_me: 1M
  redis:
    host: redis
    port: 6379
  cookies:
    - domain: mydomain.com
      authelia_url: https://authelia.mydomain.com
      name: authelia_session
      same_site: lax
      expiration: 1h
      inactivity: 5m
      remember_me: 1M
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m
storage:
  encryption_key: {{ secret "/secrets/STORAGE_ENCRYPTION_KEY" }}
  local:
    path: /config/db.sqlite3
notifier:
  disable_startup_check: false
  smtp: 
    address: smtp.gmail.com:587
    username: xxxxx.yyyyy@gmail.com
    password: {{ secret "/secrets/NOTIFIER_SMTP_PASSWORD" }}
    sender: xxxxx.yyyyy@gmail.com
identity_validation:
  reset_password:
    jwt_lifespan: '5 minutes'
    jwt_algorithm: 'HS256'
    jwt_secret: {{ secret "/secrets/JWT_SECRET" }}
identity_providers:
  oidc:
    hmac_secret: {{ secret "/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}
    jwks:
      - key_id: 'authelia'
        algorithm: 'RS256'
        use: 'sig'
        key: {{ secret "/secrets/IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY" | mindent 10 "|" | msquote }}
    lifespans: 
       access_token: 2d
       refresh_token: 3d
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
        - userinfo
    clients:
      - client_id: xxxxxxxxxxxxxxxxxxxxQW69Lc
        client_name: Firezone
        client_secret: '$pbkdf2-sha512$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxx/xxxxxx.xxxxxxxxx'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: '1M'
        require_pkce: true
        pkce_challenge_method: S256
        redirect_uris:
          - https://firezone.mydomain.com:4443/auth/oidc/authelia/callback/
        scopes:
          - openid
          - profile
          - groups
          - email
        userinfo_signed_response_alg: none
        response_types:
          - 'code'
        response_modes:
          - 'form_post'
          - 'query'
          - 'fragment'
        token_endpoint_auth_method: 'client_secret_post'
      - client_id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxV0Ark
        client_name: Upsnap
        client_secret: '$pbkdf2-sha512$xxxxxxxxxx.xxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxx'
        public: false
        authorization_policy: two_factor
        require_pkce: true
        pkce_challenge_method: S256
        redirect_uris:
          - https://upsnap.mydomain.com:4443/api/oauth2-redirect
        scopes:
          - openid
          - profile
          - email
        userinfo_signed_response_alg: none
...

Build Information

Last Tag: v4.38.3
State: tagged clean
Branch: v4.38.3
Commit: c017108ed51582c748bca16aae12fcba186dbf4e
Build Number: 27755
Build OS: linux
Build Arch: amd64
Build Compiler: gc
Build Date: Sun, 17 Mar 2024 21:04:10 +1100
Extra: 

Go: 
    Version: go1.22.1
    Module Path: github.com/authelia/authelia/v4
    Executable Path: github.com/authelia/authelia/v4/cmd/authelia
    Settings:
        -buildmode: pie
        -compiler: gc
        -trimpath: true
        DefaultGODEBUG: httplaxcontentlength=1,httpmuxgo121=1,tls10server=1,tlsrsakex=1,tlsunsafeekm=1
        CGO_ENABLED: 1
        GOARCH: amd64
        GOOS: linux
        GOAMD64: v1
        vcs: git
        vcs.revision: c017108ed51582c748bca16aae12fcba186dbf4e
        vcs.time: 2024-03-17T09:53:43Z
        vcs.modified: true
    Dependencies:
        authelia.com/provider/oauth2@v0.1.2 (h1:nC8uV7vDh5qbyz56Jts7kxcHfx3jRdKKG+kyGugsLmU=)
        filippo.io/edwards25519@v1.1.0 (h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=)
        github.com/Azure/go-ntlmssp@v0.0.0-20221128193559-754e69321358 (h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=)
        github.com/Gurpartap/logrus-stack@v0.0.0-20170710170904-89c00d8a28f4 (h1:vdT7QwBhJJEVNFMBNhRSFDRCB6O16T28VhvqRgqFyn8=)
        github.com/andybalholm/brotli@v1.1.0 (h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=)
        github.com/asaskevich/govalidator@v0.0.0-20230301143203-a9d515a09cc2 (h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=)
        github.com/authelia/jsonschema@v0.1.7 (h1:RbtTeTG7GiWIrx2A+3O+b33jr/mLlSmqGYyk1w5gLNA=)
        github.com/authelia/otp@v1.0.0 (h1:X6YeBMb16CkW8fFpLBQc0ams+Ed0zw1R/5pfih/1vLU=)
        github.com/beorn7/perks@v1.0.1 (h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=)
        github.com/boombuler/barcode@v1.0.1 (h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=)
        github.com/cespare/xxhash/v2@v2.2.0 (h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=)
        github.com/davecgh/go-spew@v1.1.1 (h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=)
        github.com/dgraph-io/ristretto@v0.1.1 (h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8=)
        github.com/dgryski/go-rendezvous@v0.0.0-20200823014737-9f7001d12a5f (h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=)
        github.com/dlclark/regexp2@v1.4.0 (h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E=)
        github.com/duosecurity/duo_api_golang@v0.0.0-20240205144049-bb361ad4ae1c (h1:xFrCg835Y/ig7iWQqyVmGFG5cd1OztnlN3rF64ltEpY=)
        github.com/dustin/go-humanize@v1.0.1 (h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=)
        github.com/facebookgo/stack@v0.0.0-20160209184415-751773369052 (h1:JWuenKqqX8nojtoVVWjGfOF9635RETekkoH6Cc9SX0A=)
        github.com/fasthttp/router@v1.5.0 (h1:3Qbbo27HAPzwbpRzgiV5V9+2faPkPt3eNuRaDV6LYDA=)
        github.com/fasthttp/session/v2@v2.5.4 (h1:SeblRaKHYQoVBjJIF1KlZD0F8QX1poA80h/KaLhNo8I=)
        github.com/fsnotify/fsnotify@v1.7.0 (h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=)
        github.com/fxamacker/cbor/v2@v2.6.0 (h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=)
        github.com/go-asn1-ber/asn1-ber@v1.5.5 (h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=)
        github.com/go-crypt/crypt@v0.2.19 (h1:9VFKbVCuWH4cQDbjUA6fGiaHx+w0CXI19rHQGTZqESE=)
        github.com/go-crypt/x@v0.2.13 (h1:YUgKO62hIcPz11ViwHZx89g/OJhOis9+kK13ZunWpS0=)
        github.com/go-jose/go-jose/v4@v4.0.1 (h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=)
        github.com/go-ldap/ldap/v3@v3.4.6 (h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=)
        github.com/go-sql-driver/mysql@v1.8.0 (h1:UtktXaU2Nb64z/pLiGIxY4431SJ4/dR5cjMmlVHgnT4=)
        github.com/go-viper/mapstructure/v2@v2.0.0-alpha.1 (h1:TQcrn6Wq+sKGkpyPvppOz99zsMBaUOKXq6HSv655U1c=)
        github.com/go-webauthn/webauthn@v0.10.2 (h1:OG7B+DyuTytrEPFmTX503K77fqs3HDK/0Iv+z8UYbq4=)
        github.com/go-webauthn/x@v0.1.9 (h1:v1oeLmoaa+gPOaZqUdDentu6Rl7HkSSsmOT6gxEQHhE=)
        github.com/golang-jwt/jwt/v5@v5.2.1 (h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=)
        github.com/golang/glog@v1.2.0 (h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68=)
        github.com/golang/protobuf@v1.5.3 (h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=)
        github.com/google/go-tpm@v0.9.0 (h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=)
        github.com/google/uuid@v1.6.0 (h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=)
        github.com/hashicorp/go-cleanhttp@v0.5.2 (h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=)
        github.com/hashicorp/go-retryablehttp@v0.7.5 (h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=)
        github.com/iancoleman/orderedmap@v0.3.0 (h1:5cbR2grmZR/DiVt+VJopEhtVs9YGInGIxAoMJn+Ichc=)
        github.com/jackc/pgpassfile@v1.0.0 (h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=)
        github.com/jackc/pgservicefile@v0.0.0-20221227161230-091c0ba34f0a (h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=)
        github.com/jackc/pgx/v5@v5.5.5 (h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=)
        github.com/jackc/puddle/v2@v2.2.1 (h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=)
        github.com/jmoiron/sqlx@v1.3.5 (h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=)
        github.com/klauspost/compress@v1.17.6 (h1:60eq2E/jlfwQXtvZEeBUYADs+BwKBWURIY+Gj2eRGjI=)
        github.com/knadh/koanf/maps@v0.1.1 (h1:G5TjmUh2D7G2YWf5SQQqSiHRJEjaicvU0KpypqB3NIs=)
        github.com/knadh/koanf/parsers/yaml@v0.1.0 (h1:ZZ8/iGfRLvKSaMEECEBPM1HQslrZADk8fP1XFUxVI5w=)
        github.com/knadh/koanf/providers/confmap@v0.1.0 (h1:gOkxhHkemwG4LezxxN8DMOFopOPghxRVp7JbIvdvqzU=)
        github.com/knadh/koanf/providers/env@v0.1.0 (h1:LqKteXqfOWyx5Ab9VfGHmjY9BvRXi+clwyZozgVRiKg=)
        github.com/knadh/koanf/providers/posflag@v0.1.0 (h1:mKJlLrKPcAP7Ootf4pBZWJ6J+4wHYujwipe7Ie3qW6U=)
        github.com/knadh/koanf/v2@v2.1.0 (h1:eh4QmHHBuU8BybfIJ8mB8K8gsGCD/AUQTdwGq/GzId8=)
        github.com/mattn/go-sqlite3@v1.14.22 (h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=)
        github.com/mitchellh/copystructure@v1.2.0 (h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=)
        github.com/mitchellh/mapstructure@v1.5.0 (h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=)
        github.com/mitchellh/reflectwalk@v1.0.2 (h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=)
        github.com/mohae/deepcopy@v0.0.0-20170929034955-c48cc78d4826 (h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw=)
        github.com/ory/herodot@v0.10.3-0.20230807143059-27cd6936499b (h1:AEUyF55UrqTuhJh72I9azACdJrRrDBBjK/XWgVxuQvY=)
        github.com/ory/x@v0.0.616 (h1:iaojp7MvFW1cdirSZFK/XeuJvyhUEVXQdY61bmIOkzk=)
        github.com/philhofer/fwd@v1.1.2 (h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=)
        github.com/pkg/errors@v0.9.1 (h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=)
        github.com/pmezard/go-difflib@v1.0.0 (h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=)
        github.com/prometheus/client_golang@v1.19.0 (h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=)
        github.com/prometheus/client_model@v0.5.0 (h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=)
        github.com/prometheus/common@v0.48.0 (h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=)
        github.com/prometheus/procfs@v0.12.0 (h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=)
        github.com/redis/go-redis/v9@v9.5.1 (h1:H1X4D3yHPaYrkL5X06Wh6xNVM/pX0Ft4RV0vMGvLBh8=)
        github.com/savsgio/gotils@v0.0.0-20240303185622-093b76447511 (h1:KanIMPX0QdEdB4R3CiimCAbxFrhB3j7h0/OvpYGVQa8=)
        github.com/sirupsen/logrus@v1.9.3 (h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=)
        github.com/spf13/cobra@v1.8.0 (h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=)
        github.com/spf13/pflag@v1.0.5 (h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=)
        github.com/stretchr/testify@v1.9.0 (h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=)
        github.com/tinylib/msgp@v1.1.9 (h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=)
        github.com/trustelem/zxcvbn@v1.0.1 (h1:mp4JFtzdDYGj9WYSD3KQSkwwUumWNFzXaAjckaTYpsc=)
        github.com/valyala/bytebufferpool@v1.0.0 (h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=)
        github.com/valyala/fasthttp@v1.52.0 (h1:wqBQpxH71XW0e2g+Og4dzQM8pk34aFYlA1Ga8db7gU0=)
        github.com/wneessen/go-mail@v0.4.1 (h1:m2rSg/sc8FZQCdtrV5M8ymHYOFrC6KJAQAIcgrXvqoo=)
        github.com/x448/float16@v0.8.4 (h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=)
        golang.org/x/crypto@v0.21.0 (h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=)
        golang.org/x/net@v0.22.0 (h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=)
        golang.org/x/oauth2@v0.18.0 (h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=)
        golang.org/x/sync@v0.6.0 (h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=)
        golang.org/x/sys@v0.18.0 (h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=)
        golang.org/x/term@v0.18.0 (h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=)
        golang.org/x/text@v0.14.0 (h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=)
        google.golang.org/genproto/googleapis/rpc@v0.0.0-20231106174013-bbf56f31fb17 (h1:Jyp0Hsi0bmHXG6k9eATXoYtjd6e2UzZ1SCn/wIupY14=)
        google.golang.org/grpc@v1.59.0 (h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=)
        google.golang.org/protobuf@v1.33.0 (h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=)
        gopkg.in/yaml.v3@v3.0.1 (h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=)

Logs (Authelia)

time="2024-03-18T09:38:36+01:00" level=debug msg="Process user information" gid=0 gids="1,2,3,4,6,10,11,20,26,27" name=root uid=0 username=root
time="2024-03-18T09:38:36+01:00" level=warning msg="Configuration: identity_providers: oidc: clients: client 'xxxxxxxxxxxxxxxxxxxxQW69Lc': option 'client_secret' is plaintext but for clients not using the 'token_endpoint_auth_method' of 'client_secret_jwt' it should be a hashed value as plaintext values are deprecated with the exception of 'client_secret_jwt' and will be removed in the near future"
time="2024-03-18T09:38:36+01:00" level=warning msg="Configuration: identity_providers: oidc: clients: client 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxV0Ark': option 'client_secret' is plaintext but for clients not using the 'token_endpoint_auth_method' of 'client_secret_jwt' it should be a hashed value as plaintext values are deprecated with the exception of 'client_secret_jwt' and will be removed in the near future"
time="2024-03-18T09:38:36+01:00" level=info msg="Authelia v4.38.3 is starting"
time="2024-03-18T09:38:36+01:00" level=info msg="Log severity set to debug"
time="2024-03-18T09:38:36+01:00" level=debug msg="Registering client xxxxxxxxxxxxxxxxxxxxQW69Lc with policy two_factor (two_factor)"
time="2024-03-18T09:38:36+01:00" level=debug msg="Registering client xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxV0Ark with policy two_factor (two_factor)"
time="2024-03-18T09:38:36+01:00" level=info msg="Storage schema is being checked for updates"
time="2024-03-18T09:38:36+01:00" level=info msg="Storage schema is already up to date"
time="2024-03-18T09:38:37+01:00" level=debug msg="LDAP Supported OIDs. Control Types: none. Extensions: 1.3.6.1.4.1.4203.1.11.1"
time="2024-03-18T09:38:37+01:00" level=info msg="Listening for non-TLS connections on '[::]:9091' path '/'" server=main service=server
time="2024-03-18T09:38:37+01:00" level=debug msg="Create Server Service (metrics) skipped"
time="2024-03-18T09:38:37+01:00" level=info msg="Startup complete"
time="2024-03-18T09:39:24+01:00" level=debug msg="Authorization Request with id '0b9fc2bd-8a57-4633-bc3c-1bdba1ae215b' on client with id 'xxxxxxxxxxxxxxxxxxxxQW69Lc' is being processed" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2024-03-18T09:39:29+01:00" level=debug msg="Mark 1FA authentication attempt made by user 'neoxtof@neoxtof.ovh'" method=POST path=/api/firstfactor remote_ip=192.168.1.1
time="2024-03-18T09:39:29+01:00" level=debug msg="Successful 1FA authentication attempt made by user 'neoxtof@neoxtof.ovh'" method=POST path=/api/firstfactor remote_ip=192.168.1.1
time="2024-03-18T09:39:29+01:00" level=debug msg="Authorization Request with id 'bc107a78-dde3-415d-b74f-2e264e59f76f' on client with id 'xxxxxxxxxxxxxxxxxxxxQW69Lc' is being processed" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2024-03-18T09:39:29+01:00" level=debug msg="Authorization Request with id 'bc107a78-dde3-415d-b74f-2e264e59f76f' on client with id 'xxxxxxxxxxxxxxxxxxxxQW69Lc' using consent mode 'pre-configured' proceeding to generate a new consent session" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2024-03-18T09:39:29+01:00" level=debug msg="Authorization Request with id 'bc107a78-dde3-415d-b74f-2e264e59f76f' on client with id 'xxxxxxxxxxxxxxxxxxxxQW69Lc' using consent mode 'pre-configured' authentication level 'one_factor' is insufficient for client level 'two_factor'" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2024-03-18T09:39:29+01:00" level=debug msg="Authorization Request with id 'bc107a78-dde3-415d-b74f-2e264e59f76f' on client with id 'xxxxxxxxxxxxxxxxxxxxQW69Lc' using consent mode 'pre-configured' is being redirected to 'https://authelia.mydomain.com:4443/?workflow=openid_connect&workflow_id=277c3592-2f06-44b6-b554-23088c5dd3b1'" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2024-03-18T09:39:39+01:00" level=debug msg="Mark TOTP authentication attempt made by user 'neoxtof@neoxtof.ovh'" method=POST path=/api/secondfactor/totp remote_ip=192.168.1.1
time="2024-03-18T09:39:39+01:00" level=debug msg="Successful TOTP authentication attempt made by user 'neoxtof@neoxtof.ovh'" method=POST path=/api/secondfactor/totp remote_ip=192.168.1.1
time="2024-03-18T09:39:39+01:00" level=debug msg="Authorization Request with id 'cee520a8-59ea-4d70-bff2-05c793d2af77' on client with id 'xxxxxxxxxxxxxxxxxxxxQW69Lc' is being processed" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2024-03-18T09:39:39+01:00" level=debug msg="Authorization Request with id 'cee520a8-59ea-4d70-bff2-05c793d2af77' on client with id 'xxxxxxxxxxxxxxxxxxxxQW69Lc' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'xxxxxxxxxxxxxxxxxxxxQW69Lc' and subject '2749e01a-78da-4633-ace0-9cb56b761ac9' and scopes 'openid email profile'" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2024-03-18T09:39:39+01:00" level=debug msg="Authorization Request with id 'cee520a8-59ea-4d70-bff2-05c793d2af77' on client with id 'xxxxxxxxxxxxxxxxxxxxQW69Lc' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'xxxxxxxxxxxxxxxxxxxxQW69Lc' and subject '2749e01a-78da-4633-ace0-9cb56b761ac9' and scopes 'openid email profile' with id '1'" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2024-03-18T09:39:40+01:00" level=debug msg="Authorization Request with id 'cee520a8-59ea-4d70-bff2-05c793d2af77' on client with id 'xxxxxxxxxxxxxxxxxxxxQW69Lc' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=192.168.1.1
time="2024-03-18T09:39:40+01:00" level=error msg="Access Request failed with error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The provided client secret did not match the registered client secret." method=POST path=/api/oidc/token remote_ip=192.168.1.1 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:25                   OpenIDConnectTokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:114 handleRouter.NewHTTPToAutheliaHandlerAdaptor.func25\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            handleRouter.(*BridgeBuilder).Build.func16.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:82                           SecurityHeadersNoStore.func1\ngithub.com/valyala/fasthttp@v1.52.0/userdata.go:57                                           (*userData).Get\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             handleRouter.(*CORSPolicy).Middleware.func26\ngithub.com/fasthttp/router@v1.5.0/router.go:441                                              (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14                       handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38                            RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.52.0/server.go:2374                                           (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:224                                        (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:196                                        (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695                                                                     goexit"

Logs (Proxy / Application)

No response

Documentation

It was working properly with the same OIDC clients secret on Authelia 4.37.5

Pre-Submission Checklist

• I agree to follow the Code of Conduct

• This is a bug report and not a support request

• I have read the security policy and this bug report is not a security issue or security related issue

• I have either included the complete configuration file or I am sure it's unrelated to the configuration

• I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant

• I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide

• I have checked for related proxy or application logs and included them if available

• I have checked for related issues and checked the documentation

[glime-ai[bot]]

Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.

---

Based on the information provided and the logs, it seems like the issue you're encountering with Authelia version 4.38.3 is related to the handling of hashed client secrets for OpenID Connect (OIDC) clients. The warning messages in the logs indicate that Authelia is treating the hashed client secrets as plaintext, which is not expected behavior when the secrets are correctly hashed.

Given the detailed logs and configuration you've shared, it appears that the hashed secrets are correctly formatted using the $pbkdf2-sha512$ prefix, which should be recognized by Authelia as hashed values. However, the error message during the token request suggests that the comparison between the provided client secret and the registered (hashed) client secret fails, leading to the authentication failure.

This behavior might be a bug introduced in Authelia version 4.38.3, especially since you mentioned that it was working properly with the same OIDC client secrets on Authelia version 4.37.5. It's possible that there have been changes in the handling or validation of hashed client secrets between these versions.

To address this issue, I recommend the following steps:

1. Check for Known Issues: Review the Authelia GitHub repository, specifically the issues section, to see if this is a known problem with version 4.38.3. There might already be a discussion or a bug report related to this issue.

2. Update Configuration: Double-check the configuration of your OIDC clients in Authelia to ensure that the hashed secrets are correctly formatted and that there are no typos or formatting issues.

3. Seek Support or Report the Issue: If the problem persists and you cannot find any related issues in the Authelia GitHub repository, consider opening a new issue to report this behavior. Include the details you've provided here, along with the Authelia version, deployment method, and relevant logs. The Authelia team or the community might be able to provide further assistance or a workaround.

4. Consider Downgrading: If this issue is critical to your setup and you cannot find a timely solution, consider temporarily downgrading to Authelia version 4.37.5, which you mentioned was working correctly with your configuration.

Remember to keep your configurations and any sensitive information secure when sharing details on public platforms or GitHub issues.

This comment was generated by Glime.

[james-d-elliott]

Please provide replication conditions such as the config for the app itself showing the secret is plaintext and the associated hashed password in the authelia config. Every client I use works and all of them are hashed, same situation for all of our test suites which test OpenID Connect 1.0 apps that are correctly configured in this way.

See:

• Authelia Config: https://github.com/authelia/authelia/blob/master/internal/suites/OIDCTraefik/configuration.yml#L72-L86
• App Config: https://github.com/authelia/authelia/blob/master/internal/suites/example/compose/oidc-client/entrypoint.sh#L5

[NeoXTof]

Here is the authelia OIDC client config with the hashed password not sanitized

identity_providers:
oidc:
hmac_secret: {{ secret "/secrets/IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}
jwks:
- key_id: 'authelia'
algorithm: 'RS256'
use: 'sig'
key: {{ secret "/secrets/IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY" | mindent 10 "|" | msquote }}
lifespans:
access_token: 2d
refresh_token: 3d
cors:
endpoints:
- authorization
- token
- revocation
- introspection
- userinfo
clients:
- client_id: 7MHXk7EIOGMaXoHt3XjQYVRiSWcQijlpQAwOUNh6K1kZaZymv95WpxqmBzqQW69Lc
client_name: Firezone
client_secret: '$pbkdf2-sha512$310000$PZ8ORs5v/coGvTZD6I3cCw$e.3.F6GsSSZsbbpVbpHwY9miFjT87jKTUnvMEYkiOprkDi1vztFanG/paXHlVin0yUpAY4o/XqUlK9.WxX71Vg'
public: false
authorization_policy: two_factor
pre_configured_consent_duration: '1M'
require_pkce: true
pkce_challenge_method: S256
redirect_uris:
- https://firezone.mydomain.com:4443/auth/oidc/authelia/callback/
scopes:
- openid
- profile
- groups
- email
userinfo_signed_response_alg: none
response_types:
- 'code'
response_modes:
- 'form_post'
- 'query'
- 'fragment'
token_endpoint_auth_method: 'client_secret_post'

and here is the Firezone configuration

Config ID: authelia
Label: Authelia
Scope: openid email profile
Client ID: 7MHXk7EIOGMaXoHt3XjQYVRiSWcQijlpQAwOUNh6K1kZaZymv95WpxqmBzqQW69Lc
Client secret: JvejTu7UugSp-4etQk9_jlQFDORVgotRo2tYIBf9gEsjqDqLgr22tKKfVQTjDWpFxDrs1WLl
Discovery Document URI: https://authelia.mydomain.com:4443/.well-known/openid-configuration
Redirect URI: https://firezone.mydomain.com:4443/auth/oidc/authelia/callback/

[james-d-elliott]

I still can't replicate this with client_secret_post or client_secret_basic.

Test Client: client_secret_post

identity_providers:
  oidc:
    clients:
    - client_id: '7MHXk7EIOGMaXoHt3XjQYVRiSWcQijlpQAwOUNh6K1kZaZymv95WpxqmBzqQW69Lc'
      client_secret: '$pbkdf2-sha512$310000$PZ8ORs5v/coGvTZD6I3cCw$e.3.F6GsSSZsbbpVbpHwY9miFjT87jKTUnvMEYkiOprkDi1vztFanG/paXHlVin0yUpAY4o/XqUlK9.WxX71Vg'  # The digest of 'JvejTu7UugSp-4etQk9_jlQFDORVgotRo2tYIBf9gEsjqDqLgr22tKKfVQTjDWpFxDrs1WLl'.
      public: false
      audience:
        - 'https://whoami.example.dev'
        - 'https://whoamialt.example.dev'
      grant_types:
        - 'client_credentials'
      token_endpoint_auth_method: 'client_secret_post'

Test Code: client_secret_post

import requests
import urllib

client_id = urllib.parse.quote('7MHXk7EIOGMaXoHt3XjQYVRiSWcQijlpQAwOUNh6K1kZaZymv95WpxqmBzqQW69Lc')
client_secret = urllib.parse.quote('JvejTu7UugSp-4etQk9_jlQFDORVgotRo2tYIBf9gEsjqDqLgr22tKKfVQTjDWpFxDrs1WLl')

token_response = requests.post('https://auth.example.dev/api/oidc/token', data={'grant_type': 'client_credentials', 'client_id': client_id, 'client_secret': client_secret})

token = token_response.json()['access_token']

token

Test Client: client_secret_basic

identity_providers:
  oidc:
    clients:
    - client_id: '7MHXk7EIOGMaXoHt3XjQYVRiSWcQijlpQAwOUNh6K1kZaZymv95WpxqmBzqQW69Lc'
      client_secret: '$pbkdf2-sha512$310000$PZ8ORs5v/coGvTZD6I3cCw$e.3.F6GsSSZsbbpVbpHwY9miFjT87jKTUnvMEYkiOprkDi1vztFanG/paXHlVin0yUpAY4o/XqUlK9.WxX71Vg'  # The digest of 'JvejTu7UugSp-4etQk9_jlQFDORVgotRo2tYIBf9gEsjqDqLgr22tKKfVQTjDWpFxDrs1WLl'.
      public: false
      audience:
        - 'https://whoami.example.dev'
        - 'https://whoamialt.example.dev'
      grant_types:
        - 'client_credentials'
      token_endpoint_auth_method: 'client_secret_basic'

Test Code: client_secret_basic

import requests
import urllib

client_id = urllib.parse.quote('7MHXk7EIOGMaXoHt3XjQYVRiSWcQijlpQAwOUNh6K1kZaZymv95WpxqmBzqQW69Lc')
client_secret = urllib.parse.quote('JvejTu7UugSp-4etQk9_jlQFDORVgotRo2tYIBf9gEsjqDqLgr22tKKfVQTjDWpFxDrs1WLl')

token_response = requests.post('https://auth.example.dev/api/oidc/token', auth=(client_id, client_secret), data={'grant_type': 'client_credentials'})

token = token_response.json()['access_token']

token

[NeoXTof]

Strange. And for the warning message when Authelia is starting ? (hashed password recognized as plaintext)

I'll try restarting from scratch and generate a new password/hash pair

[james-d-elliott]

Are you using expand-env?

[NeoXTof]

Are you using expand-env?

yes. Disabling it solve the issue (no more warning at startup and login working fine)

[james-d-elliott]

You didn't quote every $ in the client secret (in fact you quoted none of them) per the known limitations docs: https://www.authelia.com/configuration/methods/files/#expand-environment-variable-filter

[james-d-elliott]

Easy. Closing and converting to a troubleshooting discussion as it's not a valid issue.

[NeoXTof]

thanks a lot, and sorry for this wrong issue

[james-d-elliott]

All good, thanks for reporting and glad we got it fixed.