Error using refresh_token because of missing audience although none is configured #6290

Closed
8 tasks done
StefanRichterHuber opened this issue Nov 17, 2023 · 3 comments
Labels
priority/4/normal: Normal priority items
status/needs-triage: Issues which have not expressly been classified by a team member yet
status/resolved: Issue is resolved either by user action or a fix
type/bug: Confirmed Bugs
Comments

@StefanRichterHuber
Version

v4.37.5

Deployment Method

Docker

Reverse Proxy

Traefik

Reverse Proxy Version

2.1.0

Description

I have a working Authelia instance with a custom web app using OIDC:

I can successfully authenticate using code workflow and validate the key. I also got the refresh_token.
But when trying to use the refresh token (POST request against https://authelia.example.com/api/oidc/token following the OIDC spec with grant_type = refresh_token, client_id, client_secret, refresh_token and scope), the request fails with status code 400.

The following is part of the log file:

time="2023-11-17T13:59:37+01:00" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Requested audience 'devplatform' has not been whitelisted by the OAuth 2.0 Client." method=POST path=/api/oidc/token remote_ip=93.104.110.43 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:27                   OpenIDConnectTokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35                           SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25                           SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16                           SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             (*CORSPolicy).Middleware.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414                                             (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154                                              (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338                                           (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224                                        (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196                                        (*workerPool).getCh.func1\nruntime/asm_arm64.s:1172

I have neither configured any audience nor do I send any with the request, but for some reason the client_id is mentioned here as a required audience.

Reproduction

Try to use a refresh token in an OIDC workflow without any audience configured.

Expectations

No response

Configuration (Authelia)

identity_providers:
  oidc:
    hmac_secret: *snip*
    issuer_certificate_chain: *snip*
    issuer_private_key: *snip*
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    enforce_pkce: public_clients_only
    clients:
    - id: devplatform
      description: Local dev env
      secret: *snip*
      public: false
      authorization_policy: one_factor
      redirect_uris:
        - http://localhost:8080/auth/callback
      grant_types:
        - refresh_token
        - authorization_code
        - client_credentials
      scopes:
        - openid
        - email
        - profile
        - groups
        - offline_access
      userinfo_signing_algorithm: none
      pre_configured_consent_duration: 1w

Build Information

Last Tag: v4.37.5
State: tagged clean
Branch: v4.37.5
Commit: 566a0d7fc71b450123ad33d350cd3890d311da82
Build Number: 17068
Build OS: linux
Build Arch: arm64
Build Date: Wed, 21 Dec 2022 19:54:54 +1100
Extra:

Logs (Authelia)

time="2023-11-17T13:57:02+01:00" level=info msg="Authelia v4.37.5 is starting"
time="2023-11-17T13:57:02+01:00" level=info msg="Log severity set to debug"
time="2023-11-17T13:57:02+01:00" level=debug msg="Registering client portainer with policy two_factor (two_factor)"
time="2023-11-17T13:57:02+01:00" level=debug msg="Registering client gitea with policy two_factor (two_factor)"
time="2023-11-17T13:57:02+01:00" level=debug msg="Registering client nodered with policy two_factor (two_factor)"
time="2023-11-17T13:57:02+01:00" level=debug msg="Registering client devplatform with policy one_factor (one_factor)"
time="2023-11-17T13:57:02+01:00" level=info msg="Storage schema is being checked for updates"
time="2023-11-17T13:57:02+01:00" level=info msg="Storage schema is already up to date"
time="2023-11-17T13:57:02+01:00" level=debug msg="notification provider: startup check skipped as it is disabled"
time="2023-11-17T13:57:02+01:00" level=warning msg="Could not connect to NTP server to validate the system time is properly synchronized: dial udp: address 0.de.pool.ntp.org: missing port in address"
time="2023-11-17T13:57:02+01:00" level=debug msg="Directory is being watched for changes to the file" directory=/config file=users_database.yml
time="2023-11-17T13:57:02+01:00" level=info msg="Initializing server for non-TLS connections on '[::]:9091' path '/'"
time="2023-11-17T13:57:30+01:00" level=debug msg="Authorization Request with id '5f82115d-3a9b-43ad-9615-692db9463bca' on client with id 'devplatform' is being processed" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:30+01:00" level=debug msg="Authorization Request with id '5f82115d-3a9b-43ad-9615-692db9463bca' on client with id 'devplatform' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:30+01:00" level=debug msg="Authorization Request with id '5f82115d-3a9b-43ad-9615-692db9463bca' on client with id 'devplatform' using consent mode 'pre-configured' unsuccessfully looked up pre-configured consent with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:30+01:00" level=debug msg="Authorization Request with id '5f82115d-3a9b-43ad-9615-692db9463bca' on client with id 'devplatform' using consent mode 'pre-configured' proceeding to generate a new consent session" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:30+01:00" level=debug msg="Authorization Request with id '5f82115d-3a9b-43ad-9615-692db9463bca' on client with id 'devplatform' using consent mode 'pre-configured' authentication level 'two_factor' is sufficient for client level 'one_factor'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:30+01:00" level=debug msg="Authorization Request with id '5f82115d-3a9b-43ad-9615-692db9463bca' on client with id 'devplatform' using consent mode 'pre-configured' is being redirected to 'https://authelia.xyreo3.de/consent?id=3884276e-a8bb-47fe-b79f-349d8b64905e'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:35+01:00" level=debug msg="Consent session with id '3884276e-a8bb-47fe-b79f-349d8b64905e' for user 'stefan': pre-configured and set to expire at 2023-11-24 13:57:35.639230426 +0100 CET m=+604833.760095532" method=POST path=/api/oidc/consent remote_ip=93.104.110.43
time="2023-11-17T13:57:35+01:00" level=debug msg="Authorization Request with id '9f2a0d38-afa0-413e-8261-c60cefcd27c7' on client with id 'devplatform' is being processed" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:35+01:00" level=debug msg="Authorization Request with id '9f2a0d38-afa0-413e-8261-c60cefcd27c7' on client with id 'devplatform' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:35+01:00" level=debug msg="Authorization Request with id '9f2a0d38-afa0-413e-8261-c60cefcd27c7' on client with id 'devplatform' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access' with id '1'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:35+01:00" level=debug msg="Authorization Request with id '9f2a0d38-afa0-413e-8261-c60cefcd27c7' on client with id 'devplatform' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:36+01:00" level=debug msg="Access Request with id '9f2a0d38-afa0-413e-8261-c60cefcd27c7' on client with id 'devplatform' is being processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:57:36+01:00" level=debug msg="Access Request with id '9f2a0d38-afa0-413e-8261-c60cefcd27c7' on client with id 'devplatform' has successfully been processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:57:42+01:00" level=debug msg="Authorization Request with id '09e963c3-030f-4b36-bff3-b378316397f0' on client with id 'devplatform' is being processed" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:42+01:00" level=debug msg="Authorization Request with id '09e963c3-030f-4b36-bff3-b378316397f0' on client with id 'devplatform' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:42+01:00" level=debug msg="Authorization Request with id '09e963c3-030f-4b36-bff3-b378316397f0' on client with id 'devplatform' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access' with id '1'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:42+01:00" level=debug msg="Authorization Request with id '09e963c3-030f-4b36-bff3-b378316397f0' on client with id 'devplatform' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:57:43+01:00" level=debug msg="Access Request with id '09e963c3-030f-4b36-bff3-b378316397f0' on client with id 'devplatform' is being processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:57:43+01:00" level=debug msg="Access Request with id '09e963c3-030f-4b36-bff3-b378316397f0' on client with id 'devplatform' has successfully been processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:57:47+01:00" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Requested audience 'devplatform' has not been whitelisted by the OAuth 2.0 Client." method=POST path=/api/oidc/token remote_ip=93.104.110.43 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:27                   OpenIDConnectTokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35                           SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25                           SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16                           SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             (*CORSPolicy).Middleware.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414                                             (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154                                              (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338                                           (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224                                        (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196                                        (*workerPool).getCh.func1\nruntime/asm_arm64.s:1172                                                                     goexit"
time="2023-11-17T13:58:26+01:00" level=debug msg="Authorization Request with id 'f01fb16d-ed47-409f-8e00-f14e63826a4e' on client with id 'devplatform' is being processed" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:58:26+01:00" level=debug msg="Authorization Request with id 'f01fb16d-ed47-409f-8e00-f14e63826a4e' on client with id 'devplatform' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:58:26+01:00" level=debug msg="Authorization Request with id 'f01fb16d-ed47-409f-8e00-f14e63826a4e' on client with id 'devplatform' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access' with id '1'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:58:26+01:00" level=debug msg="Authorization Request with id 'f01fb16d-ed47-409f-8e00-f14e63826a4e' on client with id 'devplatform' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:58:26+01:00" level=debug msg="Access Request with id 'f01fb16d-ed47-409f-8e00-f14e63826a4e' on client with id 'devplatform' is being processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:58:26+01:00" level=debug msg="Access Request with id 'f01fb16d-ed47-409f-8e00-f14e63826a4e' on client with id 'devplatform' has successfully been processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:58:38+01:00" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Requested audience 'devplatform' has not been whitelisted by the OAuth 2.0 Client." method=POST path=/api/oidc/token remote_ip=93.104.110.43 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:27                   OpenIDConnectTokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35                           SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25                           SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16                           SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             (*CORSPolicy).Middleware.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414                                             (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154                                              (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338                                           (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224                                        (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196                                        (*workerPool).getCh.func1\nruntime/asm_arm64.s:1172                                                                     goexit"
time="2023-11-17T13:58:38+01:00" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Requested audience 'devplatform' has not been whitelisted by the OAuth 2.0 Client." method=POST path=/api/oidc/token remote_ip=93.104.110.43 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:27                   OpenIDConnectTokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35                           SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25                           SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16                           SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             (*CORSPolicy).Middleware.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414                                             (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154                                              (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338                                           (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224                                        (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196                                        (*workerPool).getCh.func1\nruntime/asm_arm64.s:1172                                                                     goexit"
time="2023-11-17T13:58:51+01:00" level=debug msg="Authorization Request with id '6f1420cd-6e05-4820-aba0-fad47ce44789' on client with id 'devplatform' is being processed" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:58:51+01:00" level=debug msg="Authorization Request with id '6f1420cd-6e05-4820-aba0-fad47ce44789' on client with id 'devplatform' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:58:51+01:00" level=debug msg="Authorization Request with id '6f1420cd-6e05-4820-aba0-fad47ce44789' on client with id 'devplatform' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access' with id '1'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:58:51+01:00" level=debug msg="Authorization Request with id '6f1420cd-6e05-4820-aba0-fad47ce44789' on client with id 'devplatform' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:58:52+01:00" level=debug msg="Access Request with id '6f1420cd-6e05-4820-aba0-fad47ce44789' on client with id 'devplatform' is being processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:58:52+01:00" level=debug msg="Access Request with id '6f1420cd-6e05-4820-aba0-fad47ce44789' on client with id 'devplatform' has successfully been processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:59:04+01:00" level=debug msg="Authorization Request with id '8dbcd0cd-c0f7-40c8-8432-7bb8aa5430ad' on client with id 'devplatform' is being processed" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:04+01:00" level=debug msg="Authorization Request with id '8dbcd0cd-c0f7-40c8-8432-7bb8aa5430ad' on client with id 'devplatform' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:04+01:00" level=debug msg="Authorization Request with id '8dbcd0cd-c0f7-40c8-8432-7bb8aa5430ad' on client with id 'devplatform' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access' with id '1'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:04+01:00" level=debug msg="Authorization Request with id '8dbcd0cd-c0f7-40c8-8432-7bb8aa5430ad' on client with id 'devplatform' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:04+01:00" level=debug msg="Access Request with id '8dbcd0cd-c0f7-40c8-8432-7bb8aa5430ad' on client with id 'devplatform' is being processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:59:04+01:00" level=debug msg="Access Request with id '8dbcd0cd-c0f7-40c8-8432-7bb8aa5430ad' on client with id 'devplatform' has successfully been processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:59:10+01:00" level=debug msg="Authorization Request with id 'c217240b-eba5-4302-bbc6-361eec5f0a58' on client with id 'devplatform' is being processed" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:10+01:00" level=debug msg="Authorization Request with id 'c217240b-eba5-4302-bbc6-361eec5f0a58' on client with id 'devplatform' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:10+01:00" level=debug msg="Authorization Request with id 'c217240b-eba5-4302-bbc6-361eec5f0a58' on client with id 'devplatform' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access' with id '1'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:10+01:00" level=debug msg="Authorization Request with id 'c217240b-eba5-4302-bbc6-361eec5f0a58' on client with id 'devplatform' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:10+01:00" level=debug msg="Access Request with id 'c217240b-eba5-4302-bbc6-361eec5f0a58' on client with id 'devplatform' is being processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:59:10+01:00" level=debug msg="Access Request with id 'c217240b-eba5-4302-bbc6-361eec5f0a58' on client with id 'devplatform' has successfully been processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:59:18+01:00" level=debug msg="Authorization Request with id 'f01a4f33-5db1-4e62-bb00-c91378190d82' on client with id 'devplatform' is being processed" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:18+01:00" level=debug msg="Authorization Request with id 'f01a4f33-5db1-4e62-bb00-c91378190d82' on client with id 'devplatform' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:18+01:00" level=debug msg="Authorization Request with id 'f01a4f33-5db1-4e62-bb00-c91378190d82' on client with id 'devplatform' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'devplatform' and subject '885dcaa9-be97-4ccc-9582-43a9cb15e410' and scopes 'openid email profile groups offline_access' with id '1'" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:18+01:00" level=debug msg="Authorization Request with id 'f01a4f33-5db1-4e62-bb00-c91378190d82' on client with id 'devplatform' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=93.104.110.43
time="2023-11-17T13:59:19+01:00" level=debug msg="Access Request with id 'f01a4f33-5db1-4e62-bb00-c91378190d82' on client with id 'devplatform' is being processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:59:19+01:00" level=debug msg="Access Request with id 'f01a4f33-5db1-4e62-bb00-c91378190d82' on client with id 'devplatform' has successfully been processed" method=POST path=/api/oidc/token remote_ip=93.104.110.43
time="2023-11-17T13:59:37+01:00" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Requested audience 'devplatform' has not been whitelisted by the OAuth 2.0 Client." method=POST path=/api/oidc/token remote_ip=93.104.110.43 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:27                   OpenIDConnectTokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35                           SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25                           SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16                           SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             (*CORSPolicy).Middleware.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414                                             (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154                                              (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338                                           (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224                                        (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196                                        (*workerPool).getCh.func1\nruntime/asm_arm64.s:1172                                                                     goexit"
time="2023-11-17T13:59:37+01:00" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Requested audience 'devplatform' has not been whitelisted by the OAuth 2.0 Client." method=POST path=/api/oidc/token remote_ip=93.104.110.43 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:27                   OpenIDConnectTokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35                           SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25                           SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16                           SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             (*CORSPolicy).Middleware.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414                                             (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154                                              (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338                                           (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224                                        (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196                                        (*workerPool).getCh.func1\nruntime/asm_arm64.s:1172                                                                     goexit"

Logs (Proxy / Application)

No response

Documentation

No response

Pre-Submission Checklist

  • I agree to follow the Code of Conduct

  • This is a bug report and not a support request

  • I have read the security policy and this bug report is not a security issue or security related issue

  • I have either included the complete configuration file or I am sure it's unrelated to the configuration

  • I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant

  • I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide

  • I have checked for related proxy or application logs and included them if available

  • I have checked for related issues and checked the documentation
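For triage, the error line in the log excerpt above can be parsed as logfmt to pull out the rejected audience and the calling address. This is an added example, not part of the original issue or Authelia's code; the function names are illustrative and the sample lines are constructed (shortened message and stack, documentation address 192.0.2.10).

```python
import re
from collections import Counter

# One logfmt pair: key=value, value either bare or double-quoted with \-escapes.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
# Error text as it appears in the excerpt above; captures the rejected audience.
AUDIENCE = re.compile(r"Requested audience '([^']*)' has not been whitelisted")
ESCAPES = {"n": "\n", "t": "\t"}

def _unescape(value):
    """Undo \\" \\\\ \\n \\t inside a quoted logfmt value."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), value)

def parse_logfmt(line):
    """Return the key/value pairs of one logfmt line as a dict."""
    return {key: _unescape(quoted) or bare for key, quoted, bare in PAIR.findall(line)}

def audience_rejections(lines):
    """Yield (time, remote_ip, audience) for audience rejections at the token endpoint."""
    for line in lines:
        f = parse_logfmt(line)
        hit = AUDIENCE.search(f.get("msg", ""))
        if hit and f.get("level") == "error" and f.get("path") == "/api/oidc/token":
            yield f.get("time"), f.get("remote_ip"), hit.group(1)

def summarize(lines):
    """Count rejections per (remote_ip, audience); repeats point at a retrying client."""
    return Counter((ip, aud) for _, ip, aud in audience_rejections(lines))

# Constructed sample input modelled on the excerpt: message shortened, stack cut to
# two frames, 192.0.2.10 is a documentation address, the last two lines are invented.
REJECTED = (
    r'''time="2023-11-17T13:59:37+01:00" level=error msg="Access Request failed '''
    r'''with error: Requested audience 'devplatform' has not been whitelisted by '''
    r'''the OAuth 2.0 Client." method=POST path=/api/oidc/token remote_ip=192.0.2.10 '''
    r'''stack="handler_oidc_token.go:27 OpenIDConnectTokenPOST\nruntime/asm_arm64.s:1172 goexit"'''
)
SAMPLE = [REJECTED] * 3 + [
    'time="2023-11-17T14:00:02+01:00" level=info msg="constructed unrelated line" path=/constructed',
    'time="2023-11-17T14:00:05+01:00" level=error msg="constructed other error" path=/api/oidc/token',
]

if __name__ == "__main__":
    for (ip, aud), n in summarize(SAMPLE).items():
        print(f"{n} token requests from {ip} rejected for audience {aud!r}")
```
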

@StefanRichterHuber StefanRichterHuber added priority/4/normal Normal priority items status/needs-triage Issues which have not expressly been classified by a team member yet type/bug/unconfirmed Unconfirmed Bugs labels Nov 17, 2023
@StefanRichterHuber StefanRichterHuber changed the title Error using refresh_token Error using refresh_token because of missing audience although none is configured Nov 17, 2023
@james-d-elliott
Member

Back up your config and database and give v4.38.0-beta3 a try, I think I've fixed this already.

@StefanRichterHuber
Author

Using 4.38.0-beta3 the token refresh flow works flawlessly. Thank you for your help. When do you expect to have a full release on 4.38?

@james-d-elliott james-d-elliott added type/bug Confirmed Bugs status/resolved Issue is resolved either by user action or a fix and removed type/bug/unconfirmed Unconfirmed Bugs labels Nov 25, 2023
@james-d-elliott james-d-elliott added this to the v4.38.0 milestone Nov 25, 2023
@james-d-elliott
Member

james-d-elliott commented Nov 25, 2023

Fixed inadvertently with 9a28de5. I can't really give an ETA but see the relevant topics in Pre-Release Feedback and the 4.38: Release Information.
