Issues with Outline with newest version of Authelia #6884
Comments
Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it. Based on the error message you provided from Outline, it seems like the issue is related to the method Authelia is using for client authentication with the OpenID Connect token endpoint. The error indicates that the request was using the This issue appears to be a compatibility problem between the version of Authelia you upgraded to (4.38.1) and your Outline server. In version 4.38.0, this issue was not present, suggesting that a change in Authelia's handling of client authentication methods in the newer version might be causing this problem. To resolve this issue, you have a few options:
Unfortunately, without access to Authelia's source code changes between versions 4.38.0 and 4.38.1, it's challenging to pinpoint the exact cause or suggest a direct fix. However, the steps mentioned above should help in finding a resolution or workaround. This comment was generated by Glime. |
Per the release notes which link to the blog post you'll need to set the token_endpoint_auth_method for the client. This is a duplicate of #6860 |
Which value do I need to set for Outline? |
The one logged in the message as being used by the client |
So I just have to replace |
You need to set this value: https://www.authelia.com/configuration/identity-providers/openid-connect/clients/#token_endpoint_auth_method |
i.e.:
```yaml
identity_providers:
  oidc:
    clients:
      - client_id: outline
        token_endpoint_auth_method: 'client_secret_post'
```
|
From #6860 the promised key parts, what should be fixed in my opinion connected to the new default 'client_secret_basic'. Luckily it is just fixing misleading wording/text of the log message, not actual code: " time="2024-03-14T21:19:55+01:00" level=error msg="Access Request failed with error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). -> true no question
In short, this log message is a twisted catch of 22. If the new default is the basic token which you should not specify at all in the config and my [client]id:_ supports only the very same basic, why is there an error at all? And how has my client sent a post? Which is not supported by the OAuth 2.0 client anyway :D |
Sorry I don't understand, Please show a complete log message and the associated registered client. |
No problem. Very short version:
I did copy/paste the config and log here, but somehow they were not parsed correctly using code insert (Firefox - Linux); please see them in #6860 in their original form. Logically they are the same as the ones @Mag1cByt3s posted here in this issue. Config: The log line in question is the last line starting with `time="2024-03-14T15:47:08+01:00" level=debug msg="Authorization Request with id '0799233d-1ddb-468e-8de3-6ff887ea97ff' on client with id 'appname' is being processed" method=GET path=/api/oidc/authorization remote_ip=xx.xxx.xx.xxx stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:25 |
Yeah, there is a bug with the client, not Authelia.
Yep, without the registered client having a value the default method the authorization server should expect (see point 3) is
You'll have to be very clear about what's unclear about the log message and how you think it'll be fixed. Thus far I'm not understanding what's unclear about it.
See the documentation on the configuration, the blog post , and the Outline OpenID Connect 1.0 Integration Documentation. |
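The check discussed in this thread, sketched as an added example (not Authelia's code and not part of any comment above): an authorization server compares the authentication method a token request actually used against the client's registered `token_endpoint_auth_method`, falling back to `client_secret_basic` (the RFC 7591 default) when none is registered. The function names, the sample secret and the plaintext secret storage are assumptions made for illustration.

```python
import base64
import hmac
from urllib.parse import parse_qs, unquote_plus

DEFAULT_METHOD = "client_secret_basic"  # RFC 7591 default when none is registered

def method_used(headers, body):
    """Return (method, client_id, secret) as presented in a token request."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("basic "):
        if "client_secret" in form:
            return "multiple", form.get("client_id"), None  # RFC 6749 2.3 forbids this
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True).decode()
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return "invalid", None, None
        cid, sep, secret = decoded.partition(":")
        if not sep:
            return "invalid", None, None
        # RFC 6749 2.3.1: id and secret are form-urlencoded before base64
        return "client_secret_basic", unquote_plus(cid), unquote_plus(secret)
    if "client_secret" in form:
        return "client_secret_post", form.get("client_id"), form["client_secret"]
    return "none", form.get("client_id"), None

def check_client_auth(clients, headers, body):
    """Return (ok, reason) for a confidential client's token request."""
    used, cid, secret = method_used(headers, body)
    client = clients.get(cid)
    if client is None:
        return False, "unknown client"
    expected = client.get("token_endpoint_auth_method", DEFAULT_METHOD)
    if used != expected:
        return False, f"client used {used} but is registered for {expected}"
    if secret is None or not hmac.compare_digest(secret.encode(), client["client_secret"].encode()):
        return False, "wrong client secret"
    return True, "ok"

# Constructed sample data; the plaintext secret only keeps the example short.
SECRET = "constructed-secret"
POST_BODY = f"grant_type=authorization_code&code=abc&client_id=outline&client_secret={SECRET}"
BASIC_HDR = {"Authorization": "Basic " + base64.b64encode(f"outline:{SECRET}".encode()).decode()}
UNSET = {"outline": {"client_secret": SECRET}}
AS_POST = {"outline": {"client_secret": SECRET, "token_endpoint_auth_method": "client_secret_post"}}

if __name__ == "__main__":
    print(check_client_auth(UNSET, {}, POST_BODY))    # rejected: method mismatch
    print(check_client_auth(AS_POST, {}, POST_BODY))  # accepted
```
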
Okay we are getting there. Your points show the contractions of the message parts:
Let me put here the modified log message parts, which would be good in my opinion:
Please note I've replaced |
I'm sorry but OpenID Connect 1.0 is in beta, and there may be the occasional change like this; this has effectively been the only one to date. We included the important change in the release notes. We are nearing the end of the beta but we reasonably have to be able to comply with the spec where possible; if we have to introduce another major version every time we find an issue with our spec compliance that's going to become rather annoying. After it's stable we can introduce stability guarantees.
Per the spec if the client is NOT registered with a method it supports
Do not understand this I'm sorry.
This is already the case in the latest version. It came originally from the upstream library which I've already fixed. |
I got you, hard to keep up everywhere. I'm happy to contribute, anywhere I'm capable. This time I failed to find the source lines related to the log message. Based on your answer it is - at least in part - in an upstream library. Please point me in a direction. I'm late in the game, started to use Authelia 10 days ago, put together a working one with RBAC a week or so (I hate YAML configs that's for sure :) ) Changing the error message like my example can improve the invested time related to the new default around Thank you for all the good code |
This is semantics I believe. Would users have read and understood it if it was noted as a breaking change if they didn't bother to read it to begin with? I can try it in the future, pretty sure there will still be complaints. The first line of the release notes reads: It's important users check the Release Notes on the Blog as there are potential necessary changes with experimental/beta features.
I'm not satisfied the wording is better or that you're looking at the most recent wording, that's probably the first place to start. I think that since this is a wording issue then it quite clearly belongs in a discussion, as it's not really a bug. I have hard forked the library however to solve this and various other issues. See here. |
No need for discussion at all Thank you! @Mag1cByt3s I think you can close this issue yourself if you like |
I've long closed it. |
I was clearly lagging behind, sorry. |
Version
v4.38.1
Deployment Method
Docker
Reverse Proxy
Caddy
Reverse Proxy Version
2.7.6
Description
I am getting weird errors when trying to authenticate with my Outline server (getoutline.com) since Authelia 4.38.1.
Version 4.38.0 works without issues so I downgraded it for now.
Here is the error from Outline:
Here the relevant config of Outline:
I am hoping that the info I provided is enough and that this issue will get fixed soon as Outline is one of the most important services for me that I am hosting.
Reproduction
Expectations
No error should occur while logging in
Configuration (Authelia)
Build Information
I don't have that info since I downgraded Authelia but I was using the latest tag which should be version 4.38.1. The digest I saw in Watchtower logs is 61543a0fb33d.
Logs (Authelia)
Logs (Proxy / Application)
Documentation
No response
Pre-Submission Checklist
I agree to follow the Code of Conduct
This is a bug report and not a support request
I have read the security policy and this bug report is not a security issue or security related issue
I have either included the complete configuration file or I am sure it's unrelated to the configuration
I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant
I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide
I have checked for related proxy or application logs and included them if available
I have checked for related issues and checked the documentation