
Synology SSO -- client secret error #7428

Closed · 8 tasks done

yieldhog opened this issue Jun 16, 2024 · 2 comments
Labels
status/not-reproducible Can't reproduce the issue type/invalid Issues/etc that are not valid or reported correctly type/question A question rather than a feature/bug

Comments

@yieldhog

Version

v4.38.9

Deployment Method

Docker

Reverse Proxy

SWAG

Reverse Proxy Version

2.11.0

Description

I have successfully deployed OIDC/SSO for all of my external-facing applications, which is awesome, but I am having errors with Synology DSM.

I have checked 3 times, and the client_secret is the same in my configuration as well as Synology DSM. I have followed the DSM integration steps. The Authelia logs indicate an issue where the client_secret does not match (I have checked and I know it does). Any help is appreciated, apologies in advance if this has been covered, I couldn't find the same issue.

Receiving the following bug--

Reproduction

Followed Synology DSM integration steps

Expectations

No response

Configuration (Authelia)

```yaml
identity_providers:
  oidc:
    hmac_secret: ":>)"
    jwks:
      - key: {{ secret "/config/secrets/oidc/jwks/private_authelia.pem" | mindent 10 "|" | msquote }}
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - userinfo
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - "https://syno.mydomain.com"
      allowed_origins_from_client_redirect_uris: false

    clients:
      - client_id: "synology-dsm"
        client_name: "Synology DSM"
        client_secret: "$pbkdf2-sha512$310000$5mGOdX4G98UJd9uhh/hHPg$PG0YHf/iMnqvTYXdRQvqzjCw4djACKw7DM9SMMOJMj842sQqcWI2NsrO6pkxxRCT1IcP40Sk8oZhEzQ0qhZXJw"
        public: false
        authorization_policy: "two_factor"
        redirect_uris:
          - "https://syno.mydomain.com"
        scopes:
          - "openid"
          - "email"
          - "profile"
          - "groups"
        userinfo_signed_response_alg: "none"
        token_endpoint_auth_method: 'client_secret_post'
```

Build Information

NA

Logs (Authelia)

```
time="2024-06-16T14:50:08Z" level=debug msg="Authorization Request with id '64132f00-b73f-431a-97fa-b54beb978448' on client with id 'synology-dsm' is being processed" method=GET path=/api/oidc/authorization remote_ip=174.29.84.XXX
time="2024-06-16T14:50:08Z" level=debug msg="Authorization Request with id '64132f00-b73f-431a-97fa-b54beb978448' on client with id 'synology-dsm' using consent mode 'explicit' proceeding to generate a new consent session" method=GET path=/api/oidc/authorization remote_ip=174.29.84.XXX
time="2024-06-16T14:50:09Z" level=debug msg="Authorization Request with id '64132f00-b73f-431a-97fa-b54beb978448' on client with id 'synology-dsm' using consent mode 'explicit' authentication level 'two_factor' is sufficient for client level 'two_factor'" method=GET path=/api/oidc/authorization remote_ip=174.29.84.XXX
time="2024-06-16T14:50:09Z" level=debug msg="Authorization Request with id '64132f00-b73f-431a-97fa-b54beb978448' on client with id 'synology-dsm' using consent mode 'explicit' is being redirected to 'https://auth.mydomain.com/consent?id=4a03504e-8acc-4c63-a6aa-6ff496731f9f'" method=GET path=/api/oidc/authorization remote_ip=174.29.84.XXX
time="2024-06-16T14:50:12Z" level=debug msg="Authorization Request with id '61c101d3-da11-4267-85f9-d4c92e9c09b1' on client with id 'synology-dsm' is being processed" method=GET path=/api/oidc/authorization remote_ip=174.29.84.XXX
time="2024-06-16T14:50:12Z" level=debug msg="Authorization Request with id '61c101d3-da11-4267-85f9-d4c92e9c09b1' on client with id 'synology-dsm' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=174.29.84.XXX
time="2024-06-16T14:50:16Z" level=error msg="Access Request failed with error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The provided client secret did not match the registered client secret." method=POST path=/api/oidc/token remote_ip=174.29.84.XXX stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_token.go:25 OpenIDConnectTokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:114 handleRouter.NewHTTPToAutheliaHandlerAdaptor.func25\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54 handleRouter.(*BridgeBuilder).Build.func16.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:91 SecurityHeadersNoStore.func1\ngithub.com/valyala/fasthttp@v1.54.0/userdata.go:57 (*userData).Get\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30 SecurityHeadersBase.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216 handleRouter.(*CORSPolicy).Middleware.func26\ngithub.com/fasthttp/router@v1.5.1/router.go:441 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/strip_path.go:23 handleRouter.StripPath.func41.1\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38 RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.54.0/server.go:2379 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.54.0/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.54.0/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695 goexit"
```

Logs (Proxy / Application)

No response

Documentation

No response

Pre-Submission Checklist

  • I agree to follow the Code of Conduct

  • This is a bug report and not a support request

  • I have read the security policy and this bug report is not a security issue or security related issue

  • I have either included the complete configuration file or I am sure it's unrelated to the configuration

  • I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant

  • I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide

  • I have checked for related proxy or application logs and included them if available

  • I have checked for related issues and checked the documentation

@yieldhog yieldhog added priority/4/normal Normal priority items status/needs-triage Issues which have not expressly been classified by a team member yet type/bug/unconfirmed Unconfirmed Bugs labels Jun 16, 2024
Copy link

glime-ai bot commented Jun 16, 2024

Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.


It seems like you're encountering an issue where the client secret for your Synology DSM integration with Authelia is not being recognized correctly. This issue has been reported by other users as well, and it appears to be related to how the client secret is being parsed or stored.

Here are a few steps you can take to troubleshoot and potentially resolve this issue:

  1. Verify Client Secret: Ensure that the client secret in your Synology DSM configuration exactly matches the one in your Authelia configuration. Even a small discrepancy can cause authentication to fail.

  2. Check for Cleartext Warning: If you see a warning about the client secret being in cleartext, it might indicate that Authelia is not recognizing the hashed secret correctly. You can refer to the Generating a Random Password Hash guide for instructions on generating and hashing the client secret properly.

  3. Update Authelia Configuration: Make sure your Authelia configuration is up-to-date and follows the latest guidelines. Sometimes, configuration formats or requirements change between versions.

  4. Review Logs: The logs you provided indicate that the client secret did not match. Double-check the logs for any additional clues or errors that might help diagnose the issue.

  5. Consult Documentation: Refer to the Authelia OpenID Connect documentation for any specific notes or updates related to Synology DSM integration.

  6. Community Support: If the issue persists, consider reaching out to the Authelia community or checking existing discussions and issues on their GitHub repository for similar problems and potential solutions.

If you have verified all the above and the issue still persists, it might be a bug or a specific edge case. In that case, providing detailed logs and configuration to the Authelia team via their GitHub issues page might help in getting a more targeted solution.

This comment was generated by Glime.

@yieldhog
Author

I figured it out; if anyone sees this: it wasn't obvious to me, but instead of using a hashed generated secret for Synology, use a shorter secret such as "mysecretpasswordis12345" etc.
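An added example (not from this issue or from Authelia's code base) showing the relationship the resolution above depends on: the `$pbkdf2-sha512$...` value in Authelia's `client_secret` field is a hash, and the value configured on the Synology side must be the plaintext that hash was derived from. Pasting the hash string itself into DSM produces exactly the "client secret did not match" error from the token-endpoint log. The salt/key encoding is assumed to be the passlib-style adapted base64 (standard alphabet with '.' for '+', no padding); the salt and the helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Algorithm identifier from the PHC-style string in the issue's config.
PBKDF2_ID = "pbkdf2-sha512"


def _ab64_decode(text: str) -> bytes:
    # Assumption: salt and key use the passlib "adapted base64" alphabet
    # (standard alphabet with '.' in place of '+') and carry no '=' padding.
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def _ab64_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")


def parse_pbkdf2_hash(stored: str) -> Tuple[int, bytes, bytes]:
    """Split '$pbkdf2-sha512$<iterations>$<salt>$<key>' into its three parts."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != PBKDF2_ID:
        raise ValueError("not a pbkdf2-sha512 hash string")
    return int(parts[2]), _ab64_decode(parts[3]), _ab64_decode(parts[4])


def generate_client_secret_hash(secret: str, iterations: int = 310000,
                                salt: Optional[bytes] = None) -> str:
    """Build the hashed form that belongs in Authelia's client_secret field.

    The plaintext `secret` is what the relying party (Synology DSM here) must
    be configured with; only the returned hash string goes into Authelia.
    """
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha512", secret.encode("utf-8"), salt, iterations, dklen=64)
    return f"${PBKDF2_ID}${iterations}${_ab64_encode(salt)}${_ab64_encode(key)}"


def verify_client_secret(presented: str, stored: str) -> bool:
    """Check the secret a client sent against the stored hash, comparing in constant time."""
    try:
        iterations, salt, key = parse_pbkdf2_hash(stored)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", presented.encode("utf-8"), salt, iterations, dklen=len(key))
    return hmac.compare_digest(candidate, key)
```

`verify_client_secret(h, h)` is the misconfiguration from the issue (hash pasted into the client) and returns False, while the plaintext the hash was generated from verifies.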

@james-d-elliott james-d-elliott added type/question A question rather than a feature/bug type/invalid Issues/etc that are not valid or reported correctly and removed priority/4/normal Normal priority items type/bug/unconfirmed Unconfirmed Bugs status/needs-triage Issues which have not expressly been classified by a team member yet labels Jun 16, 2024
@authelia authelia locked and limited conversation to collaborators Jun 16, 2024
@james-d-elliott james-d-elliott converted this issue into discussion #7429 Jun 16, 2024
@james-d-elliott james-d-elliott added the status/not-reproducible Can't reproduce the issue label Jun 16, 2024