Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

introspection_endpoint missing auth signing algorithm values #3126

Open
matrixbot opened this issue Sep 10, 2024 · 1 comment
Open

introspection_endpoint missing auth signing algorithm values #3126

matrixbot opened this issue Sep 10, 2024 · 1 comment

Comments

@matrixbot
Copy link
Collaborator

This issue was originally created by @rabidpug at matrix-org/matrix-authentication-service#3126.

Hi,

I have started getting the following error and am unable to authenticate. The provider is Authelia's OIDC.

ERROR http.server.request{otel.kind="server" otel.name="GET /upstream/authorize/:provider_id" network.protocol.name="http" network.protocol.version="1.1" http.request.method="GET" url.path="/upstream/authorize/xxxxxxxxxxxx" url.scheme="http" http.route="/upstream/authorize/:provider_id" user_agent.original="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"}:handlers.upstream_oauth2.authorize.get{upstream_oauth_provider.id=xxxxxxxxxxxxxxxxx}:metadata_cache.get{issuer=https://login.xxxxxx.xxx}:metadata_cache.fetch{issuer=https://login.xxxxxxx.xxx}: mas_handlers::upstream_oauth2::cache: crates/handlers/src/upstream_oauth2/cache.rs:195: error=introspection_endpoint missing auth signing algorithm values

Not sure if this is what it's referring to, but it appears signing alg RS256 is at least supported.

>  curl -fsSL https://login.xxxxxxxxx.xx/.well-known/openid-configuration | jq '. | with_entries(select(.key | startswith("introspection")))'
{
  "introspection_endpoint": "https://login.xxxxxxxx.xxx/api/oidc/introspection",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "introspection_signing_alg_values_supported": [
    "RS256",
    "none"
  ]
}

Let me know what other information you might need to understand the issue and I'll provide it.

Thanks!
@matrixbot
Copy link
Collaborator Author

This comment was originally posted by @sandhose at matrix-org/matrix-authentication-service#3126 (comment).

This is technically an issue on Authelia's OIDC metadata. The metadata is supposed to be called introspection_endpoint_auth_signing_alg_values_supported, not introspection_signing_alg_values_supported

I think you should be able to bypass this check by setting the provider discovery_mode to insecure, e.g.

upstream_oauth2:
  providers:
    - id: ...
      issuer: https://foo/
      discovery_mode: insecure

@matrixbot matrixbot mentioned this issue Sep 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@matrixbot