OpenID invalid_request #9538
-
@jrasm91 tagged per your request in [BUG] Failed to finish oauth #6400 discussion. Currently writing a guide to set up OpenID on Truecharts and would appreciate some help. The guide on Authelia's website seems to be outdated and doesn't include any information about the Signing Algorithm that seems to be required in Immich since 1.95.1. I tried leaving the field empty or set OPError: invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).)
I tried to set up RS256 but I'm always getting this error no matter what I'm trying:
[Nest] 8 - 05/16/2024, 12:34:34 PM ERROR [ImmichServer] [OPError: invalid_request (The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must include a 'code_challenge' when performing the authorize code flow, but it is missing.)
at Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:443:13)
at AuthService.getOAuthProfile (/usr/src/app/dist/services/auth.service.js:221:41)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async AuthService.callback (/usr/src/app/dist/services/auth.service.js:154:25)
at async OAuthController.finishOAuth (/usr/src/app/dist/controllers/oauth.controller.js:39:22)] OPError: invalid_request (The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must include a 'code_challenge' when performing the authorize code flow, but it is missing.)
Replies: 4 comments 8 replies
-
Can you share the configuration you are using in authelia for the immich provider?
-
Sure! As I said, I'm writing a guide for Truecharts which runs in TrueNAS Scale. All of the configuration must be passed through a GUI, but there's quite a lot of options in there. I tried a lot of configurations so I'll share here the one that was advised in Authelia's documentation. First I generated a secret in Authelia pod shell with this command and used the Digest string.
Then in Authelia app configuration I've set those values.
ID/Name* Description* Secret*
Authorization Policy Consent Mode Userinfo Signing Algorithm Audience Scopes redirect_uris grant_types response_types response_modes token_endpoint_auth_method Require PKCE (checkbox) PKCE Challange Method
Hope this helps and thank you for helping me out!
-
Hey! If you want, this is my actual Authelia configuration and I declare the immich config, immich-config.json, in the helm chart (app-template).
-
I think I might have made a mistake setting up the actual settings in Immich itself. I was wondering if I had to replace
Oh, I think you need to set the clear secret not the hashed one with argon generated as:
authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
The clear one for immich, the one starting with $argon2id for authelia.
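The two errors in this thread, modelled as an added example (not code from Authelia, Immich, or anyone in the discussion): a provider that requires PKCE rejects an authorization request without `code_challenge`, and a client that presents the stored digest instead of the clear secret fails client authentication. The function names, the iteration count and the digest encoding are assumptions made for the demo; the encoding is simplified and is not Authelia's exact digest format.

```python
import base64, hashlib, hmac, secrets

ITERATIONS = 100_000  # constructed value for the demo

def hash_secret(plain: str) -> str:
    """Digest the provider stores (simplified encoding, assumed for this demo)."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha512", plain.encode(), salt, ITERATIONS)
    return f"pbkdf2-sha512${ITERATIONS}${salt.hex()}${dk.hex()}"

def secret_matches(stored: str, presented: str) -> bool:
    """Provider side: re-derive from the presented secret and compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", presented.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(code_verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authorize(params: dict, require_pkce: bool) -> str:
    """Authorization endpoint check behind the 'code_challenge' error."""
    if require_pkce and not params.get("code_challenge"):
        return "invalid_request"
    return "ok"

def token(stored: str, presented_secret: str, challenge, verifier) -> str:
    """Token endpoint: client authentication first, then the PKCE verifier."""
    if not secret_matches(stored, presented_secret):
        return "invalid_client"
    if challenge is not None and s256_challenge(verifier or "") != challenge:
        return "invalid_grant"
    return "ok"

def demo() -> dict:
    plain = secrets.token_urlsafe(54)   # clear secret: configured in the client
    stored = hash_secret(plain)         # digest: configured in the provider
    verifier = secrets.token_urlsafe(48)
    challenge = s256_challenge(verifier)
    req = {"response_type": "code", "code_challenge": challenge,
           "code_challenge_method": "S256"}
    return {
        "no_pkce": authorize({"response_type": "code"}, require_pkce=True),
        "with_pkce": authorize(req, require_pkce=True),
        "digest_as_secret": token(stored, stored, challenge, verifier),
        "plain_secret": token(stored, plain, challenge, verifier),
    }

if __name__ == "__main__":
    print(demo())
```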