Description
Prerequisites
- I have searched for duplicate or closed issues
- I can recreate the issue with all plugins disabled
Describe the issue
I have configured Roundcube and Authelia to authenticate via OAuth.
When clicking the button to log in, I'm redirected to the Authelia server, so I authenticate and get the authorization code.
That code is then sent to the callback URL:
But that URL simply reloads the login form.
I have checked old issues like these ones...
- 1.6.1 breaks oauth/openid token request #8878
- Oauth (xoauth) redirect uri #8191
- Oauth login redirects to login page #9652
... and I've been checking the PATH_INFO value that should be sent from the reverse proxy (Nginx).
It wasn't being sent, but I have fixed the Nginx config so now it's sent. I confirmed it by adding some code in iniset.php:
```php
//################# ADDED ##########################
// Debug output only. PATH_INFO is request-controlled, so it is escaped before echoing.
if (!empty($_SERVER['PATH_INFO']))
{
    echo("PATH_INFO is not empty:<br>");
    echo("<b>".htmlspecialchars($_SERVER['PATH_INFO'], ENT_QUOTES, 'UTF-8')."</b><br><br>");
}
else
{
    echo("PATH_INFO is empty<br><br>");
}
// "?? ''" avoids an undefined-index warning when PATH_INFO is not set at all
if (!preg_match('!^/([a-z]+)/([a-z]+)$!', $_SERVER['PATH_INFO'] ?? '', $m))
{
    echo("Regex does not match");
}
//##################################################
// translate PATH_INFO to _task and _action GET parameters
if (!empty($_SERVER['PATH_INFO']) && preg_match('!^/([a-z]+)/([a-z]+)$!', $_SERVER['PATH_INFO'], $m)) {
    var_dump($m); // debug: show the captured task and action
    if (!isset($_GET['_task'])) {
        $_GET['_task'] = $m[1];
    }
    if (!isset($_GET['_action'])) {
        $_GET['_action'] = $m[2];
    }
}
```
But the regex to get the values of task and action does not match.
An example PATH_INFO value is:
/login/oauth?code=authelia_ac_L9KzngWKNxo-kOAZojD3tDDAe0IMoj9hZBSYbEhZA3A.AshxhxcyQ-cnxZPE7WDmXQDJVD5Bc4XS_BbnLjPyyO0&iss=https%3A%2F%2Fmyauthelia.mydomain.com&scope=email+profile+openid&state=J30MJuQGlckb
Is the problem related to this?
Or could it be anything else?
What browser(s) are you seeing the problem on?
Brave 1.75, Firefox 135.0.1
What version of PHP are you using?
v8.3.9
What version of Roundcube are you using?
Tested in 1.6.5 and 1.6.10
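
Added example (not part of the original issue and not Roundcube's own code): a small PHP diagnostic that runs the PATH_INFO pattern quoted above against a few values and reports why a value fails the anchored match. The function name `diagnose_path_info()` and the sample values are constructed for illustration; the `code` and `state` parameters are placeholders.

```php
<?php
// Added example. The pattern is the one quoted from iniset.php in the issue;
// diagnose_path_info() and the sample values below are constructed.
const RC_PATH_INFO_RE = '!^/([a-z]+)/([a-z]+)$!';

/**
 * Report whether a PATH_INFO value yields _task/_action and, if not, why.
 */
function diagnose_path_info(?string $pathInfo): array
{
    $out = ['match' => false, 'task' => null, 'action' => null, 'reasons' => []];

    if ($pathInfo === null || $pathInfo === '') {
        $out['reasons'][] = 'PATH_INFO is empty';
        return $out;
    }
    if (preg_match(RC_PATH_INFO_RE, $pathInfo, $m)) {
        return ['match' => true, 'task' => $m[1], 'action' => $m[2], 'reasons' => []];
    }

    // The pattern is anchored at both ends: anything other than exactly two
    // lowercase a-z segments makes the whole match fail.
    $path = explode('?', $pathInfo, 2)[0];
    if ($path !== $pathInfo) {
        $out['reasons'][] = 'query string is embedded in PATH_INFO';
    }
    if (preg_match(RC_PATH_INFO_RE, $path, $m)) {
        $out['reasons'][] = "path part alone would match: task={$m[1]}, action={$m[2]}";
    } else {
        $out['reasons'][] = "path part '{$path}' is not two lowercase a-z segments";
    }
    return $out;
}

// Constructed sample values; the code and state parameters are placeholders.
$samples = [
    '/login/oauth',
    '/login/oauth?code=EXAMPLE_CODE&state=EXAMPLE_STATE',
    '/login/oauth/',
    '',
];

foreach ($samples as $value) {
    $r = diagnose_path_info($value);
    printf("%-55s %s\n", var_export($value, true),
        $r['match'] ? "match: task={$r['task']}, action={$r['action']}"
                    : 'no match: ' . implode('; ', $r['reasons']));
}
```

Run it with the PHP command-line interpreter; it needs no web server or Roundcube installation.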