Preflight Checklist
Version
v3.45.1
Describe the problem caused by this bug
Original issue in Perses: perses/perses#3774
Authelia config:
access_control:
  default_policy: deny
  rules:
    - domain:
        - alerts.home.yawn.io
      policy: one_factor
    - domain:
        - filebrowser.home.yawn.io
      policy: one_factor
    - domain:
        - graf.home.yawn.io
      policy: one_factor
    - domain:
        - perses.home.yawn.io
      policy: bypass
    - domain:
        - prom.home.yawn.io
      policy: one_factor
authentication_backend:
  file:
    path: /run/derived-secrets/authelia_users.json
  password_reset:
    disable: true
default_2fa_method: ''
identity_providers:
  oidc:
    clients:
      - authorization_policy: one_factor
        client_id: 4guwUub8JViSDX~HIjtshmlnStejSe-tL5g.IqyqHm1CTJz2lVekSkCKiwczqxG645bucmFE
        client_name: Perses
        client_secret: '{{- fileContent "/run/agenix/authelia-perses-client-secret-hash"
          | trim }}'
        grant_types:
          - authorization_code
          - refresh_token
          - urn:ietf:params:oauth:grant-type:device_code
        redirect_uris:
          - https://perses.home.yawn.io/api/auth/providers/oidc/authelia/callback
        scopes:
          - openid
          - profile
          - email
          - offline_access
        token_endpoint_auth_method: client_secret_basic
log:
  file_path: null
  format: json
  keep_stdout: false
  level: debug
notifier:
  filesystem:
    filename: /var/lib/authelia-main/notification.txt
server:
  address: tcp://:9092/
session:
  cookies:
    - authelia_url: https://auth.home.yawn.io
      domain: home.yawn.io
      name: session
storage:
  local:
    path: /var/lib/authelia-main/db.sqlite3
telemetry:
  metrics:
    address: tcp://127.0.0.1:9959
    enabled: false
theme: light
Perses config:
{
  "security": {
    "authentication": {
      "providers": {
        "oidc": [
          {
            "client_id": "4guwUub8JViSDX~HIjtshmlnStejSe-tL5g.IqyqHm1CTJz2lVekSkCKiwczqxG645bucmFE",
            "client_secret_file": "/run/agenix/authelia-perses-client-secret",
            "issuer": "https://auth.home.yawn.io",
            "name": "Authelia",
            "redirect_uri": "https://perses.home.yawn.io/api/auth/providers/oidc/authelia/callback",
            "scopes": [
              "openid",
              "profile",
              "email"
            ],
            "slug_id": "authelia"
          }
        ]
      }
    },
    "cookie": {
      "secure": true
    },
    "enable_auth": true,
    "encryption_key_file": "/run/agenix/perses-encryption-key"
  }
}
With this setup, the browser-based auth works fine. But:
❯❯ percli login https://perses.home.yawn.io
Go to https://auth.home.yawn.io/consent/openid/device-authorization and enter this user code: VKNFSCSB
Waiting for user to authorize the application...
Error: something wrong happened with the request to the API. Error: oauth2: "invalid_request" "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client Authentication failed with more than one known authentication method included in the request which is not permitted."
I won't paste the logs since I'm not knowledgeable enough to redact the secrets correctly, but I'm pretty sure I confirmed in tcpdump that Authelia is telling the truth, i.e. Perses uses the Basic authorization header and also sets the client_secret in the POST body.
I think this is basically violating https://datatracker.ietf.org/doc/html/rfc6749#section-2.3, which says "The client MUST NOT use more than one authentication method in each request". However, I came to that conclusion based on talking to an LLM, not from any actual knowledge of this auth thing, so it could be nonsense.
I also got the AI to try fixing the issue; it generated this: bjackman@e5b8aa8
IMO the vibes are off there; it looks like the patch itself is slop. But I confirmed that it fixes my issue, and it does seem like the AI had the right basic idea in terms of correct behaviour for the protocol.
To reproduce
- Run Perses using this library
- Run Authelia with a config like the one I showed
- Use percli login to exercise the Device Auth flow
Screenshots
No response
Expected behavior
OIDC Device Auth flow would work
Additional Context
No response
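The protocol point in this report is that a token request may carry the client credentials in exactly one place: either an HTTP Basic Authorization header or client_id/client_secret form parameters, never both. The following Go program is an added example written for this page; it is not code from the issue, the oauth2 library, Perses or Authelia. It builds the device-code token request with one selectable authentication style and then inspects a request the way an authorization server would, counting the methods present so that the "more than one known authentication method" condition Authelia reports can be detected before the request leaves the client. The token URL, client id, secret and device code are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ClientAuthStyle selects exactly one of the client authentication methods
// from RFC 6749 section 2.3.1 for the token endpoint request.
type ClientAuthStyle int

const (
	// AuthStyleBasic sends client_id and client_secret in an HTTP Basic
	// Authorization header (Authelia's token_endpoint_auth_method: client_secret_basic).
	AuthStyleBasic ClientAuthStyle = iota
	// AuthStylePost sends client_id and client_secret as form parameters instead.
	AuthStylePost
)

// NewDeviceTokenRequest builds the token request of the device authorization
// grant (RFC 8628 section 3.4). The secret is placed in exactly one location,
// chosen by style; it is never put both in the header and in the body.
func NewDeviceTokenRequest(tokenURL, clientID, clientSecret, deviceCode string, style ClientAuthStyle) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "urn:ietf:params:oauth:grant-type:device_code")
	form.Set("device_code", deviceCode)

	switch style {
	case AuthStylePost:
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	case AuthStyleBasic:
		// Nothing is added to the body: the credentials go in the header below.
	default:
		return nil, fmt.Errorf("unknown client auth style %d", style)
	}

	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if style == AuthStyleBasic {
		// RFC 6749 section 2.3.1: form-urlencode id and secret before Basic-encoding them.
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	}
	return req, nil
}

// ClientAuthMethods lists the client authentication methods present in a token
// request, as an authorization server would see them. RFC 6749 section 2.3
// forbids more than one, so a result with two entries is the request shape
// that produces the invalid_request error quoted in this report.
func ClientAuthMethods(req *http.Request) ([]string, error) {
	var methods []string
	if _, _, ok := req.BasicAuth(); ok {
		methods = append(methods, "client_secret_basic")
	}
	if err := req.ParseForm(); err != nil {
		return nil, err
	}
	if req.PostForm.Get("client_secret") != "" {
		methods = append(methods, "client_secret_post")
	}
	return methods, nil
}

func main() {
	// Constructed placeholder values, not the real endpoint or credentials from the report.
	const tokenURL = "https://auth.example.test/api/oidc/token"
	for _, style := range []ClientAuthStyle{AuthStyleBasic, AuthStylePost} {
		req, err := NewDeviceTokenRequest(tokenURL, "example-client", "example-secret", "example-device-code", style)
		if err != nil {
			panic(err)
		}
		methods, err := ClientAuthMethods(req)
		if err != nil {
			panic(err)
		}
		fmt.Printf("style %d -> methods %v (RFC 6749 compliant: %t)\n", style, methods, len(methods) == 1)
	}
}
```

ClientAuthMethods is also a cheap guard to run in a client test suite: build the request your library produces, and fail the test if more than one method comes back, which is exactly the defect this report describes without needing a live Authelia instance or packet captures.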