5.1 SSO: Authentication via SSO rejected #325

Open
1 task done
Trapulo opened this issue Mar 19, 2024 · 10 comments
Labels
setup Runtime environment or usage issue

Comments

@Trapulo

Trapulo commented Mar 19, 2024

Version

5.1.0

Details & Steps to reproduce

After upgrading to 5.1.0, when I access using OID (EntraID), after the sign-in the system responds "Authentication via SSO rejected".

Before the upgrade it worked.

Expectation

Full access

Error & Logs

No response

Execution environment

No response

Containerization

  • Docker

Additional information

No response

@Bubka
Owner

Bubka commented Mar 19, 2024

Hi,
This error message is shown when the provider refuses to authenticate the login request. Please check your OPENID_* env vars.
Logs may contain further information, please check them as well.

@Trapulo
Author

Trapulo commented Mar 19, 2024

production.ERROR: No application encryption key has been specified. {"exception":"[object] (Illuminate\Encryption\MissingAppKeyException(code: 0): No application encryption key has been specified. at /srv/vendor/laravel/framework/src/Illuminate/Encryption/EncryptionServiceProvider.php:7

@Bubka
Owner

Bubka commented Mar 20, 2024

Thx.
You have to set the APP_KEY env var.

@Bubka
Owner

Bubka commented Mar 20, 2024

I don't understand how this is possible by the way. Running 2FAuth without APP_KEY set should return an HTTP error 500.

Bubka added the setup (Runtime environment or usage issue) label Mar 21, 2024

@Trapulo
Author

Trapulo commented Mar 21, 2024

I have APP_KEY assigned.
And it did work until the last update to 5.1.0.

@Bubka
Owner

Bubka commented Mar 21, 2024

🤨

production.ERROR: No application encryption key has been specified. {"exception":"[object] (Illuminate\Encryption\MissingAppKeyException(code: 0): No application encryption key has been specified. at /srv/vendor/laravel/framework/src/Illuminate/Encryption/EncryptionServiceProvider.php:7

Does the time of this error match the time you tried to connect via SSO?

@Trapulo
Author

Trapulo commented Mar 25, 2024

You are right: that error is not related to the SSO problem.
When I try to access using SSO I don't get any log row at all :(

@Diggen85

I have the same problem. Trying to authenticate via the Authentik OpenID provider leads to an SSO rejection.

Env
OPENID_AUTHORIZE_URL=https://auth.example.de/application/o/authorize/
OPENID_TOKEN_URL=https://auth.example.de/application/o/token/
OPENID_USERINFO_URL=https://auth.example.de/application/o/userinfo/
OPENID_CLIENT_ID=LDzqB....e5
OPENID_CLIENT_SECRET=R...U

Authentik Redirect URIs
https://2fa.example.de/socialite/callback/openid

Logs
172.22.0.4 - - [14/May/2024:06:43:02 +0000] "GET /socialite/redirect/openid HTTP/1.1" 302 1394 "https://2fa.example.de/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /socialite/callback/openid?code=d1...a HTTP/1.1" 302 430 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 2745 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:17 +0000] "GET /api/v1/user HTTP/1.1" 401 41 "https://2fa.example.de/error?err=sso_failed" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"

@AntonKluge

I had the same problem using Authentik OIDC and 2FAuth in Docker behind a Traefik reverse proxy using a self-signed certificate (which is mounted into the container and trusted with SSL_CERT_FILE).

I traced the problem to /srv/vendor/laravel/socialite/src/Two/AbstractProvider.php where the method getAccessTokenResponse failed because of a connection problem in Guzzle.

Installing ca-certificates inside the docker container:

apk add \
      --no-cache \
      --repository http://dl-cdn.alpinelinux.org/alpine/v3.14/main \
      ca-certificates 

fixed the problem.

@BH-infrastructure

We're also using Authentik OIDC and 2FAuth in Docker behind an nginx reverse proxy, with a CA-signed wildcard certificate.

For users that already exist, it works properly, but new SSO users always get the error "sso_email_already_used" (but it doesn't exist)

10.254.18.1 - - [23/Dec/2024:11:15:55 +0000] "GET / HTTP/1.1" 200 3596 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
10.254.18.1 - - [23/Dec/2024:11:15:55 +0000] "GET /api/v1/user HTTP/1.1" 401 41 "https://2fauth.bullhost.cloud/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
10.254.18.1 - - [23/Dec/2024:11:15:56 +0000] "GET /socialite/redirect/openid HTTP/1.1" 302 1430 "https://2fauth.bullhost.cloud/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
10.254.18.1 - - [23/Dec/2024:11:15:59 +0000] "GET /socialite/callback/openid?code=8fd6a532e8dd478783de1acbbb72e9e9&state=0obkxzAI2AY3jGBRXALt0UfRwbAJBSF9tlMaI0Nl HTTP/1.1" 302 502 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
10.254.18.1 - - [23/Dec/2024:11:16:00 +0000] "GET /error?err=sso_email_already_used HTTP/1.1" 200 3596 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"

We have installed the ca-certificates on the docker image, but the problem persists
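
Added example, not part of the thread or of 2FAuth's own code: a triage script for access logs in the format posted above. It pairs each `/socialite/callback/openid` request with the `/error?err=...` request that follows from the same client, and masks the `code` and `state` query values so the lines can be shared safely; the sample lines are constructed, and pairing by client IP is an assumption (behind a reverse proxy that IP is the proxy's).

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample lines, modelled on the access-log format posted in this thread.
SAMPLE = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /socialite/redirect/openid HTTP/1.1" 302 1394 "https://2fa.example.test/login" "UA"
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /socialite/callback/openid?code=CONSTRUCTEDCODE&state=CONSTRUCTEDSTATE HTTP/1.1" 302 430 "-" "UA"
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 2745 "-" "UA"
10.0.0.9 - - [01/Jan/2025:10:05:00 +0000] "GET /socialite/callback/openid?code=OTHERCODE&state=OTHERSTATE HTTP/1.1" 302 502 "-" "UA"
10.0.0.9 - - [01/Jan/2025:10:05:01 +0000] "GET /error?err=sso_email_already_used HTTP/1.1" 200 3596 "-" "UA"
10.0.0.7 - - [01/Jan/2025:10:09:00 +0000] "GET /socialite/callback/openid?code=GOODCODE&state=GOODSTATE HTTP/1.1" 302 400 "-" "UA"
10.0.0.7 - - [01/Jan/2025:10:09:01 +0000] "GET /api/v1/user HTTP/1.1" 200 120 "-" "UA"
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
SENSITIVE = {"code", "state"}  # OAuth authorization code and CSRF state

def redact(target):
    """Mask OAuth code/state values so the request line is safe to paste into an issue."""
    parts = urlsplit(target)
    query = [(k, "REDACTED" if k in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + ("?" + urlencode(query) if query else "")

def sso_failures(log_text):
    """Return one record per OpenID callback whose next request from that client is /error?err=..."""
    pending, failures = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an access-log line in the expected format
        parts = urlsplit(m["target"])
        if parts.path == "/socialite/callback/openid":
            pending[m["ip"]] = (m["ts"], redact(m["target"]))
        elif m["ip"] in pending:
            # The first request after the callback decides the outcome for that client.
            ts, callback = pending.pop(m["ip"])
            err = dict(parse_qsl(parts.query)).get("err")
            if parts.path == "/error" and err:
                failures.append({"client": m["ip"], "callback_at": ts,
                                 "callback": callback, "err": err})
    return failures

if __name__ == "__main__":
    for failure in sso_failures(SAMPLE):
        print(failure)
```

The `callback_at` timestamp of each record is the one to compare against the application log when checking whether an exception matches the failed sign-in.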
