Authelia Authentication does not work #3508

adorakalb · 2024-04-22T13:30:19Z

adorakalb
Apr 22, 2024

Hi, I have a working mealie installation where I can login with local users.
Today I tried to configure Single Sign-On via Authelia. T
he "Login with Authelia" Button is visible on the login screen, and I get correctly redirected to Authelia, can login there and get redirected back to Mealie. But I don't get logged in, i still get the login screen and I can repeat it as long as I wish without any change in behaviour.

I've seen the Guide in #3338, but the configuration doesn't work (https://www.authelia.com/integration/openid-connect/mealie/)

I would appreciate any help <3

Mealie Config:

services:
  mealie:
    image: ghcr.io/mealie-recipes/mealie:v1.5.1
    container_name: mealie
    restart: always
    expose:
      - 9000
    deploy:
      resources:
        limits:
          memory: 500M
    volumes:
      - /opt/mealie/data:/app/data/
    environment:
      ALLOW_SIGNUP: false
      PUID: 1000
      PGID: 1000
      TZ: Europe/Berlin
      MAX_WORKERS: 1
      WEB_CONCURRENCY: 1
      BASE_URL: https://mealie.example.com

      OIDC_AUTH_ENABLED: true
      OIDC_SIGNUP_ENABLED: true
      OIDC_CONFIGURATION_URL: https://sso.example.com/.well-known/openid-configuration
      OIDC_CLIENT_ID: 'mealie'
      OIDC_USER_GROUP: 'Mealie'
      OIDC_ADMIN_GROUP: 'Mealie-Admin'
      OIDC_AUTO_REDIRECT: false
      OIDC_PROVIDER_NAME: 'Authelia (Single Sign-On)'

      LOG_LEVEL: DEBUG

Authelia Config:

      - client_id: 'mealie'
        client_name: 'Mealie (https://mealie.example.com)'
        public: true
        authorization_policy: custom_ldap
        pkce_challenge_method: S256
        grant_types:
          - authorization_code
        scopes:
          - openid
          - profile
          - groups
          - email
        redirect_uris:
          - https://mealie.example.com/login
        pre_configured_consent_duration: '1y'
        require_pkce: true
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'none'

Mealie Logs during Login:

mealie  | INFO     2024-04-22T15:17:11 - [172.18.10.2:0] 200 OK "GET /api/app/about HTTP/1.1"
mealie  | INFO     2024-04-22T15:17:12 - [172.18.10.2:0] 304 Not Modified "GET /sw.js HTTP/1.1"
mealie  | INFO     2024-04-22T15:17:13 - [172.18.10.2:0] 307 Temporary Redirect "GET /login?code=authelia_ac_<...>&iss=https%3A%2F%2Fsso.example.com&scope=openid+profile+email+groups&state=Kbya7Yyw7G HTTP/1.1"
mealie  | INFO     2024-04-22T15:17:13 - [172.18.10.2:0] 200 OK "GET /login/?code=authelia_ac_<...>&iss=https%3A%2F%2Fsso.example.com&scope=openid+profile+email+groups&state=Kbya7Yyw7G HTTP/1.1"
mealie  | INFO     2024-04-22T15:17:14 - [172.18.10.2:0] 304 Not Modified "GET /sw.js HTTP/1.1"
mealie  | INFO     2024-04-22T15:17:14 - [172.18.10.2:0] 200 OK "GET /api/app/about/startup-info HTTP/1.1"

Answered by adorakalb

Apr 23, 2024

Alright, it's fixed.

I had the following errors:

SSO-Redirect works, Login in Authelia works, redirect back to Mealie works too, but not logged in. Browser Network logs show CORS errors.
- Fixed by setting allowed_origins_from_client_redirect_uris: true in Authelia config
After fixing the above, I got a redirect loop and error messages in mealie debug log that it can't connect to the internet.
- Fixed by attaching more than just the traefik network to the container in docker compose. My traefik network can't speak to the internet.

Thank you @cmintey for helping me out here ^-^ ✨

View full answer

cmintey · 2024-04-23T01:06:50Z

cmintey
Apr 23, 2024

You may be running into a CORS error. Are there any logs in your browser console? If it is CORS, then you can configure your domain as an allowed origin in Authelia

4 replies

adorakalb Apr 23, 2024
Author

I indeed did get CORS errors!
I set allowed_origins_from_client_redirect_uris: true, now I get redirection loops with the following occurring all the time:

adorakalb Apr 23, 2024
Author

It seems mealie tries to connect to sso.lila.network but can't reach it
sso.lila.network is behind Cloudflare.
Email does seem to run into similar issues, tho I can't think of why... other docker containers on that host also can access the internet without issue with similar compose configs

mealie  | INFO     2024-04-23T10:24:29 - [172.18.10.2:0] 500 Internal Server Error "POST /api/auth/token HTTP/1.1"
mealie  | ERROR    2024-04-23T10:24:29 - Exception in ASGI application
mealie  | Traceback (most recent call last):
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connection.py", line 174, in _new_conn
mealie  |     conn = connection.create_connection(
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/util/connection.py", line 72, in create_connection
mealie  |     for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
mealie  |   File "/usr/local/lib/python3.10/socket.py", line 955, in getaddrinfo
mealie  |     for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
mealie  | socket.gaierror: [Errno -3] Temporary failure in name resolution
mealie  |
mealie  | During handling of the above exception, another exception occurred:
mealie  |
mealie  | Traceback (most recent call last):
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
mealie  |     httplib_response = self._make_request(
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
mealie  |     self._validate_conn(conn)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
mealie  |     conn.connect()
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connection.py", line 358, in connect
mealie  |     self.sock = conn = self._new_conn()
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connection.py", line 186, in _new_conn
mealie  |     raise NewConnectionError(
mealie  | urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7a5e54f7c490>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution
mealie  |
mealie  | During handling of the above exception, another exception occurred:
mealie  |
mealie  | Traceback (most recent call last):
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/adapters.py", line 486, in send
mealie  |     resp = conn.urlopen(
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
mealie  |     retries = retries.increment(
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
mealie  |     raise MaxRetryError(_pool, url, error or ResponseError(cause))
mealie  | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='sso.lila.network', port=443): Max retries exceeded with url: /.well-known/openid-configuration (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7a5e54f7c490>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
mealie  |
mealie  | During handling of the above exception, another exception occurred:
mealie  |
mealie  | Traceback (most recent call last):
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 411, in run_asgi
mealie  |     result = await app(  # type: ignore[func-returns-value]
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 69, in __call__
mealie  |     return await self.app(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
mealie  |     await super().__call__(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 123, in __call__
mealie  |     await self.middleware_stack(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 186, in __call__
mealie  |     raise exc
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 164, in __call__
mealie  |     await self.app(scope, receive, _send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 24, in __call__
mealie  |     await responder(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 44, in __call__
mealie  |     await self.app(scope, receive, self.send_with_gzip)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 65, in __call__
mealie  |     await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
mealie  |     raise exc
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
mealie  |     await app(scope, receive, sender)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 756, in __call__
mealie  |     await self.middleware_stack(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 776, in app
mealie  |     await route.handle(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 297, in handle
mealie  |     await self.app(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 77, in app
mealie  |     await wrap_app_handling_exceptions(app, request)(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
mealie  |     raise exc
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
mealie  |     await app(scope, receive, sender)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 72, in app
mealie  |     response = await func(request)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 278, in app
mealie  |     raw_response = await run_endpoint_function(
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 191, in run_endpoint_function
mealie  |     return await dependant.call(**values)
mealie  |   File "/app/mealie/routes/auth/auth.py", line 50, in get_token
mealie  |     auth = await auth_provider.authenticate()
mealie  |   File "/app/mealie/core/security/providers/openid_provider.py", line 31, in authenticate
mealie  |     claims = self.get_claims(settings)
mealie  |   File "/app/mealie/core/security/providers/openid_provider.py", line 83, in get_claims
mealie  |     jwks = OpenIDProvider.get_jwks()
mealie  |   File "/app/mealie/core/security/providers/openid_provider.py", line 120, in get_jwks
mealie  |     with requests.get(settings.OIDC_CONFIGURATION_URL, timeout=5) as config_response:
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/api.py", line 73, in get
mealie  |     return request("get", url, params=params, **kwargs)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/api.py", line 59, in request
mealie  |     return session.request(method=method, url=url, **kwargs)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/sessions.py", line 589, in request
mealie  |     resp = self.send(prep, **send_kwargs)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/sessions.py", line 703, in send
mealie  |     r = adapter.send(request, **kwargs)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/adapters.py", line 519, in send
mealie  |     raise ConnectionError(e, request=request)
mealie  | requests.exceptions.ConnectionError: HTTPSConnectionPool(host='sso.lila.network', port=443): Max retries exceeded with url: /.well-known/openid-configuration (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7a5e54f7c490>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
mealie  | ERROR    2024-04-23T10:24:29 - Exception in ASGI application
mealie  | Traceback (most recent call last):
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connection.py", line 174, in _new_conn
mealie  |     conn = connection.create_connection(
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/util/connection.py", line 72, in create_connection
mealie  |     for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
mealie  |   File "/usr/local/lib/python3.10/socket.py", line 955, in getaddrinfo
mealie  |     for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
mealie  | socket.gaierror: [Errno -3] Temporary failure in name resolution
mealie  |
mealie  | During handling of the above exception, another exception occurred:
mealie  |
mealie  | Traceback (most recent call last):
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
mealie  |     httplib_response = self._make_request(
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
mealie  |     self._validate_conn(conn)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
mealie  |     conn.connect()
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connection.py", line 358, in connect
mealie  |     self.sock = conn = self._new_conn()
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connection.py", line 186, in _new_conn
mealie  |     raise NewConnectionError(
mealie  | urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7a5e54f7c490>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution
mealie  |
mealie  | During handling of the above exception, another exception occurred:
mealie  |
mealie  | Traceback (most recent call last):
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/adapters.py", line 486, in send
mealie  |     resp = conn.urlopen(
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
mealie  |     retries = retries.increment(
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
mealie  |     raise MaxRetryError(_pool, url, error or ResponseError(cause))
mealie  | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='sso.lila.network', port=443): Max retries exceeded with url: /.well-known/openid-configuration (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7a5e54f7c490>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
mealie  |
mealie  | During handling of the above exception, another exception occurred:
mealie  |
mealie  | Traceback (most recent call last):
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 411, in run_asgi
mealie  |     result = await app(  # type: ignore[func-returns-value]
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 69, in __call__
mealie  |     return await self.app(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
mealie  |     await super().__call__(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 123, in __call__
mealie  |     await self.middleware_stack(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 186, in __call__
mealie  |     raise exc
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 164, in __call__
mealie  |     await self.app(scope, receive, _send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 24, in __call__
mealie  |     await responder(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 44, in __call__
mealie  |     await self.app(scope, receive, self.send_with_gzip)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 65, in __call__
mealie  |     await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
mealie  |     raise exc
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
mealie  |     await app(scope, receive, sender)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 756, in __call__
mealie  |     await self.middleware_stack(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 776, in app
mealie  |     await route.handle(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 297, in handle
mealie  |     await self.app(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 77, in app
mealie  |     await wrap_app_handling_exceptions(app, request)(scope, receive, send)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
mealie  |     raise exc
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
mealie  |     await app(scope, receive, sender)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 72, in app
mealie  |     response = await func(request)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 278, in app
mealie  |     raw_response = await run_endpoint_function(
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 191, in run_endpoint_function
mealie  |     return await dependant.call(**values)
mealie  |   File "/app/mealie/routes/auth/auth.py", line 50, in get_token
mealie  |     auth = await auth_provider.authenticate()
mealie  |   File "/app/mealie/core/security/providers/openid_provider.py", line 31, in authenticate
mealie  |     claims = self.get_claims(settings)
mealie  |   File "/app/mealie/core/security/providers/openid_provider.py", line 83, in get_claims
mealie  |     jwks = OpenIDProvider.get_jwks()
mealie  |   File "/app/mealie/core/security/providers/openid_provider.py", line 120, in get_jwks
mealie  |     with requests.get(settings.OIDC_CONFIGURATION_URL, timeout=5) as config_response:
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/api.py", line 73, in get
mealie  |     return request("get", url, params=params, **kwargs)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/api.py", line 59, in request
mealie  |     return session.request(method=method, url=url, **kwargs)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/sessions.py", line 589, in request
mealie  |     resp = self.send(prep, **send_kwargs)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/sessions.py", line 703, in send
mealie  |     r = adapter.send(request, **kwargs)
mealie  |   File "/opt/pysetup/.venv/lib/python3.10/site-packages/requests/adapters.py", line 519, in send
mealie  |     raise ConnectionError(e, request=request)
mealie  | requests.exceptions.ConnectionError: HTTPSConnectionPool(host='sso.lila.network', port=443): Max retries exceeded with url: /.well-known/openid-configuration (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7a5e54f7c490>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

adorakalb Apr 23, 2024
Author

Alright, it's fixed.

I had the following errors:

SSO-Redirect works, Login in Authelia works, redirect back to Mealie works too, but not logged in. Browser Network logs show CORS errors.
- Fixed by setting allowed_origins_from_client_redirect_uris: true in Authelia config
After fixing the above, I got a redirect loop and error messages in mealie debug log that it can't connect to the internet.
- Fixed by attaching more than just the traefik network to the container in docker compose. My traefik network can't speak to the internet.

Thank you @cmintey for helping me out here ^-^ ✨

Answer selected by adorakalb

boc-the-git Apr 23, 2024
Collaborator

Thanks for giving detailed info on the steps you took @adorakalb

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Authelia Authentication does not work #3508

{{title}}

Replies: 1 comment 4 replies

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Authelia Authentication does not work #3508

adorakalb Apr 22, 2024

Replies: 1 comment · 4 replies

cmintey Apr 23, 2024

adorakalb Apr 23, 2024 Author

adorakalb Apr 23, 2024 Author

adorakalb Apr 23, 2024 Author

boc-the-git Apr 23, 2024 Collaborator

adorakalb
Apr 22, 2024

Replies: 1 comment 4 replies

cmintey
Apr 23, 2024

adorakalb Apr 23, 2024
Author

adorakalb Apr 23, 2024
Author

adorakalb Apr 23, 2024
Author

boc-the-git Apr 23, 2024
Collaborator