I am currently trying to set up and use Authelia's identity provider with OpenID Connect as a single login provider for several different applications.
The first application I want to add is Nextcloud. To do this, I follow the instructions on the Authelia documentation page: https://www.authelia.com/integration/openid-connect/nextcloud
But the problem I’m facing now is that I always get an error message saying that the redirect URL I specified in the configuration is not valid, even though I used the official URL from the Authelia docs.
Authelia Error:
{
"error": "invalid_request",
"error_description": "The request is missing a required parameter,
includes an invalid parameter value, includes a parameter more than once,
or is otherwise malformed. The 'redirect_uri' parameter does not match
any of the OAuth 2.0 Client's pre-registered redirect urls."
}
Authelia Configuration:
(I replaced my server address with "example.com")
jwt_secret: ac5Tmfbue44TxPTrCpCWNNZKm7AmvBS6
default_redirection_url: https://example.com
server:
  host: 0.0.0.0
  port: 9091
log:
  level: debug
totp:
  issuer: example.com
authentication_backend:
  file:
    path: /config/users_database.yml
access_control:
  default_policy: one_factor
  rules:
    - domain: auth.example.com
      policy: bypass
    - domain:
        - example.com
        - proxy.example.com
        - nextcloud.example.com
      policy: one_factor
identity_providers:
  oidc:
    hmac_secret: GhuVkMctBBFratABE6fMUacCWKhGgNa23SuDuN62Ug6vxQhJJTsLXca3ZdXyuL7n
    issuer_private_key: {KEY}
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - https://example.com
      allowed_origins_from_client_redirect_uris: false
    clients:
      - id: nextcloud
        secret: nextcloud_client_secret
        public: false
        authorization_policy: one_factor
        scopes:
          - openid
          - profile
          - groups
        redirect_uris:
          - https://nextcloud.example.com/apps/oidc_login/oidc
        userinfo_signing_algorithm: none
session:
  name: authelia_session
  secret: kHT5S9ed8ArygSwyVZWm48Pyjt4qyXg9
  expiration: 3600
  inactivity: 300
  domain: example.com
regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300
storage:
  encryption_key: nqcWgCG22YM6Uttj4GQw5eeNsWKwr4Xm
  local:
    path: /config/db.sqlite3
notifier:
  filesystem:
    filename: /config/notification.txt
Nextcloud Configuration:
(Plugin: OpenID Connect Login)
<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\OC\Memcache\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'owd1s341ok',
  'passwordsalt' => 'Kt7fjLgAGjGMtAdrfdsXR4BEEz5pqzmv',
  'secret' => '64kSvSXtpQ2HUMBEdQTf5NusZ9SnQhBN64kSvSXtpQ2HUe',
  'trusted_domains' =>
  array (
    0 => 'nextcloud.example.com',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'sqlite3',
  'version' => '24.0.1.1',
  'overwrite.cli.url' => 'http://nextcloud.example.com',
  'installed' => true,
  'allow_user_to_change_display_name' => false,
  'lost_password_link' => 'disabled',
  'oidc_login_provider_url' => 'https://auth.example.com',
  'oidc_login_client_id' => 'nextcloud',
  'oidc_login_client_secret' => 'nextcloud_client_secret',
  'oidc_login_auto_redirect' => false,
  'oidc_login_end_session_redirect' => false,
  'oidc_login_button_text' => 'Log in with Authelia',
  'oidc_login_hide_password_form' => false,
  'oidc_login_use_id_token' => true,
  'oidc_login_attributes' => array (
    'id' => 'preferred_username',
    'name' => 'name',
    'mail' => 'email',
    'groups' => 'groups',
  ),
  'oidc_login_default_group' => 'oidc',
  'oidc_login_use_external_storage' => false,
  'oidc_login_scope' => 'openid profile groups',
  'oidc_login_proxy_ldap' => false,
  'oidc_login_disable_registration' => true,
  'oidc_login_redir_fallback' => false,
  'oidc_login_alt_login_page' => 'assets/login.php',
  'oidc_login_tls_verify' => true,
  'oidc_create_groups' => false,
  'oidc_login_webdav_enabled' => false,
  'oidc_login_password_authentication' => false,
  'oidc_login_public_key_caching_time' => 86400,
  'oidc_login_min_time_between_jwks_requests' => 10,
  'oidc_login_well_known_caching_time' => 86400,
  'oidc_login_update_avatar' => false,
);
Does anyone know how I can fix this error or what I need to change to make it work?
(I am using Nginx Proxy Manager as a reverse proxy and Docker to run Nginx Proxy Manager, Authelia and Nextcloud).
Thanks
Ypselon 🙂
-= Update =-
I noticed that when I try to log in with Authelia, I get the error page with the following URL:
https://auth.example.com/api/oidc/authorization?response_type=code&redirect_uri=http%3A%2F%nextcloud.example.com%2Fapps%2Foidc_login%2Foidc&client_id=nextcloud&nonce=9a2986f054d7044bcb3050ed3c38a1b6&state=9384d2d39924b436f8a0eb6b8bd334ad&scope=openid+profile+groups+openid
I can then simply remove the "redirect_uri" from the query parameters, reload the page and then for some magical reason I am presented with the consent request and after I accept it I get logged in.
Now I’m completely confused, but maybe someone can tell me, based on the behavior, where the problem might be.
Thanks
Ypselon 🙂
2 Answers
I ran into the same error and started from scratch with the config from here
Ran into another error later, but I hope this helps you.
I encountered the same problem and I fixed it by changing the redirect_uris to https://nextcloud.example.com/index.php/apps/oidc_login/oidc (mind the index.php).

If the error is based on the redirect URI's value being invalid, check the URL of the OIDC response to see the actual redirect URI it's trying to use.