
5.1 SSO: Authentication via SSO rejected

Open Trapulo opened this issue 1 year ago • 10 comments

Version

5.1.0

Details & Steps to reproduce

After upgrading to 5.1.0, when I access using OID (EntraID), after the sign-in the system responds "Authentication via SSO rejected".

Before the upgrade it worked.

Expectation

a full access

Error & Logs

No response

Execution environment

No response

Containerization

  • [X] Docker

Additional information

No response

Trapulo avatar Mar 19 '24 14:03 Trapulo

Hi, this error message is shown when the provider refuses to authenticate the login request. Please check your OPENID_* env vars. Logs may contain further information, please check them as well.

Bubka avatar Mar 19 '24 17:03 Bubka

production.ERROR: No application encryption key has been specified. {"exception":"[object] (Illuminate\Encryption\MissingAppKeyException(code: 0): No application encryption key has been specified. at /srv/vendor/laravel/framework/src/Illuminate/Encryption/EncryptionServiceProvider.php:7

Trapulo avatar Mar 19 '24 20:03 Trapulo

Thx. You have to set the APP_KEY env var.

Bubka avatar Mar 20 '24 07:03 Bubka

I don't understand how this is possible by the way. Running 2FAuth without APP_KEY set should return an HTTP error 500.

Bubka avatar Mar 20 '24 08:03 Bubka

I have APP_KEY assigned. And it did work until the last update to 5.1.0

Trapulo avatar Mar 21 '24 09:03 Trapulo

🤨

production.ERROR: No application encryption key has been specified. {"exception":"[object] (Illuminate\Encryption\MissingAppKeyException(code: 0): No application encryption key has been specified. at /srv/vendor/laravel/framework/src/Illuminate/Encryption/EncryptionServiceProvider.php:7

Does the time of this error match the time you tried to connect via SSO?

Bubka avatar Mar 21 '24 09:03 Bubka

You are right: that error is not related to the SSO problem. When I try to access using SSO I haven't any log row at all :(

Trapulo avatar Mar 25 '24 15:03 Trapulo

I've the same problem. Trying to auth via Authentik OpenID Provider leads to SSO reject.

Env

OPENID_AUTHORIZE_URL=https://auth.example.de/application/o/authorize/
OPENID_TOKEN_URL=https://auth.example.de/application/o/token/
OPENID_USERINFO_URL=https://auth.example.de/application/o/userinfo/
OPENID_CLIENT_ID=LDzqB....e5
OPENID_CLIENT_SECRET=R...U

Authentik Redirect URIs

https://2fa.example.de/socialite/callback/openid

Logs

172.22.0.4 - - [14/May/2024:06:43:02 +0000] "GET /socialite/redirect/openid HTTP/1.1" 302 1394 "https://2fa.example.de/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /socialite/callback/openid?code=d1...a HTTP/1.1" 302 430 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 2745 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:17 +0000] "GET /api/v1/user HTTP/1.1" 401 41 "https://2fa.example.de/error?err=sso_failed" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"

Diggen85 avatar May 14 '24 06:05 Diggen85

I had the same problem using Authentik OIDC and 2FAuth in Docker behind a Traefik reverse proxy using a self-signed certificate (which is mounted into the container and trusted with SSL_CERT_FILE).

I traced the problem to /srv/vendor/laravel/socialite/src/Two/AbstractProvider.php where the method getAccessTokenResponse failed because of a connection problem in Guzzle.

Installing ca-certificates inside the docker container:

apk add \
      --no-cache \
      --repository http://dl-cdn.alpinelinux.org/alpine/v3.14/main \
      ca-certificates 

fixed the problem.

AntonKluge avatar Aug 29 '24 11:08 AntonKluge
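
Added example, not part of the thread or of 2FAuth's code: a small Python triage over access-log lines in the format quoted above, to tell whether an `sso_failed` redirect came from the provider refusing the login or from the server-side token exchange that the last comment traced. It assumes standard OAuth 2.0 authorization-code semantics (a callback with `code=` means the provider accepted the login, `error=` means it refused); the sample log lines, the function name and the stage labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the format of the access log quoted in the thread
# (user agents shortened, code value replaced with a placeholder).
SAMPLE_LOG = """\
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /socialite/callback/openid?code=PLACEHOLDER HTTP/1.1" 302 430 "-" "UA"
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 2745 "-" "UA"
172.22.0.9 - - [14/May/2024:06:50:10 +0000] "GET /socialite/callback/openid?error=access_denied HTTP/1.1" 302 430 "-" "UA"
172.22.0.9 - - [14/May/2024:06:50:10 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 2745 "-" "UA"
172.22.0.7 - - [14/May/2024:07:01:00 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 2745 "-" "UA"
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" \d{3} ')

# Where to look next for each failure stage (assumption: standard OAuth 2.0
# authorization-code semantics for the callback parameters).
HINTS = {
    "back-channel": "provider issued a code; check the server-side token/userinfo "
                    "request: CA trust inside the container, OPENID_* URLs, client secret",
    "front-channel": "provider returned an error on the redirect; check its own logs",
    "unknown": "no usable callback seen before the failure for this client",
}

def classify_sso_failures(log_text):
    """Return (timestamp, client, stage) for every /error?err=sso_failed hit,
    judged from the same client's most recent callback request."""
    last_callback = {}  # client IP -> parsed query string of its latest callback
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not an access-log GET line in the expected format
        client, ts, target = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if url.path.startswith("/socialite/callback/"):
            last_callback[client] = query
        elif url.path == "/error" and query.get("err") == ["sso_failed"]:
            cb = last_callback.pop(client, {})
            stage = ("front-channel" if "error" in cb
                     else "back-channel" if "code" in cb else "unknown")
            findings.append((ts, client, stage))
    return findings

if __name__ == "__main__":
    for ts, client, stage in classify_sso_failures(SAMPLE_LOG):
        print(f"{ts} {client} {stage}: {HINTS[stage]}")
```

A `back-channel` result matches the situation in the quoted log: the browser round trip succeeded, so the web access log shows nothing further and the cause has to be sought in the container's outbound request to the token endpoint.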