
[Bug]: OAuth incorrectly requires HTTPS of the application server

Open MikeBishop opened this issue 6 months ago • 3 comments

What was the Problem?

Using HTTP to access ABS, which authenticates via Authentik (over HTTPS) throws an error on login: "SSO: The URL to the server must be https:// secured"

Steps to Reproduce the Issue

  1. Set up a local-only ABS server accessed over HTTP.
  2. Set up OIDC with Authentik or another provider
  3. Log in successfully via the browser
  4. Attempt to log in via the app and see error

What was Expected?

Redirect to Authentik for login

Phone Model

OnePlus 11

Phone OS

Android 14

Audiobookshelf App Version

Android App - 0.9.74

Installation Source

Google Play Store

Additional Notes

The code points to RFC 6749, Section 10.9, which says:

In order to prevent man-in-the-middle attacks, the authorization server MUST require the use of TLS with server authentication as defined by [RFC2818] for any request sent to the authorization and token endpoints.

While the authorization server (Authentik) must require the use of HTTPS, there are no requirements imposed on ABS (resource server) here. The indicated variable should be configurable in settings or the check removed.

MikeBishop, Jul 29 '24 21:07
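The distinction the report draws, applied as a transport check that targets the right party, is shown below. This is an added example, not code from the audiobookshelf app; the function names and the OIDC discovery document are constructed for illustration. It enforces https:// only on the authorization server's authorization and token endpoints (RFC 6749 Section 10.9) and lets the resource server URL be plain http.

```javascript
// Added example (not audiobookshelf code): apply the RFC 6749 §10.9 TLS rule to the
// authorization server's endpoints only; the resource server the app talks to is not
// covered by that rule. Names and the discovery document are constructed here.

function requireHttps(name, rawUrl, problems) {
  let u;
  try {
    u = new URL(rawUrl);            // throws on undefined / malformed input
  } catch (e) {
    problems.push(`${name}: not a valid URL (${rawUrl})`);
    return;
  }
  if (u.protocol !== 'https:') {
    problems.push(`${name}: must use https:// (got ${u.protocol}//)`);
  }
}

// Returns a list of problems; an empty list means the configuration is acceptable.
function checkOAuthTransport(serverUrl, discovery) {
  const problems = [];
  // Resource server (e.g. a LAN-only ABS instance): must parse, but may be http.
  try {
    new URL(serverUrl);
  } catch (e) {
    problems.push(`server URL: not a valid URL (${serverUrl})`);
  }
  // Authorization server: TLS is mandatory on these two endpoints.
  requireHttps('authorization_endpoint', discovery.authorization_endpoint, problems);
  requireHttps('token_endpoint', discovery.token_endpoint, problems);
  return problems;
}

// Constructed discovery document shaped like a provider's .well-known metadata.
const discoveryOk = {
  issuer: 'https://auth.example.com/application/o/abs/',
  authorization_endpoint: 'https://auth.example.com/application/o/authorize/',
  token_endpoint: 'https://auth.example.com/application/o/token/',
};

// Same provider with the token endpoint downgraded to http; this one must be rejected.
const discoveryBad = {
  ...discoveryOk,
  token_endpoint: 'http://auth.example.com/application/o/token/',
};

// An http:// ABS server paired with an https:// provider yields no problems.
const localAbsResult = checkOAuthTransport('http://abs.lan:13378', discoveryOk); // []
```

The check fails only when the identity provider itself is reached over http, which is the case the RFC text actually forbids.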