
Kasm OpenID Configuration failing with a "Missing access token parameter" error.

Open obadaahmar opened this issue 1 year ago • 7 comments

Describe the bug: Kasm is facing an "Internal Error" whenever I try to authenticate via Authentik's OpenID setup, and the logs spit out this error: "oauthlib/oauth2/rfc6749/parameters.py", line 451, in validate_token_parameters\noauthlib.oauth2.rfc6749.errors.MissingTokenError: (missing_token) Missing access token parameter."

To Reproduce Steps to reproduce the behavior:

  1. Go to 'kasm.domain.tld'
  2. Click on 'login via Authentik'
  3. Get an "Internal Error" page.

Expected behavior A successful authorisation via Authentik OpenID.

Screenshots: Included are the Authentik and Kasm OpenID setup (screenshots: kasm_setup; Providers - Admin - authentik; Providers - Admin - authentik OIDC Mapping; Providers - Admin - authentik SSO Group mapping).

Logs Output of docker-compose logs or kubectl logs respectively

kasm log for the error: "message": "Unhandled exception occurred\nTraceback (most recent call last):\n File \"cherrypy/_cprequest.py\", line 628, in respond\n File \"cherrypy/_cprequest.py\", line 687, in _do_respond\n File \"cherrypy/lib/encoding.py\", line 219, in __call__\n File \"cherrypy/_cpdispatch.py\", line 54, in __call__\n File \"utils.py\", line 99, in wrapper\n File \"client_api.py\", line 952, in oidc_callback\n File \"authentication/oidc/__init__.py\", line 52, in process_callback\n File \"requests_oauthlib/oauth2_session.py\", line 360, in fetch_token\n File \"oauthlib/oauth2/rfc6749/clients/base.py\", line 427, in parse_request_body_response\n File \"oauthlib/oauth2/rfc6749/parameters.py\", line 441, in parse_token_response\n File \"oauthlib/oauth2/rfc6749/parameters.py\", line 451, in validate_token_parameters\noauthlib.oauth2.rfc6749.errors.MissingTokenError: (missing_token) Missing access token parameter."

Application authorized log from Authentik:

Context
{
    "asn": {
        "asn": 43357,
        "as_org": "Owl Limited",
        "network": "103.136.147.0/24"
    },
    "geo": {
        "lat": -33.8715,
        "city": "Sydney",
        "long": 151.2006,
        "country": "AU",
        "continent": "OC"
    },
    "flow": "4a09a248d5cexxxxxxxxxxxxxxxxxxxxxx",
    "scopes": "profile email openid",
    "http_request": {
        "args": {
            "scope": "email openid profile",
            "state": "708228d4803e4907870cdbxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "client_id": "cGjahZGUW7dxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "redirect_uri": "https://kasm.domain.tld/api/oidc_callback",
            "response_type": "code"
        },
        "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/",
        "method": "GET",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
    },
    "authorized_application": {
        "pk": "d2d9f364xxxxxxxx",
        "app": "authentik_core",
        "name": "Kasm",
        "model_name": "application"
    }
}
User
{
    "pk": 9,
    "email": "[email protected]",
    "username": "firstlast"
}

Version and Deployment (please complete the following information):

  • authentik version: [2024.2.2]
  • Deployment: [docker via UnRaid]

obadaahmar avatar Mar 19 '24 00:03 obadaahmar

Same issue. If I browse the URL at all, I get an internal error. https://fqdn.com/api/oidc_callback Seems completely independent of Authentik or any other OIDC resource.

CrustyB avatar Mar 30 '24 20:03 CrustyB

Can confirm as well on 2023.10.3

sgtslaughta avatar Apr 06 '24 10:04 sgtslaughta

Getting this on Zitadel IdP also.

Unhandled exception occurred Traceback (most recent call last): File "cherrypy/_cprequest.py", line 628, in respond File "cherrypy/_cprequest.py", line 687, in _do_respond File "cherrypy/lib/encoding.py", line 219, in __call__ File "cherrypy/_cpdispatch.py", line 54, in __call__ File "utils.py", line 99, in wrapper File "client_api.py", line 947, in oidc_callback KeyError: 'state'

aldervall avatar May 17 '24 05:05 aldervall

Update

  • After some trial and error, it appears that there were some configuration issues on both ends. If you are using something like a Cloudflare tunnel or reverse proxy, be very mindful of how each end will be accessing the other. For example, public DNS domains may not be accessible from behind a reverse proxy, among other considerations. Furthermore, both applications will generate the connection strings/URLs based on how you are accessing the server. For example: when creating the provider in Authentik while accessing the server via https://192.168.1.10, the strings will be generated using that as the host in the URI. This may not be how Kasm is accessing Authentik.

Solution

  • Both OAuth2 and SAML tested and working, accessing Kasm via Cloudflare tunnels. We had to add Authentik as another CF tunnel endpoint so that Kasm could redirect properly (public subdomain -> public subdomain). If you don't want to expose your SSO, you could use CF Access applications to restrict access OR use LDAP for back-end auth. I am not an expert and there is probably a 'better' more 'correcter' way, but it worked for us.

sgtslaughta avatar May 17 '24 16:05 sgtslaughta
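The three symptoms in this thread (endpoints generated for the wrong host, a token response with no `access_token`, and `KeyError: 'state'` on a bare callback hit) can be checked offline before touching a tunnel. The following is an added example, not Kasm's or authentik's code; the discovery document, token bodies and the host `auth.domain.tld` are constructed, and the authentik endpoint paths are assumed to follow its usual `/application/o/...` layout.

```python
# Added example (not Kasm's or authentik's code): offline checks for the
# failure modes discussed in this issue. All inputs below are constructed.
from urllib.parse import urlparse

# Constructed discovery document: the provider was created while authentik was
# reached by its LAN address, so every endpoint advertises that host, while
# Kasm reaches authentik through a public subdomain (see the "Update" comment).
DISCOVERY = {
    "issuer": "https://192.168.1.10/application/o/kasm/",
    "authorization_endpoint": "https://192.168.1.10/application/o/authorize/",
    "token_endpoint": "https://192.168.1.10/application/o/token/",
    "userinfo_endpoint": "https://192.168.1.10/application/o/userinfo/",
}

# Constructed token-endpoint bodies as oauthlib would see them in fetch_token().
TOKEN_OK = {"access_token": "tok_example", "token_type": "Bearer",
            "expires_in": 3600, "id_token": "eyJ.example"}
TOKEN_BAD = {"error": "invalid_client",
             "error_description": "Client authentication failed"}


def endpoint_host_mismatches(discovery: dict, reachable_host: str) -> list:
    """Names of endpoints whose URL host is not the host the relying party can
    actually reach. Anything listed here sends Kasm's redirect or token
    request to the wrong place, which is the misconfiguration in the Update."""
    keys = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")
    return [k for k in keys
            if k in discovery and urlparse(discovery[k]).hostname != reachable_host]


def token_response_problems(body: dict) -> list:
    """Collect the conditions under which oauthlib's validate_token_parameters
    refuses a token response: an error body, no access_token, no token_type.
    The first traceback in this issue is the 'missing access_token' case."""
    problems = []
    if "error" in body:
        problems.append("error=%s: %s" % (body["error"], body.get("error_description", "")))
    if "access_token" not in body:
        problems.append("missing access_token parameter")
    if "token_type" not in body:
        problems.append("missing token_type")
    return problems


def callback_problems(query: dict) -> list:
    """Parameters the IdP must append to /api/oidc_callback; opening the URL
    directly (as in the KeyError: 'state' traceback) supplies none of them."""
    return [p for p in ("code", "state") if p not in query]


if __name__ == "__main__":
    print(endpoint_host_mismatches(DISCOVERY, "auth.domain.tld"))
    print(token_response_problems(TOKEN_BAD))
    print(callback_problems({}))
```

Running the real discovery document through `endpoint_host_mismatches` with the hostname Kasm actually uses shows immediately whether authentik was configured from the wrong side of the proxy.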