
[Bug] OIDC Token Verification Fails When Authentik Encrypts "id_token"

Open rolestack opened this issue 10 months ago • 3 comments

Is this a support request?

  • [x] This is not a support request

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

When both the signing key and the encryption key are applied in Authentik, the following error is output:

2025-02-24T15:53:18Z ERR user msg: failed to verify id_token error="failed to verify ID token: oidc: failed to unmarshal claims: invalid character '\\x0f' looking for beginning of value" code=403

Expected Behavior

It seems that the error occurs because the OIDC code does not decrypt the encrypted token.

Steps To Reproduce

After removing the encryption key and attempting the login again, it works as expected.

Login fail: [screenshot]

Login success: [screenshot]

Environment

- Headscale version: 0.25.0
- Authentik version: 2025.2.0

config.yml

oidc:
  only_start_if_oidc_is_available: true
  issuer: "https://authentik.my.domain/application/o/headscale/"
  client_id: "------"
  client_secret: "------"

  use_expiry_from_token: false

  scope: ["openid", "profile", "email"]

  pkce:
    enabled: true
    method: S256

Runtime environment

  • [x] Headscale is behind a (reverse) proxy
  • [x] Headscale runs in a container

Anything else?

No response

rolestack, Feb 24 '25 16:02

Is this a separate encryption key that is specific to Authentik? or is it part of any spec?

If it is part of a spec, we can have a look at implementing it, if it is only present in Authentik, we likely will not support it, or at least prioritise it.

kradalby, Feb 25 '25 11:02

According to the OpenID Connect Core 1.0, ID token encryption is optional.

That said, encryption is still a good idea. It helps keep the token's contents private and prevents sensitive data from being exposed. If the ID token includes anything sensitive, turning on encryption adds an extra layer of security.

So, while it’s not a requirement, enabling encryption is definitely worth considering, especially in high-security environments.

rolestack, Feb 25 '25 14:02

Authentik added JWE support for OAuth in their 2024.10.0 release. I'm not sure if other products have implemented this feature yet.

rolestack, Feb 25 '25 14:02

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot], May 27 '25 02:05

This issue was closed because it has been inactive for 14 days since being marked as stale.

github-actions[bot], Jun 03 '25 02:06

Still not working on my side

headscale | 2025-09-04T08:10:51Z ERR user msg: failed to verify id_token error="failed to verify ID token: oidc: malformed jwt: unexpected signature algorithm "HS256"; expected ["RS256"]" code=403

[screenshot]

regiolis, Sep 04 '25 08:09
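Both errors in this thread come from the same place: the relying party splits the compact-serialized id_token on "." and assumes a JWS (header.payload.signature). An encrypted id_token is a JWE with five segments, and its second segment is the encrypted content-encryption key, i.e. binary bytes, which is why the original report sees "failed to unmarshal claims: invalid character '\x0f'". The later report from regiolis is a different mismatch: the token is a JWS, but signed with HS256 while the client only accepts RS256. The Go program below is an added example written for this page, not headscale or go-oidc code; it classifies a compact token from its protected header and segment count and reproduces both rejections ahead of any signature verification. The sample tokens are constructed inline with placeholder signature and ciphertext bytes and are not real tokens from either provider.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// TokenKind classifies a compact-serialized JOSE object.
type TokenKind int

const (
	KindUnknown TokenKind = iota
	KindJWS               // 3 segments: header.payload.signature
	KindJWE               // 5 segments: header.encryptedKey.iv.ciphertext.tag
)

// JOSEHeader carries the protected-header fields this check needs.
type JOSEHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"` // only present on JWE
}

// ClassifyToken decodes the protected header and counts segments.
// It verifies nothing and decrypts nothing; it only tells you what you were handed.
func ClassifyToken(token string) (TokenKind, JOSEHeader, error) {
	parts := strings.Split(token, ".")
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return KindUnknown, JOSEHeader{}, fmt.Errorf("decode header: %w", err)
	}
	var h JOSEHeader
	if err := json.Unmarshal(raw, &h); err != nil {
		return KindUnknown, JOSEHeader{}, fmt.Errorf("parse header: %w", err)
	}
	switch len(parts) {
	case 3:
		return KindJWS, h, nil
	case 5:
		return KindJWE, h, nil
	}
	return KindUnknown, h, fmt.Errorf("unexpected segment count %d", len(parts))
}

// PreflightIDToken rejects, with a readable reason, the two cases from the thread:
// an encrypted id_token the client has no key for, and a JWS whose alg is not allowed.
func PreflightIDToken(token string, allowedAlgs []string) error {
	kind, h, err := ClassifyToken(token)
	if err != nil {
		return err
	}
	switch kind {
	case KindJWE:
		return fmt.Errorf("id_token is encrypted (alg=%q enc=%q); this client cannot decrypt JWE, disable id_token encryption on the provider", h.Alg, h.Enc)
	case KindJWS:
		for _, a := range allowedAlgs {
			if a == h.Alg {
				return nil
			}
		}
		return fmt.Errorf("unexpected signature algorithm %q; expected %v", h.Alg, allowedAlgs)
	}
	return errors.New("unrecognised token format")
}

// ClaimsSegmentIsJSON mirrors what a JWS-only verifier does: base64url-decode the
// second segment and expect JSON. For a JWE that segment is the encrypted key.
func ClaimsSegmentIsJSON(token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) < 2 {
		return false
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	return err == nil && json.Valid(raw)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func jsonSeg(v interface{}) string {
	raw, _ := json.Marshal(v)
	return b64(raw)
}

// SampleJWS is a constructed JWS-shaped id_token with a placeholder signature (assumption: not a real token).
func SampleJWS(alg string) string {
	header := jsonSeg(map[string]string{"alg": alg, "typ": "JWT"})
	claims := jsonSeg(map[string]string{"iss": "https://authentik.example/application/o/headscale/", "sub": "user", "email": "user@example.com"})
	return header + "." + claims + "." + b64([]byte("placeholder-signature"))
}

// SampleJWE is a constructed JWE-shaped token; the second segment is binary, as a real encrypted key would be.
func SampleJWE() string {
	header := jsonSeg(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "typ": "JWT"})
	encKey := b64([]byte{0x0f, 0x3a, 0x91, 0xc4}) // starts with 0x0f, as in the reported error
	return strings.Join([]string{header, encKey, b64([]byte("iv-12-bytes!")), b64([]byte("ciphertext")), b64([]byte("tag-16-bytes-----"))}, ".")
}

func main() {
	for _, tok := range []string{SampleJWS("RS256"), SampleJWS("HS256"), SampleJWE()} {
		fmt.Printf("claims segment is JSON: %v; preflight: %v\n", ClaimsSegmentIsJSON(tok), PreflightIDToken(tok, []string{"RS256"}))
	}
}
```

The practical takeaway for the configurations in this thread is that the check has to happen before claims parsing: once a verifier has split a JWE as if it were a JWS, the error it reports ("invalid character" in the claims) hides the real cause. Turning off the encryption key on the provider side, as the reporter did, is the only fix until the client grows JWE support and a decryption key; the HS256 case is fixed on the provider side by selecting an RSA signing key for the client.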

+1 any news?

rudstone, Sep 11 '25 16:09