[Bug] Internal Service Error OIDC via Authentik
RomM version 3.7.2
Describe the bug Logging in via Authentik causes an Internal Service Error; attempting to log in again seems to work.
To Reproduce Steps to reproduce the behavior:
- Go to login.
- Click on authentik login
- Login via authentik
- See error
Expected behavior Login with authentik without error.
Additional context
[2025-01-12 16:44:30 +0000] [23] [ERROR] Exception in ASGI application
Traceback (most recent call last):
File "/src/.venv/lib/python3.12/site-packages/uvicorn/protocols/http/h11_impl.py", line 407, in run_asgi
result = await app( # type: ignore[func-returns-value]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/uvicorn/middleware/proxy_headers.py", line 69, in __call__
return await self.app(scope, receive, send)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/applications.py", line 1054, in __call__
await super().__call__(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 409, in _sentry_patched_asgi_app
return await middleware(scope, receive, send)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 161, in _run_asgi3
return await self._run_app(scope, receive, send, asgi_version=3)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 262, in _run_app
raise exc from None
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 257, in _run_app
return await self.app(
^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/applications.py", line 113, in __call__
await self.middleware_stack(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 187, in __call__
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 165, in __call__
await self.app(scope, receive, _send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 185, in __call__
with collapse_excgroups():
^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/contextlib.py", line 158, in __exit__
self.gen.throw(value)
File "/src/.venv/lib/python3.12/site-packages/starlette/_utils.py", line 82, in collapse_excgroups
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 187, in __call__
response = await self.dispatch_func(request, call_next)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/utils/context.py", line 41, in set_context_middleware
return await call_next(request)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 163, in call_next
raise app_exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 149, in coro
await self.app(scope, receive_or_disconnect, send_no_error)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/handler/auth/middleware.py", line 147, in __call__
await self.app(scope, receive, send_wrapper)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 348, in _sentry_authenticationmiddleware_call
await old_call(self, scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/authentication.py", line 48, in __call__
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/handler/auth/middleware.py", line 19, in __call__
await super().__call__(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette_csrf/middleware.py", line 72, in __call__
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/cors.py", line 85, in __call__
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 298, in _sentry_exceptionmiddleware_call
await old_call(self, scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
await app(scope, receive, sender)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 715, in __call__
await self.middleware_stack(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 735, in app
await route.handle(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 288, in handle
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 76, in app
await wrap_app_handling_exceptions(app, request)(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
await app(scope, receive, sender)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 73, in app
response = await f(request)
^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/fastapi.py", line 143, in _sentry_app
return await old_app(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 301, in app
raw_response = await run_endpoint_function(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 212, in run_endpoint_function
return await dependant.call(**values)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/endpoints/auth.py", line 254, in auth_openid
token = await oauth.openid.authorize_access_token(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/starlette_client/apps.py", line 80, in authorize_access_token
params = self._format_state_params(state_data, params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/base_client/sync_app.py", line 234, in _format_state_params
raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.
I'm having the exact same issue with the exact same error showing up.
Also seeing the same here with Authentik, same stacktrace in the logs. My docker-compose config:
# Authentication config
DISABLE_USERPASS_LOGIN: "false"
OIDC_CLIENT_ID: "clientId"
OIDC_CLIENT_SECRET: "clientSecret"
OIDC_ENABLED: "true"
OIDC_PROVIDER: "Authentik"
OIDC_REDIRECT_URI: "https://romm.example.com/api/oauth/openid"
OIDC_SERVER_APPLICATION_URL: "https://romm.example.com/application/o/romm/"
Posting logs; I have a similar stack trace but actually a different error (a key-set parsing failure in authlib rather than the OAuth state mismatch reported above):
ValueError: Invalid key set format
[2025-01-21 03:51:43 +1300] [24] [ERROR] Exception in ASGI application
Traceback (most recent call last):
File "/src/.venv/lib/python3.12/site-packages/uvicorn/protocols/http/h11_impl.py", line 407, in run_asgi
result = await app( # type: ignore[func-returns-value]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/uvicorn/middleware/proxy_headers.py", line 69, in __call__
return await self.app(scope, receive, send)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/applications.py", line 1054, in __call__
await super().__call__(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 409, in _sentry_patched_asgi_app
return await middleware(scope, receive, send)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 161, in _run_asgi3
return await self._run_app(scope, receive, send, asgi_version=3)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 262, in _run_app
raise exc from None
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 257, in _run_app
return await self.app(
^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/applications.py", line 113, in __call__
await self.middleware_stack(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 187, in __call__
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 165, in __call__
await self.app(scope, receive, _send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 185, in __call__
with collapse_excgroups():
^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/contextlib.py", line 158, in __exit__
self.gen.throw(value)
File "/src/.venv/lib/python3.12/site-packages/starlette/_utils.py", line 82, in collapse_excgroups
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 187, in __call__
response = await self.dispatch_func(request, call_next)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/utils/context.py", line 41, in set_context_middleware
return await call_next(request)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 163, in call_next
raise app_exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 149, in coro
await self.app(scope, receive_or_disconnect, send_no_error)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/handler/auth/middleware.py", line 147, in __call__
await self.app(scope, receive, send_wrapper)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 348, in _sentry_authenticationmiddleware_call
await old_call(self, scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/authentication.py", line 48, in __call__
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/handler/auth/middleware.py", line 19, in __call__
await super().__call__(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette_csrf/middleware.py", line 72, in __call__
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/cors.py", line 85, in __call__
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 298, in _sentry_exceptionmiddleware_call
await old_call(self, scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
await app(scope, receive, sender)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 715, in __call__
await self.middleware_stack(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 735, in app
await route.handle(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 288, in handle
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 76, in app
await wrap_app_handling_exceptions(app, request)(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
await app(scope, receive, sender)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 73, in app
response = await f(request)
^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/fastapi.py", line 143, in _sentry_app
return await old_app(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 301, in app
raw_response = await run_endpoint_function(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 212, in run_endpoint_function
return await dependant.call(**values)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/endpoints/auth.py", line 254, in auth_openid
token = await oauth.openid.authorize_access_token(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/starlette_client/apps.py", line 84, in authorize_access_token
userinfo = await self.parse_id_token(token, nonce=state_data['nonce'], claims_options=claims_options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/base_client/async_openid.py", line 69, in parse_id_token
key=JsonWebKey.import_key_set(jwk_set),
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/jose/rfc7517/jwk.py", line 55, in import_key_set
raise ValueError('Invalid key set format')
ValueError: Invalid key set format
@zodac Did you set up encryption in Authentik? And can you remove the trailing forward slash in OIDC_SERVER_APPLICATION_URL: "https://romm.example.com/application/o/romm/"?
I think it tried it with both trailing and non-trailing slash, but I'll go confirm.
And I previously had a secret key but I've kept the same environment variable and value, ROMM_AUTH_SECRET_KEY. Should I remove that?
No I mean in authentik, when you setup a Provider you can select an SSL cert, or authentik will auto-generate one. Is there one in place?
I use the self-signed one provided by Authentik.
Then you'll need to mount it into RomM and set OIDC_TLS_CACERTFILE in your environment to the path where it's mounted.
OK, I'll give that a whirl and report back, thanks!
Going to have to correct myself. I do not have encryption enabled in Authentik, and I also have removed the last slash. Same stack trace as above.
Ran again with LOGLEVEL set to debug but didn't get any more useful information. Anything else I can try to pinpoint the issue?
Facing the same issue right now. With a signing key configured I get "unsupported algorithm", and without one I get "invalid signing key".
Then you'll need to mount it into RomM and set OIDC_TLS_CACERTFILE in your environment to the path where it's mounted.
Is this really necessary? All other OIDC services I use do not need a certificate mounted into the container.
Facing the same issue right now. With a signing key configured I get "unsupported algorithm", and without one I get "invalid signing key".
Then you'll need to mount it into RomM and set OIDC_TLS_CACERTFILE in your environment to the path where it's mounted.
Is this really necessary? All other OIDC services I use do not need a certificate mounted into the container.
I too have this error, and I am using a Let's Encrypt certificate with a public chain, so I don't understand why the cert would need to be loaded, especially since the jwks endpoint from the .well-known/openid-configuration document should be used to get the public keys for verifying the signed JWT.
Got the same error. I don't have it on the Beta version, so this is introduced by a change in code. Also, I'm using Unraid; could this be the point of failure?
Got the same error. I don't have it on the Beta version, so this is introduced by a change in code. Also, I'm using Unraid; could this be the point of failure?
No, I'm not using Unraid and the issue is still there.
I'm seeing a similar error, httpx.UnsupportedProtocol: Request URL is missing an 'http://' or 'https://' protocol.
I've tried both with and without the trailing slash for the Authentik URL.
@undaunt , based on the Docker Compose configuration you shared previously, I noticed you have a typo where the environment variable is set as OIDC_REDIRECT:URI instead of OIDC_REDIRECT_URI
@adamantike Yes, I noticed that as well. I did a full down, up, etc. when it was fixed but it did not impact the result. I also tried renaming the provider in case there were any hardcoded issues with Authentik specifically.
3.7.3 still has this issue.
We will need a more complete set of reproduction steps if we want to make progress on this issue resolution. docker-compose.yml contents, Docker logs, and OIDC server configuration will be useful to start tackling it.
I also had this bug, but I somehow solved it. I changed two things:
- In the docker compose I changed `OIDC_PROVIDER=authentik` to `OIDC_PROVIDER=Authentik` (with an uppercase A, which is contrary to what is written in the wiki https://github.com/rommapp/romm/wiki/OIDC-Setup-With-Authentik#step-4-configure-romm-environment-variables. In other GitHub issues where people got further or had other issues, I saw them spell it with an uppercase A too).
- In the Authentik Provider configuration I set the signing key to self-signed and the encryption key to nothing:
(I have an nginx reverse proxy in front of Authentik which ofc handles https, with a valid signed lets encrypt cert)
I also had this bug, but I somehow solved it. I changed two things:
- In the docker compose I changed `OIDC_PROVIDER=authentik` to `OIDC_PROVIDER=Authentik` (with an uppercase A, which is contrary to what is written in the wiki https://github.com/rommapp/romm/wiki/OIDC-Setup-With-Authentik#step-4-configure-romm-environment-variables. In other GitHub issues where people got further or had other issues, I saw them spell it with an uppercase A too).
- In the Authentik Provider configuration I set the signing key to self-signed and the encryption key to nothing:
(I have an nginx reverse proxy in front of Authentik which ofc handles https, with a valid signed lets encrypt cert)
Just wanted to confirm that this also worked for me. Thanks @marissa999 ! :)
@zodac
Just wanted to confirm that this also worked for me. Thanks @marissa999 ! :)
Are you able to hide the normal login input fields with the env variable DISABLE_USERPASS_LOGIN=true? That is not working for me, though I am not sure right now whether this deserves its own issue.
Just wanted to confirm that this also worked for me. Thanks @marissa999 ! :)
Are you able to hide the normal login input fields with the env variable DISABLE_USERPASS_LOGIN=true? That is not working for me, though I am not sure right now whether this deserves its own issue.
Yes, it's working for me, though I have my environment variables configured like this:
DISABLE_USERPASS_LOGIN: "true"
Maybe try quoting it?
I also had this bug, but I somehow solved it. I changed two things:
- In the docker compose I changed `OIDC_PROVIDER=authentik` to `OIDC_PROVIDER=Authentik` (with an uppercase A, which is contrary to what is written in the wiki https://github.com/rommapp/romm/wiki/OIDC-Setup-With-Authentik#step-4-configure-romm-environment-variables. In other GitHub issues where people got further or had other issues, I saw them spell it with an uppercase A too).
- In the Authentik Provider configuration I set the signing key to self-signed and the encryption key to nothing:
(I have an nginx reverse proxy in front of Authentik which ofc handles https, with a valid signed lets encrypt cert)
Changing the lowercase a to an uppercase A didn't make a difference for me. I already had the signing key set to self-signed and the encryption key set to nothing. Still getting Internal Service Error. I have multiple other applications/providers set up that don't see this error. Unfortunately I don't have the time to test different things, or even write out my current setup. Multiple other people here seem to have the same issue, so I'd imagine it's a bug with OIDC in RomM. I'll leave it up to them to figure it out.
I don't mind creating a new issue on this, but I'm having this exact same problem with the error "mismatching_state: CSRF Warning! State not equal in request and response." when attempting to sign in with Authelia.
We will need a more complete set of reproduction steps if we want to make progress on this issue resolution.
docker-compose.yml contents, Docker logs, and OIDC server configuration will be useful to start tackling it.
@adamantike
Want me to open a new issue for this with all of those details or post in here?
I'm having the same mismatching_state: CSRF Warning! State not equal in request and response error when using Pocket ID.
Okay so at least with Authentik I can shed a little light.
If you do not select a signing certificate, Authentik will generate one for you using the HS256 algorithm; however, when you generate a certificate in Authentik (or use their pre-created self-signed cert) it is created with RS256. I've had this problem occur with other projects (like Actual), where their JWT library does not support any algorithm beyond RS256. This appears to be the same issue here, so it might be worth documenting.
RomM version 3.7.3
Describe the bug Attempting to log in with Authelia as an OIDC server results in an Internal Server Error. I have successfully used Authelia for SSO with multiple other applications; this is the last one that is causing me problems.
To Reproduce Steps to reproduce the behavior:
- at the login window click on the "Login with Authelia" button
- Enter credentials (tried several different accounts)
- On the Consent Request screen from Authelia click on Accept
- Browser window returns Internal Server Error
- Tried Chrome/Firefox and tried it with both private windows and clearing all caches etc
Expected behavior Successful login
Desktop (please complete the following information):
- OS: Windows 11
- Browser - Chrome 125 and Firefox 135
RomM Docker Compose File
volumes:
mysql_data:
romm_resources:
romm_redis_data:
services:
romm:
image: rommapp/romm:latest
container_name: romm
restart: unless-stopped
environment:
- DB_HOST=romm-db
- DB_NAME=[removed]
- DB_USER=[removed]
- DB_PASSWD=[removed]
- ROMM_AUTH_SECRET_KEY=[removed]
- ENABLE_SCHEDULED_UPDATE_MAME_XML=true
- SCHEDULED_UPDATE_MAME_XML_CRON="0 5 * * *"
- OIDC_ENABLED=true
- OIDC_PROVIDER=Authelia
- OIDC_CLIENT_ID=[removed]
- OIDC_CLIENT_SECRET=[removed]
- OIDC_REDIRECT_URI=http://[url]:[port]/api/oauth/openid
- OIDC_SERVER_APPLICATION_URL=https://[authurl]
volumes:
- /docker/romm/resources:/romm/resources # Resources fetched from IGDB (covers, screenshots, etc.)
- /docker/romm/romm_redis_data:/redis-data # Cached data for background tasks
- /Platforms:/romm/library
- /docker/romm/assets:/romm/assets
- /docker/romm/config:/romm/config
ports:
- [port]:8080
depends_on:
- romm-db
romm-db:
image: mariadb:latest # if you experience issues, try: linuxserver/mariadb:latest
container_name: romm-db
restart: unless-stopped
environment:
- MYSQL_ROOT_PASSWORD=[removed]
- MYSQL_DATABASE=romm
- MYSQL_USER=[removed]
- MYSQL_PASSWORD=[removed]
volumes:
- /docker/romm/mysql_data:/var/lib/mysql
Authelia Docker Compose File
services:
app:
image: authelia/authelia:latest
container_name: authelia
restart: unless-stopped
depends_on:
- database
volumes:
- /docker/authelia/config:/config
env_file:
- stack.env #I looked at these and nothing is specific to RomM - all other integrations work
#environment:
ports:
- [authport]:9091
Authelia Configuration
- client_id: [removed]
client_name: 'RomM'
client_secret: [removed]
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'http://[url]:[port]/api/oauth/openid'
scopes:
- 'openid'
- 'email'
- 'profile'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
Log from RomM
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 735, in app
await route.handle(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 288, in handle
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 76, in app
await wrap_app_handling_exceptions(app, request)(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
await app(scope, receive, sender)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 73, in app
response = await f(request)
^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/fastapi.py", line 143, in _sentry_app
return await old_app(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 301, in app
raw_response = await run_endpoint_function(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 212, in run_endpoint_function
return await dependant.call(**values)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/endpoints/auth.py", line 254, in auth_openid
token = await oauth.openid.authorize_access_token(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/starlette_client/apps.py", line 80, in authorize_access_token
params = self._format_state_params(state_data, params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/base_client/sync_app.py", line 234, in _format_state_params
raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.
I tried pivoting to Pocket ID and was following the guide at the wiki, but I received the following error about the redirect URL having a bad format.
In the browser I received the same internal service error.
Config (note that this sets OIDC_SERVER_APPLICATION, whereas the other configurations in this thread use OIDC_SERVER_APPLICATION_URL):
OIDC_ENABLED: true
OIDC_PROVIDER: pocketid
OIDC_CLIENT_ID: ${ROMM_OIDC_ID}
OIDC_CLIENT_SECRET: ${ROMM_OIDC_SECRET}
OIDC_REDIRECT_URI: https://${SUB_ROMM}.${DOMAINNAME}/api/oauth/openid
OIDC_SERVER_APPLICATION: https://${SUB_POCKET_ID}.${DOMAINNAME}/authorize
[2025-02-19 21:54:47 -0800] [25] [ERROR] Exception in ASGI application
Traceback (most recent call last):
File "/src/.venv/lib/python3.12/site-packages/uvicorn/protocols/http/h11_impl.py", line 407, in run_asgi
result = await app( # type: ignore[func-returns-value]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/uvicorn/middleware/proxy_headers.py", line 69, in __call__
return await self.app(scope, receive, send)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/applications.py", line 1054, in __call__
await super().__call__(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 409, in _sentry_patched_asgi_app
return await middleware(scope, receive, send)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 161, in _run_asgi3
return await self._run_app(scope, receive, send, asgi_version=3)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 262, in _run_app
raise exc from None
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/asgi.py", line 257, in _run_app
return await self.app(
^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/applications.py", line 113, in __call__
await self.middleware_stack(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 187, in __call__
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 165, in __call__
await self.app(scope, receive, _send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 185, in __call__
with collapse_excgroups():
^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/contextlib.py", line 158, in __exit__
self.gen.throw(value)
File "/src/.venv/lib/python3.12/site-packages/starlette/_utils.py", line 82, in collapse_excgroups
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 187, in __call__
response = await self.dispatch_func(request, call_next)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/utils/context.py", line 41, in set_context_middleware
return await call_next(request)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 163, in call_next
raise app_exc
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/base.py", line 149, in coro
await self.app(scope, receive_or_disconnect, send_no_error)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/handler/auth/middleware.py", line 156, in __call__
await self.app(scope, receive, send_wrapper)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 348, in _sentry_authenticationmiddleware_call
await old_call(self, scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/authentication.py", line 48, in __call__
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/handler/auth/middleware.py", line 28, in __call__
await super().__call__(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette_csrf/middleware.py", line 72, in __call__
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/cors.py", line 85, in __call__
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 298, in _sentry_exceptionmiddleware_call
await old_call(self, scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/starlette.py", line 200, in _create_span_call
return await old_call(app, scope, new_receive, new_send, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
await app(scope, receive, sender)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 715, in __call__
await self.middleware_stack(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 735, in app
await route.handle(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 288, in handle
await self.app(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 76, in app
await wrap_app_handling_exceptions(app, request)(scope, receive, send)
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
raise exc
File "/src/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
await app(scope, receive, sender)
File "/src/.venv/lib/python3.12/site-packages/starlette/routing.py", line 73, in app
response = await f(request)
^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/fastapi.py", line 143, in _sentry_app
return await old_app(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 301, in app
raw_response = await run_endpoint_function(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 212, in run_endpoint_function
return await dependant.call(**values)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/backend/endpoints/auth.py", line 228, in login_via_openid
return await oauth.openid.authorize_redirect(request, OIDC_REDIRECT_URI)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/starlette_client/apps.py", line 34, in authorize_redirect
rv = await self.create_authorization_url(redirect_uri, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/base_client/async_app.py", line 95, in create_authorization_url
metadata = await self.load_server_metadata()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/base_client/async_app.py", line 76, in load_server_metadata
resp = await client.request('GET', self._server_metadata_url, withhold_token=True)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/authlib/integrations/httpx_client/oauth2_client.py", line 90, in request
return await super().request(
^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/httpx/_client.py", line 1585, in request
return await self.send(request, auth=auth, follow_redirects=follow_redirects)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/httpx.py", line 142, in send
rv = await real_send(self, request, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/httpx/_client.py", line 1674, in send
response = await self._send_handling_auth(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/httpx/_client.py", line 1702, in _send_handling_auth
response = await self._send_handling_redirects(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/httpx/_client.py", line 1739, in _send_handling_redirects
response = await self._send_single_request(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/httpx/_client.py", line 1776, in _send_single_request
response = await transport.handle_async_request(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/src/.venv/lib/python3.12/site-packages/httpx/_transports/default.py", line 376, in handle_async_request
with map_httpcore_exceptions():
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/contextlib.py", line 158, in __exit__
self.gen.throw(value)
File "/src/.venv/lib/python3.12/site-packages/httpx/_transports/default.py", line 89, in map_httpcore_exceptions
raise mapped_exc(message) from exc
httpx.UnsupportedProtocol: Request URL is missing an 'http://' or 'https://' protocol.