linkding icon indicating copy to clipboard operation
linkding copied to clipboard
verified publisher icon sissbruecker

500 Error logging in with Authentik

Open codedge opened this issue 2 months ago • 3 comments

Hey 👋

I configured Authentik as my OIDC provider, but have not been able to login. When clicking the Login with ODIC button on the Linkding login page, I get the redirect, sign-in, but on the redirect back to linkding a 500 error is thrown.

2025-10-31T14:53:57.113361940+01:00 2025-10-31 13:53:57,112 ERROR Internal Server Error: /oidc/callback/
2025-10-31T14:53:57.113379955+01:00 Traceback (most recent call last):
2025-10-31T14:53:57.113385656+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/josepy/jws.py", line 351, in from_compact
2025-10-31T14:53:57.113389113+01:00     protected, payload, signature = compact.split(b".")
2025-10-31T14:53:57.113392520+01:00     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-31T14:53:57.113395856+01:00 ValueError: too many values to unpack (expected 3)
2025-10-31T14:53:57.113398632+01:00 
2025-10-31T14:53:57.113401578+01:00 During handling of the above exception, another exception occurred:
2025-10-31T14:53:57.113404333+01:00 
2025-10-31T14:53:57.113407249+01:00 Traceback (most recent call last):
2025-10-31T14:53:57.113410114+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/django/core/handlers/exception.py", line 55, in inner
2025-10-31T14:53:57.113413010+01:00     response = get_response(request)
2025-10-31T14:53:57.113416336+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/django/core/handlers/base.py", line 197, in _get_response
2025-10-31T14:53:57.113419212+01:00     response = wrapped_callback(request, *callback_args, **callback_kwargs)
2025-10-31T14:53:57.113422027+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/django/views/generic/base.py", line 105, in view
2025-10-31T14:53:57.113424943+01:00     return self.dispatch(request, *args, **kwargs)
2025-10-31T14:53:57.113427769+01:00            ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^
2025-10-31T14:53:57.113430584+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/django/views/generic/base.py", line 144, in dispatch
2025-10-31T14:53:57.113433430+01:00     return handler(request, *args, **kwargs)
2025-10-31T14:53:57.113436396+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/mozilla_django_oidc/views.py", line 124, in get
2025-10-31T14:53:57.113439331+01:00     self.user = auth.authenticate(**kwargs)
2025-10-31T14:53:57.113442157+01:00                 ~~~~~~~~~~~~~~~~~^^^^^^^^^^
2025-10-31T14:53:57.113445293+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/django/views/decorators/debug.py", line 75, in sensitive_variables_wrapper
2025-10-31T14:53:57.113448149+01:00     return func(*func_args, **func_kwargs)
2025-10-31T14:53:57.113451024+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/django/contrib/auth/__init__.py", line 114, in authenticate
2025-10-31T14:53:57.113453920+01:00     user = backend.authenticate(request, **credentials)
2025-10-31T14:53:57.113456735+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/mozilla_django_oidc/auth.py", line 321, in authenticate
2025-10-31T14:53:57.113459591+01:00     payload = self.verify_token(id_token, nonce=nonce)
2025-10-31T14:53:57.113462497+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/mozilla_django_oidc/auth.py", line 211, in verify_token
2025-10-31T14:53:57.113465322+01:00     key = self.retrieve_matching_jwk(token)
2025-10-31T14:53:57.113475853+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/mozilla_django_oidc/auth.py", line 170, in retrieve_matching_jwk
2025-10-31T14:53:57.113477897+01:00     jws = JWS.from_compact(token)
2025-10-31T14:53:57.113479830+01:00   File "/etc/linkding/.venv/lib/python3.13/site-packages/josepy/jws.py", line 353, in from_compact
2025-10-31T14:53:57.113481774+01:00     raise errors.DeserializationError(
2025-10-31T14:53:57.113484039+01:00         "Compact JWS serialization should comprise of exactly" " 3 dot-separated components"
2025-10-31T14:53:57.113486002+01:00     )
2025-10-31T14:53:57.113488026+01:00 josepy.errors.DeserializationError: Deserialization error: Compact JWS serialization should comprise of exactly 3 dot-separated components
2025-10-31T14:53:57.113605356+01:00 [pid: 21|app: 0|req: 164/236] ::ffff:10.42.0.109 () {60 vars in 1381 bytes} [Fri Oct 31 13:53:56 2025] GET /oidc/callback/?code=cdbf531fe6db4198a091549acdb8e9b5&state=K9pRZ6ovz1Ysj7AfVCYZWrAAAH9WpIqj => generated 145 bytes in 751 msecs (HTTP/1.1 500) 8 headers in 271 bytes (1 switches on core 1)
2025-10-31T14:53:57.159155432+01:00 [pid: 19|app: 0|req: 72/237] ::ffff:10.42.0.109 () {42 vars in 901 bytes} [Fri Oct 31 13:53:57 2025] GET /oidc/callback/?code=cdbf531fe6db4198a091549acdb8e9b5&state=K9pRZ6ovz1Ysj7AfVCYZWrAAAH9WpIqj => generated 0 bytes in 1 msecs (HTTP/1.1 302) 9 headers in 274 bytes (1 switches on core 1)
2025-10-31T14:53:57.161781483+01:00 [pid: 21|app: 0|req: 166/238] ::ffff:10.42.0.109 () {42 vars in 720 bytes} [Fri Oct 31 13:53:57 2025] GET / => generated 0 bytes in 1 msecs (HTTP/1.1 302) 9 headers in 280 bytes (1 switches on core 1)
2025-10-31T14:53:57.166402181+01:00 [pid: 21|app: 0|req: 167/239] ::ffff:10.42.0.109 () {42 vars in 732 bytes} [Fri Oct 31 13:53:57 2025] GET /login/ => generated 4867 bytes in 3 msecs (HTTP/1.1 200) 11 headers in 509 bytes (1 switches on core 1)
2025-10-31T14:53:57.168787882+01:00 [pid: 21|app: 0|req: 167/240] ::ffff:10.42.0.109 () {52 vars in 1285 bytes} [Fri Oct 31 13:53:57 2025] GET /api/bookmarks/check/?url=https%3A%2F%2Flinkding.homelab.org%2Foidc%2Fcallback%2F%3Fcode%3Dcdbf531fe6db4198a091549acdb8e9b5%26state%3DK9pRZ6ovz1Ysj7AfVCYZWrAAAH9WpIqj => generated 268 bytes in 22 msecs (HTTP/1.1 200) 9 headers in 287 bytes (1 switches on core 0)

My settings in linkding are these:

  LD_ENABLE_AUTH_PROXY: "False"
  LD_ENABLE_OIDC: "True"
  OIDC_OP_AUTHORIZATION_ENDPOINT: "https://[DOMAIN]/application/o/authorize/"
  OIDC_OP_TOKEN_ENDPOINT: "https://[DOMAIN]/application/o/token/"
  OIDC_OP_USER_ENDPOINT: "https://[DOMAIN]/application/o/userinfo/"
  OIDC_OP_JWKS_ENDPOINT: "https://[DOMAIN]/application/o/linkding/jwks/"
  OIDC_RP_SCOPE: "openid email profile"

Authentik works with other applications flawlessly, so I started to look for any config issues in/with linkding.

Any idea what this error points at?

codedge avatar Oct 31 '25 14:10 codedge

Hi @codedge,

I was getting a similar error yesterday.

In the Authentik Provider for Linkding, check the Redirect URIs. It should be similar to https://linkding.yourdomain.com/oidc/callback/

Let me know how you get on. Thanks!

camwoodhouse avatar Nov 05 '25 15:11 camwoodhouse

Hey @camwoodhouse

I checked just now: my redirect uri is set to strict https://linkding.example.com/oidc/callback/. So that seems to be correct.

codedge avatar Nov 06 '25 08:11 codedge

Hi @codedge,

Sorry the above didn't work for you. Just to note, I haven't defined the two below in my Docker config for Linkding.

LD_ENABLE_AUTH_PROXY: "False" OIDC_RP_SCOPE: "openid email profile"

The others settings are the same as yours. Thanks

camwoodhouse avatar Nov 11 '25 22:11 camwoodhouse