OIDC Login Not Supported #250

Open
Eschguy opened this issue Apr 28, 2024 · 13 comments

Comments

@Eschguy

Eschguy commented Apr 28, 2024

I use OIDC (Authentik) and am unable to log in.

Error message:

Expected response body of the type 'class n8.b0 (Kotlin reflection is not available)' but was 'class io.ktor.utils.io.t (Kotlin reflection is not available)'
In response from 'https://DOMAIN/api/auth/token'
Response status '500'
Response header `ContentType: text/plain; charset=utf-8`
Request header `Accept: application/json`
You can read how to resolve NoTransformationFoundException at FAQ:
https://ktor.io/docs/faq.html#no-transformation-found-exception
@kirmanak
Owner

kirmanak commented May 8, 2024

@Eschguy Thanks to your report I am now also running Authentik :-D But I still wasn't able to reproduce the issue. Are you still able to sign in with username and password via the Mealie UI? I'm asking because the log you attached mentions a 500 response status from Mealie, which means a server error.

@Eschguy
Author

Eschguy commented May 8, 2024

No, I force Authentik use when logging into my services, so going to my mealie.domain redirects to my auth.domain to log in before redirecting back.

@kirmanak
Owner

kirmanak commented May 8, 2024

@Eschguy Can you please elaborate on how you force the Authentik use? Are you using a reverse proxy like Traefik to achieve this?

@Eschguy
Author

Eschguy commented May 8, 2024

I set the OIDC_AUTO_REDIRECT variable to true, as documented here: https://docs.mealie.io/documentation/getting-started/installation/backend-config/#openid-connect-oidc

@kirmanak
Owner

kirmanak commented May 9, 2024

As far as I understand, this approach doesn't really block you from logging in with username and password, it just automatically redirects you from the login page when opened in browser. I have that variable set to true, but I am still able to sign in through the app.

The blocker in your case seems to be the 500 response from Mealie. Could you please set the log level of Mealie to debug and attempt the sign-in again? If it fails again, please check the Mealie logs as described here: https://docs.mealie.io/documentation/getting-started/installation/logs/. Once you have found the error, please post the relevant part of the log and the Mealie version here.

@Eschguy
Author

Eschguy commented May 9, 2024

[INFO|httptools_impl|L481] 2024-05-09T08:28:19: 207.153.2.74:0 - "GET /api/groups/mealplans/today HTTP/1.1" 200
[DEBUG|AppriseLocale|L140] 2024-05-09T08:28:19: Language set to en
[INFO|httptools_impl|L481] 2024-05-09T08:28:19: 207.153.2.74:0 - "GET /api/groups/mealplans/today HTTP/1.1" 200
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_start with no data
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_name with data[0:8]
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_data with data[9:16]
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_end with no data
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_start with no data
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_name with data[17:25]
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_data with data[26:36]
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_end with no data
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_end with no data
[INFO|httptools_impl|L481] 2024-05-09T08:28:25: 207.153.2.74:0 - "POST /api/auth/token HTTP/1.1" 500
[ERROR|httptools_impl|L416] 2024-05-09T08:28:25: Exception in ASGI application
Traceback (most recent call last):
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 411, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 69, in __call__
    return await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 123, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 186, in __call__
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 164, in __call__
    await self.app(scope, receive, _send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 24, in __call__
    await responder(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 44, in __call__
    await self.app(scope, receive, self.send_with_gzip)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 65, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 756, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 776, in app
    await route.handle(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 297, in handle
    await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 77, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 72, in app
    response = await func(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 278, in app
    raw_response = await run_endpoint_function(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 191, in run_endpoint_function
    return await dependant.call(**values)
  File "/app/mealie/routes/auth/auth.py", line 50, in get_token
    auth = await auth_provider.authenticate()
  File "/app/mealie/core/security/providers/credentials_provider.py", line 40, in authenticate
    if not CredentialsProvider.verify_password(self.data.password, user.password):
  File "/app/mealie/core/security/providers/credentials_provider.py", line 57, in verify_password
    return get_hasher().verify(plain_password, hashed_password)
  File "/app/mealie/core/security/hasher.py", line 32, in verify
    return bcrypt.checkpw(password_bytes, hashed_bytes)
ValueError: Invalid salt

@kirmanak
Owner

kirmanak commented May 9, 2024

"Invalid salt" sounds like a Mealie configuration issue. I don't see what I can change in the app to fix this; can you please open an issue in the Mealie repository instead?

@Eschguy
Author

Eschguy commented May 9, 2024

Sure, I can do more digging to see if I did something wrong. Since I have no issues on the web (desktop or mobile) I had assumed it was an issue with the app not supporting OIDC with 2FA.

@ericvenneker

I am able to reproduce the issue. It indeed appears that Mealie does not take the login method of the user into account and simply tries to log in anyway, which will fail because an OIDC (or LDAP) user does not have a password or salt.
That said, maybe the app is able (when requested by the user) to redirect to the configured OIDC.

@Eschguy were you able to create an issue on the mealie repo? I was not able to find a relevant issue.
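The failure described in this thread, as an added illustration that is not Mealie's or Mealient's own code: the password grant runs `bcrypt.checkpw` against a user record that has no bcrypt hash, the library raises `ValueError: Invalid salt`, and the endpoint answers 500. The guard below (hypothetical `User` fields and function names) checks the user's auth method first and treats an absent or malformed hash as a failed login rather than a crash; the `bcrypt` package is optional so the guard logic itself runs without it.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

try:
    import bcrypt  # optional here: the guard logic below runs without it
except ImportError:
    bcrypt = None

# Modular-crypt form of a bcrypt hash: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


@dataclass
class User:
    username: str
    auth_method: str                # hypothetical field: "mealie", "oidc" or "ldap"
    password: Optional[str] = None  # bcrypt hash for local users; None/"" for SSO users

def bcrypt_available() -> bool:
    return bcrypt is not None

def make_hash(plain: str) -> str:
    """Real bcrypt hash (low cost for demo speed); requires the bcrypt package."""
    return bcrypt.hashpw(plain.encode(), bcrypt.gensalt(rounds=4)).decode()

def looks_like_bcrypt(hashed: Optional[str]) -> bool:
    return bool(hashed) and BCRYPT_RE.match(hashed) is not None

def verify_password(plain: str, hashed: Optional[str]) -> bool:
    """Return False for an absent or malformed hash instead of letting bcrypt raise."""
    if not looks_like_bcrypt(hashed):
        return False
    if bcrypt is None:
        raise RuntimeError("bcrypt package required to verify a real hash")
    try:
        return bcrypt.checkpw(plain.encode(), hashed.encode())
    except ValueError:  # e.g. "Invalid salt": a failed login, not a server error
        return False

def authenticate(user: Optional[User], plain: str) -> Tuple[bool, str]:
    """Password-grant decision as (ok, reason). The reason is for server logs only;
    the client should receive one uniform 401 so accounts cannot be enumerated."""
    if user is None:
        return False, "unknown_user"
    if user.auth_method != "mealie":
        # The password grant cannot complete an OIDC/LDAP login; never touch bcrypt here.
        return False, "use_" + user.auth_method
    if not verify_password(plain, user.password):
        return False, "bad_credentials"
    return True, "ok"
```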

@Eschguy
Author

Eschguy commented May 12, 2024

@ericvenneker

No, I never did; I was going to try something first but it didn't work.

@tecbeat

tecbeat commented Jul 3, 2024

Same Authentik issue for me. The login mask from Mealie does not allow OIDC users, only native Mealie users. So maybe we need the same redirect for the app login.

@0xC0ncord

For what it's worth I tried working around this by creating an access token in Mealie for my user backed by OIDC login and then using that token as my password in Mealient, but I get the same error.

@danbracey

I was also facing the same error, and managed to resolve this by finding my user account in 'Admin User Management' and generating a Password Reset Link. I can now log in with both my new password and OIDC, and can now log into Mealient without issue, using the local password for Mealie and my normal Authentik password when using OIDC.
