mirror of
https://github.com/actualbudget/actual.git
synced 2026-07-16 15:14:02 -05:00
[GH-ISSUE #7241] [Bug]: Node.js API authentication fails with "Invalid redirect URL" when OpenID is configured alongside password auth #117400
Open
opened 2026-06-11 12:24:27 -05:00 by GiteaMirror
·
3 comments
No Branch/Tag Specified
master
claude/verify-migration-guardrails-i82c8m
cross-version-sync-stage2
api-browser-custom-data-dir
dependabot/npm_and_yarn/npm_and_yarn-cd62b4b37a
tabedzki/feat/replacing-month-picker-with-day-picker
delay-initial-sync-until-loaded
jfdoming/mobile-app-build
cross-version-sync-compat
jfdoming/api-tokens-part-1
jfdoming/api-tokens-part-2
jfdoming/api-tokens-part-3
jfdoming/mobile-app-updates
claude/budget-version-migration-compat-151jlr
claude/worker-error-serialization-9iqtl7
claude/react-table-library-research-afx83z
claude/issue-8401-regression-test-9nw9l3
jfdoming/mobile-app-foundation-part-1
jfdoming/mobile-app-scaffold
release
ai-fix-cleanup-def-8290
claude/relaxed-shannon-jusywa
claude/fervent-keller-s6f2fq
claude/determined-feynman-st1y9z
claude/wizardly-einstein-vi2wce
claude/sweet-albattani-7nseio
feat/bank-sync-per-budget-file
claude/affectionate-cannon-y0kc82
claude/dependabot-findings-m9pgmb
claude/mac-app-ios-publish-zjs1lz
claude/vigilant-tesla-aiiyos
depot-migrate-secrets-1781296330308
claude/quirky-cerf-v5qck7
claude/animation-removal-alternative-2etfh1
claude/netlify-preview-comments-consolidate-9XPYa
osc/7391-error-boundaries-reports
claude/pensive-dijkstra-7DYui
claude/server-app-version-mismatch-HTCGv
claude/pr-8027-review-feedback-mELuO
claude/zealous-wozniak-e5pO0
claude/intelligent-heisenberg-BSHJq
claude/translation-download-refactor-jFRsO
claude/mobile-performance-ideas-G9PAO
claude/github-issue-7988-5A5ly
blacksmith-migration-ff70d2d
claude/great-mayer-KRvOk
claude/react-native-ios-compilation-fcJh5
claude/serene-goldberg-58xv0
claude/kind-euler-LVG3K
release-automation/edge-nightly
7710-bundle-migrations
claude/fix-docker-build-error-WMfed
claude/llm-compatible-release-notes-t20Nr
7710-tests-tdd
cursor/transaction-table-rewrite-f077
claude/plan-ci-secure-context-OtEe1
claude/fix-issue-7667-DPXi3
cursor/resolve-pr-7449-ee11
claude/fix-typescript-build-error-JPtZ5
copilot/add-repository-configs-to-packages
worktree-compressed-drifting-ritchie
claude/api-consumer-verification-kfz1K
pr-7454
claude/fix-issue-7410-LLLQ4
revert-7281-generate-icons
react-query-useSchedules
copilot/sub-pr-6140
package-upgrades
v26.7.0
v26.6.0
v26.5.2
v26.5.1
v26.5.0
v26.4.0
v26.3.0
v26.2.1
v26.2.0
v26.1.0
v25.12.0
v25.11.0
v25.10.0
v25.9.0
v25.8.0
v25.7.1
v25.7.0
v25.6.1
v25.6.0
v25.5.0
v25.4.0
v25.3.1
v25.3.0
v25.2.1
v25.2.0
v25.1.0
v24.12.0
v24.11.0
v24.10.1
v24.10.0
v24.9.0
v24.8.0
v24.7.0
v24.6.0
v24.5.0
v24.4.0
v24.3.0
v24.2.0
v24.1.0
v23.12.0
v23.11.0
v23.10.0
v23.9.0
v23.8.1
v23.8.0
v23.7.2
v23.7.1
v23.7.0
v23.6.0
v23.5.0
v23.4.2
v23.4.1
v23.4.0
v23.3.2
v23.3.0
v23.2.9
v23.2.5
v23.1.12
v22.12.9
Labels
Clear labels
AI generated
API
bank sync
budgeting
bug
can’t replicate
dependencies
docker
documentation
electron
experimental feature
feature
feedback
goal templates
good first issue
help wanted
importers
maintenance
needs info
needs testing
needs triage
needs votes
openid
payees
pull-request
regression
reports
responsive
rules
schedules
server
✨ merged
split transactions
tech debt
tech-support
theme
transaction import
transaction reconciliation
transactions
translations
upstream
user interface
✅ approved
wontfix
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/actual#117400
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @carlos-otero on GitHub (Mar 20, 2026).
Original GitHub issue: https://github.com/actualbudget/actual/issues/7241
What happened?
When OpenID is configured via environment variables (ACTUAL_OPENID_*) and ACTUAL_LOGIN_METHOD=password + ACTUAL_ALLOWED_LOGIN_METHODS=password,openid are set to allow both methods, the Node.js API (@actual-app/api) fails to authenticate with password, returning Authentication failed: Invalid redirect URL.
How can we reproduce the issue?
Expected behavior:
Password authentication should work as a fallback when ACTUAL_OPENID_ENFORCE=false and allowedLoginMethods includes password.
Actual behavior:
The server returns Authentication failed: Invalid redirect URL — the OpenID redirect flow is triggered even when explicitly requesting password auth via the Node.js API.
Workaround:
Remove all ACTUAL_OPENID_* env vars. The budget then becomes inaccessible because it was created under the OpenID user. The only working solution found was to disable OpenID entirely.
Where are you hosting Actual?
Docker
What browsers are you seeing the problem on?
Chrome
Operating System
Windows 11
@EKCJ commented on GitHub (Apr 20, 2026):
I've set up OpenID via the web GUI and am also getting the "Invalid redirect URI" error message when trying to login with OpenID, but password login still works fine (and allows me to access my budgets or restore them from backup if necessary).
Using Authelia and v26.4.0
lmk if I can share any useful diagnostics - the container logs look unremarkable.
@iamwillbar commented on GitHub (Apr 27, 2026):
I'm hitting the same problem.
@j-inc commented on GitHub (May 14, 2026):
I can confirm the same issue with Authentik 2026.2.2
I had configured oauth via the UI, however. I found that by spinning down the container and adding the oauth configuration to the compose file, I could circumvent this bug.