mirror of
https://github.com/actualbudget/actual.git
synced 2026-07-15 14:43:36 -05:00
Closed
opened 2026-05-29 17:16:11 -05:00 by GiteaMirror
·
6 comments
No Branch/Tag Specified
master
tabedzki/feat/replacing-month-picker-with-day-picker
enforce-append-only-migrations-ci
delay-initial-sync-until-loaded
jfdoming/mobile-app-build
cross-version-sync-compat
claude/error-codes-worker-boundary-26i5uu
jfdoming/api-tokens-part-1
jfdoming/api-tokens-part-2
jfdoming/api-tokens-part-3
jfdoming/mobile-app-updates
api-browser-custom-data-dir
claude/budget-version-migration-compat-151jlr
claude/worker-error-serialization-9iqtl7
claude/react-table-library-research-afx83z
claude/issue-8401-regression-test-9nw9l3
jfdoming/mobile-app-foundation-part-1
jfdoming/mobile-app-scaffold
release
ai-fix-cleanup-def-8290
claude/relaxed-shannon-jusywa
claude/fervent-keller-s6f2fq
claude/determined-feynman-st1y9z
claude/wizardly-einstein-vi2wce
claude/sweet-albattani-7nseio
feat/bank-sync-per-budget-file
claude/affectionate-cannon-y0kc82
claude/dependabot-findings-m9pgmb
claude/mac-app-ios-publish-zjs1lz
claude/vigilant-tesla-aiiyos
depot-migrate-secrets-1781296330308
claude/quirky-cerf-v5qck7
claude/animation-removal-alternative-2etfh1
claude/netlify-preview-comments-consolidate-9XPYa
osc/7391-error-boundaries-reports
claude/pensive-dijkstra-7DYui
claude/server-app-version-mismatch-HTCGv
claude/pr-8027-review-feedback-mELuO
claude/zealous-wozniak-e5pO0
claude/intelligent-heisenberg-BSHJq
claude/translation-download-refactor-jFRsO
claude/mobile-performance-ideas-G9PAO
claude/github-issue-7988-5A5ly
blacksmith-migration-ff70d2d
claude/great-mayer-KRvOk
claude/react-native-ios-compilation-fcJh5
claude/serene-goldberg-58xv0
claude/kind-euler-LVG3K
release-automation/edge-nightly
7710-bundle-migrations
claude/fix-docker-build-error-WMfed
claude/llm-compatible-release-notes-t20Nr
7710-tests-tdd
cursor/transaction-table-rewrite-f077
claude/plan-ci-secure-context-OtEe1
claude/fix-issue-7667-DPXi3
cursor/resolve-pr-7449-ee11
claude/fix-typescript-build-error-JPtZ5
copilot/add-repository-configs-to-packages
worktree-compressed-drifting-ritchie
claude/api-consumer-verification-kfz1K
pr-7454
claude/fix-issue-7410-LLLQ4
revert-7281-generate-icons
react-query-useSchedules
copilot/sub-pr-6140
package-upgrades
v26.7.0
v26.6.0
v26.5.2
v26.5.1
v26.5.0
v26.4.0
v26.3.0
v26.2.1
v26.2.0
v26.1.0
v25.12.0
v25.11.0
v25.10.0
v25.9.0
v25.8.0
v25.7.1
v25.7.0
v25.6.1
v25.6.0
v25.5.0
v25.4.0
v25.3.1
v25.3.0
v25.2.1
v25.2.0
v25.1.0
v24.12.0
v24.11.0
v24.10.1
v24.10.0
v24.9.0
v24.8.0
v24.7.0
v24.6.0
v24.5.0
v24.4.0
v24.3.0
v24.2.0
v24.1.0
v23.12.0
v23.11.0
v23.10.0
v23.9.0
v23.8.1
v23.8.0
v23.7.2
v23.7.1
v23.7.0
v23.6.0
v23.5.0
v23.4.2
v23.4.1
v23.4.0
v23.3.2
v23.3.0
v23.2.9
v23.2.5
v23.1.12
v22.12.9
Labels
Clear labels
AI generated
API
bank sync
budgeting
bug
can’t replicate
dependencies
docker
documentation
electron
experimental feature
feature
feedback
goal templates
good first issue
help wanted
importers
maintenance
needs info
needs testing
needs triage
needs votes
openid
payees
pull-request
regression
reports
responsive
rules
schedules
server
✨ merged
split transactions
tech debt
tech-support
theme
transaction import
transaction reconciliation
transactions
translations
upstream
user interface
✅ approved
wontfix
Mirrored from GitHub Pull Request
No Label
bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/actual#99899
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Cheezzhead on GitHub (Sep 19, 2025).
Original GitHub issue: https://github.com/actualbudget/actual/issues/5745
Verified issue does not already exist?
What happened?
I've implemented OpenID with Authelia as OIDC provider. It all worked well, until a few minutes ago: I decided to try to log into the desktop client with my OpenID credentials, which failed with an
openid-grant-failederror, and the below log entry in Authelia:Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The authorization code has already been used.If this were only the desktop client failing, I wouldn't worry much (but it would be nice to have confirmation that OpenID authentication doesn't work with the desktop client). However, from that point on any attempted login from the web also fails with the same error. In other words, I currently am unable to login into my AB account at all.
docker-compose:
oidc_authelia.env:
How can we reproduce the issue?
Where are you hosting Actual?
Docker
What browsers are you seeing the problem on?
Firefox
Operating System
Linux
@youngcw commented on GitHub (Sep 19, 2025):
Please reach out on discord for tech support
@Cheezzhead commented on GitHub (Sep 22, 2025):
...This is not tech support, this is a bug. The OIDC provider is correctly configured, AB is configured according to the documentation. After working for a few days, I'm now getting the same error just by logging into the web client. something is going wrong in the AB code
@youngcw commented on GitHub (Sep 22, 2025):
@lelemm
@lelemm commented on GitHub (Sep 23, 2025):
The desktop client (electron) creates a http server when you start the openid flow. So, the return url is the localhost url. That's probably what is going on. On authelia try to add the redirect url to accept
this is the default return url:
http://localhost:3010but if this port is in use, it will use another port that will be displayed on the dev tools console of electron. You can check the code here:753a105b3d/packages/desktop-electron/index.ts (L92C1-L111C10)@Cheezzhead commented on GitHub (Sep 23, 2025):
Good to know! I'll definitely try that out, but I should clarify at this point that the problem has progressed beyond the Desktop client - to the point where I think that was a bit of a red herring (as in, the desktop client just happened to be the thing I was trying out).
I am now getting the 'openid-grant-failed' error on every login attempt. From the (debug) logs from Authelia it seems that everything is set up correctly:
As far as I can see, the entire OIDC flow completed cleanly, however AB logs a 400 response afterwards:
Obviously I don't know anything about AB's internal OIDC flow, but it seems to me that after login, it's making a second request to its own callback endpoint with the same code that Authelia already consumed.
Here's Authelia's OIDC configuration for the Actual Budget client, for posterity:
@Cheezzhead commented on GitHub (Sep 24, 2025):
Update: I've restarted AB with a fresh config and empty sqlite database. I've also assigned a new client id to the respective OIDC client.
I'm able to log in with the server admin account so that this account becomes the server owner. However, as soon as I try to log in with any other account, the issue persists.