invalid_scope on OIDC Login with Authelia after upgrading from 0.23.0 to 0.24.0 (& 0.24.1) #258

Closed
opened 2025-11-01 20:52:13 -05:00 by GiteaMirror · 6 comments
Owner

Originally created by @FieldofClay on GitHub (Jul 25, 2024).

Description

I have OIDC login configured with Authelia. This has been working fine until the upgrade to 0.24.x, when I have started getting an invalid_scope message when clicking the 'Login with Authelia' button. My configuration has not changed, on either Vikunja or Authelia and the Authelia version has remained the same. Downgrading to 0.23.0 resolves the issue.

Vikunja Config:

auth:
  local:
    enabled: false
  openid:
    enabled: true
    redirecturl: https://vikunja.mydomain.com/auth/openid/
    providers:
      - name: Authelia
        authurl: https://auth.mydomain.com
        logouturl:
        clientid: vikunja
        clientsecret: ###SECRET###
        scope: openid profile email

Relevant Authelia config:

identity_providers:
  oidc:
    jwks:
      - certificate_chain: |
          -----BEGIN CERTIFICATE-----
          #####################
          -----END CERTIFICATE-----
        key: |
          -----BEGIN PRIVATE KEY-----
          #####################
          -----END PRIVATE KEY-----
    hmac_secret: ###SECRET###
    cors:
      endpoints:
        - userinfo
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins:
        - https://vikunja.mydomain.com
    clients:
      - client_id: vikunja
        client_name: Vikunja
        client_secret: '###SECRET###'
        public: false
        authorization_policy: one_factor
        token_endpoint_auth_method: client_secret_post
        redirect_uris:
          - https://vikunja.mydomain.com/auth/openid/authelia
        scopes:
          - email
          - openid
          - profile

When attempting to login, this error appears in Authelia, indicating Vikunja is not sending a valid scope:

Jul 26 09:49:01 authelia authelia[26877]: time="2024-07-26T09:49:01+00:00" level=error msg="Authorization Request failed with error: The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'undefined'." method=GET path=/api/oidc/authorization remote_ip="##IPV6##" stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_authorization.go:41           OpenIDConnectAuthorization\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:114 handleRouter.NewHTTPToAutheliaHandlerAdaptor.func21\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            handleRouter.(*BridgeBuilder).Build.func16.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:91                           SecurityHeadersNoStore.func1\ngithub.com/valyala/fasthttp@v1.52.0/userdata.go:57                                           (*userData).Get\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30                           SecurityHeadersBase.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             handleRouter.(*CORSPolicy).Middleware.func22\ngithub.com/fasthttp/router@v1.5.0/router.go:441                                              (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14                       handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38                            RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.52.0/server.go:2374                                           (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:224                                        (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:196                                        (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695                                                                     goexit"

Vikunja Version

0.24.0

Browser and version

Firefox, Chrome

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

image

Originally created by @FieldofClay on GitHub (Jul 25, 2024). ### Description I have OIDC login configured with Authelia. This has been working fine until the upgrade to 0.24.x, when I have started getting an invalid_scope message when clicking the 'Login with Authelia' button. My configuration has not changed, on either Vikunja or Authelia and the Authelia version has remained the same. Downgrading to 0.23.0 resolves the issue. Vikunja Config: ``` auth: local: enabled: false openid: enabled: true redirecturl: https://vikunja.mydomain.com/auth/openid/ providers: - name: Authelia authurl: https://auth.mydomain.com logouturl: clientid: vikunja clientsecret: ###SECRET### scope: openid profile email ``` Relevant Authelia config: ``` identity_providers: oidc: jwks: - certificate_chain: | -----BEGIN CERTIFICATE----- ##################### -----END CERTIFICATE----- key: | -----BEGIN PRIVATE KEY----- ##################### -----END PRIVATE KEY----- hmac_secret: ###SECRET### cors: endpoints: - userinfo - authorization - token - revocation - introspection allowed_origins: - https://vikunja.mydomain.com clients: - client_id: vikunja client_name: Vikunja client_secret: '###SECRET###' public: false authorization_policy: one_factor token_endpoint_auth_method: client_secret_post redirect_uris: - https://vikunja.mydomain.com/auth/openid/authelia scopes: - email - openid - profile ``` When attempting to login, this error appears in Authelia, indicating Vikunja is not sending a valid scope: ``` Jul 26 09:49:01 authelia authelia[26877]: time="2024-07-26T09:49:01+00:00" level=error msg="Authorization Request failed with error: The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'undefined'." method=GET path=/api/oidc/authorization remote_ip="##IPV6##" stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_authorization.go:41 OpenIDConnectAuthorization\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:114 handleRouter.NewHTTPToAutheliaHandlerAdaptor.func21\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54 handleRouter.(*BridgeBuilder).Build.func16.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:91 SecurityHeadersNoStore.func1\ngithub.com/valyala/fasthttp@v1.52.0/userdata.go:57 (*userData).Get\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30 SecurityHeadersBase.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216 handleRouter.(*CORSPolicy).Middleware.func22\ngithub.com/fasthttp/router@v1.5.0/router.go:441 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 handleRouter.LogRequest.func40\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38 RecoverPanic.func1\ngithub.com/valyala/fasthttp@v1.52.0/server.go:2374 (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:224 (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.52.0/workerpool.go:196 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1695 goexit" ``` ### Vikunja Version 0.24.0 ### Browser and version Firefox, Chrome ### Can you reproduce the bug on the Vikunja demo site? No ### Screenshots ![image](https://github.com/user-attachments/assets/ccd43afd-85e1-4887-bc8c-a5dbd91cf1f7)
GiteaMirror added the bug label 2025-11-01 20:52:13 -05:00
Author
Owner

@kolaente commented on GitHub (Aug 7, 2024):

Which url do you get redirected to? If you check with the browser dev tools, which requests do you see in the network tab? Are there any messages in Vikunja's logs?

@kolaente commented on GitHub (Aug 7, 2024): Which url do you get redirected to? If you check with the browser dev tools, which requests do you see in the network tab? Are there any messages in Vikunja's logs?
Author
Owner

@FieldofClay commented on GitHub (Aug 8, 2024):

The URL that I end up at is:

https://vikunja.mydomain.com/auth/openid/authelia?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27undefined%27.&iss=https%3A%2F%2Fauth.mydomain.com&state=sp28wudtton

The noteworthy requests I see are:

303: https://auth.mydomain.com/api/oidc/authorization?client_id=vikunja&redirect_uri=https://vikunja.mydomain.com/auth/openid/authelia&response_type=code&scope=undefined&state=bx4s7yi6xv8
200: https://vikunja.mydomain.com/auth/openid/authelia?error=invalid_scope&error_description=The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'undefined'.&iss=https://auth.mydomain.com&state=bx4s7yi6xv8

The only thing I get out of the logs from the api server is:

Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.33178384+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 / 103.005µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.519527203+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /assets/index-BO9ASMil.css 746.091µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.727705463+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /api/v1/info 363.948µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.734677969+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /assets/llama-nightscape-mKZQPxXM.jpg 245.411µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.794996327+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /assets/llama-SxB1d0EY.svg?url 136.01µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.795594425+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /assets/no-auth-image-B3TdQwHl.jpg 489.458µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Aug 08 15:01:19 vikunja vikunja[462]: 2024-08-08T15:01:19.056353522+10:00: WEB         ▶ XXX.XXX.XXX.XXX  GET 200 /auth/openid/authelia?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27undefined%27.&iss=https%3A%2F%2Fauth.mydomain.com&state=kju8qe3tcu 97.043µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0

I think it is also noteworthy to mention that I am running the manually installed binaries, using the frontend + api combo. Downgrading the frontend to 0.23.0 fixes the issue. The API server version is 0.22.1.

@FieldofClay commented on GitHub (Aug 8, 2024): The URL that I end up at is: ``` https://vikunja.mydomain.com/auth/openid/authelia?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27undefined%27.&iss=https%3A%2F%2Fauth.mydomain.com&state=sp28wudtton ``` The noteworthy requests I see are: ``` 303: https://auth.mydomain.com/api/oidc/authorization?client_id=vikunja&redirect_uri=https://vikunja.mydomain.com/auth/openid/authelia&response_type=code&scope=undefined&state=bx4s7yi6xv8 200: https://vikunja.mydomain.com/auth/openid/authelia?error=invalid_scope&error_description=The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'undefined'.&iss=https://auth.mydomain.com&state=bx4s7yi6xv8 ``` The only thing I get out of the logs from the api server is: ``` Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.33178384+10:00: WEB ▶ XXX.XXX.XXX.XXX GET 200 / 103.005µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.519527203+10:00: WEB ▶ XXX.XXX.XXX.XXX GET 200 /assets/index-BO9ASMil.css 746.091µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.727705463+10:00: WEB ▶ XXX.XXX.XXX.XXX GET 200 /api/v1/info 363.948µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.734677969+10:00: WEB ▶ XXX.XXX.XXX.XXX GET 200 /assets/llama-nightscape-mKZQPxXM.jpg 245.411µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.794996327+10:00: WEB ▶ XXX.XXX.XXX.XXX GET 200 /assets/llama-SxB1d0EY.svg?url 136.01µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Aug 08 15:01:14 vikunja vikunja[462]: 2024-08-08T15:01:14.795594425+10:00: WEB ▶ XXX.XXX.XXX.XXX GET 200 /assets/no-auth-image-B3TdQwHl.jpg 489.458µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Aug 08 15:01:19 vikunja vikunja[462]: 2024-08-08T15:01:19.056353522+10:00: WEB ▶ XXX.XXX.XXX.XXX GET 200 /auth/openid/authelia?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27undefined%27.&iss=https%3A%2F%2Fauth.mydomain.com&state=kju8qe3tcu 97.043µs - Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 ``` I think it is also noteworthy to mention that I am running the manually installed binaries, using the frontend + api combo. Downgrading the frontend to 0.23.0 fixes the issue. The API server version is 0.22.1.
Author
Owner

@kolaente commented on GitHub (Aug 8, 2024):

Does it work if you remove the scope from Vikunja's config?

@kolaente commented on GitHub (Aug 8, 2024): Does it work if you remove the `scope` from Vikunja's config?
Author
Owner

@FieldofClay commented on GitHub (Aug 8, 2024):

No, there is not behaviour change when removing the scope from vikunja's config. I also played around with removing scope from Authelia's config, same result.

Downgrading to 0.23.0 with scope missing, allowed me to login OK.

@FieldofClay commented on GitHub (Aug 8, 2024): No, there is not behaviour change when removing the scope from vikunja's config. I also played around with removing scope from Authelia's config, same result. Downgrading to 0.23.0 with scope missing, allowed me to login OK.
Author
Owner

@kolaente commented on GitHub (Aug 12, 2024):

If you check https://vikunja.mydomain.com/api/v1/info, which value does the scope attribute under the providers entry have?

@kolaente commented on GitHub (Aug 12, 2024): If you check `https://vikunja.mydomain.com/api/v1/info`, which value does the `scope` attribute under the `providers` entry have?
Author
Owner

@FieldofClay commented on GitHub (Aug 13, 2024):

Solved. When checking that endpoint I noticed that the version was still 0.22.1. Found that Arch Linux was still using the api folder on the download server (which maxes out at 0.22.1), instead of the vikunja folder. Updated (properly) to 0.24.2 and it is all working fine.

Thanks for your assistance @kolaente!

@FieldofClay commented on GitHub (Aug 13, 2024): Solved. When checking that endpoint I noticed that the version was still 0.22.1. Found that Arch Linux was still using the api folder on the download server (which maxes out at 0.22.1), instead of the vikunja folder. Updated (properly) to 0.24.2 and it is all working fine. Thanks for your assistance @kolaente!
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vikunja#258