Immich, 2y ago
damon (OP)

ERROR [AuthService] Unable to complete OAuth login: RPError: failed to validate JWT signature

Trying to set up OAuth with Authelia and I am getting this error. Authelia setup: http://upload.montague.im/u/6JjMkY.png Immich setup: http://upload.montague.im/u/atj8yJ.png
41 Replies
damon (OP), 2y ago
bump
Allram, 2y ago
Do you have these 3 in redirect uris?
redirect_uris:
  - app.immich:/
  - https://photos.DOMAIN/auth/login
  - https://photos.DOMAIN/user-settings
damon (OP), 2y ago
yep
Allram, 2y ago
Authelia docs link: OpenID Connect - Configuration
damon (OP), 2y ago
yep, it's here
Allram, 2y ago
It does not seem so from your config. You don't have any config after oidc:. You are missing all the keys and the rest of the oidc config. Then you should have clients: immich: etc etc
jrasm91, 2y ago
I think you might need to specify a signing algorithm. Do you mind posting the error here?
damon (OP), 2y ago
Sorry, didn't see these. I got OAuth working with Portainer so idk the deal with Immich. I was having an issue where it didn't recognize Authelia's secrets, so I tried one in plain text to see if it works; I did. I put none, even with RS256, no dice.
[Nest] 7 - 10/22/2023, 5:57:40 AM ERROR [AuthService] Unable to complete OAuth login: RPError: failed to validate JWT signature
RPError: failed to validate JWT signature
    at Client.validateJWT (/usr/src/app/node_modules/openid-client/lib/client.js:1055:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Client.validateIdToken (/usr/src/app/node_modules/openid-client/lib/client.js:745:49)
    at async Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:488:7)
    at async AuthService.getOAuthProfile (/usr/src/app/dist/domain/auth/auth.service.js:222:28)
    at async AuthService.callback (/usr/src/app/dist/domain/auth/auth.service.js:163:25)
    at async OAuthController.callback (/usr/src/app/dist/immich/controllers/oauth.controller.js:39:38)
    at async /usr/src/app/node_modules/@nestjs/core/router/router-execution-context.js:46:28
    at async /usr/src/app/node_modules/@nestjs/core/router/router-proxy.js:9:17
here is the error
schuhbacca, 2y ago
You don't have Grant type listed in your config?
jrasm91, 2y ago
I was going to say that next - you need authorization type auth code
damon (OP), 2y ago
okay, I'll give that a try
clients:
  - id: immich
    description: Immich
    secret: X
    public: false
    authorization_policy: one_factor
    pre_configured_consent_duration: 1y
    consent_mode: auto
    scopes: ["openid", "profile", "email", "groups"]
    redirect_uris: ["https://immich.montague.im/auth/login", "https://immich.montague.im/user-settings", "app.immich:/"]
    grant_types: ["refresh_token", "authorization_code"]
    response_types: ["code"]
    response_modes: ["form_post", "query", "fragment"]
    userinfo_signing_algorithm: none
added this, still no
time="2023-10-22T10:42:41-04:00" level=debug msg="Authorization Request with id 'babea677-b083-498c-8c61-3a8d72143f79' on client with id 'immich' is being processed" method=GET path=/api/oidc/authorization remote_ip=172.70.114.147
time="2023-10-22T10:42:41-04:00" level=debug msg="Authorization Request with id 'babea677-b083-498c-8c61-3a8d72143f79' on client with id 'immich' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id 'immich' and subject 'ccc4fecc-c567-4308-82c9-bd8f9249aa4a' and scopes 'openid email profile groups'" method=GET path=/api/oidc/authorization remote_ip=172.70.114.147
time="2023-10-22T10:42:41-04:00" level=debug msg="Authorization Request with id 'babea677-b083-498c-8c61-3a8d72143f79' on client with id 'immich' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id 'immich' and subject 'ccc4fecc-c567-4308-82c9-bd8f9249aa4a' and scopes 'openid email profile groups' with id '2'" method=GET path=/api/oidc/authorization remote_ip=172.70.114.147
time="2023-10-22T10:42:41-04:00" level=debug msg="Authorization Request with id 'babea677-b083-498c-8c61-3a8d72143f79' on client with id 'immich' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=172.70.114.147
time="2023-10-22T10:42:42-04:00" level=debug msg="Access Request with id 'babea677-b083-498c-8c61-3a8d72143f79' on client with id 'immich' is being processed" method=POST path=/api/oidc/token remote_ip=172.68.150.99
time="2023-10-22T10:42:42-04:00" level=debug msg="Access Request with id 'babea677-b083-498c-8c61-3a8d72143f79' on client with id 'immich' has successfully been processed" method=POST path=/api/oidc/token remote_ip=172.68.150.99
Looking at this, it looks like things are fine on the Authelia side. Also, looking at the docs, grant_types are defined by default.
damon (OP), 2y ago
[screenshot attachment]
damon (OP), 2y ago
[screenshot attachment]
schuhbacca, 2y ago
Inside the Immich OAuth config, can you try using the well-known endpoint for the issuer URL, and validate that the secret you created matches? Otherwise your setup is similar to mine and it works fine for me. I can try and post my configs later so you can compare.
martabal, 2y ago
Here's a valid config. You need to edit hmac_secret, issuer_private_key, allowed_origins, redirect_uris, and secret.
damon (OP), 2y ago
---
version: '3.7'

secrets:
  JWT_SECRET:
    file: ${PWD}/authelia/secrets/JWT_SECRET
  SESSION_SECRET:
    file: ${PWD}/authelia/secrets/SESSION_SECRET
  STORAGE_ENCRYPTION_KEY:
    file: ${PWD}/authelia/secrets/STORAGE_ENCRYPTION_KEY
  SMTP_PASSWORD:
    file: ${PWD}/authelia/secrets/SMTP_PASSWORD
  OIDC_PRIVATE_KEY:
    file: ${PWD}/authelia/secrets/OIDC_PRIVATE_KEY
  HMAC_SECRET:
    file: ${PWD}/authelia/secrets/HMAC_SECRET

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: always
    env_file:
      - .env
    networks:
      - traefik
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml
      - ./traefik/data/letsencrypt/:/letsencrypt/
      - ./traefik/access.log:/access.log
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      traefik.enable: true
      traefik.http.routers.dashboard.rule: Host(`traefik.$PRIMARY_DOMAIN`)
      traefik.http.routers.dashboard.entrypoints: https
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.middlewares: authelia@docker
      traefik.http.middlewares.global-compress.compress: true
    command:
      - '--api'
      - '--providers.docker=true'

  authelia:
    image: authelia/authelia:v4.38.0-beta2
    container_name: authelia
    user: 1001:1001
    depends_on:
      - traefik
    volumes:
      - ./authelia:/config
    networks:
      - traefik
      - authelia
      - mail
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.authelia.rule=Host(`auth.$PRIMARY_DOMAIN`)'
      - 'traefik.http.routers.authelia.entrypoints=https'
      - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.$PRIMARY_DOMAIN' # yamllint disable-line rule:line-length
      - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
      - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
      - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
    expose:
      - 9091
    restart: always
    secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_ENCRYPTION_KEY, SMTP_PASSWORD, HMAC_SECRET, OIDC_PRIVATE_KEY]
    environment:
      TZ: "America/New_York"
      AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/SMTP_PASSWORD
      AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /run/secrets/OIDC_PRIVATE_KEY
      AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: /run/secrets/HMAC_SECRET
    healthcheck:
      disable: true

  authelia_redis:
    image: redis:latest
    container_name: authelia-redis-cache
    restart: always
    depends_on:
      - authelia
    networks:
      - authelia

networks:
  traefik:
    name: traefik
  authelia:
    name: authelia
  mail:
    external: true
I just use Docker secrets; I don't pass them in the cfg. The only thing you have that I don't is the CORS stuff. A lot of these are just the defaults you have specified.
martabal, 2y ago
You don't need to change that many entries.
damon (OP), 2y ago
ik
martabal, 2y ago
Do you have other services using the identity_providers?
damon (OP), 2y ago
I'm just pointing out you specified things that are default. Yep, Portainer. Portainer works.
- id: portainer
  description: Docker Management GUI
  secret: X
  public: false
  consent_mode: auto
  authorization_policy: two_factor
  pre_configured_consent_duration: 1y
  scopes: ["profile", "groups", "email", "openid"]
  redirect_uris: ["https://docker.montague.im"]
  userinfo_signing_algorithm: none
martabal, 2y ago
I have the feeling that something is wrong with your issuer_private_key or your hmac_secret
damon (OP), 2y ago
It gets through fine on the Authelia side, and it works with Portainer. Why would it be any different?
martabal, 2y ago
Does Portainer check the JWT signature?
damon (OP), 2y ago
not entirely sure
schuhbacca, 2y ago
Yeah, that's what that error means to me: when decrypting on the Immich side it's failing because the secret from Authelia and Immich isn't meshing. But that's me just guessing. Could try regenerating the auth and client secret again and redoing it. Sorry, that's all I have.
damon (OP), 2y ago
My guess was that Immich doesn't like Argon secrets, or whatever they are called.
schuhbacca, 2y ago
I currently use pbkdf2. I may try Argon later and see if it works
damon (OP), 2y ago
How do I generate a secret using that?
damon (OP), 2y ago
Still, with that encryption it didn't work. idk what's going on.
damon (OP), 2y ago
[Nest] 7 - 10/22/2023, 5:11:57 PM ERROR [AuthService] Unable to complete OAuth login: RPError: failed to validate JWT signature
RPError: failed to validate JWT signature
    at Client.validateJWT (/usr/src/app/node_modules/openid-client/lib/client.js:1055:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Client.validateIdToken (/usr/src/app/node_modules/openid-client/lib/client.js:745:49)
    at async Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:488:7)
    at async AuthService.getOAuthProfile (/usr/src/app/dist/domain/auth/auth.service.js:222:28)
    at async AuthService.callback (/usr/src/app/dist/domain/auth/auth.service.js:163:25)
    at async OAuthController.callback (/usr/src/app/dist/immich/controllers/oauth.controller.js:39:38)
    at async /usr/src/app/node_modules/@nestjs/core/router/router-execution-context.js:46:28
    at async /usr/src/app/node_modules/@nestjs/core/router/router-proxy.js:9:17
[screenshot attachment]
jrasm91, 2y ago
What signing algorithm is being used, do you know?
damon (OP), 2y ago
On the Authelia side I specified none.
jrasm91, 2y ago
Did you try with RS256?
damon (OP), 2y ago
YEP, sorry caps
jrasm91, 2y ago
And it still says failed to validate jwt?
damon (OP), 2y ago
yep :/
jrasm91, 2y ago
[screenshot attachment]
jrasm91, 2y ago
It looks like this case is being skipped and an error from 1083 is being thrown. The client library we're using is pretty good so I'm pretty sure it is working as designed.
damon (OP), 2y ago
Yeah, I don't think it's you guys' fault at all, just a problem in my config, but idk what it is.