H
Homarr4mo ago
Randoh

Authentik OIDC - Internal Server Error

Constantly getting an Internal Server Error on OIDC with Authentik. I've dug through some of the GitHub issues as well as the threads here and can't seem to get past the block. Any help is appreciated! Symptoms: - Navigating to admin.domain.tld (where Homarr is surfaced through Nginx) worked get with credential auth. Switching to OIDC: Gray screen with "Internal Server Error" no matter the different configurations I've tried. - Logs state "Invalid URL" on both NEXTAUTH_URL and AUTH_OIDC_URI (have tried numerous variations of these) Redirect URI in Authentik: https://admin.domain.tld/api/auth/callback/oidc (also tried this as auth.) Current Compose: 
homarr:
    container_name: homarr
    image: ghcr.io/ajnart/homarr:0.15.3
    volumes:
      - ${CONTAINER_FOLDER}/homarr/configs:/data/configs
      - ${CONTAINER_FOLDER}/homarr/icons:/app/public/icons
      - ${CONTAINER_FOLDER}/homarr/data:/data
      - ${CONTAINER_FOLDER}/graphics:/app/public/graphics
    ports:
      - '7575:7575'
    environment:
      - AUTH_PROVIDER=oidc
      - BASE_URL="admin.domain.tld"
      - NEXTAUTH_URL="admin.domain.tld"
      - AUTH_OIDC_URI="https://auth.domain.tld/application/o/homarr" # Have also tried admin. here instead of auth.
      - AUTH_OIDC_CLIENT_ID="ID"
      - AUTH_OIDC_CLIENT_SECRET="SECRET"
      - AUTH_OIDC_CLIENT_NAME="AUTHENTIK"
      - AUTH_OIDC_ADMIN_GROUP="authentik Admin"
      - AUTH_OIDC_OWNER_GROUP="authentik Admin" 
      - AUTH_OIDC_AUTO_LOGIN=true
    networks:
      - frontend
    restart: unless-stopped
homarr:
    container_name: homarr
    image: ghcr.io/ajnart/homarr:0.15.3
    volumes:
      - ${CONTAINER_FOLDER}/homarr/configs:/data/configs
      - ${CONTAINER_FOLDER}/homarr/icons:/app/public/icons
      - ${CONTAINER_FOLDER}/homarr/data:/data
      - ${CONTAINER_FOLDER}/graphics:/app/public/graphics
    ports:
      - '7575:7575'
    environment:
      - AUTH_PROVIDER=oidc
      - BASE_URL="admin.domain.tld"
      - NEXTAUTH_URL="admin.domain.tld"
      - AUTH_OIDC_URI="https://auth.domain.tld/application/o/homarr" # Have also tried admin. here instead of auth.
      - AUTH_OIDC_CLIENT_ID="ID"
      - AUTH_OIDC_CLIENT_SECRET="SECRET"
      - AUTH_OIDC_CLIENT_NAME="AUTHENTIK"
      - AUTH_OIDC_ADMIN_GROUP="authentik Admin"
      - AUTH_OIDC_OWNER_GROUP="authentik Admin" 
      - AUTH_OIDC_AUTO_LOGIN=true
    networks:
      - frontend
    restart: unless-stopped
Example Log Errors: 
❌ Invalid environment variables: { NEXTAUTH_URL: [ 'Invalid url' ], AUTH_OIDC_URI: [ 'Invalid url' ] }
❌ Invalid environment variables: { NEXTAUTH_URL: [ 'Invalid url' ], AUTH_OIDC_URI: [ 'Invalid url' ] }
❌ Invalid environment variables: { NEXTAUTH_URL: [ 'Invalid url' ], AUTH_OIDC_URI: [ 'Invalid url' ] }
❌ Invalid environment variables: { NEXTAUTH_URL: [ 'Invalid url' ], AUTH_OIDC_URI: [ 'Invalid url' ] }
Error: connect ECONNREFUSED IP:36703
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1571:16) {
  errno: -111,
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: 'IP',
  port: 36703
}
Error: connect ECONNREFUSED IP:36703
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1571:16) {
  errno: -111,
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: 'IP',
  port: 36703
}
26 Replies
Cakey Bot
Cakey Bot4mo ago
Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment: - Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log) - Operating system (Unraid, TrueNAS, Ubuntu, ...) - Exact Homarr version (eg. 0.15.0, not latest) - Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format) - Other relevant information (eg. your devices, your browser, ...)
❓ Frequently Asked Questions | Homarr documentation
Can I install Homarr on a Raspberry Pi?
Serenaphic
Serenaphic4mo ago
you need to replace the "=" with ":" it's docker compose, can't use =
Randoh
RandohOP4mo ago
Weird, I have 10s of compose files all using =? And according to their docs it's officially supported: https://docs.docker.com/compose/environment-variables/set-environment-variables/
Docker Documentation
Set environment variables within your container's environment
How to set, use, and manage environment variables with Compose
Serenaphic
Serenaphic4mo ago
huh, that's funny. Try not using it though, also remove the quotations Oh wait I think I actually see it You might be missing the "http"/"https" in the URL Invalid environment variables: { NEXTAUTH_URL: [ 'Invalid url' ], AUTH_OIDC_URI: [ 'Invalid url' ] } This means it doesn't recognize the value entered as a valid URL
Randoh
RandohOP4mo ago
I think I had tried it with https on there as well - will give it a retry for completeness though. And converted to :, still happening.
Serenaphic
Serenaphic4mo ago
either because of the = and quotation, or because it's actually not a URL because it's missing http/s Also base_url is useless, it hasn't been in use in a long time and you had removed the " " too?
Randoh
RandohOP4mo ago
Ugh, THOUGHT I tried it with the https... apparently not. Rookie move. So it is at least an actual screen now - giving me ye olde auth loop though. Current Compose: 
    environment:
      PGID: ${PGID}
      PUID: ${PUID}
      TZ: ${TZ}
      AUTH_PROVIDER: oidc
      BASE_URL: https://admin.domain.tld
      NEXTAUTH_URL: https://admin.domain.tld
      AUTH_OIDC_URI: https://auth.domain.tld/application/o/homarr
      AUTH_OIDC_CLIENT_ID: ID
      AUTH_OIDC_CLIENT_SECRET: SECRET
      AUTH_OIDC_CLIENT_NAME: auth
      AUTH_OIDC_ADMIN_GROUP: auth Admin
      AUTH_OIDC_OWNER_GROUP: auth Admin    
      AUTH_OIDC_AUTO_LOGIN: true
    environment:
      PGID: ${PGID}
      PUID: ${PUID}
      TZ: ${TZ}
      AUTH_PROVIDER: oidc
      BASE_URL: https://admin.domain.tld
      NEXTAUTH_URL: https://admin.domain.tld
      AUTH_OIDC_URI: https://auth.domain.tld/application/o/homarr
      AUTH_OIDC_CLIENT_ID: ID
      AUTH_OIDC_CLIENT_SECRET: SECRET
      AUTH_OIDC_CLIENT_NAME: auth
      AUTH_OIDC_ADMIN_GROUP: auth Admin
      AUTH_OIDC_OWNER_GROUP: auth Admin    
      AUTH_OIDC_AUTO_LOGIN: true
Serenaphic
Serenaphic4mo ago
edit that realy quick x)
Randoh
RandohOP4mo ago
Thx.. rookie move #2 😄
Serenaphic
Serenaphic4mo ago
the auth loop can be caused by either apps really, it's a bit of a nightmare because you need to find the right address for OIDC_URI and the right address for callback in Authentik
Randoh
RandohOP4mo ago
Thanks - will poke at those a bit and circle back as either solved or still lost.
Serenaphic
Serenaphic4mo ago
OH I remebered something The user you're trying to log in, does it have the same name or email as the original user you created in native credentials? because that causes issues basically, remove any extra users and any email linked to them. Or just delete the user database and go through onboarding again, it won't remove your boards don't worry
Randoh
RandohOP4mo ago
Different name and email. Was using a service account to manage Homarr vs using my personal creds in Authentik. Good news/bad news... I got to where my authentik instance now pops up, but it's now a dual screen loop lol. Homarr loads up, kicks me to authentik, then back to Homarr, repeat. But progress! Changed OIDC_URL to "https://auth.domain.tld/application/o/home" - forgot home is the name of the application in Authentik, not Homarr. Onto more discovery.
Serenaphic
Serenaphic4mo ago
Good luck 🙂 I find this page to have a lot of information, especially at the end of it since it's most relevant to now: https://github.com/ajnart/homarr/issues/1909 the comments saying you should use BASE_URL are outdated but since we use NEXTAUTH_URL but you're welcome to keep trying on using it.
Randoh
RandohOP4mo ago
Thanks for all the help so far! Will update if/when I get it figured out. Okay, I've tried changing a lot of things a lot of ways with different outcomes, but no successful ones. What I've gotten to, is that according to Authentik it is approving the authorization. It is then redirecting me back whatever my NEXTAUTH is, as expected, but I'm not logged in. Looking into the Homarr logs though, it's saying client authentication failed. How can that be accurate if Authentik is recording a success? 
[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)) {
  error: OPError: invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method))
      at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:38:13)
      at Client.grant (/app/node_modules/openid-client/lib/client.js:1354:22)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async Client.callback (/app/node_modules/openid-client/lib/client.js:493:24)
      at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:109:16)
      at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:52:11)
      at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
      at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
      at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12) {
    name: 'OAuthCallbackError',
    code: undefined
  },
  providerId: 'oidc',
  message: 'invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method))'
}
[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)) {
  error: OPError: invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method))
      at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:38:13)
      at Client.grant (/app/node_modules/openid-client/lib/client.js:1354:22)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async Client.callback (/app/node_modules/openid-client/lib/client.js:493:24)
      at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:109:16)
      at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:52:11)
      at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
      at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
      at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12) {
    name: 'OAuthCallbackError',
    code: undefined
  },
  providerId: 'oidc',
  message: 'invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method))'
}
Serenaphic
Serenaphic4mo ago
You sure you got the right ID and Secret? Because usually my ID is called homarr And you're using some random generated key for some reason
Randoh
RandohOP4mo ago
Switched to just "Homarr" for the ID, same thing. Got it though... it was the certificate. I have one produced by certbot (Linuxserver/SWAG specifically), that's the one I had assigned to the the provider. Changed to the Authentik self signed and now it's letting me in. Should that be expected? Would think using the certbot provided would be preferred.
Serenaphic
Serenaphic4mo ago
Well, I guess they would need to use the same certificate but frankly you could be using google as your SSO and it should still work so
Randoh
RandohOP4mo ago
Yea, I really don't want to have to be managing authentik specific certs (with manual renewals) when I already have a certbot on the server resolving that for my endpoints... not sure how I get it working with that cert, but that's a separate problem I suppose. Immediate problem solved.
Serenaphic
Serenaphic4mo ago
Maybe it's your authentik not running on the right cert, instead of having the self-signed one
Randoh
RandohOP4mo ago
Not quite sure I follow. Tried switching to my cert in the "brands" section as well as the provider, still no dice. I can probably hit the authentik discord for some assistance with external certs though.
Serenaphic
Serenaphic4mo ago
well you have a certbot to give out the certificate, yet you say you need to use authentik's self-signed cert in homarr to make it work, which makes me think you're not using the certbot for authentik? I may not understand your setup though
Randoh
RandohOP4mo ago
Afaik I'm using my certbot for authentik. The certs folder is passed in, it's an option on the providers and things, and authentik is behind the reverse proxy the certs are associated with. Not sure I had seen somewhere within authentik to define like a "default certificate" or anything?
Serenaphic
Serenaphic4mo ago
Yeah I'm too confused to be of any help sorry
Randoh
RandohOP4mo ago
No worries. You helped with the most vital part which was no access at all! I'll hit the authentik folks up for cert support. Thanks a bunch!
Serenaphic
Serenaphic4mo ago
Be sure to share to solution if you find one, could help others. And good luck 🙂
Want results from more Discord servers?
Add your server