Homarr•2mo ago

[OIDC] Infinite redirects to homarr

I tried to setup OIDC with homarr with less than optimal success. The docs are sadly also either outdated or flat out wrong in some aspects For example AUTH_PROVIDER has to be oidc without quotation marks. Else homarr will complain that this method does not exist. Given the searched together configuration i found on this discord i have the following env vars defined now:

AUTH_PROVIDER=oidc
AUTH_OIDC_URI=https://auth.hammerclock.net
AUTH_OIDC_ISSUER=https://auth.hammerclock.net/application/o/homarr
AUTH_OIDC_CLIENT_SECRET=xxx
AUTH_OIDC_CLIENT_ID=xxx
AUTH_OIDC_CLIENT_NAME=Authentik
AUTH_OIDC_ADMIN_GROUP=admin
AUTH_OIDC_OWNER_GROUP=admin
NEXTAUTH_URL=https://homarr.hammerclock.net
NEXTAUTH_SECRET=xxx
BASE_URL=https://homarr.hammerclock.net

AUTH_PROVIDER=oidc
AUTH_OIDC_URI=https://auth.hammerclock.net
AUTH_OIDC_ISSUER=https://auth.hammerclock.net/application/o/homarr
AUTH_OIDC_CLIENT_SECRET=xxx
AUTH_OIDC_CLIENT_ID=xxx
AUTH_OIDC_CLIENT_NAME=Authentik
AUTH_OIDC_ADMIN_GROUP=admin
AUTH_OIDC_OWNER_GROUP=admin
NEXTAUTH_URL=https://homarr.hammerclock.net
NEXTAUTH_SECRET=xxx
BASE_URL=https://homarr.hammerclock.net

And the following Nix OCI Container setup:

{config, ...}: {
  age.secrets.homarr.file = ../../secrets/homarr.age; # This is the file containing the env vars

  virtualisation.oci-containers.containers.homarr = {
    image = "ghcr.io/ajnart/homarr:latest";
    ports = [
      "7575:7575"
    ];
    volumes = [
      "/var/run/docker.sock:/var/run/docker.sock"
      "/var/lib/homarr/configs:/app/data/configs"
      "/var/lib/homarr/icons:/app/public/icons"
      "/var/lib/homarr/data:/data"
    ];
    extraOptions = ["--pull=always"];
    environmentFiles = [
      config.age.secrets.homarr.path 
    ];
  };
}

{config, ...}: {
  age.secrets.homarr.file = ../../secrets/homarr.age; # This is the file containing the env vars

  virtualisation.oci-containers.containers.homarr = {
    image = "ghcr.io/ajnart/homarr:latest";
    ports = [
      "7575:7575"
    ];
    volumes = [
      "/var/run/docker.sock:/var/run/docker.sock"
      "/var/lib/homarr/configs:/app/data/configs"
      "/var/lib/homarr/icons:/app/public/icons"
      "/var/lib/homarr/data:/data"
    ];
    extraOptions = ["--pull=always"];
    environmentFiles = [
      config.age.secrets.homarr.path 
    ];
  };
}

If you go on to my site https://homarr.hammerclock.net you will see that it just infinitely redirects to itself. The logs spams the following error:

Sep 02 15:33:26 xenon docker-homarr-start[2179285]: [next-auth][error][SIGNIN_OAUTH_ERROR]
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 404 Not Found {
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:   error: {
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:     message: 'expected 200 OK, got: 404 Not Found',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:     stack: 'OPError: expected 200 OK, got: 404 Not Found\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:     name: 'OPError'
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:   },
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:   providerId: 'oidc',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:   message: 'expected 200 OK, got: 404 Not Found'
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: }

Sep 02 15:33:26 xenon docker-homarr-start[2179285]: [next-auth][error][SIGNIN_OAUTH_ERROR]
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 404 Not Found {
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:   error: {
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:     message: 'expected 200 OK, got: 404 Not Found',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:     stack: 'OPError: expected 200 OK, got: 404 Not Found\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:       '    at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:     name: 'OPError'
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:   },
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:   providerId: 'oidc',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]:   message: 'expected 200 OK, got: 404 Not Found'
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: }

Also important to note: Homarr does not send a single request to my auth server... i literally stopped my Authentik instance and still had the exact same issue

Solution:

Issue found.... AUTH_OIDC_URI has to be the path to the configuration: https://auth.hammerclock.net/application/o/homarr/.well-known/openid-configuration...

Jump to solution

11 Replies

Cakey Bot•2mo ago

Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.

⚠️ Please include the following details in your post or we may reject your request without further comment: - Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log) - Operating system (Unraid, TrueNAS, Ubuntu, ...) - Exact Homarr version (eg. 0.15.0, not latest) - Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format) - Other relevant information (eg. your devices, your browser, ...)

❓ Frequently Asked Questions | Homarr documentation

Can I install Homarr on a Raspberry Pi?

DerHammerclock•2mo ago

Homarr Version: 0.15.4 Operating System: NixOS

Manicraft1001•2mo ago

404 indicates that your OIDC URLs are incorrect. Please make sure that they are valid Authentik not logging anything indicates that a proxy in front could also be blocking / dropping your request. Please check your logs there as well

DerHammerclock•2mo ago

Absolutely positive that they are valid: https://auth.hammerclock.net/application/o/homarr/ the reverse proxy also does not show any issues from what i can gather only normal access

Manicraft1001•2mo ago

@Tag can you look into this? @DerHammerclock the log not showing anything is a sign that some component is set up incorrectly. Please wait for Tag to reply

DerHammerclock•2mo ago

What i meant is that it shows normal access

87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/providers HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/csrf HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
2.201.183.147 - - [02/Sep/2024:17:34:19 +0200] "GET /.well-known/openid-configuration HTTP/1.1" 404 3504 "-" "openid-client/5.6.1 (https://github.com/panva/node-openid-client)"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "POST /api/auth/signin/oidc HTTP/2.0" 200 73 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/error?error=OAuthSignin HTTP/2.0" 302 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/signin?error=OAuthSignin HTTP/2.0" 302 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:20 +0200] "GET /auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin HTTP/2.0" 200 10863 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:20 +0200] "GET /imgs/logo/logo.svg HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"

87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/providers HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/csrf HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
2.201.183.147 - - [02/Sep/2024:17:34:19 +0200] "GET /.well-known/openid-configuration HTTP/1.1" 404 3504 "-" "openid-client/5.6.1 (https://github.com/panva/node-openid-client)"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "POST /api/auth/signin/oidc HTTP/2.0" 200 73 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/error?error=OAuthSignin HTTP/2.0" 302 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/signin?error=OAuthSignin HTTP/2.0" 302 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:20 +0200] "GET /auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin HTTP/2.0" 200 10863 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:20 +0200] "GET /imgs/logo/logo.svg HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"

But i just see a 404 inbetween 0_0 imma check that rq What the hell is it even trying there It would have to be

/application/o/homarr/.well-known/openid-configuration

/application/o/homarr/.well-known/openid-configuration

what the

Solution

DerHammerclock•2mo ago

Issue found.... AUTH_OIDC_URI has to be the path to the configuration: https://auth.hammerclock.net/application/o/homarr/.well-known/openid-configuration

Tag•2mo ago

id: 'oidc',
  name: env.AUTH_OIDC_CLIENT_NAME,
  type: 'oauth',
  clientId: env.AUTH_OIDC_CLIENT_ID,
  clientSecret: env.AUTH_OIDC_CLIENT_SECRET,
  wellKnown: `${env.AUTH_OIDC_URI}/.well-known/openid-configuration`,
  authorization: {
    params: {
      scope: env.AUTH_OIDC_SCOPE_OVERWRITE,
      redirect_uri: createRedirectUri(headers, '/api/auth/callback/oidc'),
    },
  },
  idToken: true,
  httpOptions: {
    timeout: env.AUTH_OIDC_TIMEOUT,
  },

id: 'oidc',
  name: env.AUTH_OIDC_CLIENT_NAME,
  type: 'oauth',
  clientId: env.AUTH_OIDC_CLIENT_ID,
  clientSecret: env.AUTH_OIDC_CLIENT_SECRET,
  wellKnown: `${env.AUTH_OIDC_URI}/.well-known/openid-configuration`,
  authorization: {
    params: {
      scope: env.AUTH_OIDC_SCOPE_OVERWRITE,
      redirect_uri: createRedirectUri(headers, '/api/auth/callback/oidc'),
    },
  },
  idToken: true,
  httpOptions: {
    timeout: env.AUTH_OIDC_TIMEOUT,
  },

Snippet from the OIDC code, we're already appending the path ❓❓ That's the only place we use the OIDC_URI too which confuses me even more. I would understand for "https://auth.domain.tld/application/o/homarr" to work, but doubling the "/.well-known/openid-configuration" is wild that it works

pmalys•3w ago

i have similar issue but with http error code 301 Moved Permanently

$ ts-node ./migrate.ts
Done in 2.39s.
Starting production server...
Listening on port 7575 url: http://9e68d9b0f695:7575
[next-auth][error][SIGNIN_OAUTH_ERROR]
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
  error: {
    message: 'expected 200 OK, got: 301 Moved Permanently',
    stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
      '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
      '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
      '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
      '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
      '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
      '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
      '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
      '    at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
    name: 'OPError'
  },
  providerId: 'oidc',
  message: 'expected 200 OK, got: 301 Moved Permanently'
}

$ ts-node ./migrate.ts
Done in 2.39s.
Starting production server...
Listening on port 7575 url: http://9e68d9b0f695:7575
[next-auth][error][SIGNIN_OAUTH_ERROR]
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
  error: {
    message: 'expected 200 OK, got: 301 Moved Permanently',
    stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
      '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
      '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
      '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
      '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
      '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
      '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
      '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
      '    at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
    name: 'OPError'
  },
  providerId: 'oidc',
  message: 'expected 200 OK, got: 301 Moved Permanently'
}

    environment:
      AUTH_PROVIDER: "oidc"
      AUTH_OIDC_URI: "https://authentik.url.com/application/o/homarr"
      AUTH_OIDC_CLIENT_SECRET: "SVBbebebezN"
      AUTH_OIDC_CLIENT_ID: "obebebepr"
      AUTH_OIDC_CLIENT_NAME: "Authentik"

    environment:
      AUTH_PROVIDER: "oidc"
      AUTH_OIDC_URI: "https://authentik.url.com/application/o/homarr"
      AUTH_OIDC_CLIENT_SECRET: "SVBbebebezN"
      AUTH_OIDC_CLIENT_ID: "obebebepr"
      AUTH_OIDC_CLIENT_NAME: "Authentik"

Tag•3w ago

This looks like a different issue. This ticket is already closed though, could you open a new ticket? It's better for searching (My first assessment would be to try and add the NEXTAUTH_URL env variable if you haven't yet)

pmalys•3w ago

https://discord.com/channels/972958686051962910/1291122625317306488

Gaming

Programming

[OIDC] Infinite redirects to homarr