[OIDC] Infinite redirects to homarr

I tried to setup OIDC with homarr with less than optimal success. The docs are sadly also either outdated or flat out wrong in some aspects For example AUTH_PROVIDER has to be oidc without quotation marks. Else homarr will complain that this method does not exist. Given the searched together configuration i found on this discord i have the following env vars defined now:
AUTH_PROVIDER=oidc
AUTH_OIDC_URI=https://auth.hammerclock.net
AUTH_OIDC_ISSUER=https://auth.hammerclock.net/application/o/homarr
AUTH_OIDC_CLIENT_SECRET=xxx
AUTH_OIDC_CLIENT_ID=xxx
AUTH_OIDC_CLIENT_NAME=Authentik
AUTH_OIDC_ADMIN_GROUP=admin
AUTH_OIDC_OWNER_GROUP=admin
NEXTAUTH_URL=https://homarr.hammerclock.net
NEXTAUTH_SECRET=xxx
BASE_URL=https://homarr.hammerclock.net
AUTH_PROVIDER=oidc
AUTH_OIDC_URI=https://auth.hammerclock.net
AUTH_OIDC_ISSUER=https://auth.hammerclock.net/application/o/homarr
AUTH_OIDC_CLIENT_SECRET=xxx
AUTH_OIDC_CLIENT_ID=xxx
AUTH_OIDC_CLIENT_NAME=Authentik
AUTH_OIDC_ADMIN_GROUP=admin
AUTH_OIDC_OWNER_GROUP=admin
NEXTAUTH_URL=https://homarr.hammerclock.net
NEXTAUTH_SECRET=xxx
BASE_URL=https://homarr.hammerclock.net
And the following Nix OCI Container setup:
{config, ...}: {
age.secrets.homarr.file = ../../secrets/homarr.age; # This is the file containing the env vars

virtualisation.oci-containers.containers.homarr = {
image = "ghcr.io/ajnart/homarr:latest";
ports = [
"7575:7575"
];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"/var/lib/homarr/configs:/app/data/configs"
"/var/lib/homarr/icons:/app/public/icons"
"/var/lib/homarr/data:/data"
];
extraOptions = ["--pull=always"];
environmentFiles = [
config.age.secrets.homarr.path
];
};
}
{config, ...}: {
age.secrets.homarr.file = ../../secrets/homarr.age; # This is the file containing the env vars

virtualisation.oci-containers.containers.homarr = {
image = "ghcr.io/ajnart/homarr:latest";
ports = [
"7575:7575"
];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"/var/lib/homarr/configs:/app/data/configs"
"/var/lib/homarr/icons:/app/public/icons"
"/var/lib/homarr/data:/data"
];
extraOptions = ["--pull=always"];
environmentFiles = [
config.age.secrets.homarr.path
];
};
}
If you go on to my site https://homarr.hammerclock.net you will see that it just infinitely redirects to itself. The logs spams the following error:
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: [next-auth][error][SIGNIN_OAUTH_ERROR]
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 404 Not Found {
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: error: {
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: message: 'expected 200 OK, got: 404 Not Found',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: stack: 'OPError: expected 200 OK, got: 404 Not Found\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: name: 'OPError'
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: },
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: providerId: 'oidc',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: message: 'expected 200 OK, got: 404 Not Found'
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: }
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: [next-auth][error][SIGNIN_OAUTH_ERROR]
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 404 Not Found {
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: error: {
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: message: 'expected 200 OK, got: 404 Not Found',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: stack: 'OPError: expected 200 OK, got: 404 Not Found\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: ' at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: name: 'OPError'
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: },
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: providerId: 'oidc',
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: message: 'expected 200 OK, got: 404 Not Found'
Sep 02 15:33:26 xenon docker-homarr-start[2179285]: }
Also important to note: Homarr does not send a single request to my auth server... i literally stopped my Authentik instance and still had the exact same issue
Solution:
Issue found.... AUTH_OIDC_URI has to be the path to the configuration: https://auth.hammerclock.net/application/o/homarr/.well-known/openid-configuration...
Jump to solution
11 Replies
Cakey Bot
Cakey Bot4mo ago
Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment: - Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log) - Operating system (Unraid, TrueNAS, Ubuntu, ...) - Exact Homarr version (eg. 0.15.0, not latest) - Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format) - Other relevant information (eg. your devices, your browser, ...)
❓ Frequently Asked Questions | Homarr documentation
Can I install Homarr on a Raspberry Pi?
DerHammerclock
DerHammerclockOP4mo ago
Homarr Version: 0.15.4 Operating System: NixOS
Manicraft1001
Manicraft10014mo ago
404 indicates that your OIDC URLs are incorrect. Please make sure that they are valid Authentik not logging anything indicates that a proxy in front could also be blocking / dropping your request. Please check your logs there as well
DerHammerclock
DerHammerclockOP4mo ago
Absolutely positive that they are valid: https://auth.hammerclock.net/application/o/homarr/ the reverse proxy also does not show any issues from what i can gather only normal access
Manicraft1001
Manicraft10014mo ago
@Tag can you look into this? @DerHammerclock the log not showing anything is a sign that some component is set up incorrectly. Please wait for Tag to reply
DerHammerclock
DerHammerclockOP4mo ago
What i meant is that it shows normal access
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/providers HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/csrf HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
2.201.183.147 - - [02/Sep/2024:17:34:19 +0200] "GET /.well-known/openid-configuration HTTP/1.1" 404 3504 "-" "openid-client/5.6.1 (https://github.com/panva/node-openid-client)"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "POST /api/auth/signin/oidc HTTP/2.0" 200 73 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/error?error=OAuthSignin HTTP/2.0" 302 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/signin?error=OAuthSignin HTTP/2.0" 302 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:20 +0200] "GET /auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin HTTP/2.0" 200 10863 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:20 +0200] "GET /imgs/logo/logo.svg HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/providers HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/csrf HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
2.201.183.147 - - [02/Sep/2024:17:34:19 +0200] "GET /.well-known/openid-configuration HTTP/1.1" 404 3504 "-" "openid-client/5.6.1 (https://github.com/panva/node-openid-client)"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "POST /api/auth/signin/oidc HTTP/2.0" 200 73 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/error?error=OAuthSignin HTTP/2.0" 302 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:19 +0200] "GET /api/auth/signin?error=OAuthSignin HTTP/2.0" 302 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:20 +0200] "GET /auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin HTTP/2.0" 200 10863 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
87.130.10.194 - - [02/Sep/2024:17:34:20 +0200] "GET /imgs/logo/logo.svg HTTP/2.0" 304 0 "https://homarr.hammerclock.net/auth/login?callbackUrl=https%3A%2F%2Fhomarr.hammerclock.net%2F&error=OAuthSignin" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
But i just see a 404 inbetween 0_0 imma check that rq What the hell is it even trying there It would have to be
/application/o/homarr/.well-known/openid-configuration
/application/o/homarr/.well-known/openid-configuration
what the
Solution
DerHammerclock
DerHammerclock4mo ago
Issue found.... AUTH_OIDC_URI has to be the path to the configuration: https://auth.hammerclock.net/application/o/homarr/.well-known/openid-configuration
Serenaphic
Serenaphic4mo ago
id: 'oidc',
name: env.AUTH_OIDC_CLIENT_NAME,
type: 'oauth',
clientId: env.AUTH_OIDC_CLIENT_ID,
clientSecret: env.AUTH_OIDC_CLIENT_SECRET,
wellKnown: `${env.AUTH_OIDC_URI}/.well-known/openid-configuration`,
authorization: {
params: {
scope: env.AUTH_OIDC_SCOPE_OVERWRITE,
redirect_uri: createRedirectUri(headers, '/api/auth/callback/oidc'),
},
},
idToken: true,
httpOptions: {
timeout: env.AUTH_OIDC_TIMEOUT,
},
id: 'oidc',
name: env.AUTH_OIDC_CLIENT_NAME,
type: 'oauth',
clientId: env.AUTH_OIDC_CLIENT_ID,
clientSecret: env.AUTH_OIDC_CLIENT_SECRET,
wellKnown: `${env.AUTH_OIDC_URI}/.well-known/openid-configuration`,
authorization: {
params: {
scope: env.AUTH_OIDC_SCOPE_OVERWRITE,
redirect_uri: createRedirectUri(headers, '/api/auth/callback/oidc'),
},
},
idToken: true,
httpOptions: {
timeout: env.AUTH_OIDC_TIMEOUT,
},
Snippet from the OIDC code, we're already appending the path ❓❓ That's the only place we use the OIDC_URI too which confuses me even more. I would understand for "https://auth.domain.tld/application/o/homarr" to work, but doubling the "/.well-known/openid-configuration" is wild that it works
pmalys
pmalys3mo ago
i have similar issue but with http error code 301 Moved Permanently
$ ts-node ./migrate.ts
Done in 2.39s.
Starting production server...
Listening on port 7575 url: http://9e68d9b0f695:7575
[next-auth][error][SIGNIN_OAUTH_ERROR]
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
error: {
message: 'expected 200 OK, got: 301 Moved Permanently',
stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
' at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
' at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
' at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
' at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
' at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
' at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
' at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
' at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
' at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
name: 'OPError'
},
providerId: 'oidc',
message: 'expected 200 OK, got: 301 Moved Permanently'
}
$ ts-node ./migrate.ts
Done in 2.39s.
Starting production server...
Listening on port 7575 url: http://9e68d9b0f695:7575
[next-auth][error][SIGNIN_OAUTH_ERROR]
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
error: {
message: 'expected 200 OK, got: 301 Moved Permanently',
stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
' at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
' at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
' at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
' at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
' at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
' at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
' at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
' at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
' at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
name: 'OPError'
},
providerId: 'oidc',
message: 'expected 200 OK, got: 301 Moved Permanently'
}
environment:
AUTH_PROVIDER: "oidc"
AUTH_OIDC_URI: "https://authentik.url.com/application/o/homarr"
AUTH_OIDC_CLIENT_SECRET: "SVBbebebezN"
AUTH_OIDC_CLIENT_ID: "obebebepr"
AUTH_OIDC_CLIENT_NAME: "Authentik"
environment:
AUTH_PROVIDER: "oidc"
AUTH_OIDC_URI: "https://authentik.url.com/application/o/homarr"
AUTH_OIDC_CLIENT_SECRET: "SVBbebebezN"
AUTH_OIDC_CLIENT_ID: "obebebepr"
AUTH_OIDC_CLIENT_NAME: "Authentik"
Serenaphic
Serenaphic3mo ago
This looks like a different issue. This ticket is already closed though, could you open a new ticket? It's better for searching (My first assessment would be to try and add the NEXTAUTH_URL env variable if you haven't yet)
Want results from more Discord servers?
Add your server