H
Homarr3mo ago
pmalys

OIDC 301 HTTP error

$ ts-node ./migrate.ts
Done in 2.39s.
Starting production server...
Listening on port 7575 url: http://9e68d9b0f695:7575
[next-auth][error][SIGNIN_OAUTH_ERROR]
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
  error: {
    message: 'expected 200 OK, got: 301 Moved Permanently',
    stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
      '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
      '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
      '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
      '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
      '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
      '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
      '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
      '    at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
    name: 'OPError'
  },
  providerId: 'oidc',
  message: 'expected 200 OK, got: 301 Moved Permanently'
}
$ ts-node ./migrate.ts
Done in 2.39s.
Starting production server...
Listening on port 7575 url: http://9e68d9b0f695:7575
[next-auth][error][SIGNIN_OAUTH_ERROR]
https://next-auth.js.org/errors#signin_oauth_error expected 200 OK, got: 301 Moved Permanently {
  error: {
    message: 'expected 200 OK, got: 301 Moved Permanently',
    stack: 'OPError: expected 200 OK, got: 301 Moved Permanently\n' +
      '    at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)\n' +
      '    at Issuer.discover (/app/node_modules/openid-client/lib/issuer.js:152:20)\n' +
      '    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n' +
      '    at async openidClient (/app/node_modules/next-auth/core/lib/oauth/client.js:16:14)\n' +
      '    at async getAuthorizationUrl (/app/node_modules/next-auth/core/lib/oauth/authorization-url.js:70:18)\n' +
      '    at async Object.signin (/app/node_modules/next-auth/core/routes/signin.js:38:24)\n' +
      '    at async AuthHandler (/app/node_modules/next-auth/core/index.js:260:26)\n' +
      '    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)\n' +
      '    at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12)',
    name: 'OPError'
  },
  providerId: 'oidc',
  message: 'expected 200 OK, got: 301 Moved Permanently'
}
    environment:
      AUTH_PROVIDER: "oidc"
      AUTH_OIDC_URI: "https://authentik.url.com/application/o/homarr"
      AUTH_OIDC_CLIENT_SECRET: "SVBbebebezN"
      AUTH_OIDC_CLIENT_ID: "obebebepr"
      AUTH_OIDC_CLIENT_NAME: "Authentik"
    environment:
      AUTH_PROVIDER: "oidc"
      AUTH_OIDC_URI: "https://authentik.url.com/application/o/homarr"
      AUTH_OIDC_CLIENT_SECRET: "SVBbebebezN"
      AUTH_OIDC_CLIENT_ID: "obebebepr"
      AUTH_OIDC_CLIENT_NAME: "Authentik"
Solution:
(also don't forget to set the "AUTH_OIDC_ADMIN_GROUP" env var so the right users get identified as admins directly)
Jump to solution
31 Replies
Cakey Bot
Cakey Bot3mo ago
Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment: - Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log) - Operating system (Unraid, TrueNAS, Ubuntu, ...) - Exact Homarr version (eg. 0.15.0, not latest) - Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format) - Other relevant information (eg. your devices, your browser, ...)
❓ Frequently Asked Questions | Homarr documentation
Can I install Homarr on a Raspberry Pi?
pmalys
pmalysOP3mo ago
@Tag u told me to setup env NEXTAUTH_URL but i'm not sure what to put in, OpenID conf url or just authentication url like https://authentik.example.com?
Serenaphic
Serenaphic3mo ago
NEXTAUTH_URL should be your homarr address
pmalys
pmalysOP3mo ago
oh okay
Serenaphic
Serenaphic3mo ago
so something like https://homarr.domain.tld
pmalys
pmalysOP3mo ago
redirect to authentik works but it comebacks to homarr login page 
https://panel.examp.com/auth/login
https://panel.examp.com/api/auth/callback/oidc
https://panel.examp.com/auth/login
https://panel.examp.com/api/auth/callback/oidc
not sure what to put into URIs/Origins redirect field in authentik
Serenaphic
Serenaphic3mo ago
https://homarr.domain.tld/api/auth/callback/oidc
pmalys
pmalysOP3mo ago
so i have it (second link)
Serenaphic
Serenaphic3mo ago
I know there are little changes for anthentik, but have you followed https://homarr.dev/docs/advanced/sso#configuration-1 to the best of your ability?
🙋 Single Sign On | Homarr documentation
Homarr supports multiple authentication options, from internal userbase (credentials), to LDAP (with Active directory support), and OIDC.
Serenaphic
Serenaphic3mo ago
I'll try to find the thread where authentik users debugged the whole thing
pmalys
pmalysOP3mo ago
yes i did
Serenaphic
Serenaphic3mo ago
https://github.com/ajnart/homarr/issues/1909#issuecomment-1951780147 There's a lot of info in there, not sure what point fixed it for them
pmalys
pmalysOP3mo ago
i will look into this and say it out here for others
Serenaphic
Serenaphic3mo ago
Is there a specifc URL authentik is redirecting you back to? OIDC does everything, even errors, through the URL and it's annoying but oh well
pmalys
pmalysOP3mo ago
Serenaphic
Serenaphic3mo ago
interesting.
pmalys
pmalysOP3mo ago
adding NEXTAUTH_URL removed 301 error
Serenaphic
Serenaphic3mo ago
Yeah, I expected that Now we just have to fix the OAuthAccountNotLinked issue from what I can see, you may already have another user in homarr's database using that email address
pmalys
pmalysOP3mo ago
so i should remove users from db?
Serenaphic
Serenaphic3mo ago
I suggest re-enabling credentials, login in with your original admin account, and then check the users in you management page Yes, but only in homarr's db, as the steps I gave just above
pmalys
pmalysOP3mo ago
the issue is that i have admin user with that login so i would need to rename admin
Serenaphic
Serenaphic3mo ago
That may still be fine? Otherwise, next step would be to simply delete homarr's user database (this won't remove your boards in this version so no worries there)
pmalys
pmalysOP3mo ago
admin user is no longer an admin somewhat homar made him as normal user so deleting users db is the only option as i see
Serenaphic
Serenaphic3mo ago
lol ok, it's fine. You need to delete the db.sqlite in the /data mount. restart homarr container, go through onboarding (This time give the admin a unique name) and then set your provider back to OIDC. Should be able to connect without issue then
Solution
Serenaphic
Serenaphic3mo ago
(also don't forget to set the "AUTH_OIDC_ADMIN_GROUP" env var so the right users get identified as admins directly)
pmalys
pmalysOP3mo ago
the weirdest thing is that there is no db file used find inside docker shell oh nvm okay now it works, now i need to setup this user as admin
Serenaphic
Serenaphic3mo ago
That's what I said here yeah
pmalys
pmalysOP3mo ago
sorry missed that
Serenaphic
Serenaphic3mo ago
don't manually set it up as admin, it'll get removed automatically. it needs to be recognized throught the group name
pmalys
pmalysOP3mo ago
works perfectly ❤️ tysm
Serenaphic
Serenaphic3mo ago
No problem, have fun
Want results from more Discord servers?
Add your server