Getting 502 sometimes on login and always on logout #734
Comments
I do have a similar issue. NC + Authentik. It worked once, but just stopped. Login not possible. Every time Authentik redirects to NC I get an internal error:
A workaround which worked for me was unchecking "send ID token hint on logout"; no more browser error, for whatever reason. On another install it works flawlessly with the box checked.
I already unchecked that option. Toggling has no effect either.
I am getting the same issue, and it is consistent. I am unable to log in. Any other workaround?
This issue is a bit difficult to reproduce for me as it requires a setup with Authentik. You could try to edit line 155 of
throw new \Exception('Error: kid must be provided in JWT header.');
to
$this->logger->warning('kid is not provided in JWT header');
return $jwks;

To give a bit more context: the Firebase/JWT library used by user_oidc was complaining (crashing 😁) when decoding a JWT token because it didn't know the encryption algorithm of the JWK (encryption key provided by the discovery endpoint). Information contained in the JWT token:

So the fix we implemented was to set the missing JWK alg to the value used in the JWT token. The library was then happy and could decode the token. I guess this logic is a bit broken since the kid is not needed in the token if the JWKs are not broken. Let's find out if it works when the kid is not mandatory anymore (the change I suggested).
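The logic discussed in the comment above (copy a missing JWK `alg` from the JWT header, and tolerate a header without `kid`), as an added example that is not part of the thread and not user_oidc's or the JWT library's code. The function names, the allow-list and the sample key set are assumptions; the example goes a little further than the comment by filling `alg` only when exactly one key matches and the algorithm fits the key type.

```php
<?php
// Added illustration: names, allow-list and sample data are hypothetical, not user_oidc code.
// Signature algorithms accepted per JWK key type (assumed allow-list).
const ALLOWED_ALGS = [
    'RSA' => ['RS256', 'RS384', 'RS512'],
    'EC'  => ['ES256', 'ES384'],
];

// Decode the (unverified) JOSE header, the first segment of a compact JWT.
function jwtHeader(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('JWT must have three segments');
    }
    $b64 = strtr($parts[0], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $header = json_decode((string) base64_decode($b64, true), true);
    if (!is_array($header) || !is_string($header['alg'] ?? null)) {
        throw new UnexpectedValueException('JWT header has no alg');
    }
    return $header;
}

// Set a missing JWK "alg" from the token header, only for one unambiguous key.
function fillMissingAlg(array $jwks, array $header): array
{
    $kid = $header['kid'] ?? null;   // kid is optional here
    $matches = [];
    foreach ($jwks['keys'] ?? [] as $i => $key) {
        if ($kid === null || ($key['kid'] ?? null) === $kid) {
            $matches[] = $i;
        }
    }
    if (count($matches) !== 1 || isset($jwks['keys'][$matches[0]]['alg'])) {
        return $jwks; // ambiguous, or key already declares alg: change nothing
    }
    $kty = $jwks['keys'][$matches[0]]['kty'] ?? '';
    if (!in_array($header['alg'], ALLOWED_ALGS[$kty] ?? [], true)) {
        throw new UnexpectedValueException("alg {$header['alg']} not allowed for $kty key");
    }
    $jwks['keys'][$matches[0]]['alg'] = $header['alg'];
    return $jwks;
}

// Constructed sample: header without kid, single RSA key without alg.
$seg = rtrim(strtr(base64_encode('{"alg":"RS256","typ":"JWT"}'), '+/', '-_'), '=');
$jwks = ['keys' => [['kty' => 'RSA', 'kid' => 'sample-key', 'n' => 'constructed', 'e' => 'AQAB']]];
echo json_encode(fillMissingAlg($jwks, jwtHeader("$seg.e30.c2ln"))), PHP_EOL;
```

The header is read before any signature check, so its `alg` is only accepted when it matches the key type published by the IdP; a key that already declares `alg` is never overridden by the token.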
I have the same problem and changed
After changing the IdP domain I am getting a 502 after the redirection from Authentik with the link https://domain.tld/apps/user_oidc/sls?requesttoken=rjOEcLJdZwWVZWO36qJmrJn/xxxxxxxqt4avU%3D:y3LRQuocSGT3TlLbptgjxdvItdy0xxxBJLI%3D
but only sometimes on login, but I seem to be logged in because when I visit NC with the base URL after that I am logged in.
But logging out always produces the 502 as well.
The logs only show this:
Fehler | user_oidc | Impossible to decode OIDC token:Error: kid must be provided in JWT header.
and
OC\Authentication\Exceptions\InvalidTokenException: Token does not exist: token does not exist
I am running NC with Authentik on another install and it is working flawlessly there. Any hints on getting it debugged further?
The console logs of Authentik and NC don't show anything interesting regarding this issue.