5.1 SSO: Authentication via SSO rejected

[Trapulo]

Version

5.1.0

Details & Steps to reproduce

After upgrade to 5.1.0 when I access using OID (EntraID), after the signin the system respond "Authentication via SSO rejected".

Before the upgrade it worked.

Expectation

a full access

Error & Logs

No response

Execution environment

No response

Containerization

• Docker

Additional information

No response

[Bubka]

Hi,
This error message is shown when the provider refuses to authenticate the login request. Please check your OPENID_* env vars.
Logs may contain further information, please check them as well.

[Trapulo]

production.ERROR: No application encryption key has been specified. {"exception":"[object] (Illuminate\Encryption\MissingAppKeyException(code: 0): No application encryption key has been specified. at /srv/vendor/laravel/framework/src/Illuminate/Encryption/EncryptionServiceProvider.php:7

[Bubka]

Thx.
You have to set the APP_KEY env var.

[Bubka]

I don't understand how this is possible by the way. Running 2FAuth without APP_KEY set should return an HTTP error 500.

[Trapulo]

I have APP_KEY assigned.
And it did work until the lats update to 5.1.0

[Bubka]

🤨

production.ERROR: No application encryption key has been specified. {"exception":"[object] (Illuminate\Encryption\MissingAppKeyException(code: 0): No application encryption key has been specified. at /srv/vendor/laravel/framework/src/Illuminate/Encryption/EncryptionServiceProvider.php:7

Does the time of this error match the time you tried to connect via SSO?

[Trapulo]

you are right: that error is not related to SSO problem
When I try to access using SSO I haven't any log row at all :(

[Diggen85]

I've the same Problem. Trying to Auth via Authentik OpenID Provider leads to SSO reject.

Env
OPENID_AUTHORIZE_URL=https://auth.example.de/application/o/authorize/
OPENID_TOKEN_URL=https://auth.example.de/application/o/token/
OPENID_USERINFO_URL=https://auth.example.de/application/o/userinfo/
OPENID_CLIENT_ID=LDzqB....e5
OPENID_CLIENT_SECRET=R...U

Authentik Redirect URIs
https://2fa.example.de/socialite/callback/openid

Logs
172.22.0.4 - - [14/May/2024:06:43:02 +0000] "GET /socialite/redirect/openid HTTP/1.1" 302 1394 "https://2fa.example.de/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /socialite/callback/openid?code=d1...a HTTP/1.1" 302 430 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:03 +0000] "GET /error?err=sso_failed HTTP/1.1" 200 2745 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
172.22.0.4 - - [14/May/2024:06:43:17 +0000] "GET /api/v1/user HTTP/1.1" 401 41 "https://2fa.example.de/error?err=sso_failed" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"

[AntonKluge]

I had the same problem using Authentik OIDC and 2FAuth in Docker behind a Traefik reverse proxy using a self signed certificate (which is mounted into the container and trusted with SSL_CERT_FILE).

I traced the problem to /srv/vendor/laravel/socialite/src/Two/AbstractProvider.php where the method getAccessTokenResponse failed because of a connection problem in Guzzle.

Installing ca-certificates inside the docker container:

apk add \
      --no-cache \
      --repository http://dl-cdn.alpinelinux.org/alpine/v3.14/main \
      ca-certificates 

fixed the problem.