Homarr · 2mo ago
Randoh

Authentik OIDC - Internal Server Error

Constantly getting an Internal Server Error on OIDC with Authentik. I've dug through some of the GitHub issues as well as the threads here and can't seem to get past the block. Any help is appreciated!

Symptoms:
- Navigating to admin.domain.tld (where Homarr is surfaced through Nginx) worked get with credential auth. Switching to OIDC: Gray screen with "Internal Server Error" no matter the different configurations I've tried.
- Logs state "Invalid URL" on both NEXTAUTH_URL and AUTH_OIDC_URI (have tried numerous variations of these)

Redirect URI in Authentik: https://admin.domain.tld/api/auth/callback/oidc (also tried this as auth.)

Current Compose:
homarr:
  container_name: homarr
  image: ghcr.io/ajnart/homarr:0.15.3
  volumes:
    - ${CONTAINER_FOLDER}/homarr/configs:/data/configs
    - ${CONTAINER_FOLDER}/homarr/icons:/app/public/icons
    - ${CONTAINER_FOLDER}/homarr/data:/data
    - ${CONTAINER_FOLDER}/graphics:/app/public/graphics
  ports:
    - '7575:7575'
  environment:
    - AUTH_PROVIDER=oidc
    - BASE_URL="admin.domain.tld"
    - NEXTAUTH_URL="admin.domain.tld"
    - AUTH_OIDC_URI="https://auth.domain.tld/application/o/homarr" # Have also tried admin. here instead of auth.
    - AUTH_OIDC_CLIENT_ID="ID"
    - AUTH_OIDC_CLIENT_SECRET="SECRET"
    - AUTH_OIDC_CLIENT_NAME="AUTHENTIK"
    - AUTH_OIDC_ADMIN_GROUP="authentik Admin"
    - AUTH_OIDC_OWNER_GROUP="authentik Admin"
    - AUTH_OIDC_AUTO_LOGIN=true
  networks:
    - frontend
  restart: unless-stopped
Example Log Errors:
❌ Invalid environment variables: { NEXTAUTH_URL: [ 'Invalid url' ], AUTH_OIDC_URI: [ 'Invalid url' ] }
❌ Invalid environment variables: { NEXTAUTH_URL: [ 'Invalid url' ], AUTH_OIDC_URI: [ 'Invalid url' ] }
Error: connect ECONNREFUSED IP:36703
at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1571:16) {
errno: -111,
code: 'ECONNREFUSED',
syscall: 'connect',
address: 'IP',
port: 36703
}
26 Replies
Cakey Bot · 2mo ago
Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment:
- Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
- Operating system (Unraid, TrueNAS, Ubuntu, ...)
- Exact Homarr version (eg. 0.15.0, not latest)
- Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
- Other relevant information (eg. your devices, your browser, ...)
Tag · 2mo ago
you need to replace the "=" with ":" it's docker compose, can't use =
Randoh · 2mo ago
Weird, I have 10s of compose files all using =? And according to their docs it's officially supported: https://docs.docker.com/compose/environment-variables/set-environment-variables/
Tag · 2mo ago
huh, that's funny. Try not using it though, also remove the quotations
Oh wait I think I actually see it
You might be missing the "http"/"https" in the URL
Invalid environment variables: { NEXTAUTH_URL: [ 'Invalid url' ], AUTH_OIDC_URI: [ 'Invalid url' ] }
This means it doesn't recognize the value entered as a valid URL
Randoh · 2mo ago
I think I had tried it with https on there as well - will give it a retry for completeness though. And converted to :, still happening.
Tag · 2mo ago
either because of the = and quotation, or because it's actually not a URL because it's missing http/s
Also base_url is useless, it hasn't been in use in a long time
and you had removed the " " too?
Randoh · 2mo ago
Ugh, THOUGHT I tried it with the https... apparently not. Rookie move. So it is at least an actual screen now - giving me ye olde auth loop though. Current Compose:
environment:
  PGID: ${PGID}
  PUID: ${PUID}
  TZ: ${TZ}
  AUTH_PROVIDER: oidc
  BASE_URL: https://admin.domain.tld
  NEXTAUTH_URL: https://admin.domain.tld
  AUTH_OIDC_URI: https://auth.domain.tld/application/o/homarr
  AUTH_OIDC_CLIENT_ID: ID
  AUTH_OIDC_CLIENT_SECRET: SECRET
  AUTH_OIDC_CLIENT_NAME: auth
  AUTH_OIDC_ADMIN_GROUP: auth Admin
  AUTH_OIDC_OWNER_GROUP: auth Admin
  AUTH_OIDC_AUTO_LOGIN: true
Tag · 2mo ago
edit that really quick x)
Randoh · 2mo ago
Thx.. rookie move #2 😄
Tag · 2mo ago
the auth loop can be caused by either apps really, it's a bit of a nightmare because you need to find the right address for OIDC_URI and the right address for callback in Authentik
Randoh · 2mo ago
Thanks - will poke at those a bit and circle back as either solved or still lost.
Tag · 2mo ago
OH I remembered something
The user you're trying to log in, does it have the same name or email as the original user you created in native credentials? because that causes issues
basically, remove any extra users and any email linked to them. Or just delete the user database and go through onboarding again, it won't remove your boards don't worry
Randoh · 2mo ago
Different name and email. Was using a service account to manage Homarr vs using my personal creds in Authentik.
Good news/bad news... I got to where my authentik instance now pops up, but it's now a dual screen loop lol. Homarr loads up, kicks me to authentik, then back to Homarr, repeat. But progress! Changed OIDC_URL to "https://auth.domain.tld/application/o/home" - forgot home is the name of the application in Authentik, not Homarr. Onto more discovery.
Tag · 2mo ago
Good luck 🙂
I find this page to have a lot of information, especially at the end of it since it's most relevant to now: https://github.com/ajnart/homarr/issues/1909
the comments saying you should use BASE_URL are outdated but since we use NEXTAUTH_URL but you're welcome to keep trying on using it.
Randoh · 2mo ago
Thanks for all the help so far! Will update if/when I get it figured out.
Okay, I've tried changing a lot of things a lot of ways with different outcomes, but no successful ones. What I've gotten to is that, according to Authentik, it is approving the authorization. It is then redirecting me back to whatever my NEXTAUTH is, as expected, but I'm not logged in. Looking into the Homarr logs though, it's saying client authentication failed. How can that be accurate if Authentik is recording a success?
[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)) {
error: OPError: invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method))
at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:38:13)
at Client.grant (/app/node_modules/openid-client/lib/client.js:1354:22)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Client.callback (/app/node_modules/openid-client/lib/client.js:493:24)
at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:109:16)
at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:52:11)
at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
at async auth (/app/.next/server/pages/api/auth/[...nextauth].js:143:12) {
name: 'OAuthCallbackError',
code: undefined
},
providerId: 'oidc',
message: 'invalid_client (Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method))'
}
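
Added example, not part of the thread and not Homarr's own code: a pre-flight check for the settings discussed above. It flags URL values that still carry quote characters or lack a scheme (the cause of the 'Invalid url' lines) and derives the callback URL to compare with the redirect URI registered in Authentik. The function name and rules are assumptions, and it assumes NEXTAUTH_URL has no path component.

```javascript
// Added example, not Homarr's validation code. Variable names and the
// callback path are taken from the thread; the checks are assumptions.
const URL_VARS = ['NEXTAUTH_URL', 'AUTH_OIDC_URI'];
const CALLBACK_PATH = '/api/auth/callback/oidc';

function checkOidcEnv(env, registeredRedirectUri) {
  const problems = [];
  const urls = {};
  for (const name of URL_VARS) {
    const value = env[name];
    if (!value) {
      problems.push(`${name}: not set`);
    } else if (/^["']|["']$/.test(value)) {
      // e.g. the literal string "admin.domain.tld" including its quotes
      problems.push(`${name}: contains literal quote characters`);
    } else {
      try {
        urls[name] = new URL(value); // throws when there is no scheme
      } catch {
        problems.push(`${name}: not an absolute URL, add https://`);
        continue;
      }
      if (urls[name].protocol !== 'https:') {
        problems.push(`${name}: scheme is ${urls[name].protocol}, expected https:`);
      }
    }
  }
  // Assumption: NEXTAUTH_URL has no path, so the callback hangs off its origin.
  const base = urls.NEXTAUTH_URL;
  const usable = base && base.origin !== 'null';
  const expectedRedirectUri = usable ? base.origin + CALLBACK_PATH : null;
  if (expectedRedirectUri && registeredRedirectUri &&
      registeredRedirectUri !== expectedRedirectUri) {
    problems.push(`redirect URI registered at the provider is ` +
      `${registeredRedirectUri}, the app will send ${expectedRedirectUri}`);
  }
  return { problems, expectedRedirectUri };
}

// Constructed inputs mirroring the two compose files posted in the thread.
const firstAttempt = {
  NEXTAUTH_URL: '"admin.domain.tld"',
  AUTH_OIDC_URI: '"https://auth.domain.tld/application/o/homarr"',
};
const secondAttempt = {
  NEXTAUTH_URL: 'https://admin.domain.tld',
  AUTH_OIDC_URI: 'https://auth.domain.tld/application/o/homarr',
};
console.log(checkOidcEnv(firstAttempt).problems);
console.log(checkOidcEnv(secondAttempt, 'https://auth.domain.tld/api/auth/callback/oidc'));
```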