Cannot get SSO working with Authelia

Hi,

I am trying to get SSO working with Authelia, but I keep on getting:

2025-07-04T22:57:27.129Z error: State could not be decoded. Read more at https://errors.authjs.dev#invalidcheck name="h" type="InvalidCheck" kind="error"

2025-07-04T22:57:27.129Z error: State could not be decoded. Read more at https://errors.authjs.dev#invalidcheck name="h" type="InvalidCheck" kind="error"

I can use SSO with Paperless, so it seems that there is something wrong with my homarr config.

I am running homarr 1.24.0 as a container on a fedora server.

I have:

Environment=SECRET_ENCRYPTION_KEY=<secret>
Environment=AUTH_PROVIDERS=oidc,credentials
Environment=AUTH_OIDC_ISSUER=https://auth.example.com
Environment=AUTH_OIDC_CLIENT_ID=homarr
Environment=AUTH_OIDC_CLIENT_SECRET=<secret>
Environment=AUTH_OIDC_CLIENT_NAME=Authelia
Environment=AUTH_OIDC_SCOPE_OVERWRITE=openid email profile groups
Environment=AUTH_OIDC_GROUPS_ATTRIBUTE=groups
Environment=AUTH_LOGOUT_REDIRECT_URL=https://auth.example.com/logout

Environment=SECRET_ENCRYPTION_KEY=<secret>
Environment=AUTH_PROVIDERS=oidc,credentials
Environment=AUTH_OIDC_ISSUER=https://auth.example.com
Environment=AUTH_OIDC_CLIENT_ID=homarr
Environment=AUTH_OIDC_CLIENT_SECRET=<secret>
Environment=AUTH_OIDC_CLIENT_NAME=Authelia
Environment=AUTH_OIDC_SCOPE_OVERWRITE=openid email profile groups
Environment=AUTH_OIDC_GROUPS_ATTRIBUTE=groups
Environment=AUTH_LOGOUT_REDIRECT_URL=https://auth.example.com/logout

And then authelia has:

      - client_id: 'homarr'
        client_name: 'Homarr'
        client_secret: '<secret_hash>'
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://homarr.example.com/api/auth/callback/oidc'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_si
gned_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

      - client_id: 'homarr'
        client_name: 'Homarr'
        client_secret: '<secret_hash>'
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://homarr.example.com/api/auth/callback/oidc'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_si
gned_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

message.txt4.11KB

Homarr•8mo ago•

4 replies

Odd

Cannot get SSO working with Authelia

Hi,

I am trying to get SSO working with Authelia, but I keep on getting:

2025-07-04T22:57:27.129Z error: State could not be decoded. Read more at https://errors.authjs.dev#invalidcheck name="h" type="InvalidCheck" kind="error"

2025-07-04T22:57:27.129Z error: State could not be decoded. Read more at https://errors.authjs.dev#invalidcheck name="h" type="InvalidCheck" kind="error"

I can use SSO with Paperless, so it seems that there is something wrong with my homarr config.

I am running homarr 1.24.0 as a container on a fedora server.

I have:

Environment=SECRET_ENCRYPTION_KEY=<secret>
Environment=AUTH_PROVIDERS=oidc,credentials
Environment=AUTH_OIDC_ISSUER=https://auth.example.com
Environment=AUTH_OIDC_CLIENT_ID=homarr
Environment=AUTH_OIDC_CLIENT_SECRET=<secret>
Environment=AUTH_OIDC_CLIENT_NAME=Authelia
Environment=AUTH_OIDC_SCOPE_OVERWRITE=openid email profile groups
Environment=AUTH_OIDC_GROUPS_ATTRIBUTE=groups
Environment=AUTH_LOGOUT_REDIRECT_URL=https://auth.example.com/logout

Environment=SECRET_ENCRYPTION_KEY=<secret>
Environment=AUTH_PROVIDERS=oidc,credentials
Environment=AUTH_OIDC_ISSUER=https://auth.example.com
Environment=AUTH_OIDC_CLIENT_ID=homarr
Environment=AUTH_OIDC_CLIENT_SECRET=<secret>
Environment=AUTH_OIDC_CLIENT_NAME=Authelia
Environment=AUTH_OIDC_SCOPE_OVERWRITE=openid email profile groups
Environment=AUTH_OIDC_GROUPS_ATTRIBUTE=groups
Environment=AUTH_LOGOUT_REDIRECT_URL=https://auth.example.com/logout

And then authelia has:

      - client_id: 'homarr'
        client_name: 'Homarr'
        client_secret: '<secret_hash>'
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://homarr.example.com/api/auth/callback/oidc'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_si
gned_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

      - client_id: 'homarr'
        client_name: 'Homarr'
        client_secret: '<secret_hash>'
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://homarr.example.com/api/auth/callback/oidc'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_si
gned_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

message.txt4.11KB

Cannot get SSO working with Authelia

Similar Threads

Cannot get SSO working with Authelia

Similar Threads

Similar Threads

Similar Threads