Homarr•2mo ago

Cannot get SSO working with Authelia

Hi, I am trying to get SSO working with Authelia, but I keep on getting:

2025-07-04T22:57:27.129Z error: State could not be decoded. Read more at https://errors.authjs.dev#invalidcheck name="h" type="InvalidCheck" kind="error"

2025-07-04T22:57:27.129Z error: State could not be decoded. Read more at https://errors.authjs.dev#invalidcheck name="h" type="InvalidCheck" kind="error"

I can use SSO with Paperless, so it seems that there is something wrong with my homarr config. I am running homarr 1.24.0 as a container on a fedora server. I have:

Environment=SECRET_ENCRYPTION_KEY=<secret>
Environment=AUTH_PROVIDERS=oidc,credentials
Environment=AUTH_OIDC_ISSUER=https://auth.example.com
Environment=AUTH_OIDC_CLIENT_ID=homarr
Environment=AUTH_OIDC_CLIENT_SECRET=<secret>
Environment=AUTH_OIDC_CLIENT_NAME=Authelia
Environment=AUTH_OIDC_SCOPE_OVERWRITE=openid email profile groups
Environment=AUTH_OIDC_GROUPS_ATTRIBUTE=groups
Environment=AUTH_LOGOUT_REDIRECT_URL=https://auth.example.com/logout

Environment=SECRET_ENCRYPTION_KEY=<secret>
Environment=AUTH_PROVIDERS=oidc,credentials
Environment=AUTH_OIDC_ISSUER=https://auth.example.com
Environment=AUTH_OIDC_CLIENT_ID=homarr
Environment=AUTH_OIDC_CLIENT_SECRET=<secret>
Environment=AUTH_OIDC_CLIENT_NAME=Authelia
Environment=AUTH_OIDC_SCOPE_OVERWRITE=openid email profile groups
Environment=AUTH_OIDC_GROUPS_ATTRIBUTE=groups
Environment=AUTH_LOGOUT_REDIRECT_URL=https://auth.example.com/logout

And then authelia has:

      - client_id: 'homarr'
        client_name: 'Homarr'
        client_secret: '<secret_hash>'
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://homarr.example.com/api/auth/callback/oidc'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_si
gned_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

      - client_id: 'homarr'
        client_name: 'Homarr'
        client_secret: '<secret_hash>'
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://homarr.example.com/api/auth/callback/oidc'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_si
gned_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

message.txt

4 Replies

Cakey Bot•2mo ago

Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.

⚠️ Please include the following details in your post or we may reject your request without further comment: - Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log) - Operating system (Unraid, TrueNAS, Ubuntu, ...) - Exact Homarr version (eg. 0.15.0, not latest) - Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format) - Other relevant information (eg. your devices, your browser, ...)

Frequently Asked Questions | Homarr documentation

Can I install Homarr on a Raspberry Pi?

Meierschlumpf•2mo ago

You're probably missing AUTH_OIDC_FORCE_USERINFO="true" --> from v4.39 of authelia and above

OddOP•2mo ago

Sadly, still showing the same error:

message.txt

Meierschlumpf•2mo ago

Okay can you try the setting userinfo_signing_algorithm: none in your authelia configuration? Here are the docs for sso (in the example setup you find an example with authelia)

Single Sign On | Homarr documentation

Homarr supports multiple authentication options, from internal userbase (credentials), to LDAP (with Active directory support), and OIDC.

Gaming

Programming

Cannot get SSO working with Authelia

Did you find this page helpful?