Typebot•3w ago
nashy

[Selfhosting] Auth errors with custom OIDC (Authelia).

I'm selfhosting a bunch of services, added Typebot today. I have my .env configs set up properly (hopefully), Typebot finds Authelia but its auth request gets denied as it does not contain a 'State' parameter. The actual error from Authelia logs: "Authorization Request failed with error: The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy." I have Authelia set up with other services the same way I planned to set up Typebot, and I checked the redirects in the browser; it does look like Typebot does not add the state parameter in the URIs. Maybe this is expected as this may not be the default next-auth behaviour, but I did not find a way to customize this via env vars. Can someone please provide some input on this? Thanks in advance! 🙂
7 Replies
Baptiste
Baptiste•3w ago
Hmmm can you tell us how you set this up?
nashy
nashyOP•3w ago
I mean I have Authelia, got Traefik and a bunch of other containers; most services I use don't even bother with auth, or I just disabled them and use Authelia, as Traefik will redirect anything not authenticated anyway. As I gathered, disabling it here is not an option, although I have 2FA auth set up in Authelia, so I really would like to avoid another layer. I am quite confident that I have configured Authelia properly as there are 2 other services that work with basically the same configs, and those do send the 'State' parameter. This is my .env file:
NEXTAUTH_URL=https://chatbuilder.mydomain.eu
NEXT_PUBLIC_VIEWER_URL=https://chat.mydomain.eu
ADMIN_EMAIL=home.mydomain@gmail.com
CUSTOM_OAUTH_CLIENT_ID=MY_CLIENT_ID
CUSTOM_OAUTH_CLIENT_SECRET=SECRET_WAS_HERE
CUSTOM_OAUTH_ISSUER=https://auth.mydomain.eu
Typebot connects to Authelia on auth.mydomain.eu, starts the auth process when I click the "Sign with custom oauth provider" (or sth like this) button, but then the previously mentioned error messages arrive. I suspect it's something to do with how the CUSTOM_OAUTH is set up in the project. I may be in the dark a bit here, but from what I saw there is a 'checks' property in the Provider objects that does configure this stuff in Next-Auth, and it's likely missing the 'state' item from this property, as probably the default is only 'pkce', not both. If you check line 191 in NextAuth's implementation for the Twitter provider for example: https://github.com/nextauthjs/next-auth/blob/b4ef14ab51d26d5c9aaac757ef2155a100bc21da/packages/core/src/providers/twitter.ts I also saw it in Okta, but probably a lot of other providers have this as a requirement. So this feature is totally supported, and I just checked Typebot's code; it's very likely that this could be easily controlled with something like an env var, or just the extra 'state' check added, so it could be used by auth servers that do anticipate this parameter to exist.
nashy
nashyOP•3w ago
nashy
nashyOP•3w ago
I may be too optimistic here and it will be more complicated, but maybe it's not 😛 Sadly I am quite a noob in the tech stack of your app, so my last attempt to make a custom build to test this idea was a failure 😄
Baptiste
Baptiste•2w ago
nashy
nashyOP•2w ago
I tested it and it works 🙂 ..had some issues with the profile attribute mappings, but that's not related to the original problem, and most likely an issue on my side 😄 Thank you very much!
Baptiste
Baptiste•2w ago
Great! Open a new question if you still have issues 🙂