
Comments (9)

seppeel commented on August 21, 2024

You were right, I was missing proper CORS configuration in Authelia.

identity_providers:
  oidc:
    cors:
      endpoints:
        - 'authorization'
        - 'token'
        - 'revocation'
        - 'introspection'

is the configuration which works now. So I was missing a proper endpoint configuration.

It is not necessary to add CORS origins manually or set allowed_origins_from_client_redirect_uris to true to make Mealie work, as the default setting for Authelia is to allow all https origins. This is the explanation out of the Authelia default config:

## List of allowed origins.
## Any origin with https is permitted unless this option is configured or the
## allowed_origins_from_client_redirect_uris option is enabled.

I think allowed_origins_from_client_redirect_uris should be enabled for security reasons, but the reason for my setup not working was the missing endpoint config.

Surprisingly, I was running into another bug, which is a new redirect loop.
I forgot to add my testuser back to the mealie and meale_admin group which leads to an infinite redirect loop.

Thanks for your help.

I think I'll keep this open until the Authelia documentation for Mealie gets updated.
Does someone know which endpoint configs are at least necessary to make Mealie work? Then a short update to the Authelia docs shouldn't be a problem.

from mealie.
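The behaviour reported in this comment, as an added example (not from the thread and not Authelia's code): a simplified Python model of the CORS decision, built from the config comment quoted above and the fix described here. The client entry, the mealie.example.com and other.example.net origins and all function names are constructed for illustration; wildcard origins are not modelled.

```python
from urllib.parse import urlsplit

def origin_of(url):
    """Return scheme://host[:port] for a URL, or None if it has no host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}".lower()

def cors_headers_sent(cors, clients, endpoint, origin):
    """Model: would `endpoint` answer a request from `origin` with CORS headers?"""
    # 1. Assumption from the thread: endpoints not listed get no CORS headers.
    if endpoint not in cors.get("endpoints", []):
        return False
    allowed = {origin_of(o) for o in cors.get("allowed_origins", [])}
    from_clients = cors.get("allowed_origins_from_client_redirect_uris", False)
    if from_clients:
        for client in clients:
            allowed |= {origin_of(u) for u in client["redirect_uris"]}
    allowed.discard(None)
    # 2. Nothing restricts origins: any https origin passes (the quoted default).
    if not allowed and not from_clients:
        return urlsplit(origin).scheme == "https"
    # 3. Otherwise only the listed or derived origins pass.
    return origin_of(origin) in allowed

# Constructed sample data, not taken from anyone's real deployment.
CLIENTS = [{"client_id": "mealie",
            "redirect_uris": ["https://mealie.example.com/login"]}]
MEALIE, OTHER = "https://mealie.example.com", "https://other.example.net"
ENDPOINTS = ["authorization", "token", "revocation", "introspection"]
CONFIGS = {
    "no_cors_section": {},
    "flag_only": {"allowed_origins_from_client_redirect_uris": True},
    "endpoints_only": {"endpoints": ENDPOINTS},
    "endpoints_and_flag": {"endpoints": ENDPOINTS,
                           "allowed_origins_from_client_redirect_uris": True},
}

def report():
    """Per config: (Mealie origin allowed?, unrelated https origin allowed?)."""
    return {name: (cors_headers_sent(cfg, CLIENTS, "token", MEALIE),
                   cors_headers_sent(cfg, CLIENTS, "token", OTHER))
            for name, cfg in CONFIGS.items()}

if __name__ == "__main__":
    for name, (mealie_ok, other_ok) in report().items():
        print(f"{name:19} mealie={mealie_ok} other_https={other_ok}")
```

In this model the endpoint list alone makes the token request succeed but also admits any other https origin; adding the redirect-URI flag narrows that to the client's own origin.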

p2bauer commented on August 21, 2024

I'm getting the same issue, also with authelia - but without nginx (it's hosted in Kubernetes w/ a cloudflare tunnel pointing directly to the load balancer port 9000)

cmintey commented on August 21, 2024

Are there any logs in Authelia? Do you have Authelia also set up as forward with proxy for Mealie? Someone else encountered a similar issue that was unrelated to Mealie (#3461 (comment))

tba-code commented on August 21, 2024

This is a confirmed bug. The issue is Mealie is unable to get the access token because of a CORS error when fetching the token.
You are correct that it is because of the /login/? error in the URL.

As a workaround, in your Authelia config, please set allowed_origins_from_client_redirect_uris: true in the identity_providers.oidc section.

I have confirmed being able to sign up and log in after changing that setting.

seppeel commented on August 21, 2024

Thanks.

A short test with this authelia setting

identity_providers:
  oidc:
    cors:
      allowed_origins_from_client_redirect_uris: true

shows me the same behaviour. Tomorrow I will have a closer look at it.

cmintey commented on August 21, 2024

> This is a confirmed bug. The issue is Mealie is unable to get the access token because of a CORS error when fetching the token.

If CORS is the reason for the error then this is not a bug but CORS working properly. It is documented that you should add the mealie domain as an allowed origin in step 3 of the setup

tba-code commented on August 21, 2024

> > This is a confirmed bug. The issue is Mealie is unable to get the access token because of a CORS error when fetching the token.
>
> If CORS is the reason for the error then this is not a bug but CORS working properly. It is documented that you should add the mealie domain as an allowed origin in step 3 of the setup

I don't think you understand the issue here. The issue is that Mealie is redirecting requests to /login -> /login/

The check happens after the redirect occurs.

Authelia is set up correctly. The correct redirect_uri is present, but the request fails the check because it checks the redirected (messed up) url.

cmintey commented on August 21, 2024

> > > This is a confirmed bug. The issue is Mealie is unable to get the access token because of a CORS error when fetching the token.
> >
> > If CORS is the reason for the error then this is not a bug but CORS working properly. It is documented that you should add the mealie domain as an allowed origin in step 3 of the setup
>
> I don't think you understand the issue here. The issue is that Mealie is redirecting requests to /login -> /login/
>
> The check happens after the redirect occurs.
>
> Authelia is set up correctly. The correct redirect_uri is present, but the request fails the check because it checks the redirected (messed up) url.

I see that same redirect happen in the logs of my Mealie. I don't think that is the issue. Have you enabled Debug logs in Mealie? Are there any errors in the browser console?

mealie     | INFO     2024-04-16T21:07:57 - [127.0.0.1:37468] 200 OK "GET /api/app/about HTTP/1.1"
mealie     | INFO     2024-04-16T21:08:02 - [10.0.2.1:0] 307 Temporary Redirect "GET /login?code=xxx&iss=https%3A%2F%2Fauth.example.com&scope=openid+profile+email+groups&state=xxx HTTP/1.1"
mealie     | INFO     2024-04-16T21:08:02 - [10.0.2.1:0] 200 OK "GET /login/?code=xxx&iss=https%3A%2F%2Fauth.example.com&scope=openid+profile+email+groups&state=xxx HTTP/1.1"
mealie     | DEBUG    2024-04-16T21:08:03 - Starting new HTTPS connection (1): auth.example.com:443
mealie     | DEBUG    2024-04-16T21:08:03 - https://auth.example.com:443 "GET /.well-known/openid-configuration HTTP/1.1" 200 2507
mealie     | DEBUG    2024-04-16T21:08:03 - Starting new HTTPS connection (1): auth.example.com:443
mealie     | DEBUG    2024-04-16T21:08:03 - https://auth.example.com:443 "GET /jwks.json HTTP/1.1" 200 773
mealie     | INFO     2024-04-16T21:08:03 - [10.0.2.1:0] 304 Not Modified "GET /sw.js HTTP/1.1"
mealie     | INFO     2024-04-16T21:08:04 - [10.0.2.1:0] 200 OK "POST /api/auth/token HTTP/1.1"
mealie     | INFO     2024-04-16T21:08:04 - [10.0.2.1:0] 200 OK "GET /api/users/self HTTP/1.1"

seppeel commented on August 21, 2024

Closed because CORS endpoints configuration in Authelia is a general prerequisite for many integrations to work. No documentation in Authelia needed.
