
Comments (16)

si458 commented on July 22, 2024

Can you run MeshCentral with debug for authlog and share the logs?
Add ARGS=--debug authlog to your .env and restart, then check the console output
OR
set "logs": "authlog" inside of settings in your config.json and check the log.txt file that gets created

P.S.: simply visiting https://mesh.example.com/auth-oidc-callback will produce the LOGIN FAILED: REQUEST CONTAINS NO USER OR SID message because you haven't passed it any codes or auth etc., which is correct

from meshcentral.

xcsdm commented on July 22, 2024

All logs are during an authentication/login attempt.

From docker compose logs:

meshcentral  | Missing Modules: passport, openid-client, connect-flash
meshcentral  | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral  | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral  | MeshCentral v1.1.24, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on mesh.example.com:4433.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral  | AUTHLOG: OIDC: Setting up strategy for domain:
meshcentral  | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
meshcentral  | Loaded web certificate from "https://mesh.example.com", host: "mesh.example.com"
meshcentral  |   SHA384 cert hash: REDACTED
meshcentral  |   SHA384 key hash: REDACTED
meshcentral  | AUTHLOG: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
meshcentral  | AUTHLOG: OIDC: Setup Complete
meshcentral  | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral  | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral  | AUTHLOG: OIDC: Callback URL: /auth-oidc-callback
meshcentral  | MeshCentral HTTP server running on port 443.

From authlog.log:

Jun 3 20:45:31 meshcentral http[29]: Server listening on 0.0.0.0 port 80.
Jun 3 20:45:32 meshcentral mps[29]: Server listening on 0.0.0.0 port 4433.
Jun 3 20:45:32 meshcentral setupDomainAuthStrategy[29]: OIDC: Setting up strategy for domain:
Jun 3 20:45:32 meshcentral setupDomainAuthStrategy[29]: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
Jun 3 20:45:33 meshcentral setupDomainAuthStrategy[29]: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
Jun 3 20:45:33 meshcentral setupDomainAuthStrategy[29]: OIDC: Setup Complete
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: Setting up authentication strategies login and callback URLs for root domain.
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: OIDC: Authorization URL: /auth-oidc
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: OIDC: Callback URL: /auth-oidc-callback

In case it is relevant, my nginx reverse proxy config:

# HTTPS server.
server {
  listen 10.0.42.253:443 ssl;

  include /etc/nginx/ssl.conf;

  server_name mesh.example.com;

  # MeshCentral uses long standing web socket connections, set longer timeouts.
  proxy_send_timeout 330s;
  proxy_read_timeout 330s;

  location / {
    proxy_pass http://10.0.42.253:8086/;
    proxy_http_version 1.1;

    # Allows websockets over HTTPS.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    # Inform MeshCentral about the real host, port and protocol
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}


si458 commented on July 22, 2024

OK thanks, what about when you try logging in? It should give more logs.


xcsdm commented on July 22, 2024

Login as local MeshCentral user admin: successful.

Login with OIDC from Authentik: nothing additional logged.
Including the event from the authentik logs.

From authentik:

{
    "user": {
        "pk": 3,
        "email": "[email protected]",
        "username": "myuser"
    },
    "action": "authorize_application",
    "app": "authentik.providers.oauth2.views.authorize",
    "context": {
        "flow": "869ba41c7bec4b44849724e84e6b2c4e",
        "scopes": "profile openid email",
        "http_request": {
            "args": {
                "scope": "openid profile email",
                "state": "i_8im2_gB3EbV35-kspNFIhkab-C-fo7gO5HJ23e7NY",
                "client_id": "REDACTED",
                "failureFlash": "true",
                "redirect_uri": "https://mesh.example.com/auth-oidc-callback",
                "response_type": "code",
                "code_challenge": "zYQRpZ4Tgjkze0PmkoHRCaKyPNkxmRgV9uyxypknuT8",
                "failureRedirect": "/",
                "code_challenge_method": "S256"
            },
            "path": "/api/v3/flows/executor/example-application-authorization/",
            "method": "GET",
            "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
        },
        "authorized_application": {
            "pk": "1f2ac4234b1e426086767200e45184cd",
            "app": "authentik_core",
            "name": "MeshCentral-old",
            "model_name": "application"
        }
    },
    "client_ip": "10.0.42.142",
    "expires": "2025-06-03T20:59:59.453Z",
    "brand": {
        "pk": "698fbc6b80a74477a56f504509558c60",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}

From docker compose:

sudo docker compose up -d && sudo docker compose logs meshcentral -f
[+] Running 3/3
 ✔ Network meshcentral_meshcentral-tier  Created  0.1s
 ✔ Container mongodb                     Started  0.6s
 ✔ Container meshcentral                 Started  0.7s
meshcentral  | Missing Modules: passport, openid-client, connect-flash
meshcentral  | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral  | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral  | MeshCentral v1.1.24, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on mesh.example.com:4433.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral  | AUTHLOG: OIDC: Setting up strategy for domain:
meshcentral  | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
meshcentral  | Loaded web certificate from "https://mesh.example.com", host: "mesh.example.com"
meshcentral  |   SHA384 cert hash: 2a2d2e8b92d3c69e6ea937016c3dd638a3f6fe5c0c86f3a17ec2fe063d6f640a8643d4085c1e264164b5341323cfef19
meshcentral  |   SHA384 key hash: 4700277a409aa747e0b1ac2922a010da2099c20a269b1c6cd97a4001cc1505709a6470b8ad5526d16fd41d272bf2b256
meshcentral  | AUTHLOG: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
meshcentral  | AUTHLOG: OIDC: Setup Complete
meshcentral  | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral  | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral  | AUTHLOG: OIDC: Callback URL: /auth-oidc-callback
meshcentral  | MeshCentral HTTP server running on port 443.
meshcentral  | AUTHLOG: Accepted password for admin from 10.0.42.1 port 51034, SessionID: QE+mGIwN, Browser: Chrome/124.0.0.0, OS: Windows/10
meshcentral  | AUTHLOG: User admin logout from 10.0.42.1 port 54152, SessionID: QE+mGIwN, Browser: Chrome/124.0.0.0, OS: Windows/10


si458 commented on July 22, 2024

Very strange? Works perfectly fine here?

MeshCentral HTTPS server running on mc.mydomain.com:443.
AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:a1b2c3d4e5xxxxxxxxxxxxx","name":"authentik Default Admin","email":"[email protected]","emailVerified":true,"groups":["authentik Admins"],"preset":null}
AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:a1b2c3d4e5xxxxxxxxxxxxx"

I have spotted a few issues with your config.json which you could try fixing to see if it makes a difference?

  1. remove "cert": "*.example.com" as that shouldn't be there
  2. remove "minify": true as there could be a problem with the minify code
  3. change "NewAccounts": false to "NewAccounts": true
    this needs to be true otherwise accounts can't be created from your oidc provider

Edit:
have you tried pulling the master docker image again as I changed a few things 2 days ago
https://github.com/Ylianst/MeshCentral/pkgs/container/meshcentral/223949079?tag=master


xcsdm commented on July 22, 2024

I made the config.json changes, but they did not fix the issue.

I have removed and re-pulled the master image a few times.

This is my access.log from nginx for the auth sessions. Both authentik and MeshCentral run through the same reverse proxy. authentik is on a different host internally; MeshCentral is on the same host as the nginx reverse proxy.

10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /auth-oidc HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /application/o/authorize/?client_id=MYCLIENTIDHERE&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256 HTTP/2.0" 302 23 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /ws/client/ HTTP/1.1" 101 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256 HTTP/2.0" 200 1179 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/root/config/ HTTP/2.0" 200 274 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/core/brands/current/ HTTP/2.0" 200 236 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/root/config/ HTTP/2.0" 200 274 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /if/flow/example-application-authorization/assets/fonts/RedHatDisplay/RedHatDisplay-Medium.woff2 HTTP/2.0" 200 28661 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /media/public/flow-backgrounds/SpaceInvaders_LGB2VfI.jpg HTTP/2.0" 499 0 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/core/brands/current/ HTTP/2.0" 200 236 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/flows/executor/example-application-authorization/?query=client_id%3DMYCLIENTIDHERE%26scope%3Dopenid%2Bprofile%2Bemail%26response_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252Fmesh.example.com%252Fauth-oidc-callback%26state%3D6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4%26failureRedirect%3D%252F%26failureFlash%3Dtrue%26code_challenge%3Dj_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA%26code_challenge_method%3DS256 HTTP/2.0" 200 195 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /media/blue-alien/BAlien32.png HTTP/2.0" 499 0 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /ws/client/ HTTP/1.1" 101 4 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
172.26.0.3 - MYCLIENTIDHERE [03/Jun/2024:17:53:15 -0400] "POST /application/o/token/ HTTP/1.1" 200 2007 "-" "openid-client/5.6.5 (https://github.com/panva/node-openid-client)"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /auth-oidc-callback?code=58fff0170700493384ddd0416ba4e136&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4 HTTP/2.0" 302 46 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"


si458 commented on July 22, 2024

I think there is an issue with your reverse proxy (nginx)?
From the looks of those logs, /auth-oidc-callback?code=xxxxxxxx is returning a 302 status, which is a page redirect
BUT
we don't send a 302?
We just build an HTML page with a redirect/refresh on it, which would return a 200

res.set('Content-Type', 'text/html');
res.end('<html><head><meta http-equiv="refresh" content=0;url="' + domain.url + '"></head><body></body></html>');


si458 commented on July 22, 2024

Also check the redirect URL inside authentik.
Ignore my /oidctest/ as I use the multi-tenant for my testing.
[image]


si458 commented on July 22, 2024

I think I've found the issue and also discovered another bug too!
I'm checking domain.id but that's not present if you're using authstrategies on the base domain ""!
Also the redirect URL isn't filling in correctly IF you use aliasPort, which I am in my case,
so I can run mesh on 127.0.0.1:12346 but using port 443 in docker.


si458 commented on July 22, 2024

OK, fixed the aliasPort issue, but it turns out the domain.id isn't the issue? So I really do think your issue is because your reverse proxy is returning 302 rather than forwarding the server URL correctly.

One thing you can try is to check that the redirect_url in the URL is correct when it loads up the authentik login page.

Another thing is to also copy the URL you found in the logs and try pasting it manually in your browser and see if you see any logs in the MeshCentral authlog.


xcsdm commented on July 22, 2024

What is strange is that reverting back to 1.1.21 works. I have to change the callback URL from auth-oidc-callback to oidc-callback and swap to the old format config.json, but it works with the same reverse proxy setup.

The 302 is coming from failureRedirect, but I cannot locate the failure.

Something is triggering the failureRedirect instead of just authenticating at line 6789 of webserver.js.
If I change the failureRedirect path, the changed path is what is loading.

access.log with original failureRedirect /:

10.0.42.149 - - [04/Jun/2024:07:30:07 -0400] "GET /oidc-callback?code=528055ca7c2f4b47a84f7e5f53c8b366&state=soYFEvsnzPm5rg06XAvRWaU1PLz7kIPDDgP0VrcEFXA HTTP/2.0" 302 46 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [04/Jun/2024:07:30:08 -0400] "GET / HTTP/2.0" 200 10954 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"

access.log with modified failureRedirect /testurl/:

10.0.42.149 - - [04/Jun/2024:07:31:45 -0400] "GET /oidc-callback?code=91a439c0286a410ca4d39085daf1ece9&state=Liv0e5J9Vjkdd2Ox9eS9C_UHf-uv6kb3jZgalJ68EYA HTTP/2.0" 302 62 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [04/Jun/2024:07:31:45 -0400] "GET /testurl/ HTTP/2.0" 404 847 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"

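The diagnosis above (the callback answers 302, and the next request from the same client lands on whatever failureRedirect is set to) as detection logic over nginx access.log lines. This is an added example, not code from the thread or from MeshCentral; the log lines are constructed in the combined format of the excerpts above, and the codes and states in them are placeholders.

```javascript
// Constructed access.log lines modelled on the excerpts in this thread (not real sessions).
const sampleLog = [
  '10.0.42.149 - - [04/Jun/2024:07:30:07 -0400] "GET /oidc-callback?code=CODE_PLACEHOLDER_1&state=STATE_PLACEHOLDER_1 HTTP/2.0" 302 46 "-" "Mozilla/5.0"',
  '10.0.42.149 - - [04/Jun/2024:07:30:08 -0400] "GET / HTTP/2.0" 200 10954 "-" "Mozilla/5.0"',
  '10.0.42.150 - - [04/Jun/2024:07:40:00 -0400] "GET /auth-oidc-callback?code=CODE_PLACEHOLDER_2&state=STATE_PLACEHOLDER_2 HTTP/2.0" 200 131 "-" "Mozilla/5.0"',
  '10.0.42.151 - - [04/Jun/2024:07:41:00 -0400] "GET /auth-oidc-callback HTTP/2.0" 200 64 "-" "curl/8.0.1"',
  '10.0.42.152 - - [04/Jun/2024:07:42:00 -0400] "GET /auth-oidc-callback?code=CODE_PLACEHOLDER_3&state=STATE_PLACEHOLDER_3 HTTP/2.0" 302 62 "-" "Mozilla/5.0"',
  '10.0.42.152 - - [04/Jun/2024:07:42:00 -0400] "GET /testurl/ HTTP/2.0" 404 847 "-" "Mozilla/5.0"',
];

// nginx combined format: remote_addr ident remote_user [time] "method path proto" status bytes ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)/;

// Both callback paths seen in the thread: the 1.1.24 one and the pre-1.1.21 one.
const CALLBACK_PATHS = ['/auth-oidc-callback', '/oidc-callback'];

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // not combined format, skip it
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Classify every OIDC callback request in the log.
//   missing-code-or-state : callback hit without the authorization code/state (the
//                           "REQUEST CONTAINS NO USER OR SID" case mentioned above)
//   strategy-failure      : callback answered 302 and the same client's next request is
//                           the configured failureRedirect path, i.e. passport failed
//   unexpected-redirect   : 302 whose follow-up does not match failureRedirect
//   callback-handled      : 200, the HTML meta-refresh page the server builds on success
// A 200 only shows the callback was processed; confirm the login itself with the
// "LOGIN SUCCESS" line in the MeshCentral authlog.
function classifyCallbacks(lines, failureRedirect = '/') {
  const entries = lines.map(parseLine).filter(Boolean);
  const findings = [];
  entries.forEach((entry, i) => {
    const [path, query = ''] = entry.path.split('?');
    if (!CALLBACK_PATHS.includes(path)) return;
    const params = new URLSearchParams(query);
    let verdict;
    if (!params.has('code') || !params.has('state')) {
      verdict = 'missing-code-or-state';
    } else if (entry.status === 302) {
      const next = entries.slice(i + 1).find((e) => e.ip === entry.ip);
      const nextPath = next ? next.path.split('?')[0] : null;
      verdict = nextPath === failureRedirect ? 'strategy-failure' : 'unexpected-redirect';
    } else if (entry.status === 200) {
      verdict = 'callback-handled';
    } else {
      verdict = `unexpected-status-${entry.status}`;
    }
    findings.push({ ip: entry.ip, time: entry.time, path, status: entry.status, verdict });
  });
  return findings;
}

// Run with the default failureRedirect "/" as in the first excerpt above.
console.log(classifyCallbacks(sampleLog, '/'));
```

Passing '/testurl/' as failureRedirect reproduces the second excerpt, where the 302 is followed by a 404 on the changed path.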

si458 commented on July 22, 2024

One thing you can try for me is to check the output from the request BEFORE it heads into handleStrategyLogin,
so at line 6758 of webserver.js, just under var domain = getDomain(req);
put console.log('oidccallbackurl', domain.passport, req.session);
then restart the container, try logging in and watch the console output on your server.
You should see a LOT of JSON output;
can you share it? (You might need to hide secret info in it.)


xcsdm commented on July 22, 2024

Bingo!

It is working.
I had not configured my OIDC connection on the Authentik side to sign the response.

This portion of the log was critical. I'm unsure if it would be easily output from MeshCentral, but it immediately took me to the answer.

meshcentral  |   flash: {
meshcentral  |     error: [
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256'
meshcentral  |     ]
meshcentral  |   },

The whole output in case it helps anyone:

meshcentral  | oidccallbackurl Authenticator {
meshcentral  |   _key: 'passport',
meshcentral  |   _strategies: {
meshcentral  |     session: SessionStrategy {
meshcentral  |       name: 'session',
meshcentral  |       _key: 'passport',
meshcentral  |       _deserializeUser: [Function: bound ]
meshcentral  |     },
meshcentral  |     'oidc-': OpenIDConnectStrategy {
meshcentral  |       _client: Client {
meshcentral  |         authorization_signed_response_alg: 'RS256',
meshcentral  |         client_id: 'REDACTED',
meshcentral  |         client_secret: 'REDACTED',
meshcentral  |         grant_types: [
meshcentral  |           'authorization_code'
meshcentral  |         ],
meshcentral  |         id_token_signed_response_alg: 'RS256',
meshcentral  |         introspection_endpoint_auth_method: 'client_secret_basic',
meshcentral  |         post_logout_redirect_uri: 'https://mesh.example.com/login',
meshcentral  |         redirect_uris: [
meshcentral  |           'https://mesh.example.com/auth-oidc-callback'
meshcentral  |         ],
meshcentral  |         response_types: [
meshcentral  |           'code'
meshcentral  |         ],
meshcentral  |         revocation_endpoint_auth_method: 'client_secret_basic',
meshcentral  |         token_endpoint_auth_method: 'client_secret_basic'
meshcentral  |       },
meshcentral  |       _issuer: Issuer {
meshcentral  |         acr_values_supported: [
meshcentral  |           'goauthentik.io/providers/oauth2/default'
meshcentral  |         ],
meshcentral  |         authorization_endpoint: 'https://auth.example.com/application/o/authorize/',
meshcentral  |         claim_types_supported: [
meshcentral  |           'normal'
meshcentral  |         ],
meshcentral  |         claims_parameter_supported: false,
meshcentral  |         claims_supported: [
meshcentral  |           'sub',
meshcentral  |           'iss',
meshcentral  |           'aud',
meshcentral  |           'exp',
meshcentral  |           'iat',
meshcentral  |           'auth_time',
meshcentral  |           'acr',
meshcentral  |           'amr',
meshcentral  |           'nonce',
meshcentral  |           'email',
meshcentral  |           'email_verified',
meshcentral  |           'name',
meshcentral  |           'given_name',
meshcentral  |           'preferred_username',
meshcentral  |           'nickname',
meshcentral  |           'groups',
meshcentral  |           'uid'
meshcentral  |         ],
meshcentral  |         code_challenge_methods_supported: [
meshcentral  |           'plain',
meshcentral  |           'S256'
meshcentral  |         ],
meshcentral  |         device_authorization_endpoint: 'https://auth.example.com/application/o/device/',
meshcentral  |         end_session_endpoint: 'https://auth.example.com/application/o/meshcentral/end-session/',
meshcentral  |         grant_types_supported: [
meshcentral  |           'authorization_code',
meshcentral  |           'refresh_token',
meshcentral  |           'implicit',
meshcentral  |           'client_credentials',
meshcentral  |           'password',
meshcentral  |           'urn:ietf:params:oauth:grant-type:device_code'
meshcentral  |         ],
meshcentral  |         id_token_signing_alg_values_supported: [
meshcentral  |           'HS256'
meshcentral  |         ],
meshcentral  |         introspection_endpoint: 'https://auth.example.com/application/o/introspect/',
meshcentral  |         introspection_endpoint_auth_methods_supported: [
meshcentral  |           'client_secret_post',
meshcentral  |           'client_secret_basic'
meshcentral  |         ],
meshcentral  |         issuer: 'https://auth.example.com/application/o/meshcentral/',
meshcentral  |         jwks_uri: 'https://auth.example.com/application/o/meshcentral/jwks/',
meshcentral  |         redirect_uri: 'https://mesh.example.com/oidc-callback',
meshcentral  |         request_parameter_supported: false,
meshcentral  |         request_uri_parameter_supported: true,
meshcentral  |         require_request_uri_registration: false,
meshcentral  |         response_modes_supported: [
meshcentral  |           'query',
meshcentral  |           'fragment',
meshcentral  |           'form_post'
meshcentral  |         ],
meshcentral  |         response_types_supported: [
meshcentral  |           'code',
meshcentral  |           'id_token',
meshcentral  |           'id_token token',
meshcentral  |           'code token',
meshcentral  |           'code id_token',
meshcentral  |           'code id_token token'
meshcentral  |         ],
meshcentral  |         revocation_endpoint: 'https://auth.example.com/application/o/revoke/',
meshcentral  |         revocation_endpoint_auth_methods_supported: [
meshcentral  |           'client_secret_post',
meshcentral  |           'client_secret_basic'
meshcentral  |         ],
meshcentral  |         scopes_supported: [
meshcentral  |           'email',
meshcentral  |           'profile',
meshcentral  |           'openid'
meshcentral  |         ],
meshcentral  |         subject_types_supported: [
meshcentral  |           'public'
meshcentral  |         ],
meshcentral  |         token_endpoint: 'https://auth.example.com/application/o/token/',
meshcentral  |         token_endpoint_auth_methods_supported: [
meshcentral  |           'client_secret_post',
meshcentral  |           'client_secret_basic'
meshcentral  |         ],
meshcentral  |         userinfo_endpoint: 'https://auth.example.com/application/o/userinfo/'
meshcentral  |       },
meshcentral  |       _verify: [Function: oidcCallback],
meshcentral  |       _passReqToCallback: false,
meshcentral  |       _usePKCE: 'S256',
meshcentral  |       _key: 'oidc-',
meshcentral  |       _params: [Object],
meshcentral  |       _extras: {},
meshcentral  |       name: 'auth.example.com'
meshcentral  |     }
meshcentral  |   },
meshcentral  |   _serializers: [ [Function (anonymous)] ],
meshcentral  |   _deserializers: [ [Function (anonymous)] ],
meshcentral  |   _infoTransformers: [],
meshcentral  |   _framework: {
meshcentral  |     initialize: [Function: initialize],
meshcentral  |     authenticate: [Function: authenticate]
meshcentral  |   },
meshcentral  |   _sm: SessionManager {
meshcentral  |     _key: 'passport',
meshcentral  |     _serializeUser: [Function: bound ]
meshcentral  |   },
meshcentral  |   Authenticator: [Function: Authenticator],
meshcentral  |   Passport: [Function: Authenticator],
meshcentral  |   Strategy: <ref *1> [Function: Strategy] { Strategy: [Circular *1] },
meshcentral  |   strategies: { SessionStrategy: [Function: SessionStrategy] },
meshcentral  |   _userProperty: 'user'
meshcentral  | } Session {
meshcentral  |   flash: {
meshcentral  |     error: [
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256'
meshcentral  |     ]
meshcentral  |   },
meshcentral  |   'oidc-': {
meshcentral  |     state: 'LzkRQPOPEzsQEMcSu1wZc6dwoC3myJ1xcpzYrdh2caI',
meshcentral  |     response_type: 'code',
meshcentral  |     code_verifier: 'kKB1wjl5sWpeToldqna3_2eYFkRr9bS47J4nVzBwRJk'
meshcentral  |   },
meshcentral  |   regenerate: [Function (anonymous)],
meshcentral  |   save: [Function (anonymous)]
meshcentral  | }
meshcentral  | AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:[email protected]","name":"My User","email":"[email protected]","emailVerified":true,"groups":["authentik Admins","MeshCentral Users"],"preset":null}
meshcentral  | AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:[email protected]"

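Why the session flash above reads "unexpected JWT alg received, expected RS256, got: HS256", and how the mismatch could have been caught at strategy setup rather than on every login attempt. This is an added example, not code from MeshCentral or from openid-client: the ID tokens are constructed with placeholder signatures (the alg check runs before any signature verification, so only the header matters here), and the two issuer metadata objects are reduced to the one field the thread's dumps differ on.

```javascript
// Client setting as it appears in the debug dump above: the RP expects RS256 ID tokens.
const clientConfig = { id_token_signed_response_alg: 'RS256' };

// Constructed issuer discovery metadata, reduced to the relevant field.
// "broken" mirrors xcsdm's dump (no signing key selected in Authentik, so only HS256 is
// advertised); "fixed" mirrors si458's working instance.
const issuerBroken = { id_token_signing_alg_values_supported: ['HS256'] };
const issuerFixed = { id_token_signing_alg_values_supported: ['RS256'] };

function b64urlEncode(data) {
  return Buffer.from(data).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(str) {
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Build a constructed ID token whose header carries the given alg. The signature is a
// placeholder: the check demonstrated below rejects the token before it is ever verified.
function makeIdToken(alg, claims) {
  const header = b64urlEncode(JSON.stringify({ alg, typ: 'JWT' }));
  const payload = b64urlEncode(JSON.stringify(claims));
  return `${header}.${payload}.${b64urlEncode('placeholder-signature')}`;
}

// The alg-pinning check a conforming RP runs first: the header alg must equal the alg the
// client was configured to expect. Pinning it means the RP never verifies a token under a
// different scheme than the one it was set up for, which is exactly why the HS256 token
// from the unsigned Authentik provider was refused. Returns null on success, otherwise a
// message shaped like the flash error in the session dump above.
function checkIdTokenAlg(idToken, expectedAlg) {
  const parts = idToken.split('.');
  if (parts.length !== 3) return 'malformed JWT: expected 3 dot-separated parts';
  const header = JSON.parse(b64urlDecode(parts[0]).toString('utf8'));
  if (header.alg !== expectedAlg) {
    return `unexpected JWT alg received, expected ${expectedAlg}, got: ${header.alg}`;
  }
  return null;
}

// Setup-time check (an addition here, not something MeshCentral does): compare the algs
// the issuer advertises during discovery with the client's expectation, so a provider
// with no signing key is reported at "OIDC: Setup Complete" time instead of at login.
function issuerSupportsAlg(issuerMetadata, expectedAlg) {
  const supported = issuerMetadata.id_token_signing_alg_values_supported || [];
  return supported.includes(expectedAlg);
}

// Walk the thread's two scenarios and return the outcome of each check.
function runScenarios() {
  const claims = {
    iss: 'https://auth.example.com/application/o/meshcentral/',
    sub: 'myuser',
    aud: 'CLIENT_ID_PLACEHOLDER',
  };
  const expected = clientConfig.id_token_signed_response_alg;
  return {
    brokenSetupOk: issuerSupportsAlg(issuerBroken, expected), // false: HS256 only
    fixedSetupOk: issuerSupportsAlg(issuerFixed, expected),   // true
    hsTokenError: checkIdTokenAlg(makeIdToken('HS256', claims), expected), // the flash error
    rsTokenError: checkIdTokenAlg(makeIdToken('RS256', claims), expected), // null
  };
}

console.log(runScenarios());
```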

si458 commented on July 22, 2024

Glad you got it fixed!
Can you do me a favour though?
Can you close this issue as you have fixed it now :)
and can you ALSO open a new enhancement request and just explain in it:
can we please display the flash errors for the external auths like SAML or OIDC on the login screen?
Currently I don't think we display any errors!
If we had the errors being displayed it would have helped this issue out a lot quicker!

P.S.:
my output shows this below, so yeah, yours is different even though we use the same software for auth

id_token_signing_alg_values_supported: [
  'RS256'
],

P.S. again:
what setting did you change in authentik? I want to replicate the issue to get it to display errors


xcsdm commented on July 22, 2024

The authentik setting was on the OAuth2 Provider, under the Redirect URIs/Origins: I had no Signing Key selected.

This worked in 1.1.21, but with the updated libraries, it looks to be required now.


xcsdm commented on July 22, 2024

Closing as fixed.
