
Immich expects a plain JSON object instead of a signed RS256 user info OAuth object #7877

Closed
1 of 3 tasks
iamarkadyt opened this issue Mar 12, 2024 · 5 comments · Fixed by #10756

iamarkadyt commented Mar 12, 2024

Setup

Authelia. Immich. Both configured to use/expect signing algorithm RS256.

What's broken

Authelia redirects back to Immich after signing in with the user info object. Signed with RS256. Immich does not recognize it and fails with the error below. Basically expecting a plain JSON object.

Current workaround

Disable user info object signing in Authelia. Something interesting here is that even if I instruct Immich to expect RS256 signed info (Signing Algorithm setting in OAuth section) and send it a plain JSON object (through Authelia) it still recognizes it and allows me through. Would that be considered a security issue?

Error message from the docker container

[Nest] 8  - 03/11/2024, 11:30:28 PM   ERROR [SyntaxError: Unexpected token 'e', "eyJhbGciOi"... is not valid JSON
    at JSON.parse (<anonymous>)
    at Client.userinfo (/usr/src/app/node_modules/openid-client/lib/client.js:1291:23)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async AuthService.callback (/usr/src/app/dist/domain/auth/auth.service.js:160:25)
    at async OAuthController.finishOAuth (/usr/src/app/dist/immich/controllers/oauth.controller.js:37:38)] Failed to finish oauth

The OS that Immich Server is running on

Linux

Version of Immich Server

v1.98.1

Version of Immich Mobile App

n/a

Platform with the issue

  • Server
  • Web
  • Mobile

Reproduction steps

1. Set up an OAuth client for Immich in Authelia.
2. Set up Client secret, id, URL and other parameters in Immich OAuth settings.
3. Set up user info signing with RS256 in both Authelia and Immich.
4. Once logged in in Authelia and redirected back to Immich, UI error shows up that says "failed to finish oauth"

Additional information

No response

ywjdlq commented Mar 13, 2024

Same problem.
Update: setting Authelia 'userinfo_signing_algorithm: none' works.

iamarkadyt (Author) commented

@ywjdlq sure, but then you're sending a plain object instead of signing it to verify authenticity

@jrasm91 jrasm91 self-assigned this Mar 22, 2024

gravelfreeman commented May 16, 2024

> same problem update: setting authelia 'userinfo_signing_algorithm: none' works

I'm having the same issue. @ywjdlq may I ask you if you've updated to v1.95.1? Because this version has a breaking change requesting use of RS256 which seems to be broken in Authelia or I'm unable to set it up.

I believe this is the reason why this issue is still open because @iamarkadyt is on version 1.98.1 which requires RS256 to be setup.

Immich documentation is still referencing Authelia documentation which is outdated.

I hope someone will bring the right configuration to setup RS256 with Authelia and Immich.

iamarkadyt commented May 17, 2024

@gravelfreeman I'm actually not using the RS256 signing at the moment. Enabling it breaks the Authelia <> Immich integration. Everything works after disabling it however (userinfo_signed_response_alg: 'none'). Not as secure, but works for me for now.

Regarding the documentation you linked, most of it is correct, but I have a few settings added:

client:
  grant_types:
    - authorization_code
    - refresh_token
  response_types:
    - code          # plain string; a trailing colon here would turn the item into a mapping
  response_modes:
    - form_post
    - query
    - fragment

jrasm91 commented Jul 10, 2024

The signing algorithm setting in immich maps to id_token_signed_response_alg in the oauth specification. This is separate from userinfo_signed_response_alg. The first setting specifies to sign the id token with that algorithm. The latter is plain json by default.

I've added a new immich setting profileSigningAlgorithm, which will map to this setting. This will be "fixed" (an enhancement request really), once #10756 is merged.
