Description
I did set up OIDC with Authelia. I guess the Authelia client side is OK, as I use nearly the same config for all my OIDC clients. When I click on Login I get the following message. (I am using Claper with Docker Compose and behind Nginx Proxy Manager.)
The site is under maintenance, we'll be back very soon!

The relevant claper-app logs show:
05:17:58.038 request_id=GDa0yE1wZSBrScMAARTh [info] GET /users/log_in
05:17:58.039 request_id=GDa0yE1wZSBrScMAARTh [info] Sent 302 in 668µs
05:17:58.319 request_id=GDa0yF42Rxu3ddAAARTx [info] GET /users/oidc
05:17:58.671 request_id=GDa0yF42Rxu3ddAAARTx [info] Sent 500 in 352ms
05:17:58.672 [error] #PID<0.8639.0> running ClaperWeb.Endpoint (connection #PID<0.8638.0>, stream id 1) terminated
Server: claper.<mydomain>.dev:80 (http)
Request: GET /users/oidc
** (exit) an exception was raised:
** (MatchError) no match of right hand side value: {:error, {:http_error, 400, %{"error" => "invalid_state", "error_description" => "The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy."}}}
(claper 2.3.1) lib/claper_web/controllers/user_oidc_auth.ex:12: ClaperWeb.UserOidcAuth.new/2
(claper 2.3.1) lib/claper_web/controllers/user_oidc_auth.ex:1: ClaperWeb.UserOidcAuth.action/2
(claper 2.3.1) lib/claper_web/controllers/user_oidc_auth.ex:1: ClaperWeb.UserOidcAuth.phoenix_controller_pipeline/2
(phoenix 1.7.11) lib/phoenix/router.ex:484: Phoenix.Router.__call__/5
(claper 2.3.1) lib/claper_web/endpoint.ex:1: ClaperWeb.Endpoint.plug_builder_call/2
(claper 2.3.1) lib/claper_web/endpoint.ex:1: ClaperWeb.Endpoint.call/2
(plug_cowboy 2.7.2) lib/plug/cowboy/handler.ex:11: Plug.Cowboy.Handler.init/2
(cowboy 2.12.0) /app/deps/cowboy/src/cowboy_handler.erl:37: :cowboy_handler.execute/2
The relevant authelia logs show:
time="2025-04-16T08:06:54+02:00" level=error msg="Pushed Authorization Request failed with error: The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy." method=POST path=/api/oidc/pushed-authorization-request remote_ip=172.18.0.1
So I guess the resulting error is:
The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.
There is an issue in the Authelia issues (authelia/authelia#9003) which mentions the same error message. I am not into OIDC enough to fully understand it, but it looks like Claper is possibly missing UserInfo Endpoint support? The same problem occurred in the Homarr issues (homarr-labs/homarr#2635) and the developer seemed to have fixed it pretty fast, so maybe this is not a huge change?
Let me add that I already tried the workaround (https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter), which would probably be fine for me, but it didn't change a thing at all.
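The logs above show two separate things: the provider rejecting a `state` value shorter than 8 characters, and the client crashing with a `MatchError` (hence the 500) when it receives the `{:error, ...}` tuple. The sketch below is an added example, not code from Claper or from this issue; the module, function names, client id and callback URL are hypothetical, and only the error tuple shape is taken from the log. It shows a client generating a high-entropy `state`, refusing to send a weak one, handling the provider error without crashing, and checking `state` on the callback.

```elixir
# Added example: hypothetical module, not Claper's implementation.
defmodule OidcStateExample do
  # Minimum length quoted in the Authelia error message on this page.
  @min_state_len 8

  # 32 random bytes from the CSPRNG, encoded as 43 URL-safe characters.
  def new_state do
    :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
  end

  # Build the authorization request parameters; fail locally on a weak state
  # instead of letting the provider reject the request.
  def authorization_params(client_id, redirect_uri, state) do
    if is_binary(state) and byte_size(state) >= @min_state_len do
      {:ok,
       %{"response_type" => "code", "scope" => "openid", "client_id" => client_id,
         "redirect_uri" => redirect_uri, "state" => state}}
    else
      {:error, :weak_state}
    end
  end

  # Match every reply shape explicitly. A bare `{:ok, uri} = reply` raises
  # MatchError on an error tuple, which surfaces to the user as a 500.
  def handle_provider_reply({:ok, uri}), do: {:redirect, uri}

  def handle_provider_reply({:error, {:http_error, status, %{"error" => code} = body}}),
    do: {:error, status, code, Map.get(body, "error_description", "")}

  def handle_provider_reply({:error, other}),
    do: {:error, 502, "provider_error", inspect(other)}

  # On the callback, the returned state must equal the one stored in the
  # session. :crypto.hash_equals/2 (OTP 25+) compares in constant time and
  # requires equal sizes, so the length is checked first.
  def valid_callback_state?(stored, returned) when is_binary(stored) and is_binary(returned) do
    byte_size(stored) == byte_size(returned) and :crypto.hash_equals(stored, returned)
  end

  def valid_callback_state?(_stored, _returned), do: false
end

# Constructed sample values for a stand-alone run (elixir example.exs).
redirect = "https://claper.example.test/oidc/callback"
state = OidcStateExample.new_state()
IO.inspect(OidcStateExample.authorization_params("claper", redirect, state))
IO.inspect(OidcStateExample.authorization_params("claper", redirect, ""))
reply = {:error, {:http_error, 400, %{"error" => "invalid_state", "error_description" => "constructed"}}}
IO.inspect(OidcStateExample.handle_provider_reply(reply))
IO.inspect(OidcStateExample.valid_callback_state?(state, state))
```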