
JSONDecodeError when using authentik OpenID #17896

Open
maxkratz opened this issue Nov 3, 2024 · 1 comment


maxkratz commented Nov 3, 2024

Description

When using the official guides to connect Synapse to authentik (https://element-hq.github.io/synapse/latest/openid.html#authentik and https://docs.goauthentik.io/integrations/services/matrix-synapse/), Synapse raises a JSONDecodeError when trying to log in.

Steps to reproduce:

  • Set up Synapse and authentik as described in the links above.
  • Navigate to Element-Web, click on "Login with authentik".
  • Provide valid credentials. authentik now redirects to Synapse.
  • Synapse shows an error within the web browser: "Internal Server Error".
[...]
synapse-1   | 2024-11-03T17:23:17.988935881Z 2024-11-03 17:23:17,988 - synapse.rest.client.login - 682 - INFO - GET-7 - Redirecting to https://auth.REDACTED.de/application/o/authorize/?response_type=code&client_id=WRKvT2yhGvUeSGf9AJshP3vjhgwR6tj2BtYbDVHF&redirect_uri=https%3A%2F%2Fmatrix.REDACTED.de%2F_synapse%2Fclient%2Foidc%2Fcallback&scope=openid+profile+email&state=uw0yDmOCuR1lW4dBL9BjLTBCZfSnr6&nonce=0nbfV9h07yVd9emtq54HVqrDfEs8Vy&code_challenge_method=S256&code_challenge=colWx9z0kYx1YX8ceBteeAiEVm7PAdZfXa-Ko_Iizy0
synapse-1   | 2024-11-03T17:23:17.989612259Z 2024-11-03 17:23:17,989 - synapse.access.http.8008 - 473 - INFO - GET-7 - 172.18.0.1 - 8008 - {None} Processed request: 0.004sec/-0.000sec (0.004sec, 0.000sec) (0.000sec/0.000sec/0) 0B 302 "GET /_matrix/client/v3/login/sso/redirect/oidc-authentik?redirectUrl=https%3A%2F%2Felement.REDACTED.de%2F&org.matrix.msc3824.action=login HTTP/1.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Safari/605.1.15" [0 dbevts]
synapse-1   | 2024-11-03T17:23:18.659634171Z 2024-11-03 17:23:18,659 - synapse.handlers.oidc - 259 - INFO - GET-8 - Received OIDC callback for IdP oidc-authentik
synapse-1   | 2024-11-03T17:23:19.140305318Z 2024-11-03 17:23:19,137 - synapse.http.client - 428 - INFO - GET-8 - Received response to POST https://auth.REDACTED.de/application/o/token/: 405
synapse-1   | 2024-11-03T17:23:19.152399538Z 2024-11-03 17:23:19,138 - synapse.http.server - 221 - ERROR - GET-8 - Failed handle request <XForwardedForRequest at 0x7fa30e5098d0 method='GET' uri='/_synapse/client/oidc/callback?code=570eb483fd9242f5b1be01f2ba70002c&state=uw0yDmOCuR1lW4dBL9BjLTBCZfSnr6' clientproto='HTTP/1.1' site='8008'>
synapse-1   | 2024-11-03T17:23:19.152457450Z Traceback (most recent call last):
synapse-1   | 2024-11-03T17:23:19.152466090Z   File "/usr/local/lib/python3.11/site-packages/synapse/http/server.py", line 332, in _async_render_wrapper
synapse-1   | 2024-11-03T17:23:19.152473300Z     callback_return = await self._async_render(request)
synapse-1   | 2024-11-03T17:23:19.152480002Z                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
synapse-1   | 2024-11-03T17:23:19.152486398Z   File "/usr/local/lib/python3.11/site-packages/synapse/http/server.py", line 364, in _async_render
synapse-1   | 2024-11-03T17:23:19.152493234Z     callback_return = await raw_callback_return
synapse-1   | 2024-11-03T17:23:19.152499662Z                       ^^^^^^^^^^^^^^^^^^^^^^^^^
synapse-1   | 2024-11-03T17:23:19.152506064Z   File "/usr/local/lib/python3.11/site-packages/synapse/rest/synapse/client/oidc/callback_resource.py", line 42, in _async_render_GET
synapse-1   | 2024-11-03T17:23:19.152512890Z     await self._oidc_handler.handle_oidc_callback(request)
synapse-1   | 2024-11-03T17:23:19.152520274Z   File "/usr/local/lib/python3.11/site-packages/synapse/handlers/oidc.py", line 276, in handle_oidc_callback
synapse-1   | 2024-11-03T17:23:19.152527014Z     await oidc_provider.handle_oidc_callback(request, session_data, code)
synapse-1   | 2024-11-03T17:23:19.152533634Z   File "/usr/local/lib/python3.11/site-packages/synapse/handlers/oidc.py", line 1094, in handle_oidc_callback
synapse-1   | 2024-11-03T17:23:19.152540384Z     token = await self._exchange_code(
synapse-1   | 2024-11-03T17:23:19.152546618Z             ^^^^^^^^^^^^^^^^^^^^^^^^^^
synapse-1   | 2024-11-03T17:23:19.152552859Z   File "/usr/local/lib/python3.11/site-packages/synapse/handlers/oidc.py", line 787, in _exchange_code
synapse-1   | 2024-11-03T17:23:19.152559212Z     resp = json_decoder.decode(resp_body.decode("utf-8"))
synapse-1   | 2024-11-03T17:23:19.152565486Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
synapse-1   | 2024-11-03T17:23:19.152571802Z   File "/usr/local/lib/python3.11/json/decoder.py", line 337, in decode
synapse-1   | 2024-11-03T17:23:19.152578139Z     obj, end = self.raw_decode(s, idx=_w(s, 0).end())
synapse-1   | 2024-11-03T17:23:19.152584650Z                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
synapse-1   | 2024-11-03T17:23:19.152590962Z   File "/usr/local/lib/python3.11/json/decoder.py", line 355, in raw_decode
synapse-1   | 2024-11-03T17:23:19.152597458Z     raise JSONDecodeError("Expecting value", s, err.value) from None
synapse-1   | 2024-11-03T17:23:19.152603926Z json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
synapse-1   | 2024-11-03T17:23:19.153510452Z 2024-11-03 17:23:19,153 - synapse.access.http.8008 - 473 - INFO - GET-8 - 172.18.0.1 - 8008 - {None} Processed request: 0.495sec/-0.000sec (0.011sec, 0.000sec) (0.000sec/0.000sec/0) 167B 500 "GET /_synapse/client/oidc/callback?code=570eb483fd9242f5b1be01f2ba70002c&state=uw0yDmOCuR1lW4dBL9BjLTBCZfSnr6 HTTP/1.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Safari/605.1.15" [0 dbevts]
[...]

Relevant config snippet from homeserver.yaml:

[...]
oidc_providers:
  - idp_id: authentik
    idp_name: authentik
    discover: true
    issuer: "https://auth.REDACTED.de/application/o/synapse-slug/"
    client_id: "REDACTED"
    client_secret: "REDACTED"
    scopes:
      - "openid"
      - "profile"
      - "email"
    user_mapping_provider:
      config:
        localpart_template: "{{ user.preferred_username }}"
        display_name_template: "{{ user.name|capitalize }}"
[...]

Homeserver

Self-hosted homeserver

Synapse Version

v1.118.0

Installation Method

Docker (matrixdotorg/synapse)

Database

PostgreSQL, single server, no ported data (fresh set up)

Workers

Single process

Platform

Debian 12 VM via Docker

Configuration

No response

Anything else that would be useful to know?

No response
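As an added example (not Synapse's own code), the block below contrasts the decode-first pattern visible at `oidc.py` line 787 in the traceback with a token-response parser that checks HTTP status and Content-Type before JSON-decoding, so a 405 from the token endpoint surfaces as a descriptive error instead of a bare JSONDecodeError and a 500. The sample responses are constructed, not captured from authentik.

```python
import json
from dataclasses import dataclass
from typing import Any, Dict, Optional

# Constructed stand-ins for what an OIDC token endpoint (POST .../o/token/)
# might return: (status, content_type, body). Not real authentik output.
SAMPLE_RESPONSES = {
    "ok": (200, "application/json",
           b'{"access_token":"at-123","token_type":"Bearer","id_token":"x.y.z"}'),
    "oauth_error": (400, "application/json",
                    b'{"error":"invalid_grant","error_description":"code expired"}'),
    "method_not_allowed": (405, "text/html; charset=utf-8",
                           b"<html><body>405 Method Not Allowed</body></html>"),
    "empty_json": (405, "application/json", b""),
}


@dataclass
class TokenResult:
    ok: bool
    token: Optional[Dict[str, Any]] = None
    error: Optional[str] = None    # short classification safe to log
    detail: Optional[str] = None   # human-readable explanation


def naive_parse(status: int, content_type: str, body: bytes) -> Dict[str, Any]:
    """Mirrors the failing call in the traceback: decode the body unconditionally.
    A 405 with an HTML body raises json.JSONDecodeError here."""
    return json.loads(body.decode("utf-8"))


def parse_token_response(status: int, content_type: str, body: bytes) -> TokenResult:
    """Hardened version: classify the HTTP response before touching the body."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        return TokenResult(False, error="unexpected_content_type",
                           detail=f"token endpoint returned HTTP {status} "
                                  f"with {media_type or 'no'} content type")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return TokenResult(False, error="malformed_json", detail=f"HTTP {status}: {exc}")
    if status != 200:
        # RFC 6749 section 5.2: error responses carry "error" and optionally "error_description"
        return TokenResult(False, error=payload.get("error", "unknown_error"),
                           detail=payload.get("error_description"))
    missing = [k for k in ("access_token", "token_type") if k not in payload]
    if missing:
        return TokenResult(False, error="incomplete_token_response", detail=f"missing {missing}")
    return TokenResult(True, token=payload)
```

Logging `error` and `detail` at the point where Synapse logs "Received response to POST .../token/: 405" would have pointed straight at the endpoint misbehaviour rather than at the JSON decoder.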

maxkratz commented Nov 6, 2024

I figured it out myself - the jwt block was missing in my Synapse configuration:

[...]
jwt_config:
    enabled: true
    secret: "SAME_AS_OPENID_SECRET"
    algorithm: "RS256"
[...]

Maybe the documentation regarding authentik (https://github.com/element-hq/synapse/blob/develop/docs/openid.md#authentik) should be updated to work out of the box. If I understood it correctly, recent versions of authentik are only able to use JWTs and not plain JSON responses.

If desired, I can provide a PR.
