vaulttec/sonar-auth-oidc

OpenID Connect error connecting with Authelia

Closed this issue · 6 comments

2022.11.28 10:10:16 DEBUG web[AYS8nLyKIphjjNy5AAfQ][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@90867245 pairs: {GET /.well-known/openid-configuration HTTP/1.1: null}{User-Agent: SonarQube 9.7.1.62043 # 147B411E-AYSlEBJ5y64pVfZJz0Ds Java/11.0.15}{Host: authelia.XXX.cn}{Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2}{Connection: keep-alive}
2022.11.28 10:10:16 DEBUG web[AYS8nLyKIphjjNy5AAfQ][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@71b42eef17 pairs: {null: HTTP/1.1 200 OK}{Date: Mon, 28 Nov 2022 10:10:16 GMT}{Content-Type: application/json}{Content-Length: 1450}{Vary: Accept-Encoding}{Access-Control-Allow-Origin: *}{Access-Control-Allow-Credentials: false}{Access-Control-Max-Age: 100}{Access-Control-Allow-Methods: OPTIONS, GET}{X-Content-Type-Options: nosniff}{Referrer-Policy: strict-origin-when-cross-origin}{Permissions-Policy: interest-cohort=()}{X-Frame-Options: SAMEORIGIN}{X-Xss-Protection: 1; mode=block}{Content-Security-Policy: default-src 'none';}{Pragma: no-cache}{Cache-Control: no-store}
2022.11.28 10:10:16 WARN web[AYS8nLyKIphjjNy5AAfQ][o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'oidc'
java.lang.IllegalStateException: Retrieving OpenID Connect provider metadata failed

I hope the author can help solve the problem

Please provide the DEBUG log entries related to the plugin as described in the troubleshooting section - the ones with the abbreviated package name of o.v.s.a.o.
From the given information I would guess that this issue is related to network restrictions (plugin is not allowed to access the identity provider).

It seems that your IdP is returning invalid provider metadata from its well-known endpoint. So the NimbusDS SDK's metadata check fails with the error "The returned issuer doesn't match the expected...":

2022.11.28 06:10:08 WARN  web[AYS8nLyKIphjjNy5AAFh][o.s.s.a.AuthenticationError] Fail to initialize authentication with provider 'oidc'
java.lang.IllegalStateException: Retrieving OpenID Connect provider metadata failed
	at org.vaulttec.sonarqube.auth.oidc.OidcClient.getProviderMetadata(OidcClient.java:219)
	at org.vaulttec.sonarqube.auth.oidc.OidcClient.createAuthenticationRequest(OidcClient.java:88)
	at org.vaulttec.sonarqube.auth.oidc.OidcIdentityProvider.init(OidcIdentityProvider.java:79)
	at org.sonar.server.authentication.InitFilter.handleOAuth2IdentityProvider(InitFilter.java:108)
            :
Caused by: com.nimbusds.oauth2.sdk.GeneralException: The returned issuer doesn't match the expected: https://authelia.XXXXXX.cn
	at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.resolve(OIDCProviderMetadata.java:1792)
	at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.resolve(OIDCProviderMetadata.java:1745)
	at org.vaulttec.sonarqube.auth.oidc.OidcClient.getProviderMetadata(OidcClient.java:217)
	... 133 common frames omitted

You have to check with your IdP team to get this OIDC compliance issue fixed.

This OIDC compliance issue with Authelia is similar to the one raised in #63.
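The check that fails in the trace above is the OIDC Discovery rule that the `issuer` value inside the well-known document must be identical to the issuer URL the client was configured with. The following is an added example, not code from the plugin or from NimbusDS, that reproduces that comparison in Python so an operator can test an IdP's metadata offline before pointing SonarQube at it; the discovery document and the `authelia.example.cn` host are constructed, not values from this thread.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document; the trailing slash on "issuer" is the
# assumed defect, chosen to show the most common cause of this mismatch.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://authelia.example.cn/",
    "authorization_endpoint": "https://authelia.example.cn/authorize",
    "token_endpoint": "https://authelia.example.cn/token",
    "jwks_uri": "https://authelia.example.cn/jwks",
})


def discovery_url(issuer: str) -> str:
    """Discovery URL as OIDC Discovery builds it: issuer plus the well-known path."""
    return issuer.rstrip("/") + WELL_KNOWN


def check_issuer(expected_issuer: str, metadata_json: str) -> list[str]:
    """Validate a discovery document against the configured issuer.

    Returns a list of problems; an empty list means the metadata would be
    accepted. OIDC Discovery requires the returned 'issuer' to match the
    configured issuer exactly, so this is a plain string comparison, with
    extra lines that explain the usual reasons an exact match fails.
    """
    try:
        metadata = json.loads(metadata_json)
    except json.JSONDecodeError as exc:
        return [f"metadata is not valid JSON: {exc}"]
    returned = metadata.get("issuer")
    if not isinstance(returned, str):
        return ["metadata has no 'issuer' string"]
    if returned == expected_issuer:
        return []
    problems = [f"issuer mismatch: expected {expected_issuer!r}, got {returned!r}"]
    if returned.rstrip("/") == expected_issuer.rstrip("/"):
        problems.append("difference is only a trailing slash; the values must match exactly")
    exp, got = urlsplit(expected_issuer), urlsplit(returned)
    if exp.scheme != got.scheme:
        problems.append(f"scheme differs: {exp.scheme} vs {got.scheme}")
    if exp.netloc != got.netloc:
        problems.append(f"host differs: {exp.netloc} vs {got.netloc}")
    return problems


if __name__ == "__main__":
    print("fetch:", discovery_url("https://authelia.example.cn"))
    for problem in check_issuer("https://authelia.example.cn", SAMPLE_METADATA):
        print(problem)
```

Run it against the JSON your IdP actually serves (for example saved with curl) and the configured issuer to see which of the reported differences applies.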

OK, thank you