Description
Preflight Checklist
- I could not find a solution in the documentation, the existing issues or discussions
- I have joined the ZITADEL chat
Version
v3.45.1
Describe the problem caused by this bug
Original issue in Perses: perses/perses#3774
Authelia config:

```yaml
access_control:
  default_policy: deny
  rules:
    - domain:
        - alerts.home.yawn.io
      policy: one_factor
    - domain:
        - filebrowser.home.yawn.io
      policy: one_factor
    - domain:
        - graf.home.yawn.io
      policy: one_factor
    - domain:
        - perses.home.yawn.io
      policy: bypass
    - domain:
        - prom.home.yawn.io
      policy: one_factor
authentication_backend:
  file:
    path: /run/derived-secrets/authelia_users.json
  password_reset:
    disable: true
default_2fa_method: ''
identity_providers:
  oidc:
    clients:
      - authorization_policy: one_factor
        client_id: 4guwUub8JViSDX~HIjtshmlnStejSe-tL5g.IqyqHm1CTJz2lVekSkCKiwczqxG645bucmFE
        client_name: Perses
        client_secret: '{{- fileContent "/run/agenix/authelia-perses-client-secret-hash" | trim }}'
        grant_types:
          - authorization_code
          - refresh_token
          - urn:ietf:params:oauth:grant-type:device_code
        redirect_uris:
          - https://perses.home.yawn.io/api/auth/providers/oidc/authelia/callback
        scopes:
          - openid
          - profile
          - email
          - offline_access
        token_endpoint_auth_method: client_secret_basic
log:
  file_path: null
  format: json
  keep_stdout: false
  level: debug
notifier:
  filesystem:
    filename: /var/lib/authelia-main/notification.txt
server:
  address: tcp://:9092/
session:
  cookies:
    - authelia_url: https://auth.home.yawn.io
      domain: home.yawn.io
      name: session
storage:
  local:
    path: /var/lib/authelia-main/db.sqlite3
telemetry:
  metrics:
    address: tcp://127.0.0.1:9959
    enabled: false
theme: light
```

Perses config:
```json
{
  "security": {
    "authentication": {
      "providers": {
        "oidc": [
          {
            "client_id": "4guwUub8JViSDX~HIjtshmlnStejSe-tL5g.IqyqHm1CTJz2lVekSkCKiwczqxG645bucmFE",
            "client_secret_file": "/run/agenix/authelia-perses-client-secret",
            "issuer": "https://auth.home.yawn.io",
            "name": "Authelia",
            "redirect_uri": "https://perses.home.yawn.io/api/auth/providers/oidc/authelia/callback",
            "scopes": [
              "openid",
              "profile",
              "email"
            ],
            "slug_id": "authelia"
          }
        ]
      }
    },
    "cookie": {
      "secure": true
    },
    "enable_auth": true,
    "encryption_key_file": "/run/agenix/perses-encryption-key"
  }
}
```

With this setup the browser-based auth works fine. But:
```console
❯❯ percli login https://perses.home.yawn.io
Go to https://auth.home.yawn.io/consent/openid/device-authorization and enter this user code: VKNFSCSB
Waiting for user to authorize the application...
Error: something wrong happened with the request to the API. Error: oauth2: "invalid_request" "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client Authentication failed with more than one known authentication method included in the request which is not permitted."
```
I won't paste the logs since I'm not knowledgeable enough to redact the secrets correctly, but I'm pretty sure I confirmed in tcpdump that Authelia is telling the truth, i.e. Perses uses the Basic authorization header and also sets the `client_secret` in the POST body.
I think this is basically violating https://datatracker.ietf.org/doc/html/rfc6749#section-2.3, which says "The client MUST NOT use more than one authentication method in each request". However, I came to that conclusion based on talking to an LLM, not from any actual knowledge of this auth thing, so it could be nonsense.
I also got the AI to try fixing the issue; it generated this: bjackman@e5b8aa8
IMO the vibes are off there; it looks like the patch itself is slop. But I confirmed that it fixes my issue, so it does seem like the AI had the right basic idea in terms of correct behaviour for the protocol.
To reproduce
- Run Perses using this library
- Run Authelia with a config like the one I showed
- Use `percli login` to exercise the Device Auth flow
Screenshots
No response
Expected behavior
OIDC Device Auth flow would work
Additional Context
No response
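The two client authentication methods the report describes, as an added example that is not part of this issue, of Perses, or of the zitadel/oidc library: a token-endpoint check that rejects a device-code token request carrying both an HTTP Basic header and a `client_secret` form field (the RFC 6749 section 2.3 rule Authelia is enforcing in the error above), next to a client-side request builder that sends exactly one method, selected by the registered `token_endpoint_auth_method`. The function names (`authenticateRequest`, `deviceTokenRequest`), the token URL and the credentials are hypothetical, chosen for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Added illustration with hypothetical names; not zitadel/oidc code.
// errMultipleAuth corresponds to the invalid_request Authelia returned:
// RFC 6749 section 2.3 forbids more than one client authentication method
// per request.
var errMultipleAuth = errors.New("invalid_request: more than one client authentication method")

// authenticateRequest is the token-endpoint side. It counts the RFC 6749
// section 2.3.1 methods present (HTTP Basic = client_secret_basic, a
// client_secret form field = client_secret_post), rejects the request if
// both appear, then checks the single credential against wantID/wantSecret.
// A bare client_id in the body only identifies the client and is not counted.
func authenticateRequest(req *http.Request, wantID, wantSecret string) error {
	if err := req.ParseForm(); err != nil {
		return fmt.Errorf("invalid_request: %w", err)
	}
	hasBasic := strings.HasPrefix(req.Header.Get("Authorization"), "Basic ")
	_, hasPost := req.PostForm["client_secret"]
	if hasBasic && hasPost {
		return errMultipleAuth
	}
	var id, secret string
	switch {
	case hasBasic:
		rawID, rawSecret, ok := req.BasicAuth()
		if !ok {
			return errors.New("invalid_client: malformed Basic credentials")
		}
		// RFC 6749 section 2.3.1: id and secret are form-urlencoded before base64.
		var err1, err2 error
		id, err1 = url.QueryUnescape(rawID)
		secret, err2 = url.QueryUnescape(rawSecret)
		if err1 != nil || err2 != nil {
			return errors.New("invalid_client: malformed Basic credentials")
		}
	case hasPost:
		id, secret = req.PostForm.Get("client_id"), req.PostForm.Get("client_secret")
	default:
		return errors.New("invalid_client: no client authentication")
	}
	if id != wantID || secret != wantSecret {
		return errors.New("invalid_client: bad credentials")
	}
	return nil
}

// deviceTokenRequest is the client side: the RFC 8628 section 3.4 access
// token request built with exactly one authentication method, chosen by the
// client's registered token_endpoint_auth_method.
func deviceTokenRequest(tokenURL, clientID, clientSecret, deviceCode, method string) (*http.Request, error) {
	form := url.Values{
		"grant_type":  {"urn:ietf:params:oauth:grant-type:device_code"},
		"device_code": {deviceCode},
	}
	switch method {
	case "client_secret_post":
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	case "client_secret_basic":
		// credentials go in the header only; no client_secret in the body
	default:
		return nil, fmt.Errorf("unsupported token_endpoint_auth_method %q", method)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if method == "client_secret_basic" {
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	}
	return req, nil
}

func main() {
	const id, secret = "perses", "s3cret" // constructed sample credentials
	const tokenURL = "https://auth.example/api/oidc/token" // hypothetical endpoint
	// The failing shape from the report: Basic header plus client_secret in the body.
	both, _ := deviceTokenRequest(tokenURL, id, secret, "dc", "client_secret_post")
	both.SetBasicAuth(id, secret)
	fmt.Println("both methods:", authenticateRequest(both, id, secret))
	// The compliant shape for token_endpoint_auth_method: client_secret_basic.
	basic, _ := deviceTokenRequest(tokenURL, id, secret, "dc", "client_secret_basic")
	fmt.Println("basic only:", authenticateRequest(basic, id, secret))
}
```

Two details are worth checking in any client you debug with this: with `client_secret_basic` the body carries no `client_id` at all (RFC 8628 only requires it when the client is not authenticating), and the Basic credentials are form-urlencoded before base64, so a client ID containing `~` or `.` like the one in this issue round-trips unchanged while characters such as `+` or `%` do not.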