[Bug]: Infinite Redirect Loop with Authentik OIDC, Undefined array key "kid" #2920

Closed
athiosh opened this issue Feb 6, 2025 · 6 comments
Labels: Fixed and Staged (Fixed in Master and ready to be included in the next release)


athiosh commented Feb 6, 2025

What is your setup?

Self Hosted Docker

Version

3.3.3

Describe the issue

Just deployed Leantime with Docker yesterday; everything is working great except setting up OIDC with Authentik. Clicking "OIDC Login" redirects to the Authentik instance, then it gets stuck in a redirect loop. Both Leantime and Authentik are behind Nginx Proxy Manager, and every loop gets registered in Authentik. When opening a new tab after the loop, it shows the error 'Undefined array key "kid"'.

Authentik Application Setup: (screenshot)

Authentik Provider Setup: (screenshot)

Leantime error: (screenshot)

Reproduction steps

docker-compose.yml

services:
  leantime_db:
    image: mysql:8.4
    container_name: mysql_leantime
    volumes:
      - /appdata/leantime/db:/var/lib/mysql
    restart: unless-stopped
    env_file: .env
    networks:
      - leantime-net
    command: --character-set-server=UTF8MB4 --collation-server=UTF8MB4_unicode_ci

  leantime:
    image: leantime/leantime:latest
    container_name: leantime
    restart: unless-stopped
    env_file: .env
    networks:
      - leantime-net
    volumes:
      - /appdata/leantime/public_userfiles:/var/www/html/public/userfiles     # Volume to store public files, logo etc
      - /appdata/leantime/userfiles:/var/www/html/userfiles                   # Volume to store private user uploaded files
      - /appdata/leantime/plugins:/var/www/html/app/Plugins                   # Uncomment if you are planning to use plugins from the marketplace
    ports:
      - "${LEAN_PORT}:80"
    depends_on:
      - leantime_db

networks:
  leantime-net:

.env

# This is a sample configuration file with all possible configuration options.
# If you don't want to maintain a file like this you can pass in all variables via Server Variables

## Minimum Configuration, these are required for installation

LEAN_PORT = '3081'                                 # The port to expose and access Leantime
LEAN_APP_URL = 'https://project.mydomain.com'    # Base URL, needed for subfolder or proxy installs (including http:// or https://)
LEAN_APP_DIR = ''                         # Base of application without trailing slash (used for cookies), e.g, /leantime

LEAN_DEBUG = 1                                     # Debug flag

# Database - MySQL container
MYSQL_ROOT_PASSWORD = 'ovpQLwqfXetuK4ELnenr'       # MySQL root password
MYSQL_DATABASE = 'leantime'                        # Database name
MYSQL_USER = 'admin'                               # Database username
MYSQL_PASSWORD = 'gkL2...dSxzrAmj'            # Database password

# Database - leantime container
LEAN_DB_HOST = 'mysql_leantime'                    # Database host 
LEAN_DB_USER = 'admin'                             # Database username (needs to be the same as MYSQL_USER)
LEAN_DB_PASSWORD = 'gkL2...dSxzrAmj'          # Database password (needs to be the same as MYSQL_PASSWORD)
LEAN_DB_DATABASE = 'leantime'                      # Database name (needs to be the same as MYSQL_DATABASE)
LEAN_DB_PORT = '3306'                              # Database port


## Optional Configuration, you may omit these from your .env file

## Default Settings
LEAN_SITENAME = 'Leantime'                         # Name of your site, can be changed later
LEAN_LANGUAGE = 'en-US'                            # Default language
LEAN_DEFAULT_TIMEZONE = 'America/Toronto'      # Set default timezone
LEAN_LOG_PATH = ''                                 # Default Log Path (including filename), if not set /logs/error.log will be used
LEAN_DISABLE_LOGIN_FORM = false                    # If true then don't show the login form (useful only if additional auth method[s] are available)

## Session Management
LEAN_SESSION_PASSWORD = 'w8ww...TVZ25ao2a'  # Salting sessions, replace with a strong password
LEAN_SESSION_EXPIRATION = 28800                    # How many seconds after inactivity should we logout?  28800seconds = 8hours
LEAN_SESSION_SECURE = true                        # Cookies only served via https

## Look & Feel, these settings are available in the UI and can be overwritten there.
LEAN_LOGO_PATH = '/dist/images/logo.svg'           # Default logo path, can be changed later
LEAN_PRINT_LOGO_URL = '/dist/images/logo.png'      # Default logo URL use for printing (must be jpg or png format)
LEAN_DEFAULT_THEME = 'default'                     # Default theme
LEAN_PRIMARY_COLOR = '#006d9f'                     # Primary Theme color
LEAN_SECONDARY_COLOR = '#00a886'                   # Secondary Theme Color (quote must enclose the value, no leading space)


## Fileuploads

# Local File Uploads
LEAN_USER_FILE_PATH = 'userfiles/'                 # Local relative path to store uploaded files (if not using S3)
LEAN_DB_BACKUP_PATH = 'backupdb/'                  # Local relative path to store backup files, need permission to write

## OpenID Connect
# required
LEAN_OIDC_ENABLE = true
LEAN_OIDC_CLIENT_ID=hmbTxFVhTJgrP3G3HYYZmjg34Vzuqp3j5akMpydY
LEAN_OIDC_CLIENT_SECRET=xCY3y0huwM19...9U
LEAN_OIDC_PROVIDER_URL = https://auth.mydomain.com/application/o/leantime/
LEAN_OIDC_CREATE_USER = true

Error Logs (LEANTIMEFOLDER/storage/logs)

No response

@marcelfolaron (Contributor)

Thanks for reaching out. Authentik is always a little finicky for us. But it is working.

First thing is to make sure the Subject Mode is set correctly for OAuth2:

(screenshot: Subject Mode setting in the Authentik provider)

Can you try wrapping the OIDC config values in quotes? Some escape characters may cause issues with PHP and env.

Alternatively it may be an issue with the reverse proxy. Is the port 3081 set up correctly in there?

You could also join our discord server where we have various people who have authentik running (and that topic popped up so many times that I'd hope the solution is somewhere there :)


athiosh commented Feb 7, 2025

Hi, thanks for the response. The subject mode is the same as in your screenshot, and I tried wrapping the OIDC values in single quotes, but it is the same result. I just posted in Discord, hoping I can get some other solution. Thank you.

@marcelfolaron marcelfolaron added the Fixed and Staged Fixed in Master and ready to be included in the next release label Feb 16, 2025
@marcelfolaron marcelfolaron added this to the v3.4.0 milestone Feb 17, 2025

athiosh commented Feb 18, 2025

Just pulled the latest image and it is still giving the same error 'Undefined array key "kid"'. Do I need to update any of my setup?

@marcelfolaron (Contributor)

Yeah, so I went through the process of installing Authentik + Traefik + Leantime in a Docker environment and made sure that the Leantime side is covered. I'll be writing a more in-depth blog article on that.

Now the "kid" error happens when you encrypt the JWT token in your OAuth provider. Can you take out the SSL certificate in your OAuth provider settings in Authentik and see if that fixes the issue?

@marcelfolaron (Contributor)

Closing this for now. Let me know if you are still running into issues here

@marcelfolaron marcelfolaron modified the milestones: v3.4.0, v3.4.1 Feb 21, 2025

athiosh commented Feb 23, 2025

Hi, I just tried again and I am getting a "JWT token could not be decoded" error. My provider in Authentik has no Signing Key or Encryption Key set up. Is there anything I can do about this error?
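Both error strings in this thread, 'Undefined array key "kid"' (the comment above about encrypted tokens) and "JWT token could not be decoded" (the last comment, with no Signing Key selected), are what a JWS-only consumer produces when the id_token's protected header is not the RS256-with-kid shape it expects: in PHP 8, reading `$header['kid']` from a header that has no `kid` raises exactly that "Undefined array key" warning. The script below is an added example, not Leantime's or Authentik's code. It reads only the JOSE header of a token and classifies it against a JWKS document, so you can tell from the token itself which case you are in. It assumes Authentik's documented provider behaviour: an Encryption Key makes the id_token a five-segment JWE, and a provider with no Signing Key signs with HS256 using the client secret, which carries no `kid`. The tokens, the JWKS and the key IDs (`demo-key-1`, `demo-key-2`) are constructed inline for the demo; nothing is verified cryptographically.

```python
"""Triage an OIDC id_token's JOSE header before handing it to a JWS decoder.

Constructed example, not Leantime or Authentik code. Header parsing only;
signatures are never checked. The verdict explains why a decoder that
expects an RS256 JWS with a 'kid' fails on this token.
"""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jose_header(token: str) -> dict:
    """Parse the protected header: the first dot-separated segment of a JWS or JWE."""
    return json.loads(b64url_decode(token.split(".")[0]))


def triage(token: str, jwks: dict) -> str:
    """Classify a token from its header plus the provider's JWKS.

    Returns one of:
      'jwe'          five segments or an 'enc' header: encrypted, needs the
                     recipient's private key; a JWS-only consumer cannot read it
      'hmac-no-kid'  HS* alg: symmetric, verified with the client secret, so no
                     kid is present and a JWKS lookup is the wrong path
      'missing-kid'  asymmetric alg but no kid: cannot select a JWKS entry
      'unknown-kid'  kid present but not published in the JWKS (rotated key,
                     wrong provider URL, or stale JWKS cache)
      'ok'           kid matches a JWKS entry; proceed to signature verification
    """
    parts = token.split(".")
    hdr = jose_header(token)
    # Check for JWE first: a JWE header also carries 'alg', so an alg-based
    # check alone would misclassify it.
    if len(parts) == 5 or "enc" in hdr:
        return "jwe"
    alg = hdr.get("alg", "")
    if alg.startswith("HS"):
        return "hmac-no-kid"
    if "kid" not in hdr:
        return "missing-kid"
    if any(k.get("kid") == hdr["kid"] for k in jwks.get("keys", [])):
        return "ok"
    return "unknown-kid"


def fake_token(header: dict, n_segments: int = 3) -> str:
    """Build a token with a real header and placeholder body/signature segments.

    Constructed for the demo: the payload and signature are meaningless.
    """
    segs = [b64url_encode(json.dumps(header).encode())]
    segs += [b64url_encode(b"x")] * (n_segments - 1)
    return ".".join(segs)


# Constructed JWKS in the shape a provider's jwks endpoint serves; the modulus
# is a dummy value because nothing here verifies a signature.
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-key-1", "use": "sig",
                  "alg": "RS256", "n": "AQ", "e": "AQAB"}]}

# Constructed tokens covering each verdict.
TOKEN_OK = fake_token({"alg": "RS256", "kid": "demo-key-1", "typ": "JWT"})
TOKEN_HS = fake_token({"alg": "HS256", "typ": "JWT"})
TOKEN_JWE = fake_token({"alg": "RSA-OAEP-256", "enc": "A256CBC-HS512",
                        "kid": "demo-key-1"}, n_segments=5)
TOKEN_NOKID = fake_token({"alg": "RS256", "typ": "JWT"})
TOKEN_ROTATED = fake_token({"alg": "RS256", "kid": "demo-key-2", "typ": "JWT"})

if __name__ == "__main__":
    for name, tok in [("rs256+kid", TOKEN_OK), ("hs256", TOKEN_HS),
                      ("jwe", TOKEN_JWE), ("no-kid", TOKEN_NOKID),
                      ("rotated", TOKEN_ROTATED)]:
        print(f"{name:10s} -> {triage(tok, JWKS)}")
```

To use it on a real token, replace one of the constructed tokens with the id_token captured from the callback (or from the provider's logs) and replace `JWKS` with the document fetched from the `jwks_uri` advertised in the provider's `.well-known/openid-configuration`. A verdict of `jwe` means the consumer needs decryption support or the provider must stop encrypting; `hmac-no-kid` means the provider is signing with the shared client secret and the consumer must either verify HS256 with that secret or the provider must be given an asymmetric signing key; `unknown-kid` points at a key rotation or a mismatched provider URL rather than at the token format.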
