[BUG] - OIDC token exchange fails with "invalid client_secret" when using Dex #4633
Comments
Have you tried changing
Your Dex logs give you a pretty good error.
Mealie is sending the wrong client_secret to your IdP. This can either be because you've entered it wrong, or it might have an invalid character in the string. Double check that you've entered the correct client_secret into Mealie and that it matches what Dex expects and check that the client secret doesn't contain any
My token contained a slash (
Mealie (or rather Authlib) sends the client secret as a URL parameter, which is valid per the spec, but it means the secret needs to be URL safe. Definitely worth a mention in the doc
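An added example, not part of the thread and not code from Mealie, Authlib or Dex: a stdlib-only check of which client secrets survive the two standard token-endpoint client authentication methods (`client_secret_post` and `client_secret_basic`) when the client and the provider disagree about URL-encoding. The function names, the client id `mealie` and the sample secrets are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# RFC 3986 "unreserved" characters survive every encode/decode step unchanged.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def risky_chars(secret: str) -> list[str]:
    """Characters whose wire form depends on how each side encodes/decodes."""
    return sorted({c for c in secret if c not in UNRESERVED})


def post_roundtrip(secret: str, client_encodes: bool) -> str:
    """client_secret_post: the secret travels in the form-encoded request body."""
    if client_encodes:
        body = urlencode({"grant_type": "authorization_code", "client_secret": secret})
    else:  # naive string concatenation, no escaping
        body = "grant_type=authorization_code&client_secret=" + secret
    return parse_qs(body, keep_blank_values=True).get("client_secret", [""])[0]


def basic_roundtrip(client_id: str, secret: str, client_encodes: bool, server_decodes: bool) -> str:
    """client_secret_basic: RFC 6749 section 2.3.1 form-encodes id and secret before base64."""
    enc = quote_plus if client_encodes else (lambda s: s)
    header = "Basic " + base64.b64encode(f"{enc(client_id)}:{enc(secret)}".encode()).decode()
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    received = raw.split(":", 1)[1]
    return unquote_plus(received) if server_decodes else received


def diagnose(secret: str, client_id: str = "mealie") -> dict[str, bool]:
    """True means the provider would see exactly the configured secret."""
    result = {
        "post/encoded": post_roundtrip(secret, True) == secret,
        "post/raw": post_roundtrip(secret, False) == secret,
    }
    for c in (True, False):
        for s in (True, False):
            key = f"basic/client_{'enc' if c else 'raw'}/server_{'dec' if s else 'raw'}"
            result[key] = basic_roundtrip(client_id, secret, c, s) == secret
    return result


if __name__ == "__main__":
    for sample in ("s3cr3t-OK_1.~", "ab/cd+ef", "p%41ss&x=1"):  # constructed secrets
        print(sample, risky_chars(sample), diagnose(sample))
```

A secret for which `risky_chars` returns an empty list compares equal under every combination, so regenerating the secret from unreserved characters only removes encoding as a variable while debugging.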
Strange, the secret is definitely URL safe and the secret being sent matches the one Dex is storing. I'll try changing the claim name over to email shortly 👍
That definitely should have worked, by what the .well-known spec suggests. But it doesn't look like it has.
Hm, I was actually using Authelia, but had the exact same error messages as you and figured it might be related. Sorry that that didn't work out for you. One particular thing I noticed: Authlib used the exact same error message returned by my IdP portal, as opposed to your errors. Did you try tracing the error where exactly it originates from? Maybe that will give you a clue.
I was trying to add some debug logging so it was easier to see if we're missing claims or something similar on the Mealie side. Is there anything holding up that PR?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Description
When using Mealie v2.3.0 with Dex as an OIDC provider, the authentication flow fails during the token exchange step. The initial authentication with the identity provider (Google through Dex) succeeds, but Mealie fails to exchange the authorization code for tokens.
Environment
Configuration
Environment variables set:
Error Messages
Dex logs:
Mealie logs:
Expected Behavior
The token exchange should succeed, allowing the user to complete the OIDC authentication flow and log in to Mealie.
Actual Behavior
The token exchange fails with a 401 Unauthorized error, indicating an issue with the client secret handling during the token exchange phase.
Additional Context