
[Bug] OIDC Token Verification Fails When Authentik Encrypts "id_token" #2446

Open
rolestack opened this issue Feb 24, 2025 · 3 comments
Labels: bug (Something isn't working), OIDC (OpenID Connect related issues)

Comments

@rolestack

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When both the signing key and the encryption key are applied in Authentik, the following error is output:

2025-02-24T15:53:18Z ERR user msg: failed to verify id_token error="failed to verify ID token: oidc: failed to unmarshal claims: invalid character '\\x0f' looking for beginning of value" code=403

Expected Behavior

It seems that the error occurs because the OIDC code does not decrypt the encrypted token.

Steps To Reproduce

After removing the encryption key and attempting the login again, it works as expected.

Login fail (screenshot)

Login success (screenshot)

Environment

- Headscale version: 0.25.0
- Authentik version: 2025.2.0

config.yml

oidc:
  only_start_if_oidc_is_available: true
  issuer: "https://authentik.my.domain/application/o/headscale/"
  client_id: "------"
  client_secret: "------"

  use_expiry_from_token: false

  scope: ["openid", "profile", "email"]

  pkce:
    enabled: true
    method: S256

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response
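The failure in the report is a layout mismatch between what the provider sent and what the relying party expects: a signed ID token (JWS, RFC 7515) has three dot-separated segments, header.payload.signature, while an encrypted one (JWE, RFC 7516) has five, header.encryptedKey.iv.ciphertext.tag. A verifier that only knows JWS and JSON-decodes the second segment as claims lands on the encrypted content-encryption key, which is opaque bytes, hence an error like "failed to unmarshal claims: invalid character '\x0f'". The following is an added example, not headscale's or Authentik's code, showing how a relying party can classify the token by structure before verification so that an encrypted id_token produces a precise, triageable error. `ClassifyIDToken`, `PrecheckIDToken`, `NaiveClaimsDecode`, and the `SampleJWS`/`SampleJWE` strings are all constructed for this illustration; the samples are not real tokens and carry no real signature or ciphertext. Actually decrypting a JWE would additionally require the relying party's private key and a JWE library, which this example deliberately does not attempt.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// TokenKind classifies the compact serialization of an id_token.
type TokenKind int

const (
	KindUnknown TokenKind = iota
	KindJWS                // 3 segments: header.payload.signature (signed ID token, RFC 7515)
	KindJWE                // 5 segments: header.encryptedKey.iv.ciphertext.tag (encrypted ID token, RFC 7516)
)

// ErrEncryptedIDToken is returned when the provider sent a JWE but this
// relying party only knows how to verify signed (JWS) ID tokens.
var ErrEncryptedIDToken = errors.New("id_token is a JWE (encrypted); this verifier cannot decrypt it")

// ClassifyIDToken looks only at the token's structure: the number of
// dot-separated segments and the protected header. Nothing in the token is
// trusted at this point; the claims are still unverified.
func ClassifyIDToken(raw string) (TokenKind, error) {
	parts := strings.Split(raw, ".")
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return KindUnknown, fmt.Errorf("malformed protected header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
		Enc string `json:"enc"` // present only in JWE protected headers
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return KindUnknown, fmt.Errorf("protected header is not JSON: %w", err)
	}
	switch {
	case len(parts) == 5 && hdr.Enc != "":
		return KindJWE, nil
	case len(parts) == 3 && hdr.Enc == "":
		return KindJWS, nil
	}
	return KindUnknown, fmt.Errorf("unrecognised token layout: %d segments, alg=%q enc=%q", len(parts), hdr.Alg, hdr.Enc)
}

// PrecheckIDToken runs before the JWS verifier so an encrypted token yields
// a precise error instead of a confusing claims-decoding failure.
func PrecheckIDToken(raw string) error {
	kind, err := ClassifyIDToken(raw)
	if err != nil {
		return err
	}
	if kind == KindJWE {
		return ErrEncryptedIDToken
	}
	return nil
}

// NaiveClaimsDecode reproduces what a JWS-only verifier does when it
// JSON-decodes the second segment as claims. On a JWE that segment is the
// encrypted content-encryption key, so the decode fails on binary data.
func NaiveClaimsDecode(raw string) (map[string]any, error) {
	parts := strings.Split(raw, ".")
	if len(parts) < 2 {
		return nil, errors.New("malformed token: fewer than 2 segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding segment 1: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("failed to unmarshal claims: %w", err)
	}
	return claims, nil
}

// seg base64url-encodes one compact-serialization segment without padding.
func seg(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Constructed samples (not real tokens): only their layout matters here.
var (
	SampleJWS = strings.Join([]string{
		seg([]byte(`{"alg":"RS256","typ":"JWT"}`)),
		seg([]byte(`{"iss":"https://authentik.example/application/o/headscale/","sub":"user-123"}`)),
		seg([]byte("not-a-real-signature")),
	}, ".")
	SampleJWE = strings.Join([]string{
		seg([]byte(`{"alg":"RSA-OAEP","enc":"A256GCM"}`)),
		seg([]byte{0x0f, 0x8a, 0x22, 0x7c, 0x01}), // encrypted CEK: opaque bytes, first one 0x0f
		seg([]byte{0x10, 0x11, 0x12}),             // IV
		seg([]byte{0xde, 0xad, 0xbe, 0xef}),       // ciphertext
		seg([]byte{0x99, 0x88}),                   // authentication tag
	}, ".")
)

func main() {
	for _, tok := range []string{SampleJWS, SampleJWE} {
		_, err := NaiveClaimsDecode(tok)
		fmt.Printf("naive decode: %v\n", err)
		fmt.Printf("precheck:     %v\n", PrecheckIDToken(tok))
	}
}
```

Running it shows the naive decode succeeding on the JWS sample and failing on the JWE sample with "invalid character '\x0f' looking for beginning of value", the same shape as the logged error, while the precheck turns the JWE case into `ErrEncryptedIDToken`. Until a relying party implements JWE decryption, the operational fix remains the one the report found: do not configure an encryption key for that client in Authentik.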

@rolestack rolestack added the bug Something isn't working label Feb 24, 2025
@kradalby kradalby added the OIDC OpenID Connect related issues label Feb 25, 2025
@kradalby
Collaborator

Is this a separate encryption key that is specific to Authentik? Or is it part of any spec?

If it is part of a spec, we can have a look at implementing it; if it is only present in Authentik, we likely will not support it, or at least prioritise it.

@rolestack
Author

According to the OpenID Connect Core 1.0, ID token encryption is optional.

That said, encryption is still a good idea. It helps keep the token's contents private and prevents sensitive data from being exposed. If the ID token includes anything sensitive, turning on encryption adds an extra layer of security.

So, while it’s not a requirement, enabling encryption is definitely worth considering, especially in high-security environments.

@rolestack
Author

Authentik added JWE support for OAuth in their 2024.10.0 release.
I'm not sure if other products have implemented this feature yet.
