[Bug] authentik作为sso登录提供者，登录验证报错

[dalamudx]

📦 部署环境

Docker

📌 软件版本

v1.36.31

💻 系统环境

Ubuntu

🌐 浏览器

Chrome

🐛 问题描述

使用authentik作为sso，登录时发现lobechat报错了

authentik提供程序配置

容器配置

  lobechat:
    image: reg.xxxxxx.com/lobehub/lobe-chat:latest
    container_name: lobechat
    networks:
      - traefik
    expose:
      - 3210
    environment:
      - NEXT_PUBLIC_SERVICE_MODE=server
      - NEXT_AUTH_SECRET=xxxxxxxxxxxxx
      - NEXT_AUTH_SSO_PROVIDERS=authentik
      - NEXTAUTH_URL=https://openai.xxxxxxx.com/api/auth
      - APP_URL=https://openai.xxxxxxx.com
      - KEY_VAULTS_SECRET=xxxxxxxxxxxxxxx
      - DATABASE_URL=postgres://lobechat:xxxxxxxx@postgres:5432/lobechat
      - AUTH_AUTHENTIK_ID=xxxxxxxxxxxxx
      - AUTH_AUTHENTIK_SECRET=xxxxxxxxxxxx
      - AUTH_AUTHENTIK_ISSUER=https://auth.xxxxxx.com/application/o/openai/
      - OPENAI_API_KEY=sk-xxxxxxxxxxxxxxxxxxxx
      - ACCESS_CODE=xxxxxxxxxxxxxxxxx
    volumes:
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt

日志

next auth: undefined
next auth: undefined
2024/12/17 06:49PM 30 pid=8 hostname=ceb93c2e2fd4 msg=Error in tRPC handler (lambda) on path: file.getFiles, type: query
a [TRPCError]: UNAUTHORIZED
    at /app/.next/server/chunks/93519.js:1:1932
    at f (/app/.next/server/chunks/88615.js:4:74)
    at r (/app/.next/server/chunks/88615.js:1:5810)
    at /app/.next/server/chunks/20516.js:1:7781
    at Array.map (<anonymous>)
    at g (/app/.next/server/chunks/20516.js:1:7318)
    at async _ (/app/.next/server/app/(backend)/trpc/lambda/[trpc]/route.js:1:3799)
    at async /app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d_1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d_1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
    at async eC.handle (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d_1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186) {
  cause: undefined,
  code: 'UNAUTHORIZED'
}
a [TRPCError]: UNAUTHORIZED
    at /app/.next/server/chunks/93519.js:1:1932
    at f (/app/.next/server/chunks/88615.js:4:74)
    at r (/app/.next/server/chunks/88615.js:1:5810)
    at /app/.next/server/chunks/20516.js:1:7781
    at Array.map (<anonymous>)
    at g (/app/.next/server/chunks/20516.js:1:7318)
    at async _ (/app/.next/server/app/(backend)/trpc/lambda/[trpc]/route.js:1:3799)
    at async /app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d_1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d_1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
    at async eC.handle (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d_1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186) {
  cause: undefined,
  code: 'UNAUTHORIZED'
}
2024/12/17 06:49PM 30 pid=8 hostname=ceb93c2e2fd4 msg=Error in tRPC handler (lambda) on path: knowledgeBase.getKnowledgeBases, type: query
[auth][error] CallbackRouteError: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: r1: JWE decryption is not configured
    at iu (/app/.next/server/chunks/43505.js:368:22709)
    at nj (/app/.next/server/chunks/43505.js:368:16136)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async nB (/app/.next/server/chunks/43505.js:368:18803)
    at async iH (/app/.next/server/chunks/43505.js:368:34416)
    at async iz (/app/.next/server/chunks/43505.js:368:40333)
    at async i0 (/app/.next/server/chunks/43505.js:368:51902)
    at async i2 (/app/.next/server/chunks/43505.js:368:56596)
    at async /app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d_1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d_1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
[auth][details]: {
  "0": "e",
  "1": "y",
  "2": "J",
  "3": "h",
  "4": "b",
  "5": "G",
  "6": "c",
  "7": "i",
  "8": "O",
  "9": "i",
  "10": "J",
  "11": "S",
  "12": "U",
  "13": "0",
  "14": "E",
  "15": "t",
  "16": "T",
  "17": "0",
  "18": "F",
  "19": "F",
  "20": "U",
  "21": "C",
中间有很长一部分类似日志就不贴了
  "2897": "Y",
  "2898": "s",
  "2899": "q",
  "2900": "U",
  "2901": "Y",
  "2902": "-",
  "2903": "P",
  "2904": "G",
  "2905": "e",
  "2906": "f",
  "2907": "I",
  "2908": "A",
  "provider": "authentik"
}
[NextAuth] Error: {
  cause: 'Configuration',
  message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
  name: 'NextAuth Error'
}

📷 复现步骤

按照上述配置部署lobechat

🚦 期望结果

No response

📝 补充信息

No response

[lobehubbot]

Bot detected the issue body's language is not English, translate it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿

---

📦 Deployment environment

Docker

📌 Software version

v1.36.31

💻 System environment

Ubuntu

🌐 Browser

Chrome

🐛 Problem description

Using authentik as sso, I found that lobechat reported an error when logging in.

authentik provider configuration

Container configuration

  lobechat:
    image: reg.dalamud.com/lobehub/lobe-chat:latest
    container_name: lobechat
    networks:
      - traefik
    expose:
      - 3210
    environment:
      - NEXT_PUBLIC_SERVICE_MODE=server
      - NEXT_AUTH_SECRET=xxxxxxxxxxxxx
      - NEXT_AUTH_SSO_PROVIDERS=authentik
      - NEXTAUTH_URL=https://openai.xxxxxxx.com/api/auth
      - APP_URL=https://openai.xxxxxxx.com
      - KEY_VAULTS_SECRET=xxxxxxxxxxxxxxx
      - DATABASE_URL=postgres://lobechat:xxxxxxxx@postgres:5432/lobechat
      - AUTH_AUTHENTIK_ID=xxxxxxxxxxxxx
      - AUTH_AUTHENTIK_SECRET=xxxxxxxxxxxx
      - AUTH_AUTHENTIK_ISSUER=https://auth.xxxxxx.com/application/o/openai/
      - OPENAI_API_KEY=sk-xxxxxxxxxxxxxxxxxxxx
      - ACCESS_CODE=xxxxxxxxxxxxxxxxx
    volumes:
      - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt

log

next auth: undefined
next auth: undefined
2024/12/17 06:49PM 30 pid=8 hostname=ceb93c2e2fd4 msg=Error in tRPC handler (lambda) on path: file.getFiles, type: query
a [TRPCError]: UNAUTHORIZED
    at /app/.next/server/chunks/93519.js:1:1932
    at f (/app/.next/server/chunks/88615.js:4:74)
    at r (/app/.next/server/chunks/88615.js:1:5810)
    at /app/.next/server/chunks/20516.js:1:7781
    at Array.map (<anonymous>)
    at g (/app/.next/server/chunks/20516.js:1:7318)
    at async _ (/app/.next/server/app/(backend)/trpc/lambda/[trpc]/route.js:1:3799)
    at async /app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d _1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d _1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
    at async eC.handle (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d _1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186) {
  cause: undefined,
  code: 'UNAUTHORIZED'
}
a [TRPCError]: UNAUTHORIZED
    at /app/.next/server/chunks/93519.js:1:1932
    at f (/app/.next/server/chunks/88615.js:4:74)
    at r (/app/.next/server/chunks/88615.js:1:5810)
    at /app/.next/server/chunks/20516.js:1:7781
    at Array.map (<anonymous>)
    at g (/app/.next/server/chunks/20516.js:1:7318)
    at async _ (/app/.next/server/app/(backend)/trpc/lambda/[trpc]/route.js:1:3799)
    at async /app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d _1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d _1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
    at async eC.handle (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d _1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186) {
  cause: undefined,
  code: 'UNAUTHORIZED'
}
2024/12/17 06:49PM 30 pid=8 hostname=ceb93c2e2fd4 msg=Error in tRPC handler (lambda) on path: knowledgeBase.getKnowledgeBases, type: query
[auth][error] CallbackRouteError: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: r1: JWE decryption is not configured
    at iu (/app/.next/server/chunks/43505.js:368:22709)
    at nj (/app/.next/server/chunks/43505.js:368:16136)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async nB (/app/.next/server/chunks/43505.js:368:18803)
    at async iH (/app/.next/server/chunks/43505.js:368:34416)
    at async iz (/app/.next/server/chunks/43505.js:368:40333)
    at async i0 (/app/.next/server/chunks/43505.js:368:51902)
    at async i2 (/app/.next/server/chunks/43505.js:368:56596)
    at async /app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d _1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.26.0_@opentelemetry+api@1.9.0_@playwright+test@1.49.1_react-d _1cf2c798572f9d55dae58de467e3f455/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
[auth][details]: {
  "0": "e",
  "1": "y",
  "2": "J",
  "3": "h",
  "4": "b",
  "5": "G",
  "6": "c",
  "7": "i",
  "8": "O",
  "9": "i",
  "10": "J",
  "11": "S",
  "12": "U",
  "13": "0",
  "14": "E",
  "15": "t",
  "16": "T",
  "17": "0",
  "18": "F",
  "19": "F",
  "20": "U",
  "21": "C",
There is a long part of similar logs in the middle so I won’t post them.
  "2897": "Y",
  "2898": "s",
  "2899": "q",
  "2900": "U",
  "2901": "Y",
  "2902": "-",
  "2903": "P",
  "2904": "G",
  "2905": "e",
  "2906": "f",
  "2907": "I",
  "2908": "A",
  "provider": "authentik"
}
[NextAuth] Error: {
  cause: 'Configuration',
  message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
  name: 'NextAuth Error'
}

📷 Steps to reproduce

Deploy lobechat according to the above configuration

🚦 Expected results

No response

📝 Supplementary information

No response

[lobehubbot]

👀 @dalamudx

Thank you for raising an issue. We will investigate into the matter and get back to you as soon as possible.
Please make sure you have given us as much context as possible.
非常感谢您提交 issue。我们会尽快调查此事，并尽快回复您。 请确保您已经提供了尽可能多的背景信息。

[dosubot]

@dalamudx 你好! 我是Dosu，一个可以帮助你解决bug、回答问题并成为贡献者的机器人。我会在等待人类维护者的期间帮助你。🤖

To resolve the "UNAUTHORIZED" error when using Authentik as an SSO provider for LobeChat, ensure the following configurations are properly set:

1. Verify ctx.userId: Ensure that ctx.userId is correctly set in your context. This involves verifying the authentication token and extracting the user ID from it.

2. Environment Variables: Double-check the following environment variables:

   • NEXTAUTH_URL: This should be set to the callback address for Auth.js, e.g., https://your-domain/api/auth.
   • NEXT_AUTH_SECRET: Generate a secret using openssl rand -base64 32 to encrypt Auth.js session tokens.
   • NEXT_AUTH_SSO_PROVIDERS: Set this to authentik.
   • AUTH_AUTHENTIK_ID: Use the Client ID from the Authentik application provider details page.
   • AUTH_AUTHENTIK_SECRET: Use the Client Secret from the Authentik application provider details page.
   • AUTH_AUTHENTIK_ISSUER: Use the OpenID Configuration Issuer from the Authentik application provider details page.

3. Redirect URL/Origin: Ensure the Redirect URL/Origin (regex) in Authentik matches the deployed URL, e.g., https://your-domain/api/auth/callback/authentik. Replace your-domain with your actual domain name.

Additionally, the "JWE decryption is not configured" error suggests that there might be a misconfiguration related to JSON Web Encryption. Ensure that your Authentik setup supports JWE if required, or adjust the configuration to use JWT without encryption if JWE is not needed.

For more detailed guidance, you can refer to the documentation on self-hosting and authentication setup for LobeChat ^[1][2].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[dosubot]

To resolve the "UNAUTHORIZED" error and configuration issues when using Authentik as an SSO provider for Lobe Chat in a Docker environment on Ubuntu, ensure the following configurations are properly set:

1. Create an Authentik Application Provider:

   • In your Authentik instance, navigate to Admin Interface -> Applications -> Providers and create a new provider.
   • Select OAuth2/OpenID Provider as the provider type.
   • Fill in the provider name, select the authentication flow and authorization flow.
   • In the Redirect URL/Origin (regex) field, enter https://your-domain/api/auth/callback/authentik, replacing your-domain with your actual domain name.

2. Configure Environment Variables:

   • Ensure the following environment variables are correctly set:
     • NEXT_AUTH_SECRET: The secret used to encrypt Auth.js session tokens. Generate it using openssl rand -base64 32.
     • NEXT_AUTH_SSO_PROVIDERS: Set to authentik for Authentik.
     • AUTH_AUTHENTIK_ID: The Client ID from the Authentik application provider details page.
     • AUTH_AUTHENTIK_SECRET: The Client Secret from the Authentik application provider details page.
     • AUTH_AUTHENTIK_ISSUER: The OpenID Configuration Issuer from the Authentik application provider details page.
     • NEXTAUTH_URL: Specify the callback address for Auth.js, e.g., https://example.com/api/auth.

3. Verify Token and User ID:

   • Ensure that ctx.userId is correctly set in your context.
   • Check that your authentication token is being properly verified and that the user ID is extracted from the verified token and set in the context.

By following these steps, you should be able to resolve the "UNAUTHORIZED" error and configuration issues when using Authentik as an SSO provider for Lobe Chat ^[1].

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[lobehubbot]

✅ @dalamudx

This issue is closed, If you have any questions, you can comment and reply.
此问题已经关闭。如果您有任何问题，可以留言并回复。