Comments (4)
Well, tangentially related it seems. If you're using the expand-env filter, which we're likely to deprecate, then you need to quote every $ per the known limitations in the docs: https://www.authelia.com/configuration/methods/files/#expand-environment-variable-filter
We still shouldn't panic here even though it's recovered, but we'll make sure this is fixed and link it to the issue.
Further discussion about the issue that is not directly related to the panic can be had here: #6934
Due to the fact the panic is gracefully recovered the classification of the priority of this is now low.
from authelia.
Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.
Based on the detailed description and reproduction steps you've provided, it seems like the issue arises from the interaction between the expand-env filter and the way client_secret is handled when it's prefixed with $plaintext$. The expand-env filter is designed to expand environment variables in the configuration, but when it encounters the $ symbol in the client_secret, it might be attempting to interpret it as an environment variable, leading to unexpected behavior or errors.
To address this issue, you have a couple of options:
- Avoid Using expand-env with Sensitive Secrets: If your configuration relies on plaintext secrets, consider not using the expand-env filter for those specific secrets. This would prevent the filter from misinterpreting the $ symbol as an environment variable.
- Use Hashed Secrets: As mentioned, using hashed secrets (e.g., $pbkdf2-sha512$310000$...) is a more secure practice and avoids the issue with the expand-env filter. Authelia supports hashing client secrets, which not only enhances security but also circumvents the problem you're encountering.
- Check for Updates or Patches: Given that this behavior could be considered unexpected, it's worth checking if there have been any updates or patches to Authelia that address this specific interaction. The Authelia team might have recognized this as a bug and provided a fix in a newer version.
- Report the Issue: If after trying the above solutions the problem persists, and you believe this behavior is not intended or could be handled better, consider reporting it to the Authelia team. Given the detailed information you've already compiled, this would be valuable feedback for them.
For generating hashed secrets, you can refer to the Authelia documentation on generating client secrets, which provides guidance on creating secure, hashed secrets for use in your configuration.
Documentation References:
- Generating a Random Alphanumeric String: Authelia FAQ on Generating Client ID/Identifier
- Generating a Random Password Hash: Authelia FAQ on Generating Client Secrets
- Handling of the expand-env filter and its limitations: Authelia Configuration Methods
These references should help you navigate the issue and apply the most suitable solution for your setup.
This comment was generated by Glime.
Hello, seems similar to #6932 that I just reported earlier today: issue parsing client_secret in the configuration file
It's unrelated to that issue. The issue is they have not configured a secret because they are using the expand-env filter but didn't quote the $, causing a panic which we should be checking much earlier.
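An added example, not Authelia's own code, of why an unquoted $ in a client_secret leaves the client with effectively no secret: a small Go program written for this thread runs values through an expand-env style filter built on os.Expand and flags a secret whose $plaintext$ or hash prefix did not survive expansion. For the demo it assumes a doubled $$ is the literal escape; the real filter's escaping rules are in the documentation linked above.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// expandEnvLike mimics an expand-env style filter: each $NAME or ${NAME}
// is replaced by lookup(NAME), which is empty for an unset variable.
// Demo assumption: "$$" is kept as a literal "$" (not Authelia's filter).
func expandEnvLike(in string, lookup func(string) string) string {
	const marker = "\x00" // placeholder that os.Expand leaves untouched
	escaped := strings.ReplaceAll(in, "$$", marker)
	expanded := os.Expand(escaped, lookup)
	return strings.ReplaceAll(expanded, marker, "$")
}

// secretPrefix matches the $plaintext$ and hashed-secret forms a client
// secret is expected to start with.
var secretPrefix = regexp.MustCompile(`^\$(plaintext|pbkdf2-sha512|argon2id)\$`)

// checkSecret (demo helper) reports a client_secret that was written with a
// recognised $prefix$ but lost it during expansion, or that ended up empty,
// so the misconfiguration is caught at validation time instead of at runtime.
func checkSecret(raw, expanded string) error {
	if secretPrefix.MatchString(raw) && !secretPrefix.MatchString(expanded) {
		return fmt.Errorf("client_secret %q was mangled by env expansion to %q: escape each $", raw, expanded)
	}
	if expanded == "" {
		return fmt.Errorf("client_secret %q is empty after expansion", raw)
	}
	return nil
}

func main() {
	// Constructed environment for the demo.
	env := map[string]string{"OIDC_SECRET": "s3cr3t"}
	lookup := func(k string) string { return env[k] }
	for _, raw := range []string{
		"$plaintext$example-secret",   // unescaped: both $ are taken as variable references
		"$$plaintext$$example-secret", // escaped: the literal $ survive
		"${OIDC_SECRET}",              // the intended use of the filter
	} {
		got := expandEnvLike(raw, lookup)
		fmt.Printf("%-30s -> %q err=%v\n", raw, got, checkSecret(raw, got))
	}
}
```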