[BUG] - OIDC token exchange fails with "invalid client_secret" when using Dex #4633

Open
damacus opened this issue Nov 30, 2024 · 7 comments
@damacus
Contributor

damacus commented Nov 30, 2024

Description

When using Mealie v2.3.0 with Dex as an OIDC provider, the authentication flow fails during the token exchange step. The initial authentication with the identity provider (Google through Dex) succeeds, but Mealie fails to exchange the authorization code for tokens.

Environment

  • Mealie version: v2.3.0
  • OIDC Provider: Dex v2.41.1
  • Identity Provider: Google (through Dex)
  • Deployment: Kubernetes

Configuration

Environment variables set:

OIDC_AUTH_ENABLED: "true"
OIDC_SIGNUP_ENABLED: "true"
OIDC_CONFIGURATION_URL: "https://dex.example.com/.well-known/openid-configuration"
OIDC_CLIENT_ID: "mealie"
OIDC_AUTO_REDIRECT: "false"
OIDC_PROVIDER_NAME: "Dex"
OIDC_REMEMBER_ME: "false"
OIDC_SCOPES: "openid profile email groups"
OIDC_USER_CLAIM: "email"
OIDC_NAME_CLAIM: "name"
OIDC_GROUPS_CLAIM: "groups"

Error Messages

Dex logs:

{"time":"2024-11-30T21:43:39.272147263Z","level":"INFO","msg":"login successful","connector_id":"google","username":"[redacted]","preferred_username":"","email":"[redacted]","groups":null,"request_id":"105916be-ed71-4c34-9f31-e376940f934e"}
{"time":"2024-11-30T21:43:39.701309503Z","level":"INFO","msg":"invalid client_secret on token request","client_id":"mealie","request_id":"4b7d55a8-5033-4c3b-96c0-1afc8138247d"}

Mealie logs:

authlib.integrations.base_client.errors.OAuthError: invalid_client: Invalid client credentials.

Expected Behavior

The token exchange should succeed, allowing the user to complete the OIDC authentication flow and log in to Mealie.

Actual Behavior

The token exchange fails with a 401 Unauthorized error, indicating an issue with the client secret handling during the token exchange phase.

Additional Context

  • The initial authentication with Google through Dex is successful
  • The error occurs specifically during the token exchange step
  • Other OIDC clients (like Grafana) work correctly with the same Dex configuration
@JoTec2002
Contributor

Have you tried changing OIDC_NAME_CLAIM: "name" to "email" or "username"?

@cmintey
Contributor

cmintey commented Dec 3, 2024

Your Dex logs give you a pretty good error.

invalid client_secret on token request","client_id":"mealie"

Mealie is sending the wrong client_secret to your IdP. This can either be because you've entered it wrong, or it might have an invalid character in the string. Double check that you've entered the correct client_secret into Mealie and that it matches what Dex expects, and check that the client secret doesn't contain any & characters, as that can cause issues in the request.

@hay-kot hay-kot added the OIDC label Dec 4, 2024
@redxef

redxef commented Dec 9, 2024

My token contained a slash (/) and a plus (+) - I'm not sure which of them broke the authentication flow, it might be both or either. Tokens containing those characters work fine with other clients, but not Mealie. I guess this is not standards conformant. Still, maybe a hint in the documentation would be appropriate?

@cmintey
Contributor

cmintey commented Dec 9, 2024

Mealie (or rather Authlib) sends the client secret as a URL parameter, which is valid per the spec, but it means the secret needs to be URL safe. Definitely worth a mention in the doc.

@damacus
Contributor Author

damacus commented Dec 9, 2024

Strange, the secret is definitely URL safe and the secret being sent matches the one Dex is storing.

I'll try changing the claim name over to email shortly 👍
Thanks for your help on this one.

@damacus
Contributor Author

damacus commented Dec 11, 2024

> Strange, the secret is definitely URL safe and the secret being sent matches the one Dex is storing.
>
> I'll try changing the claim name over to email shortly 👍 Thanks for your help on this one.

That definitely should have worked, by what the .well-known spec suggests. But it doesn't look like it has.

@redxef

redxef commented Dec 11, 2024

Hm, I was actually using Authelia, but had the exact same error messages as you and figured it might be related. Sorry that that didn't work out for you. One particular thing I noticed: Authlib used the exact same error message returned by my IdP portal, as opposed to your errors. Did you try tracing the error where exactly it originates from? Maybe that will give you a clue.
