[Bug]: "[Auth] No data in openid callback - OPError: expected 200 OK, got: 302 Found" #2716

Closed
opened 2026-04-25 00:09:50 +02:00 by adam · 11 comments

Originally created by @Gibby503 on GitHub (Apr 19, 2025).

What happened?

Image

"[Auth] No data in openid callback - OPError: expected 200 OK, got: 302 Found"

Getting this error when trying to sign in using a SaaS OIDC application via cloudflare, which in turn is using Authentik as its OIDC provider. The cloudflare SaaS OIDC information is what's been popped in to audiobookshelf under the authentication settings.

Not sure why I'm getting this error, this setup is working with other services I host.

Image

If I don't use cloudflare to pass the authentication through to authentik, and only use authentik, I get a 403 error instead -
Image

What did you expect to happen?

sso via this cloudflare app/authentik setting in to audiobookshelf via matched usernames

Steps to reproduce the issue

  1. see what happened section

Audiobookshelf version

v2.20.0

How are you running audiobookshelf?

Docker

What OS is your Audiobookshelf server hosted from?

Other (list in "Additional Notes" box)

If the issue is being seen in the UI, what browsers are you seeing the problem on?

None

Logs

2025-04-19 04:41:11.844 ERROR "[Auth] No data in openid callback - OPError: expected 200 OK, got: 302 Found"

Additional Notes

Unraid Docker, using a cloudflare tunnel to publicly host the service and this is why I would like the SSO via cloudflare/authentik

adam added the bug label 2026-04-25 00:09:50 +02:00
adam closed this issue 2026-04-25 00:09:50 +02:00

@nichwall commented on GitHub (Apr 19, 2025):

How have you configured OIDC in ABS?


@Gibby503 commented on GitHub (Apr 19, 2025):

I have it setup as an application/provider, which is linked to a cloudflare saas oidc application, the details of that are what are in abs


@nichwall commented on GitHub (Apr 19, 2025):

I mean can you log in and share a screenshot of the configuration? Don't forget to block out any domain information, but someone may come along and help point out what is wrong. This sounds like either something is set up wrong or something is configured incorrectly outside of ABS.

The website has instructions for bypassing SSO and how to set it up in general https://www.audiobookshelf.org/guides/oidc_authentication. It looks like you have not disabled the local login due to sharing screenshots of the logs so you should be able to get to the authentication settings page.

The redirect issue sounds like an issue outside of Audiobookshelf, though. Initial searching for the 302 return code is that Cloudflare or your other SSO provider is returning the wrong thing. This could be an issue if you are mixing protocols like http and https.


@Gibby503 commented on GitHub (Apr 19, 2025):

I've setup pocketid instead of authentik now and still getting [Auth] No data in openid callback - OPError: expected 200 errors.

If I point it directly to the pocket ID instance, and if I try and route it through cloudflare, one gets me a 403 error and the other a 302 -

Image

Image

I followed both the ABS, and PocketID instructions - https://pocket-id.org/docs/client-examples/audiobookshelf


@advplyr commented on GitHub (Apr 19, 2025):

Make sure to restart your server any time you make changes to the auth settings. There is a known issue where settings are only applied on server init.


@Gibby503 commented on GitHub (Apr 19, 2025):

Yep, I've restarted both the auth service and the abs service and still get the error sadly - [Auth] No data in openid callback - OPError: expected 200 OK, got: 302 Found

Swapped back to using the cloudflare saas oidc application that's using pocketid.
Even added more redirect URIs for http and the local IP in case that was the issue, but no luck.

I feel like it must be some tiny thing that's causing a conflict, whether it's cloudflare or something on that side, I'm not sure, as I'm having 403 errors locally even if cloudflare isn't in the picture. Although, I guess I am accessing my abs via a cloudflare tunnel'd domain, even so, I get the same errors using the service locally. On the authentik/pocketID app side, it's always happy that the connection has been authorised, and the error is on the ABS side.


@Gibby503 commented on GitHub (Apr 20, 2025):

I fixed this :).

Not sure exactly what did it, but, it works now via cloudflare with authentik and pocketid. Thank you for your input!


@caesay commented on GitHub (Apr 29, 2025):

I also have this same issue with CloudFlare (no authentik): "[Auth] No data in openid callback - OPError: expected 200 OK, got: 302 Found".

I don't think it's an issue with SSO configuration (since I use the same setup with lots of other apps) and I've tried updating and restarting everything prior to testing.

Steps to setup:

  • Create a SaaS (oidc) app in CloudFlare Access
  • Add the redirect URLs, an access policy, and save.
  • In Audiobookshelf, enable oidc, paste issuer from CF, clientid, secret, and auto-register and save.

Steps to reproduce:

  • Click the "SSO Login" button
  • This will redirect to CF Access login page. Authenticate as usual
  • I watched in the network tab of devtools
    • there were a few internal cloudflare 302 redirects (expected)
    • I got redirected back to audiobookshelf https://mydomain.com/audiobookshelf/auth/openid/callback?code=[somecode]&state=[somestate] - looks correct and expected to me. This was a GET request, and the response from audiobookshelf was 302 Found (location: /login?error=Unauthorized)

So basically, the SSO auth was successful, the 302 redirect back to audiobookshelf was to the correct URL and contained the required access code. Why would audiobookshelf say "No data in openid callback" ?

(As an aside, I would actually prefer to not have to configure OIDC in audiobookshelf at all. My reverse proxy authenticates requests before audiobookshelf is even reached, and can supply a header containing the authenticated user's email for auto login.)


@Sapd commented on GitHub (May 16, 2025):

@caesay

> I watched in the network tab of devtools
> So basically, the SSO auth was successful, the 302 redirect back to audiobookshelf was to the correct URL and contained the required access code. Why would audiobookshelf say "No data in openid callback" ?

You are misinterpreting it a bit. To be fair, "callback" in this case is confusing.

It does not mean the OpenID Callback but the passport callback - which in the end is the identity provider's token endpoint.

So basically what fails is this communication:
Audiobookshelf -> Idp Token endpoint

So you cannot verify that via the network tab of your browser, as that one is between ABS and the IDP.
Like the error message says, the problem is that the token endpoint returns 302 for some reason (which is wrong). One possibility could be a http vs https problem. For example if http://idp/token is used instead of https://idp/token because of wrong headers.


@caesay commented on GitHub (May 17, 2025):

@Sapd thanks for the clarification. Cloudflare is my OIDC, so if what you're saying is that audiobookshelf code-behind (not front-end) is making a request to cloudflare, and cloudflare returns a 302, wouldn't that mean audiobookshelf should follow that redirect? Cloudflare (with the same config on both ends) works fine with every other self-hosted app I have, only audiobookshelf has issues, that leads me to believe either the request it's making is wrong or it's expected to follow. Are there any logs I can dig up that would help with further diagnosis?


@Sapd commented on GitHub (May 18, 2025):

@caesay
The handling is done by https://github.com/panva/openid-client . I think a 302 is not defined in the standard and so it does not follow it.
I think there is some kind of configuration mistake. Double check the issuer (which must be really the issuer url - so usually something without an additional path or resource) and authorization url and restart ABS if changing that.
Also make sure X-Forwarded-Proto is correctly set by your reverse proxy.

Indeed it's a bit hard to debug. openid-client does not provide more advanced messages
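
The replies above place the failure on the server-side request from Audiobookshelf to the IdP, which the browser's network tab cannot show. As an added example (not part of the thread, and not Audiobookshelf or openid-client code), this Node 18+ script replays that back channel without following redirects and flags the causes named in the thread; the function names, the `OIDC_ISSUER` variable and the `idp.example` sample are assumptions.

```javascript
// Added diagnostic sketch; names and OIDC_ISSUER are hypothetical, not ABS or openid-client APIs.

// Pure checks: configured issuer vs. discovery document, plus one un-followed token POST.
function checkOidcBackchannel(configuredIssuer, discovery, probe) {
  const findings = [];
  if (discovery.issuer !== configuredIssuer) {
    findings.push(`issuer mismatch: configured ${configuredIssuer}, discovery says ${discovery.issuer}`);
  }
  for (const key of ['authorization_endpoint', 'token_endpoint', 'userinfo_endpoint', 'jwks_uri']) {
    const value = discovery[key];
    if (value && new URL(value).protocol !== 'https:') {
      findings.push(`${key} is not https: ${value}`);
    }
  }
  if (probe.status >= 300 && probe.status < 400) {
    // Per RFC 6749 a token endpoint answers a bad request with 400/401 JSON, not a redirect.
    findings.push(`token endpoint answered ${probe.status}, Location: ${probe.location}`);
  }
  return findings;
}

// Network part (global fetch): discovery fetch and a token-endpoint POST, redirects not followed.
async function probeIssuer(configuredIssuer) {
  const wellKnown = configuredIssuer.replace(/\/+$/, '') + '/.well-known/openid-configuration';
  const res = await fetch(wellKnown, { redirect: 'manual' });
  if (res.status !== 200) return [`discovery answered ${res.status}, Location: ${res.headers.get('location')}`];
  const discovery = await res.json();
  const tokenRes = await fetch(discovery.token_endpoint, {
    method: 'POST',
    redirect: 'manual',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: 'grant_type=authorization_code', // deliberately incomplete: expect 400 or 401
  });
  return checkOidcBackchannel(configuredIssuer, discovery,
    { status: tokenRes.status, location: tokenRes.headers.get('location') });
}

// Constructed sample: discovery advertising an http:// token endpoint and a 302 in reply.
const SAMPLE_DISCOVERY = {
  issuer: 'https://idp.example',
  authorization_endpoint: 'https://idp.example/authorize',
  token_endpoint: 'http://idp.example/token',
};
const SAMPLE_PROBE = { status: 302, location: 'https://idp.example/token' };

if (process.env.OIDC_ISSUER) {
  probeIssuer(process.env.OIDC_ISSUER).then((f) => console.log(f.length ? f.join('\n') : 'no findings'));
}
```

Run it from the same host or container as Audiobookshelf with `OIDC_ISSUER` set to the issuer URL entered in the ABS settings, since the path that matters is the server's route to the IdP, not the browser's.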

Reference: starred/audiobookshelf#2716