OIDC Login Not Supported

[Eschguy]

I use OIDC (Authentik)and am unable to log in.

Error message:

Expected response body of the type 'class n8.b0 (Kotlin reflection is not available)' but was 'class io.ktor.utils.io.t (Kotl in reflection is not available)'
In response from 'https://DOMAIN/api/auth/token'
Response status '500'
Response header'ContentType: text/plain; charset=utf-8
Request header `Accept: application/json'
You can read how to resolve NoTransformation Found Exception at FAQ:
https://ktor.io/docs/faq. html #no-tran sformation-found-exception

[kirmanak]

@Eschguy Thanks to your report I am now also running Authentik :-D But I still wasn't able to reproduce the issue. Are you still able to sign-in with username and password via Mealie UI? I'm asking because the log you attached mentions a 500 response status from Mealie which means a server error.

[Eschguy]

No I force Authentik use when logging into my services, so going to my mealie.domain redirects to my auth.domain to log in before redirecting back.

[kirmanak]

@Eschguy Can you please elaborate on how you force the Authentik use? Are you using a reverse proxy like Traefik to achieve this?

[Eschguy]

I set the OIDC_AUTO_REDIRECT variable to true, as documented here: https://docs.mealie.io/documentation/getting-started/installation/backend-config/#openid-connect-oidc

[kirmanak]

As far as I understand, this approach doesn't really block you from logging in with username and password, it just automatically redirects you from the login page when opened in browser. I have that variable set to true, but I am still able to sign in through the app.

The blocker in your case seems to be the 500 response from Mealie. Could you please set the log level of Mealie to debug, and attempt the sign-in again? If it fails again, please check Mealie logs as described here https://docs.mealie.io/documentation/getting-started/installation/logs/. Once you found the error, please post here the relevant part of the log and Mealie version.

[Eschguy]

[INFO|httptools_impl|L481] 2024-05-09T08:28:19: 207.153.2.74:0 - "GET /api/groups/mealplans/today HTTP/1.1" 200
[DEBUG|AppriseLocale|L140] 2024-05-09T08:28:19: Language set to en
[INFO|httptools_impl|L481] 2024-05-09T08:28:19: 207.153.2.74:0 - "GET /api/groups/mealplans/today HTTP/1.1" 200
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_start with no data
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_name with data[0:8]
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_data with data[9:16]
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_end with no data
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_start with no data
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_name with data[17:25]
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_data with data[26:36]
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_end with no data
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_end with no data
[INFO|httptools_impl|L481] 2024-05-09T08:28:25: 207.153.2.74:0 - "POST /api/auth/token HTTP/1.1" 500
[ERROR|httptools_impl|L416] 2024-05-09T08:28:25: Exception in ASGI application
Traceback (most recent call last):
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 411, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 69, in __call__
    return await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 123, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 186, in __call__
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 164, in __call__
    await self.app(scope, receive, _send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 24, in __call__
    await responder(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 44, in __call__
    await self.app(scope, receive, self.send_with_gzip)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 65, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 756, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 776, in app
    await route.handle(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 297, in handle
    await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 77, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
 File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 72, in app
    response = await func(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 278, in app
    raw_response = await run_endpoint_function(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 191, in run_endpoint_function
    return await dependant.call(**values)
  File "/app/mealie/routes/auth/auth.py", line 50, in get_token
    auth = await auth_provider.authenticate()
  File "/app/mealie/core/security/providers/credentials_provider.py", line 40, in authenticate
    if not CredentialsProvider.verify_password(self.data.password, user.password):
  File "/app/mealie/core/security/providers/credentials_provider.py", line 57, in verify_password
    return get_hasher().verify(plain_password, hashed_password)
  File "/app/mealie/core/security/hasher.py", line 32, in verify
    return bcrypt.checkpw(password_bytes, hashed_bytes)
ValueError: Invalid salt

[kirmanak]

Invalid salt sounds like a Mealie configuration issue. I don't see what I can change in the app to fix this, can you please open an issue in Mealie repository instead?

[Eschguy]

Sure, I can do more digging to see if I did something wrong. Since I have no issues on the web (desktop or mobile) I had assumed it was an issue with the app not supporting OIDC with 2FA.

[ericvenneker]

I am able to reproduce the issue. It indeed appears that mealie does not take the login method of the user into account and simply tries to login anyway which will fail because an oidc (or ldap) user does not have a password or salt.
That said, maybe the app is able (when requested by the user) to redirect to the configured OIDC.

@Eschguy were you able to create an issue on the mealie repo? I was not able to find a relevant issue.

[Eschguy]

@ericvenneker

No I never did, was going to try something first but it didn't work.