View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0006121SOGoBackend Generalpublic2025-05-13 05:512025-05-14 19:29
Reporterjosuetille Assigned Toqhivert  
PrioritynormalSeveritymajorReproducibilityhave not tried
Status assignedResolutionopen 
Product Version5.12.1 
Summary0006121: OIDC authentication fail with: Tried to add nil value for key 'end_session_endpoint'
Description

I tried to setup SOGo with OIDC authentication with Authelia and it seem to fail with this following exception:

May 13 07:33:38 sogod [856]: [WARN] <0x0x7f0dc3ad3bc0[WOxElemBuilder]> could not locate builders: WOxExtElemBuilder,WOxExtElemBuilder
2025-05-13 07:33:39.205 sogod[856:856] EXCEPTION: <NSException: 0x5653f05c3600> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'end_session_endpoint' to dictionary INFO:{"authorization_endpoint" = "https://auth.domain.tld/api/oidc/authorization"; "token_endpoint" = "https://auth.domain.tld/api/oidc/token"; "userinfo_endpoint" = "https://auth.domain.tld/api/oidc/userinfo"; }

My supposition is that Authelia don't provide the end_session_endpoint (https://github.com/authelia/authelia/issues/5057) which seem expected by sogo.

Steps To Reproduce

The config that I use for SOGo, in /etc/sogo/sogo.conf:

{
  WOPort = 127.0.0.1:20000;
  WOLogFile = /var/log/sogo/sogo.log;
  /* Fix Yunohost Tile */
  WODontZipResponse = YES;
  SOGoProfileURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_user_profile";
  OCSFolderInfoURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_sessions_folder";
  NGImap4ConnectionStringSeparator = ".";
  SOGoAppointmentSendEMailNotifications = YES;
  SOGoEnablePublicAccess = YES;
  SOGoMailingMechanism = smtp;
  SOGoSMTPServer = "smtp://domain.tld:587/?tls=YES";
  SOGoSMTPAuthenticationType = PLAIN;
  SOGoTimeZone = "Europe/Zurich";
  SOGoSentFolderName = Sent;
  SOGoTrashFolderName = Trash;
  SOGoDraftsFolderName = Drafts;
  SOGoIMAPServer = "imaps://domain.tld:993";
  SOGoIMAPAclConformsToIMAPExt = YES;
  SOGoVacationEnabled = YES;
  SOGoForwardEnabled = YES;
  SOGoSieveScriptsEnabled = YES;
  SOGoSieveServer = sieve://127.0.0.1:4190;
  SOGoFirstDayOfWeek = 0;
  SOGoMailMessageCheck = every_10_minutes;
  SOGoMailAuxiliaryUserAccountsEnabled = YES;
 /* SOGoTrustProxyAuthentication = YES; */
  SOGoSuperUsernames = (yunoadmin);
  /* Default Calendar and Contacts Permissions */
  SOGoCalendarDefaultRoles = ("PublicViewer", "ConfidentialDAndTViewer");
  SOGoContactsDefaultRoles = ("ObjectViewer");

  /* OIDC */
  SOGoAuthenticationType = openid;
  SOGoXSRFValidationEnabled = NO;
  OCSOpenIdURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_openid";
  SOGoOpenIdConfigUrl = "https://auth.domain.tld/.well-known/openid-configuration";
  SOGoOpenIdClient = "sogo-txytQqZW";
  SOGoOpenIdClientSecret = "xxx";
  SOGoOpenIdScope = "openid profile email";
  SOGoOpenIdLogoutEnabled = NO;

  /* LDAP authentication */
  SOGoUserSources = (
    {
      type = ldap;
      CNFieldName = cn;
      UIDFieldName = uid;
      IDFieldName = uid; // first field of the DN for direct binds
      bindFields = (uid, mail); // array of fields to use for indirect binds
      baseDN = "ou=users,dc=yunohost,dc=org";
      filter = "objectClass='posixAccount' AND permission='cn=sogo.main,ou=permission,dc=yunohost,dc=org'";
      canAuthenticate = YES;
      displayName = "Yunohost Users";
      hostname = ldap://localhost:389;
      id = directory;
      isAddressBook = YES;
    }
  );
}

In Authelia I've this config:

      - client_id: 'sogo-txytQqZW'
        client_name: 'SOGo'
        client_secret: 'xxxx'
        public: false
        authorization_policy: 'one_factor'
        redirect_uris:
          - 'https://domain.tld/oauth/callback/'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'

Step to reproduce:

  1. Login into Authelia
  2. Try access to SOGo

Expected: We are logged into SOGo (or maybe we have the login page)

Currently: We have this error into the browser: 501 Not Implemented

Tagsauthentication

Activities

qhivert

qhivert

2025-05-13 14:04

administrator   ~0018210

Hello, i've made a fix where end_session_endpoint is optional too -> https://github.com/Alinto/sogo/commit/c5fb3482e22f1bfc935213e8ed7208becd9bd1f4
Available in the next nightly tomorrow.
Beware to net set SOGoOpenIdLogoutEnabled to YES (default to NO)
josuetille

josuetille

2025-05-14 19:29

reporter   ~0018211

Hello,

Thank you for the quick answer. Tried again today with the last build and it seem the issue is now solved. I still have an other issue with Authelia but it's an other problem, I'll report as an other issue.

Best regards

Issue History

Date Modified Username Field Change
2025-05-13 05:51 josuetille New Issue
2025-05-13 05:51 josuetille Tag Attached: authentication
2025-05-13 08:07 qhivert Assigned To => qhivert
2025-05-13 08:07 qhivert Status new => assigned
2025-05-13 14:04 qhivert Note Added: 0018210
2025-05-13 14:04 qhivert Status assigned => feedback
2025-05-14 19:29 josuetille Note Added: 0018211
2025-05-14 19:29 josuetille Status feedback => assigned