View Issue Details

ID: 0006122
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2025-05-15 11:19
Reporter: josuetille
Assigned To: qhivert
Priority: normal
Severity: major
Reproducibility: have not tried
Status: assigned
Resolution: open
Product Version: 5.12.1
Summary: 0006122: State missing in OIDC authentication flow
Description

When I try to authenticate with OIDC from SOGo with Authelia, Authelia refuses the authentication with this error:

The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.

It seems that SOGo redirects the browser to the OIDC server with a URL like this:
https://auth.domain.tld/api/oidc/authorization?scope=openid profile email&response_type=code&client_id=sogo-txytQqZW&redirect_uri=https://domain.tld/SOGo/

But Authelia requires an additional parameter, state, as described in the OIDC specification, like this:
https://auth.domain.tld/api/oidc/authorization?scope=openid profile email&response_type=code&client_id=sogo-txytQqZW&redirect_uri=https://domain.tld/SOGo/&state=7I6SDlHf1RQa

Steps To Reproduce

The config that I use for SOGo, in /etc/sogo/sogo.conf:

{
  WOPort = 127.0.0.1:20000;
  WOLogFile = /var/log/sogo/sogo.log;
  /* Fix Yunohost Tile */
  WODontZipResponse = YES;
  SOGoProfileURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_user_profile";
  OCSFolderInfoURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_sessions_folder";
  NGImap4ConnectionStringSeparator = ".";
  SOGoAppointmentSendEMailNotifications = YES;
  SOGoEnablePublicAccess = YES;
  SOGoMailingMechanism = smtp;
  SOGoSMTPServer = "smtp://domain.tld:587/?tls=YES";
  SOGoSMTPAuthenticationType = PLAIN;
  SOGoTimeZone = "Europe/Zurich";
  SOGoSentFolderName = Sent;
  SOGoTrashFolderName = Trash;
  SOGoDraftsFolderName = Drafts;
  SOGoIMAPServer = "imaps://domain.tld:993";
  SOGoIMAPAclConformsToIMAPExt = YES;
  SOGoVacationEnabled = YES;
  SOGoForwardEnabled = YES;
  SOGoSieveScriptsEnabled = YES;
  SOGoSieveServer = sieve://127.0.0.1:4190;
  SOGoFirstDayOfWeek = 0;
  SOGoMailMessageCheck = every_10_minutes;
  SOGoMailAuxiliaryUserAccountsEnabled = YES;
  /* SOGoTrustProxyAuthentication = YES; */
  SOGoSuperUsernames = (yunoadmin);
  /* Default Calendar and Contacts Permissions */
  SOGoCalendarDefaultRoles = ("PublicViewer", "ConfidentialDAndTViewer");
  SOGoContactsDefaultRoles = ("ObjectViewer");

  /* OIDC */
  SOGoAuthenticationType = openid;
  SOGoXSRFValidationEnabled = NO;
  OCSOpenIdURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_openid";
  SOGoOpenIdConfigUrl = "https://auth.domain.tld/.well-known/openid-configuration";
  SOGoOpenIdClient = "sogo-txytQqZW";
  SOGoOpenIdClientSecret = "xxx";
  SOGoOpenIdScope = "openid profile email";
  SOGoOpenIdLogoutEnabled = NO;

  /* LDAP authentication */
  SOGoUserSources = (
    {
      type = ldap;
      CNFieldName = cn;
      UIDFieldName = uid;
      IDFieldName = uid; // first field of the DN for direct binds
      bindFields = (uid, mail); // array of fields to use for indirect binds
      baseDN = "ou=users,dc=yunohost,dc=org";
      filter = "objectClass='posixAccount' AND permission='cn=sogo.main,ou=permission,dc=yunohost,dc=org'";
      canAuthenticate = YES;
      displayName = "Yunohost Users";
      hostname = ldap://localhost:389;
      id = directory;
      isAddressBook = YES;
    }
  );
}

In Authelia I have this config:

      - client_id: 'sogo-txytQqZW'
        client_name: 'SOGo'
        client_secret: 'xxxx'
        public: false
        authorization_policy: 'one_factor'
        redirect_uris:
          - 'https://domain.tld/oauth/callback/'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'

Steps to reproduce:

  • Log in to Authelia
  • Try to access SOGo

Expected: We are logged into SOGo

Currently:

We have an infinite redirection loop because Authelia redirects to SOGo with a URL like this: https://domain.tld/SOGo/?error=invalid_state&error_description=The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.&iss=https://auth.domain.tld
And then SOGo, as the user is not authenticated, redirects to Authelia, which refuses the authentication again.

Side note: ideally SOGo should probably handle the case when the authentication fails and not redirect to the authentication server in case of an error.
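The two behaviours the report asks for, shown as an added example that is not SOGo's or Authelia's code: the relying party generates a random state of sufficient entropy and includes it in the authorization request, then on the callback checks the state and surfaces a provider error instead of starting another redirect. The endpoint, client_id, redirect_uri and scope values are taken from the report; the session is a plain dict stand-in.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Values copied from the report; the session store below is a constructed stand-in.
AUTHORIZE_ENDPOINT = "https://auth.domain.tld/api/oidc/authorization"
CLIENT_ID = "sogo-txytQqZW"
REDIRECT_URI = "https://domain.tld/SOGo/"
SCOPE = "openid profile email"
MIN_STATE_LEN = 8  # Authelia's stated minimum in the error message


def new_state(nbytes: int = 16) -> str:
    # 16 random bytes give 22 URL-safe characters, well above the 8-character minimum.
    return secrets.token_urlsafe(nbytes)


def build_authorization_url(session: dict) -> str:
    """Generate a state, remember it server-side, and build the redirect URL."""
    state = new_state()
    session["oidc_state"] = state
    params = {"scope": SCOPE, "response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def extract_state(url: str):
    """Return the state query parameter of a URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def handle_callback(callback_url: str, session: dict):
    """Return ("code", <code>) on success or ("error", <reason>) otherwise.

    An error response from the provider is reported to the user and never
    answered with a fresh authorization redirect, which is what produces the
    loop described in the report."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        return ("error", q.get("error_description", q["error"])[0])
    expected = session.pop("oidc_state", None)  # single use: consumed on first callback
    received = q.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        return ("error", "state mismatch or missing")
    if "code" not in q:
        return ("error", "authorization code missing")
    return ("code", q["code"][0])
```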

Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2025-05-14 19:44 josuetille New Issue
2025-05-15 11:19 qhivert Assigned To => qhivert
2025-05-15 11:19 qhivert Status new => assigned