View Issue Details

ID: 0006122
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2025-05-21 12:51
Reporter: josuetille
Assigned To: qhivert
Priority: normal
Severity: major
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 5.12.1
Fixed in Version: 5.12.2
Summary0006122: State missing into OIDC authentication flow
Description

When I try to authenticate with OIDC from SOGo with Authelia, Authelia refuses the authentication with this error:

The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.

It seems that SOGo redirects the browser to the OIDC server with a URL like this:
https://auth.domain.tld/api/oidc/authorization?scope=openid profile email&response_type=code&client_id=sogo-txytQqZW&redirect_uri=https://domain.tld/SOGo/

But Authelia requires an additional parameter, state, as described in the OIDC specification, like this:
https://auth.domain.tld/api/oidc/authorization?scope=openid profile email&response_type=code&client_id=sogo-txytQqZW&redirect_uri=https://domain.tld/SOGo/&state=7I6SDlHf1RQa

Steps To Reproduce

The config that I use for SOGo, in /etc/sogo/sogo.conf:

{
  WOPort = 127.0.0.1:20000;
  WOLogFile = /var/log/sogo/sogo.log;
  /* Fix Yunohost Tile */
  WODontZipResponse = YES;
  SOGoProfileURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_user_profile";
  OCSFolderInfoURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_folder_info";
  OCSSessionsFolderURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_sessions_folder";
  NGImap4ConnectionStringSeparator = ".";
  SOGoAppointmentSendEMailNotifications = YES;
  SOGoEnablePublicAccess = YES;
  SOGoMailingMechanism = smtp;
  SOGoSMTPServer = "smtp://domain.tld:587/?tls=YES";
  SOGoSMTPAuthenticationType = PLAIN;
  SOGoTimeZone = "Europe/Zurich";
  SOGoSentFolderName = Sent;
  SOGoTrashFolderName = Trash;
  SOGoDraftsFolderName = Drafts;
  SOGoIMAPServer = "imaps://domain.tld:993";
  SOGoIMAPAclConformsToIMAPExt = YES;
  SOGoVacationEnabled = YES;
  SOGoForwardEnabled = YES;
  SOGoSieveScriptsEnabled = YES;
  SOGoSieveServer = sieve://127.0.0.1:4190;
  SOGoFirstDayOfWeek = 0;
  SOGoMailMessageCheck = every_10_minutes;
  SOGoMailAuxiliaryUserAccountsEnabled = YES;
  /* SOGoTrustProxyAuthentication = YES; */
  SOGoSuperUsernames = (yunoadmin);
  /* Default Calendar and Contacts Permissions */
  SOGoCalendarDefaultRoles = ("PublicViewer", "ConfidentialDAndTViewer");
  SOGoContactsDefaultRoles = ("ObjectViewer");

  /* OIDC */
  SOGoAuthenticationType = openid;
  SOGoXSRFValidationEnabled = NO;
  OCSOpenIdURL = "mysql://sogo:16a243c2c337aef18741ede4@localhost:3306/sogo/sogo_openid";
  SOGoOpenIdConfigUrl = "https://auth.domain.tld/.well-known/openid-configuration";
  SOGoOpenIdClient = "sogo-txytQqZW";
  SOGoOpenIdClientSecret = "xxx";
  SOGoOpenIdScope = "openid profile email";
  SOGoOpenIdLogoutEnabled = NO;

  /* LDAP authentication */
  SOGoUserSources = (
    {
      type = ldap;
      CNFieldName = cn;
      UIDFieldName = uid;
      IDFieldName = uid; // first field of the DN for direct binds
      bindFields = (uid, mail); // array of fields to use for indirect binds
      baseDN = "ou=users,dc=yunohost,dc=org";
      filter = "objectClass='posixAccount' AND permission='cn=sogo.main,ou=permission,dc=yunohost,dc=org'";
      canAuthenticate = YES;
      displayName = "Yunohost Users";
      hostname = ldap://localhost:389;
      id = directory;
      isAddressBook = YES;
    }
  );
}

In Authelia I have this config:

      - client_id: 'sogo-txytQqZW'
        client_name: 'SOGo'
        client_secret: 'xxxx'
        public: false
        authorization_policy: 'one_factor'
        redirect_uris:
          - 'https://domain.tld/oauth/callback/'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'

Steps to reproduce:

  • Log into Authelia
  • Try to access SOGo

Expected: We are logged into SOGo

Currently:

We have an infinite loop of redirection because Authelia redirects to SOGo with a URL like this: https://domain.tld/SOGo/?error=invalid_state&error_description=The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy.&iss=https://auth.domain.tld
And then SOGo, as the user is not authenticated, redirects to Authelia, which refuses the authentication again.

Side note: ideally SOGo should probably handle the case when the authentication fails and not redirect to the authentication server in case of an error.
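The two points the report makes, as an added example that is neither SOGo's nor Authelia's code: a relying party issues an unguessable state of at least the length Authelia demands, sends it on the authorization request, verifies it on the callback, and stops on an error response instead of redirecting back to the provider (which is what produces the loop above). The endpoint, client id and redirect URI are the values from the report; the session dict and the function names are this example's own assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the report above (hypothetical deployment).
AUTHORIZATION_ENDPOINT = "https://auth.domain.tld/api/oidc/authorization"
CLIENT_ID = "sogo-txytQqZW"
REDIRECT_URI = "https://domain.tld/SOGo/"
SCOPE = "openid profile email"
MIN_STATE_LENGTH = 8  # the minimum Authelia's error message requires


def new_state() -> str:
    """Unguessable, single-use value bound to the browser session (32 random bytes, 43 chars)."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str) -> str:
    """Authorization request with the state parameter; urlencode also encodes the spaces in scope."""
    params = {
        "scope": SCOPE,
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url: str, session: dict) -> dict:
    """Decide what to do with the provider's redirect back to REDIRECT_URI.

    session is the per-browser store (assumed) holding the 'oidc_state' issued when the
    authorization URL was built. The function returns a decision instead of redirecting,
    so an error from the provider never sends the browser back to the provider again.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oidc_state", None)  # single use, whatever the outcome

    # An error response ends the flow: show it, do not start a new authorization request.
    if "error" in query:
        return {
            "action": "show_error",
            "error": query["error"][0],
            "description": query.get("error_description", [""])[0],
        }

    received = query.get("state", [""])[0]
    if (
        expected is None
        or len(received) < MIN_STATE_LENGTH
        or not hmac.compare_digest(received.encode(), expected.encode())
    ):
        return {"action": "reject", "reason": "state missing, replayed or mismatched"}

    code = query.get("code", [""])[0]
    if not code:
        return {"action": "reject", "reason": "missing authorization code"}
    return {"action": "exchange_code", "code": code}


if __name__ == "__main__":
    session = {"oidc_state": new_state()}
    print(build_authorization_url(session["oidc_state"]))
    # Constructed callback as the provider would send it after a successful login.
    callback = f"{REDIRECT_URI}?code=abc123&state={session['oidc_state']}"
    print(handle_callback(callback, session))
```

The state is popped from the session before any check so a callback can be consumed only once; a second delivery of the same state, or a callback with no matching session entry, is rejected rather than treated as a fresh login.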

Tags: No tags attached.

Activities

qhivert

2025-05-16 12:29

administrator ~0018215

Last edited: 2025-05-16 12:29

Hello,
I've made a first part fix for this, available with the nightly tomorrow. Could you test it?

qhivert

2025-05-19 08:00

administrator ~0018217

Sorry, a little misstep: the fix will be available tomorrow, Thursday the 20th.

josuetille

2025-05-20 20:15

reporter ~0018218

Hello,

Thanks for the fix.

So I still had one last minor issue. I had this error:

May 20 13:57:54 sogod [2293]: [ERROR] <0x0x563878164bf0[GCSOpenIdFolder]> -[GCSOpenIdFolder writeOpenIdSession:withOldSession:withRefreshToken:withExpire:withRefreshExpire:]: cannot write record: <MySQL4Exception: 0x56387801b090> NAME:ExecutionFailed REASON:Field 'c_access_token_expires_in' doesn't have a default value

And after just changing the DB schema to have a default value on the column sogo_openid.c_access_token_expires_in this error was fixed.

After this fix, now everything works well, and also the xoauth2 access to the mail server, so it's nice.

Thanks a lot for the fix.

qhivert

2025-05-21 07:07

administrator ~0018219

Hello, thanks for the feedback. I will add a default value for it when SOGo creates the table (but if the table was already created, you have to do it manually).

Issue History

Date Modified Username Field Change
2025-05-14 19:44 josuetille New Issue
2025-05-15 11:19 qhivert Assigned To => qhivert
2025-05-15 11:19 qhivert Status new => assigned
2025-05-16 12:29 qhivert Note Added: 0018215
2025-05-16 12:29 qhivert Status assigned => feedback
2025-05-16 12:29 qhivert Note Edited: 0018215
2025-05-19 08:00 qhivert Note Added: 0018217
2025-05-20 20:15 josuetille Note Added: 0018218
2025-05-20 20:15 josuetille Status feedback => assigned
2025-05-21 07:07 qhivert Note Added: 0018219
2025-05-21 12:51 qhivert Status assigned => resolved
2025-05-21 12:51 qhivert Resolution open => fixed
2025-05-21 12:51 qhivert Fixed in Version => 5.12.2