Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

OIDC Authelia: Access denied: Your account does not meet the authorization requirements

Featured Replies

  • Community Expert

Hi all,

I've been trying to setup Unraid Connect's OIDC with authelia.

It works well with the builtin Unraid.Net provider but I can't get it to work with my selfhosted Authelia instance.

I did find the documentation but it did not get me any further.

I receive this error when trying to login using Authelia OIDC (sensitive stuff redacted)

[07:09:25 INFO OidcValidationService]: Starting discovery for provider authelia {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]: Discovery URL: https://authelia/.well-known/openid-configuration {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]: Client ID: unraid {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]: Client secret configured: Yes {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]: Discovery successful for authelia {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]: Discovery response metadata: {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]:   - issuer: https://authelia {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]:   - authorization_endpoint: https://authelia/api/oidc/authorization {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]:   - token_endpoint: https://authelia/api/oidc/token {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]:   - userinfo_endpoint: https://authelia/api/oidc/userinfo {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]:   - jwks_uri: https://authelia/jwks.json {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]:   - response_types_supported: code, id_token, token, id_token token, code id_token, code token, code id_token token {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcValidationService]:   - scopes_supported: offline_access, openid, profile, email, address, phone, groups {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcValidationService","context":"OidcValidationService"}
[07:09:25 INFO OidcService]: Built authorization URL via discovery for provider authelia {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcService","context":"OidcService"}
[07:09:25 INFO OidcService]: Authorization parameters: {"redirect_uri":"https://unraid/graphql/api/auth/oidc/callback","scope":"openid profile email groups","state":"authelia:xxx","response_type":"code"} {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcService","context":"OidcService"}
[07:09:25 INFO OidcRestController]: Redirecting to OIDC provider: https://authelia/api/oidc/authorization?redirect_uri=https%3A%2F%2Funraid%2Fgraphql%2Fapi%2Fauth%2Foidc%2Fcallback&scope=openid+profile+email+groups&state=authelia%3Axxx&response_type=code&client_id=unraid {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcRestController","context":"OidcRestController"}
[07:09:25 WARN OidcAuthorizationService]: Authorization failed for provider Authelia, user xxx, available claim keys: [amr, at_hash, aud, auth_time, azp, exp, iat, iss, jti, sub] {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcAuthorizationService","context":"OidcAuthorizationService"}
[07:09:25 ERROR OidcService]: OAuth callback error: Access denied: Your account does not meet the authorization requirements for Authelia. {"apiVersion":"4.25.0+f4f3e3c","logger":"OidcService","context":"OidcService"}

This is my setup on the unraid side.
The Client ID and secret match what's in Authelia's configuration. Same for the scopes.
The Authorization rule is matching the email claim to the email of the Authelia user.

image.png

This is my authelia client configuration

image.png

I'm out of ideas on how to troubleshoot this.
Do you guys have any idea or tips on how to get this further?
It seems like it either can't find the email claim or it doesn't match (which i'm confident it should, I use Authelia's OIDC all over my selfhosted container instances).
Authelia's logs don't provide anything and Authelia seems to be happy, so I think things go wrong on the Unraid side.

Edited by joz

Solved by joz

  • Author
  • Community Expert
  • Solution

Allright, based on other Authelia client configurations I have, I started trial and erroring with Authelia's config for unraid.

I was missing this bit claims_policy: 'default' Which is essential getting it going.

For other people running into this, this is my working config in Authelia

identity_providers:
	oidc:
		claims_policies:
			default:
				id_token: ['groups', 'email', 'email_verified', 'alt_emails', 'preferred_username', 'name']
	clients:
		-
			client_id: 'someid'
			client_name: UnRAID
			client_secret: 'somesecret'
			public: false
			authorization_policy: two_factor
			consent_mode: implicit
			redirect_uris:
				- 'https://unraid/graphql/api/auth/oidc/callback'
			scopes:
				- openid
				- profile
				- email
				- groups
			token_endpoint_auth_method: client_secret_post
			claims_policy: 'default'

Edited by joz

  • 6 months later...

Thanks @joz adding a policy solved it for me too

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.