October 31, 2025Oct 31 Hi, hat schon jemand erfolgreich die OIDC Konfig mit Authentik umgesetzt?Ich bin nach der Anleitung gegangen ( OIDC Provider Setup | Unraid Docs ) konnte aber noch keine erfolgreiche Authentifizierung hin bekommen.Umleitung zu Authentik funktioniert und auch die Call-Back URL wird richtig aufgerufen. Danach kommt aber "Authentication failed".Wenn jemand es am laufen hat, würde ich mich über eine Zusammenfassung der Einrichtung freuen.Hier noch mehr Infos und Log Files.Im OIDC Log stehen Sachen drin, die ich nicht verstehe.Wenn ich den OIDC Provider speichere kommt das hier:[14:10:18 INFO OidcValidationService]: Starting discovery for provider authentik {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 INFO OidcValidationService]: Discovery URL: https://authentik.<DOMAIN>/application/o/unraid/.well-known/openid-configuration {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 INFO OidcValidationService]: Client ID: I7P8mij2Wm1x4ZNVjMA7ramoUaGjrEt7rmUxfOyO {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 INFO OidcValidationService]: Client secret configured: Yes {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 ERROR OidcValidationService]: Discovery failed for authentik at https://authentik.<DOMAIN>/application/o/unraid/.well-known/openid-configuration {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 ERROR OidcValidationService]: Discovery error: {"code":"OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED","name":"ClientError"} {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 INFO OidcValidationService]: Raw discovery error for authentik: discovered metadata issuer does not match the expected issuer {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 INFO OidcErrorHelper]: Error type: ClientError {"apiVersion":"4.25.3","logger":"OidcErrorHelper","context":"OidcErrorHelper"} [14:10:18 DEBUG OidcErrorHelper]: Stack trace: ClientError: discovered metadata issuer does not match the expected issuer at async OidcValidationService.performDiscovery (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:17049:28) at async OidcValidationService.validateProvider (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:17001:13) at async UnifiedSettingsResolver.updateSettings (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:19122:45) {"apiVersion":"4.25.3","logger":"OidcErrorHelper","context":"OidcErrorHelper"} [14:10:18 ERROR OidcValidationService]: Validation failed for provider authentik: discovered metadata issuer does not match the expected issuer {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 DEBUG ConfigFilePersister:oidc.json]: Cleared OIDC client configuration cache after provider update {"apiVersion":"4.25.3","logger":"ConfigFilePersister:oidc.json","context":"ConfigFilePersister:oidc.json"}Wenn ich dann versuche mit anzumelden, sind diese Einträge im Log:[14:10:43 DEBUG OidcRestController]: Validated redirect_uri: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:43 DEBUG OidcRestController]: Authorization request - Provider: authentik {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:43 DEBUG OidcRestController]: Authorization request - Full URL: https://cube.<DOMAIN>/graphql/api/auth/oidc/authorize/authentik?state=420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8&redirect_uri=https%3A%2F%2Fcube.<DOMAIN>%2Fgraphql%2Fapi%2Fauth%2Foidc%2Fcallback {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:43 DEBUG OidcRestController]: Authorization request - Redirect URI: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:43 DEBUG OidcRedirectUriService]: OIDC Config loaded: {"hasConfig":true,"allowedOrigins":[]} {"apiVersion":"4.25.3","logger":"OidcRedirectUriService","context":"OidcRedirectUriService"} [14:10:43 DEBUG OidcRedirectUriService]: Validating redirect URI: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback against host: https://cube.<DOMAIN> {"apiVersion":"4.25.3","logger":"OidcRedirectUriService","context":"OidcRedirectUriService"} [14:10:43 DEBUG OidcRedirectUriService]: Allowed origins from config: [] {"apiVersion":"4.25.3","logger":"OidcRedirectUriService","context":"OidcRedirectUriService"} [14:10:43 DEBUG OidcRedirectUriService]: Validated redirect_uri: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcRedirectUriService","context":"OidcRedirectUriService"} [14:10:43 DEBUG OidcRedirectUriService]: Using validated redirect URI: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcRedirectUriService","context":"OidcRedirectUriService"} [14:10:43 DEBUG OidcService]: Using redirect URI for authorization: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:43 DEBUG OidcService]: Request origin was: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:43 DEBUG OidcStateService]: Storing state with key: oidc_state:6c50dc8f007c2ab15bed61fc77d24eae, TTL: 600000ms {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:43 DEBUG OidcStateService]: State successfully stored and verified for key: oidc_state:6c50dc8f007c2ab15bed61fc77d24eae {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:43 DEBUG OidcStateService]: Generated secure state for provider authentik with nonce 6c50dc8f007c2ab15bed61fc77d24eae {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:43 DEBUG OidcStateService]: Instance #1, HMAC secret first 8 chars: 26639fcd {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:43 DEBUG OidcStateService]: Stored redirectUri: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:43 DEBUG OidcService]: Built authorization URL for provider authentik {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:43 DEBUG OidcService]: Authorization parameters: client_id=I7P8mij2Wm1x4ZNVjMA7ramoUaGjrEt7rmUxfOyO, redirect_uri=https://cube.<DOMAIN>/graphql/api/auth/oidc/callback, scope=openid profile email, response_type=code {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:43 INFO OidcRestController]: Redirecting to OIDC provider: https://authentik.<DOMAIN>/application/o/authorize/?client_id=I7P8mij2Wm1x4ZNVjMA7ramoUaGjrEt7rmUxfOyO&redirect_uri=https%3A%2F%2Fcube.<DOMAIN>%2Fgraphql%2Fapi%2Fauth%2Foidc%2Fcallback&scope=openid+profile+email&state=authentik%3A6c50dc8f007c2ab15bed61fc77d24eae.1761920803203.fdb11801c896b86171ea70d844a880c488a083cc591854e0797849e813788b0d&response_type=code {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:45 DEBUG OidcRestController]: Callback request - Provider: authentik {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:45 DEBUG OidcRestController]: Callback request - Full URL: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback?code=dd2865e65b8e43f893d1bbc497e87315&state=authentik%3A6c50dc8f007c2ab15bed61fc77d24eae.1761920803203.fdb11801c896b86171ea70d844a880c488a083cc591854e0797849e813788b0d {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:45 DEBUG OidcRestController]: Redirect URI will be retrieved from encrypted state {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:45 DEBUG OidcStateService]: Looking for nonce 6c50dc8f007c2ab15bed61fc77d24eae in cache with key: oidc_state:6c50dc8f007c2ab15bed61fc77d24eae {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:45 DEBUG OidcStateService]: Instance #1, HMAC secret first 8 chars: 26639fcd {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:45 DEBUG OidcStateService]: Cache manager type: Object {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:45 DEBUG OidcStateService]: State validation successful for provider authentik {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:45 DEBUG OidcService]: Using stored redirect URI from state: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcClientConfigService]: Attempting discovery for authentik at https://authentik.<DOMAIN>/application/o/unraid {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 INFO OidcValidationService]: Starting discovery for provider authentik {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 INFO OidcValidationService]: Discovery URL: https://authentik.<DOMAIN>/application/o/unraid/.well-known/openid-configuration {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 INFO OidcValidationService]: Client ID: I7P8mij2Wm1x4ZNVjMA7ramoUaGjrEt7rmUxfOyO {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 INFO OidcValidationService]: Client secret configured: Yes {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 ERROR OidcValidationService]: Discovery failed for authentik at https://authentik.<DOMAIN>/application/o/unraid/.well-known/openid-configuration {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 ERROR OidcValidationService]: Discovery error: {"code":"OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED","name":"ClientError"} {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 WARN OidcClientConfigService]: Discovery failed for authentik: discovered metadata issuer does not match the expected issuer {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Discovery URL attempted: https://authentik.<DOMAIN>/application/o/unraid/.well-known/openid-configuration {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 ERROR OidcClientConfigService]: Error type: ClientError {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 ERROR OidcClientConfigService]: Error message: discovered metadata issuer does not match the expected issuer {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 ERROR OidcClientConfigService]: Error code: OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 ERROR OidcClientConfigService]: Error cause chain: {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 ERROR OidcClientConfigService]: [Cause 1] object: [object Object] {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Additional error properties: {"name":"ClientError"} {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Stack trace: ClientError: discovered metadata issuer does not match the expected issuer at async OidcValidationService.performDiscovery (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:17049:28) at async OidcClientConfigService.getOrCreateConfig (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:17305:36) at async OidcService.handleCallback (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:20217:28) at async OidcRequestHandler.handleCallback (file:///usr/local/unraid-api/dist/assets/main-BusbAuUc.js:709:29) at async RestController.oidcCallback (file:///usr/local/unraid-api/dist/assets/main-BusbAuUc.js:990:22) {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 INFO OidcClientConfigService]: Using manual endpoints for authentik {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Manual configuration created for authentik {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Authorization endpoint: https://authentik.<DOMAIN>/application/o/authorize/ {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Token endpoint: https://authentik.n<DOMAIN>/application/o/token/ {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcService]: Provider authentik config loaded {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcService]: Redirect URI: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcService]: Token exchange URL (matches redirect_uri): https://cube.<DOMAIN>/graphql/api/auth/oidc/callback?code=dd2865e65b8e43f893d1bbc497e87315&state=authentik%3A6c50dc8f007c2ab15bed61fc77d24eae.1761920803203.fdb11801c896b86171ea70d844a880c488a083cc591854e0797849e813788b0d&iss=https%3A%2F%2Fauthentik.<DOMAIN>%2Fapplication%2Fo%2Funraid {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcService]: Exchanging code for tokens with provider authentik {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcService]: Client state extracted: 420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8 {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcTokenExchangeService]: Provider authentik config loaded {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Redirect URI: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Token exchange URL (matches redirect_uri): https://cube.<DOMAIN>/graphql/api/auth/oidc/callback?code=dd2865e65b8e43f893d1bbc497e87315&state=420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8&iss=https%3A%2F%2Fauthentik.<DOMAIN>%2Fapplication%2Fo%2Funraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Clean URL for token exchange: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback?code=dd2865e65b8e43f893d1bbc497e87315&state=420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8&iss=https%3A%2F%2Fauthentik.<DOMAIN>%2Fapplication%2Fo%2Funraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Starting token exchange with openid-client {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Config issuer: https://authentik.<DOMAIN>/application/o/unraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Config token endpoint: https://authentik.<DOMAIN>/application/o/token/ {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Full token endpoint URL: https://authentik.<DOMAIN>/application/o/token/ {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Authorization code: dd2865e65b... {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Redirect URI in token request: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Client ID: I7P8mij2Wm1x4ZNVjMA7ramoUaGjrEt7rmUxfOyO {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Client secret configured: Yes {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Expected state value: 420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8 {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Server supports response types: not specified {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Server grant types: not specified {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Token endpoint auth methods: not specified {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Executing authorizationCodeGrant with: {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: - Clean URL: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback?code=dd2865e65b8e43f893d1bbc497e87315&state=420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8&iss=https%3A%2F%2Fauthentik.<DOMAIN>%2Fapplication%2Fo%2Funraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: - Expected state: 420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8 {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: - Grant type: authorization_code {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Token exchange failed {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Error type: ClientError {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Error message: unexpected JWT claim value encountered {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Error code: OAUTH_JWT_CLAIM_COMPARISON_FAILED {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Error cause chain: {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: [Cause 1] OperationProcessingError: unexpected JWT "iss" (issuer) claim value {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: [Cause 1] Code: OAUTH_JWT_CLAIM_COMPARISON_FAILED {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: [Cause 2] object: [object Object] {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 DEBUG OidcTokenExchangeService]: Additional error properties: {"name":"ClientError"} {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 DEBUG OidcTokenExchangeService]: Stack trace: ClientError: unexpected JWT claim value encountered at async OidcTokenExchangeService.exchangeCodeForTokens (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:19465:28) at async OidcService.handleCallback (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:20262:28) at async OidcRequestHandler.handleCallback (file:///usr/local/unraid-api/dist/assets/main-BusbAuUc.js:709:29) at async RestController.oidcCallback (file:///usr/local/unraid-api/dist/assets/main-BusbAuUc.js:990:22) {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: unexpected JWT claim value encountered during token validation by openid-client {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: This error typically means the 'iss' claim in the JWT doesn't match the expected issuer {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Check that your provider's issuer URL is configured correctly {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Expected issuer: https://authentik.<DOMAIN>/application/o/unraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Provider configured issuer: https://authentik.<DOMAIN>/application/o/unraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcService]: OAuth callback error: unexpected JWT claim value encountered {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:46 ERROR OidcRestController]: OIDC callback error: UnauthorizedException: Authentication failed {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:46 DEBUG OidcRestController]: UnauthorizedException occurred during OIDC callback {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} Edited October 31, 2025Oct 31 by MDN
November 23, 2025Nov 23 On 10/31/2025 at 3:36 PM, MDN said:Hi, hat schon jemand erfolgreich die OIDC Konfig mit Authentik umgesetzt?Ich bin nach der Anleitung gegangen ( OIDC Provider Setup | Unraid Docs ) konnte aber noch keine erfolgreiche Authentifizierung hin bekommen.Umleitung zu Authentik funktioniert und auch die Call-Back URL wird richtig aufgerufen. Danach kommt aber "Authentication failed".Wenn jemand es am laufen hat, würde ich mich über eine Zusammenfassung der Einrichtung freuen.Hier noch mehr Infos und Log Files.Im OIDC Log stehen Sachen drin, die ich nicht verstehe.Wenn ich den OIDC Provider speichere kommt das hier:[14:10:18 INFO OidcValidationService]: Starting discovery for provider authentik {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 INFO OidcValidationService]: Discovery URL: https://authentik.<DOMAIN>/application/o/unraid/.well-known/openid-configuration {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 INFO OidcValidationService]: Client ID: I7P8mij2Wm1x4ZNVjMA7ramoUaGjrEt7rmUxfOyO {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 INFO OidcValidationService]: Client secret configured: Yes {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 ERROR OidcValidationService]: Discovery failed for authentik at https://authentik.<DOMAIN>/application/o/unraid/.well-known/openid-configuration {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 ERROR OidcValidationService]: Discovery error: {"code":"OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED","name":"ClientError"} {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 INFO OidcValidationService]: Raw discovery error for authentik: discovered metadata issuer does not match the expected issuer {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 INFO OidcErrorHelper]: Error type: ClientError {"apiVersion":"4.25.3","logger":"OidcErrorHelper","context":"OidcErrorHelper"} [14:10:18 DEBUG OidcErrorHelper]: Stack trace: ClientError: discovered metadata issuer does not match the expected issuer at async OidcValidationService.performDiscovery (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:17049:28) at async OidcValidationService.validateProvider (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:17001:13) at async UnifiedSettingsResolver.updateSettings (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:19122:45) {"apiVersion":"4.25.3","logger":"OidcErrorHelper","context":"OidcErrorHelper"} [14:10:18 ERROR OidcValidationService]: Validation failed for provider authentik: discovered metadata issuer does not match the expected issuer {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:18 DEBUG ConfigFilePersister:oidc.json]: Cleared OIDC client configuration cache after provider update {"apiVersion":"4.25.3","logger":"ConfigFilePersister:oidc.json","context":"ConfigFilePersister:oidc.json"}Wenn ich dann versuche mit anzumelden, sind diese Einträge im Log:[14:10:43 DEBUG OidcRestController]: Validated redirect_uri: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:43 DEBUG OidcRestController]: Authorization request - Provider: authentik {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:43 DEBUG OidcRestController]: Authorization request - Full URL: https://cube.<DOMAIN>/graphql/api/auth/oidc/authorize/authentik?state=420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8&redirect_uri=https%3A%2F%2Fcube.<DOMAIN>%2Fgraphql%2Fapi%2Fauth%2Foidc%2Fcallback {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:43 DEBUG OidcRestController]: Authorization request - Redirect URI: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:43 DEBUG OidcRedirectUriService]: OIDC Config loaded: {"hasConfig":true,"allowedOrigins":[]} {"apiVersion":"4.25.3","logger":"OidcRedirectUriService","context":"OidcRedirectUriService"} [14:10:43 DEBUG OidcRedirectUriService]: Validating redirect URI: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback against host: https://cube.<DOMAIN> {"apiVersion":"4.25.3","logger":"OidcRedirectUriService","context":"OidcRedirectUriService"} [14:10:43 DEBUG OidcRedirectUriService]: Allowed origins from config: [] {"apiVersion":"4.25.3","logger":"OidcRedirectUriService","context":"OidcRedirectUriService"} [14:10:43 DEBUG OidcRedirectUriService]: Validated redirect_uri: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcRedirectUriService","context":"OidcRedirectUriService"} [14:10:43 DEBUG OidcRedirectUriService]: Using validated redirect URI: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcRedirectUriService","context":"OidcRedirectUriService"} [14:10:43 DEBUG OidcService]: Using redirect URI for authorization: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:43 DEBUG OidcService]: Request origin was: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:43 DEBUG OidcStateService]: Storing state with key: oidc_state:6c50dc8f007c2ab15bed61fc77d24eae, TTL: 600000ms {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:43 DEBUG OidcStateService]: State successfully stored and verified for key: oidc_state:6c50dc8f007c2ab15bed61fc77d24eae {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:43 DEBUG OidcStateService]: Generated secure state for provider authentik with nonce 6c50dc8f007c2ab15bed61fc77d24eae {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:43 DEBUG OidcStateService]: Instance #1, HMAC secret first 8 chars: 26639fcd {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:43 DEBUG OidcStateService]: Stored redirectUri: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:43 DEBUG OidcService]: Built authorization URL for provider authentik {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:43 DEBUG OidcService]: Authorization parameters: client_id=I7P8mij2Wm1x4ZNVjMA7ramoUaGjrEt7rmUxfOyO, redirect_uri=https://cube.<DOMAIN>/graphql/api/auth/oidc/callback, scope=openid profile email, response_type=code {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:43 INFO OidcRestController]: Redirecting to OIDC provider: https://authentik.<DOMAIN>/application/o/authorize/?client_id=I7P8mij2Wm1x4ZNVjMA7ramoUaGjrEt7rmUxfOyO&redirect_uri=https%3A%2F%2Fcube.<DOMAIN>%2Fgraphql%2Fapi%2Fauth%2Foidc%2Fcallback&scope=openid+profile+email&state=authentik%3A6c50dc8f007c2ab15bed61fc77d24eae.1761920803203.fdb11801c896b86171ea70d844a880c488a083cc591854e0797849e813788b0d&response_type=code {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:45 DEBUG OidcRestController]: Callback request - Provider: authentik {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:45 DEBUG OidcRestController]: Callback request - Full URL: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback?code=dd2865e65b8e43f893d1bbc497e87315&state=authentik%3A6c50dc8f007c2ab15bed61fc77d24eae.1761920803203.fdb11801c896b86171ea70d844a880c488a083cc591854e0797849e813788b0d {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:45 DEBUG OidcRestController]: Redirect URI will be retrieved from encrypted state {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:45 DEBUG OidcStateService]: Looking for nonce 6c50dc8f007c2ab15bed61fc77d24eae in cache with key: oidc_state:6c50dc8f007c2ab15bed61fc77d24eae {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:45 DEBUG OidcStateService]: Instance #1, HMAC secret first 8 chars: 26639fcd {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:45 DEBUG OidcStateService]: Cache manager type: Object {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:45 DEBUG OidcStateService]: State validation successful for provider authentik {"apiVersion":"4.25.3","logger":"OidcStateService","context":"OidcStateService"} [14:10:45 DEBUG OidcService]: Using stored redirect URI from state: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcClientConfigService]: Attempting discovery for authentik at https://authentik.<DOMAIN>/application/o/unraid {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 INFO OidcValidationService]: Starting discovery for provider authentik {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 INFO OidcValidationService]: Discovery URL: https://authentik.<DOMAIN>/application/o/unraid/.well-known/openid-configuration {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 INFO OidcValidationService]: Client ID: I7P8mij2Wm1x4ZNVjMA7ramoUaGjrEt7rmUxfOyO {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 INFO OidcValidationService]: Client secret configured: Yes {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 ERROR OidcValidationService]: Discovery failed for authentik at https://authentik.<DOMAIN>/application/o/unraid/.well-known/openid-configuration {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 ERROR OidcValidationService]: Discovery error: {"code":"OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED","name":"ClientError"} {"apiVersion":"4.25.3","logger":"OidcValidationService","context":"OidcValidationService"} [14:10:45 WARN OidcClientConfigService]: Discovery failed for authentik: discovered metadata issuer does not match the expected issuer {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Discovery URL attempted: https://authentik.<DOMAIN>/application/o/unraid/.well-known/openid-configuration {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 ERROR OidcClientConfigService]: Error type: ClientError {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 ERROR OidcClientConfigService]: Error message: discovered metadata issuer does not match the expected issuer {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 ERROR OidcClientConfigService]: Error code: OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 ERROR OidcClientConfigService]: Error cause chain: {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 ERROR OidcClientConfigService]: [Cause 1] object: [object Object] {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Additional error properties: {"name":"ClientError"} {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Stack trace: ClientError: discovered metadata issuer does not match the expected issuer at async OidcValidationService.performDiscovery (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:17049:28) at async OidcClientConfigService.getOrCreateConfig (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:17305:36) at async OidcService.handleCallback (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:20217:28) at async OidcRequestHandler.handleCallback (file:///usr/local/unraid-api/dist/assets/main-BusbAuUc.js:709:29) at async RestController.oidcCallback (file:///usr/local/unraid-api/dist/assets/main-BusbAuUc.js:990:22) {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 INFO OidcClientConfigService]: Using manual endpoints for authentik {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Manual configuration created for authentik {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Authorization endpoint: https://authentik.<DOMAIN>/application/o/authorize/ {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcClientConfigService]: Token endpoint: https://authentik.n<DOMAIN>/application/o/token/ {"apiVersion":"4.25.3","logger":"OidcClientConfigService","context":"OidcClientConfigService"} [14:10:45 DEBUG OidcService]: Provider authentik config loaded {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcService]: Redirect URI: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcService]: Token exchange URL (matches redirect_uri): https://cube.<DOMAIN>/graphql/api/auth/oidc/callback?code=dd2865e65b8e43f893d1bbc497e87315&state=authentik%3A6c50dc8f007c2ab15bed61fc77d24eae.1761920803203.fdb11801c896b86171ea70d844a880c488a083cc591854e0797849e813788b0d&iss=https%3A%2F%2Fauthentik.<DOMAIN>%2Fapplication%2Fo%2Funraid {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcService]: Exchanging code for tokens with provider authentik {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcService]: Client state extracted: 420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8 {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:45 DEBUG OidcTokenExchangeService]: Provider authentik config loaded {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Redirect URI: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Token exchange URL (matches redirect_uri): https://cube.<DOMAIN>/graphql/api/auth/oidc/callback?code=dd2865e65b8e43f893d1bbc497e87315&state=420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8&iss=https%3A%2F%2Fauthentik.<DOMAIN>%2Fapplication%2Fo%2Funraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Clean URL for token exchange: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback?code=dd2865e65b8e43f893d1bbc497e87315&state=420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8&iss=https%3A%2F%2Fauthentik.<DOMAIN>%2Fapplication%2Fo%2Funraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Starting token exchange with openid-client {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Config issuer: https://authentik.<DOMAIN>/application/o/unraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Config token endpoint: https://authentik.<DOMAIN>/application/o/token/ {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Full token endpoint URL: https://authentik.<DOMAIN>/application/o/token/ {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Authorization code: dd2865e65b... {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Redirect URI in token request: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Client ID: I7P8mij2Wm1x4ZNVjMA7ramoUaGjrEt7rmUxfOyO {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Client secret configured: Yes {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Expected state value: 420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8 {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Server supports response types: not specified {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Server grant types: not specified {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Token endpoint auth methods: not specified {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: Executing authorizationCodeGrant with: {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: - Clean URL: https://cube.<DOMAIN>/graphql/api/auth/oidc/callback?code=dd2865e65b8e43f893d1bbc497e87315&state=420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8&iss=https%3A%2F%2Fauthentik.<DOMAIN>%2Fapplication%2Fo%2Funraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: - Expected state: 420384eeec88e0d19a312a09ddf9922426d26423eff440925f5acc4b86093fe8 {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:45 DEBUG OidcTokenExchangeService]: - Grant type: authorization_code {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Token exchange failed {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Error type: ClientError {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Error message: unexpected JWT claim value encountered {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Error code: OAUTH_JWT_CLAIM_COMPARISON_FAILED {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Error cause chain: {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: [Cause 1] OperationProcessingError: unexpected JWT "iss" (issuer) claim value {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: [Cause 1] Code: OAUTH_JWT_CLAIM_COMPARISON_FAILED {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: [Cause 2] object: [object Object] {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 DEBUG OidcTokenExchangeService]: Additional error properties: {"name":"ClientError"} {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 DEBUG OidcTokenExchangeService]: Stack trace: ClientError: unexpected JWT claim value encountered at async OidcTokenExchangeService.exchangeCodeForTokens (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:19465:28) at async OidcService.handleCallback (file:///usr/local/unraid-api/dist/assets/plugin.module-rWiK5SGP.js:20262:28) at async OidcRequestHandler.handleCallback (file:///usr/local/unraid-api/dist/assets/main-BusbAuUc.js:709:29) at async RestController.oidcCallback (file:///usr/local/unraid-api/dist/assets/main-BusbAuUc.js:990:22) {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: unexpected JWT claim value encountered during token validation by openid-client {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: This error typically means the 'iss' claim in the JWT doesn't match the expected issuer {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Check that your provider's issuer URL is configured correctly {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Expected issuer: https://authentik.<DOMAIN>/application/o/unraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcTokenExchangeService]: Provider configured issuer: https://authentik.<DOMAIN>/application/o/unraid {"apiVersion":"4.25.3","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"} [14:10:46 ERROR OidcService]: OAuth callback error: unexpected JWT claim value encountered {"apiVersion":"4.25.3","logger":"OidcService","context":"OidcService"} [14:10:46 ERROR OidcRestController]: OIDC callback error: UnauthorizedException: Authentication failed {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"} [14:10:46 DEBUG OidcRestController]: UnauthorizedException occurred during OIDC callback {"apiVersion":"4.25.3","logger":"OidcRestController","context":"OidcRestController"}Habe es gerade hinbekommenZuerst in Authentik den Provider und die Application erstellen. Die Redirect URI sollte so aussehenAlles läuft bei mir mit internen DomainsDann in Unraid bei Settings > Management Access > Unraid API Settings alles eingebenDas Funktioniert trotz der FehlermeldungIch habe ein wenig herumgebastelt als ich das alles so ausgefüllt habe, hat es funktioniert und ich konnte mich über Authentik einloggen.Alles ist bei mir auf der neuesten Stable Version.Vielleicht hat jemand noch eine andere Lösung aber wie gesagt es funktioniert bei mirbeste Grüße
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.