[GH-ISSUE #410 ] OAuth login failed: No profile #265

Author

Owner

@kamtschatka commented on GitHub (Sep 23, 2024):

this happens, when authelia does not provide an email address or a name for the user you are using: https://github.com/hoarder-app/hoarder/blob/main/apps/web/server/auth.ts#L150

you'll have to check on authelia side to fill those in.

@kamtschatka commented on GitHub (Sep 23, 2024): this happens, when authelia does not provide an email address or a name for the user you are using: https://github.com/hoarder-app/hoarder/blob/main/apps/web/server/auth.ts#L150 you'll have to check on authelia side to fill those in.

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Sep 23, 2024):

@kamtschatka I think we should probably remove the name restriction. If it's empty, we can just use the email and not fail the login on it.

@MohamedBassem commented on GitHub (Sep 23, 2024): @kamtschatka I think we should probably remove the name restriction. If it's empty, we can just use the email and not fail the login on it.

kerem commented

Author

Owner

@chain710 commented on GitHub (Sep 24, 2024):

this happens, when authelia does not provide an email address or a name for the user you are using: https://github.com/hoarder-app/hoarder/blob/main/apps/web/server/auth.ts#L150

you'll have to check on authelia side to fill those in.

You're right! I double-checked my Authelia configuration and discovered that the display name attribute was missing.

Thank you for your awesome work!

@chain710 commented on GitHub (Sep 24, 2024): > this happens, when authelia does not provide an email address or a name for the user you are using: https://github.com/hoarder-app/hoarder/blob/main/apps/web/server/auth.ts#L150 > > you'll have to check on authelia side to fill those in. You're right! I double-checked my Authelia configuration and discovered that the display name attribute was missing. Thank you for your awesome work!

kerem commented

Author

Owner

@mirisbowring commented on GitHub (Oct 5, 2024):

Hi, I just tried to install hoarder today and wanted to connect it to my authentik install.
I experience the same behavior like OP.

I first tried release (which points to 17.1) and also latest but none of them fixed the issue.

Side Note: all fields in my OIDC Profile are set. There is a name, a username, an email, etc. so in theory this should work independent of the fix from above, no? :)

Thank you very much!

@mirisbowring commented on GitHub (Oct 5, 2024): Hi, I just tried to install hoarder today and wanted to connect it to my authentik install. I experience the same behavior like OP. I first tried `release` (which points to 17.1) and also `latest` but none of them fixed the issue. Side Note: all fields in my OIDC Profile are set. There is a name, a username, an email, etc. so in theory this should work independent of the fix from above, no? :) Thank you very much!

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Oct 5, 2024):

@mirisbowring what kind of error did you get? No profile as well?

@MohamedBassem commented on GitHub (Oct 5, 2024): @mirisbowring what kind of error did you get? `No profile` as well?

kerem commented

Author

Owner

@mirisbowring commented on GitHub (Oct 5, 2024):

Yep:

@mirisbowring commented on GitHub (Oct 5, 2024): Yep: <img width="391" alt="image" src="https://github.com/user-attachments/assets/970a8cd7-60cd-4a4f-bfce-f8e35d5e628a">

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Oct 5, 2024):

@mirisbowring yeah, that's weird indeed. Did you by any chance change the OAUTH_SCOPE value?

@MohamedBassem commented on GitHub (Oct 5, 2024): @mirisbowring yeah, that's weird indeed. Did you by any chance change the `OAUTH_SCOPE` value?

kerem commented

Author

Owner

@mirisbowring commented on GitHub (Oct 5, 2024):

I've just set it to the defaults:

OAUTH_SCOPE="openid email profile"

Also commented this line out and still the same behaviour 😊

@mirisbowring commented on GitHub (Oct 5, 2024): I've just set it to the defaults: ```yaml OAUTH_SCOPE="openid email profile" ``` Also commented this line out and still the same behaviour 😊

kerem commented

Author

Owner

@mirisbowring commented on GitHub (Oct 5, 2024):

I also checked the available fields resulting from https://auth.domain.tld/application/o/userinfo/

@mirisbowring commented on GitHub (Oct 5, 2024): ![image](https://github.com/user-attachments/assets/331950f8-98a2-4158-8510-129bd4c09850) I also checked the available fields resulting from `https://auth.domain.tld/application/o/userinfo/`

kerem commented

Author

Owner

@mirisbowring commented on GitHub (Nov 8, 2024):

Hi, since this issue persists, can we reopen this issue?

@mirisbowring commented on GitHub (Nov 8, 2024): Hi, since this issue persists, can we reopen this issue?

kerem commented

Author

Owner

@eapetitfils commented on GitHub (Dec 25, 2024):

I am getting the same issue on a fresh install of hoarder using authentik (link for configuration here: https://docs.goauthentik.io/integrations/services/hoarder/).

I can confirm in the logs of authentik that the email is part of the response. I tried with the username having no existing native account in hoarder, and with an existing one, also with various configurations of OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING

{ "pk": 7, "email": "correct email", "username": "correct username" }

@eapetitfils commented on GitHub (Dec 25, 2024): I am getting the same issue on a fresh install of hoarder using authentik (link for configuration here: https://docs.goauthentik.io/integrations/services/hoarder/). I can confirm in the logs of authentik that the email is part of the response. I tried with the username having no existing native account in hoarder, and with an existing one, also with various configurations of OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING `{ "pk": 7, "email": "correct email", "username": "correct username" }`

kerem commented

Author

Owner

@flavienbwk commented on GitHub (Dec 26, 2024):

For Keycloak, I just had to have emails set for my users.

@flavienbwk commented on GitHub (Dec 26, 2024): For Keycloak, I just had to have emails set for my users.

kerem commented

Author

Owner

@0dragosh commented on GitHub (Mar 16, 2025):

I still have this issue, can we reopen?

@0dragosh commented on GitHub (Mar 16, 2025): I still have this issue, can we reopen?

kerem commented

Author

Owner

@petrm commented on GitHub (Mar 18, 2025):

I upgraded authelia to 4.39 and this issue appeared. Never had it before. Hoarder config in authelia allows openid profile groups email, exactly like before. Other applications don't seem to have this problem.

Edit: I found other applications that have a problem and will be opening a bug in authelia. Rolling back to 4.38 fixes the issue.

@petrm commented on GitHub (Mar 18, 2025): I upgraded authelia to 4.39 and this issue appeared. Never had it before. Hoarder config in authelia allows openid profile groups email, exactly like before. Other applications don't seem to have this problem. Edit: I found other applications that have a problem and will be opening a bug in authelia. Rolling back to 4.38 fixes the issue.

kerem commented

Author

Owner

@0dragosh commented on GitHub (Mar 18, 2025):

Also had this problem with authelia 4.39. This is the issue. Authelia 4.39.1 is now out which fixes it.

@0dragosh commented on GitHub (Mar 18, 2025): Also had this problem with authelia 4.39. This is the [issue](https://github.com/authelia/authelia/issues/8979). Authelia 4.39.1 is now out which fixes it.

kerem commented

Author

Owner

@petrm commented on GitHub (Mar 18, 2025):

I still see it with 4.39.1.

On Tue, Mar 18, 2025, 08:43 ʀᴜɴᴛɪᴍᴇ ( Dʀᴀɢᴏsʜ ) @.***>
wrote:

Also had this problem with authelia 4.39. This is the issue
https://github.com/authelia/authelia/issues/8979. Authelia 4.39.1 is
now out which fixes it.

—
Reply to this email directly, view it on GitHub
https://github.com/hoarder-app/hoarder/issues/410#issuecomment-2731976618,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AABS7HCCABZPANQU2NMJ7OT2U7FCTAVCNFSM6AAAAABOWJD7QWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDOMZRHE3TMNRRHA
.
You are receiving this because you commented.Message ID:
@.***>
[image: 0dragosh]0dragosh left a comment (hoarder-app/hoarder#410)
https://github.com/hoarder-app/hoarder/issues/410#issuecomment-2731976618

Also had this problem with authelia 4.39. This is the issue
https://github.com/authelia/authelia/issues/8979. Authelia 4.39.1 is
now out which fixes it.

—
Reply to this email directly, view it on GitHub
https://github.com/hoarder-app/hoarder/issues/410#issuecomment-2731976618,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AABS7HCCABZPANQU2NMJ7OT2U7FCTAVCNFSM6AAAAABOWJD7QWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDOMZRHE3TMNRRHA
.
You are receiving this because you commented.Message ID:
@.***>

@petrm commented on GitHub (Mar 18, 2025): I still see it with 4.39.1. On Tue, Mar 18, 2025, 08:43 ʀᴜɴᴛɪᴍᴇ ( Dʀᴀɢᴏsʜ ) ***@***.***> wrote: > Also had this problem with authelia 4.39. This is the issue > <https://github.com/authelia/authelia/issues/8979>. Authelia 4.39.1 is > now out which fixes it. > > — > Reply to this email directly, view it on GitHub > <https://github.com/hoarder-app/hoarder/issues/410#issuecomment-2731976618>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AABS7HCCABZPANQU2NMJ7OT2U7FCTAVCNFSM6AAAAABOWJD7QWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDOMZRHE3TMNRRHA> > . > You are receiving this because you commented.Message ID: > ***@***.***> > [image: 0dragosh]*0dragosh* left a comment (hoarder-app/hoarder#410) > <https://github.com/hoarder-app/hoarder/issues/410#issuecomment-2731976618> > > Also had this problem with authelia 4.39. This is the issue > <https://github.com/authelia/authelia/issues/8979>. Authelia 4.39.1 is > now out which fixes it. > > — > Reply to this email directly, view it on GitHub > <https://github.com/hoarder-app/hoarder/issues/410#issuecomment-2731976618>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AABS7HCCABZPANQU2NMJ7OT2U7FCTAVCNFSM6AAAAABOWJD7QWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDOMZRHE3TMNRRHA> > . > You are receiving this because you commented.Message ID: > ***@***.***> >

kerem commented

Author

Owner

@petrm commented on GitHub (Mar 19, 2025):

I figured it out. There are clearly different reasons for this issue to appear. In my case, it is caused by changes introduced in 4.39: https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter
The authelia docs have recommendation what to implement in the client or in the link above, a workaround.

@petrm commented on GitHub (Mar 19, 2025): I figured it out. There are clearly different reasons for this issue to appear. In my case, it is caused by changes introduced in 4.39: https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter The authelia docs have recommendation what to implement in the client or in the link above, a workaround.

kerem commented

Author

Owner

@subract commented on GitHub (Mar 20, 2025):

Thank you @petrm! I implemented the linked workaround successfully after being unable to get Hoarder and Authelia to play nice for weeks now.

I agree that this issue should be reopened to track implementing the proper fix from the linked article:

We strongly recommend implementers use the standard process for obtaining the extra claims not generally intended to be included in the ID Token by using the Access Token to obtain them from the UserInfo Endpoint.

@subract commented on GitHub (Mar 20, 2025): Thank you @petrm! I implemented the linked workaround successfully after being unable to get Hoarder and Authelia to play nice for weeks now. I agree that this issue should be reopened to track implementing the proper fix from the linked article: > We strongly recommend implementers use the standard process for obtaining the extra claims not generally intended to be included in the [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) by using the [Access Token](https://datatracker.ietf.org/doc/html/rfc6749#section-1.4) to obtain them from the [UserInfo Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).

kerem commented

Author

Owner

@scottharney commented on GitHub (Mar 20, 2025):

Wanted to confirm same with authelia. I was able to apply the linked workaround to restore the legacy claims_poicy functionaliy in the authelia configuration and that allowed hoarder to work with authelia 4.39.1.

@scottharney commented on GitHub (Mar 20, 2025): Wanted to confirm same with authelia. I was able to apply the linked workaround to restore the legacy claims_poicy functionaliy in the authelia configuration and that allowed hoarder to work with authelia 4.39.1.

kerem commented

Author

Owner

@kobusestas commented on GitHub (Apr 3, 2025):

@petrm @scottharney @subract How did you get this working in Authelia? I added this to my Authelia Config:

identity_providers:
  oidc:
    claims_policies:
      ## Creates the 'default' claims policy.
      default:
        id_token: ['rat', 'groups', 'email', 'email_verified', 'alt_emails', 'preferred_username', 'name']

and then in the "- Client_ID" section I added
claims_policy: 'default'

However I still see this error. Any chance you could help point me in the right direction to see what I'm missing?

I'm using cloudflare for DNS proxy if that matters at all. This was working previously. I do notice a bad gateway 502 error in the hoarder logs that wasn't there prior.

@kobusestas commented on GitHub (Apr 3, 2025): @petrm @scottharney @subract How did you get this working in Authelia? I added this to my Authelia Config: ``` identity_providers: oidc: claims_policies: ## Creates the 'default' claims policy. default: id_token: ['rat', 'groups', 'email', 'email_verified', 'alt_emails', 'preferred_username', 'name'] ``` and then in the "- Client_ID" section I added ` claims_policy: 'default'` However I still see this error. Any chance you could help point me in the right direction to see what I'm missing? I'm using cloudflare for DNS proxy if that matters at all. This was working previously. I do notice a bad gateway 502 error in the hoarder logs that wasn't there prior.

kerem commented

Author

Owner

@scottharney commented on GitHub (Apr 4, 2025):

I followed the link in petrm's comment above mine to authelia docs for the workaround to restore the previous functionality for the claims parameter https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter
I made the edits described there to my authelia configuration and restarted and the integration with hoarder worked again

@scottharney commented on GitHub (Apr 4, 2025): I followed the link in petrm's comment above mine to authelia docs for the workaround to restore the previous functionality for the claims parameter https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter I made the edits described there to my authelia configuration and restarted and the integration with hoarder worked again

kerem commented

Author

Owner

@petrm commented on GitHub (Apr 4, 2025):

@kobusestas
Looks like my config, except I don't have 'rat' in the list.

@petrm commented on GitHub (Apr 4, 2025): @kobusestas Looks like my config, except I don't have 'rat' in the list.

kerem commented

Author

Owner

@cything commented on GitHub (Apr 5, 2025):

You don't have to enable all of those claims. According to the logic here, only email is needed. This is what my config looks like and it works:

identity_providers:
  oidc:
    claims_policies:
      karakeep:
        id_token:
        - email
    clients:
    - client_name: Karakeep
      claims_policy: karakeep

@cything commented on GitHub (Apr 5, 2025): You don't have to enable all of those claims. According to the logic [here](https://github.com/karakeep-app/karakeep/blob/27324a963120fe7a6aeff7cfbe358db5b3fafe7a/apps/web/server/auth.ts#L159), only `email` is needed. This is what my config looks like and it works: ```yaml identity_providers: oidc: claims_policies: karakeep: id_token: - email clients: - client_name: Karakeep claims_policy: karakeep ```

kerem commented

Author

Owner

@Eragos commented on GitHub (Apr 20, 2025):

Authela worked for me version v4.39.1

Authelia config part:

      - client_id: 'karakeep'
        client_name: 'karakeep'
        client_secret: '$argon2id$v=...
        public: false
        token_endpoint_auth_method: 'client_secret_basic'
        authorization_policy: 'two_factor'
        redirect_uris:
          - 'https://karakeep.domain.com/api/auth/callback/custom'
        audience:
          - 'https://karakeep.domain.com'
        requested_audience_mode: explicit
        scopes:
          - 'openid'
          - 'email'
          - 'profile'

No special claim policy (default authelia/OICD).

And karakeep docker compose part:

[...]
    environment:
      - DISABLE_PASSWORD_AUTH=true
      - DISABLE_SIGNUPS=true
      - OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING=true
      - OAUTH_CLIENT_ID=karakeep
      - OAUTH_CLIENT_SECRET=<insecure secret>
      - OAUTH_PROVIDER_NAME=Authelia
      - OAUTH_SCOPE=openid email profile
      - OAUTH_WELLKNOWN_URL=https://auth.domain.com/.well-known/openid-configuration
[...]

Best Michael

@Eragos commented on GitHub (Apr 20, 2025): Authela worked for me version _v4.39.1_ Authelia config part: ``` - client_id: 'karakeep' client_name: 'karakeep' client_secret: '$argon2id$v=... public: false token_endpoint_auth_method: 'client_secret_basic' authorization_policy: 'two_factor' redirect_uris: - 'https://karakeep.domain.com/api/auth/callback/custom' audience: - 'https://karakeep.domain.com' requested_audience_mode: explicit scopes: - 'openid' - 'email' - 'profile' ``` No special claim policy (default authelia/OICD). And karakeep docker compose part: ``` [...] environment: - DISABLE_PASSWORD_AUTH=true - DISABLE_SIGNUPS=true - OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING=true - OAUTH_CLIENT_ID=karakeep - OAUTH_CLIENT_SECRET=<insecure secret> - OAUTH_PROVIDER_NAME=Authelia - OAUTH_SCOPE=openid email profile - OAUTH_WELLKNOWN_URL=https://auth.domain.com/.well-known/openid-configuration [...] ``` Best Michael

kerem commented

Author

Owner

@ryanwinter commented on GitHub (May 29, 2025):

Adding the claims policy with email in the id_token fixed it for me.

@ryanwinter commented on GitHub (May 29, 2025): Adding the claims policy with email in the id_token fixed it for me.

kerem commented

Author

Owner

@mirisbowring commented on GitHub (May 29, 2025):

@ryanwinter what exactly did you mean by this?

@mirisbowring commented on GitHub (May 29, 2025): @ryanwinter what exactly did you mean by this?

kerem commented

Author

Owner

@info-path commented on GitHub (May 31, 2025):

I had the same problem with login in authentication:
oAuth login failed: oAuthCallback

I found in the log:
message: 'failed to decode JWT (TypeError: encrypted JWTs cannot be decoded)'

In this case, the solution was to remove the value for Encryption Key in Authentik > Karakeer > Provider

Signing Key: authentik Self-signed Certificate
Encryption Key: <empty>

This helped me!

@info-path commented on GitHub (May 31, 2025): I had the same problem with login in authentication: **oAuth login failed: oAuthCallback** I found in the log: `message: 'failed to decode JWT (TypeError: encrypted JWTs cannot be decoded)'` In this case, the solution was to remove the value for Encryption Key in `Authentik > Karakeer > Provider` * `Signing Key: authentik Self-signed Certificate` * `Encryption Key: <empty>` This helped me!

kerem commented

Author

Owner

@mirisbowring commented on GitHub (Jun 1, 2025):

I figured it out. There are clearly different reasons for this issue to appear. In my case, it is caused by changes introduced in 4.39: https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter The authelia docs have recommendation what to implement in the client or in the link above, a workaround.

Actually this solved it for authentik too (even though it is not documented).
In Authentik, there is a toggle in provider > advanced protocol settings > subject mode:

It was disabled (and is for every other of my oidc providers) but enabling it for karakeep fixes this bug for me!

@mirisbowring commented on GitHub (Jun 1, 2025): > I figured it out. There are clearly different reasons for this issue to appear. In my case, it is caused by changes introduced in 4.39: https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter The authelia docs have recommendation what to implement in the client or in the link above, a workaround. Actually this solved it for authentik too (even though it is not documented). In Authentik, there is a toggle in `provider > advanced protocol settings > subject mode`: <img width="676" alt="Image" src="https://github.com/user-attachments/assets/a3afa0c4-d67b-4372-9501-8130f4ecc57c" /> It was disabled (and is for every other of my oidc providers) but enabling it for karakeep fixes this bug for me!

kerem commented

Author

Owner

@Mladia commented on GitHub (Jun 6, 2025):

Adding the claims policy with email in the id_token fixed it for me.

Also fixed for me with Authentik.
In the Provider Menu for Karakeep:

@Mladia commented on GitHub (Jun 6, 2025): > Adding the claims policy with email in the id_token fixed it for me. Also fixed for me with Authentik. In the Provider Menu for Karakeep: ![Image](https://github.com/user-attachments/assets/0358e89c-9426-447c-b77a-e2fb4f65f5f3)

kerem commented

Author

Owner

@MohamedBassem commented on GitHub (Jul 26, 2025):

For search indexing purposes, the error message that indicates this problem got changed from "OAuth login failed: No profile" to "OAuth login failed: Provider didn't provide an email during signin".

There's a bunch of examples here on how to fix the problem ^

Will try to look into if next-auth can be fixed to avoid this problem altogether

@MohamedBassem commented on GitHub (Jul 26, 2025): For search indexing purposes, the error message that indicates this problem got changed from "OAuth login failed: No profile" to "OAuth login failed: Provider didn't provide an email during signin". There's a bunch of examples here on how to fix the problem ^ Will try to look into if next-auth can be fixed to avoid this problem altogether

kerem commented