
Problem: OIDC client_secret_file variable results in malformed requests #3122

Open
@tim-connect

Description


Issue

Using client_secret_file instead of client_secret results in a malformed request that cannot complete.

Impact

Web-Backend (APIs)

Installation method

Docker

Database

No response

Browser

No response

Semaphore Version

semaphore:latest v2.15.0-1e13324-1749881668

Ansible Version

Logs & errors

time="2025-07-02T08:41:35Z" level=debug msg="Authorization Request with id '6f195a18-7f05-48e4-96db-57c2144107a7' on client with id 'semaphore' using consent mode 'explicit' is being redirected to 'https://auth.[HIDDEN].com/consent/openid/decision?flow=openid_connect&flow_id=ff8806c3-c60f-485b-a5b4-88e3c0b31427'" method=GET path=/api/oidc/authorization remote_ip=192.168.50.200
time="2025-07-02T08:41:38Z" level=debug msg="Authorization Request with id 'c2469dd9-b75b-482d-8a5e-fd9cd37f1612' on client with id 'semaphore' is being processed" method=GET path=/api/oidc/authorization remote_ip=192.168.50.200
time="2025-07-02T08:41:39Z" level=debug msg="Authorization Request with id 'c2469dd9-b75b-482d-8a5e-fd9cd37f1612' on client with id 'semaphore' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=192.168.50.200
time="2025-07-02T08:41:39Z" level=error msg="Access Request failed with error: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials in the HTTP authorization header could not be parsed. Either the scheme was missing, the scheme was invalid, or the value had malformed data. The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client secret in the HTTP request had an invalid character." method=POST path=/api/oidc/token remote_ip=172.19.0.1 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oauth2_token.go:25 OAuth2TokenPOST\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:114 RegisterOpenIDConnectRoutes.NewHTTPToAutheliaHandlerAdaptor.func17\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:66 RegisterOpenIDConnectRoutes.(*BridgeBuilder).Build.func2.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:105 SecurityHeadersNoStore.func1\ngithub.com/valyala/[email protected]/server.go:773 (*RequestCtx).UserValue\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:30 SecurityHeadersBase.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216 RegisterOpenIDConnectRoutes.(*CORSPolicy).Middleware.func18\ngithub.com/fasthttp/[email protected]/router.go:441 (*Router).Handler\ngithub.com/authelia/authelia/v4/internal/middlewares/log_request.go:14 handlerMain.LogRequest.func31\ngithub.com/authelia/authelia/v4/internal/middlewares/errors.go:38 RecoverPanic.func1\ngithub.com/valyala/[email protected]/server.go:2455 (*Server).serveConn\ngithub.com/valyala/[email protected]/workerpool.go:225 (*workerPool).workerFunc\ngithub.com/valyala/[email protected]/workerpool.go:197 (*workerPool).getCh.func1\nruntime/asm_amd64.s:1700 goexit"

Manual installation - system information

No response

Configuration

  semaphore:
    image: semaphoreui/semaphore:latest
    ports:
      - "192.168.50.4:9999:3000"
    environment:
      - SEMAPHORE_DB_DIALECT=bolt
      - SEMAPHORE_ADMIN=admin
      - SEMAPHORE_ADMIN_PASSWORD_FILE=/live_secrets/admin_password
      - SEMAPHORE_ADMIN_NAME=Admin
      - SEMAPHORE_ADMIN_EMAIL=admin@[HIDDEN].com
      - SEMAPHORE_ACCESS_KEY_ENCRYPTION=gs72mPntFATGJs9qK0pQ0rKtfidlexiMjYCH9gWKhTU=
      - SEMAPHORE_TLS_ENABLED=false
      # "client_secret_file": "/live_secrets/oidc_password",
      - 'SEMAPHORE_OIDC_PROVIDERS={
        "authelia":
          {
            "display_name":"Authelia",
            "provider_url":"https://auth.[HIDDEN].com",
            "client_id":"semaphore",
            "client_secret_file": "/live_secrets/oidc_password",
            "redirect_url":"https://mgmt.[HIDDEN].com/api/auth/oidc/authelia/redirect",
            "scopes":["openid","profile","email"],
            "username_claim":"preferred_username",
            "email_claim":"email",
            "name_claim":"name",
            "order":1
          }
        }'
      - TZ=SAST-2
    volumes:
      - /run/live_secrets/semaphore:/live_secrets
    profiles: ["all", "ansible", "debug"]
    networks:
      - auth_internal
    logging:
      driver: "fluentd"
      options:
        fluentd-address: 192.168.90.4:24224
        tag: 'semaphore'
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 20s


The error is not triggered if I use client_secret instead.

Additional information

No response
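The Authelia log above rejects the token request because "The client secret in the HTTP request had an invalid character", and the same secret passed inline via client_secret works. One explanation consistent with that, stated here as an assumption and not confirmed by the issue, is that the file at /live_secrets/oidc_password ends in a newline (anything written with `echo` does) and the file content is used verbatim, so the newline travels into the HTTP Basic credentials. The Go program below is an added example, not code from Semaphore or Authelia: it models both sides of client_secret_basic as RFC 6749 section 2.3.1 and Appendix A describe (form-urlencode id and secret, base64 the pair; the server unescapes and accepts only printable ASCII), and shows that the same secret file is rejected when read as-is and accepted when trailing CR/LF is trimmed. The client id "semaphore" and the secret value are constructed sample input; readSecret, basicClientAuth, parseBasicClientAuth and checkSecretFile are hypothetical names.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// Hypothetical helpers for this example; not Semaphore's or Authelia's code.

var errInvalidChar = errors.New("client credential contains a byte outside VSCHAR (%x20-7E)")

// readSecret returns the file content. With trim=false a file written by
// `echo secret > file` keeps its trailing "\n" as part of the secret; with
// trim=true only trailing CR/LF is removed (not all whitespace), so a secret
// that legitimately ends in a space survives.
func readSecret(path string, trim bool) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	if trim {
		return strings.TrimRight(string(b), "\r\n"), nil
	}
	return string(b), nil
}

// basicClientAuth builds a client_secret_basic Authorization value the way
// RFC 6749 section 2.3.1 describes: form-urlencode id and secret, join with
// ":", base64 the result. A newline in the secret becomes "%0A" here.
func basicClientAuth(clientID, clientSecret string) string {
	cred := url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(cred))
}

// isVSCHAR reports whether every byte is printable ASCII, the only
// characters RFC 6749 Appendix A allows in client_id and client_secret.
func isVSCHAR(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] > 0x7E {
			return false
		}
	}
	return true
}

// parseBasicClientAuth is the server side: check the scheme, base64-decode,
// split on the first ":", unescape, then reject credentials that carry
// control or non-ASCII bytes (the decoded "\n" fails here).
func parseBasicClientAuth(header string) (id, secret string, err error) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", errors.New("missing or invalid scheme")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return "", "", fmt.Errorf("malformed base64: %w", err)
	}
	escID, escSecret, ok := strings.Cut(string(raw), ":")
	if !ok {
		return "", "", errors.New("credentials lack the ':' separator")
	}
	if id, err = url.QueryUnescape(escID); err != nil {
		return "", "", err
	}
	if secret, err = url.QueryUnescape(escSecret); err != nil {
		return "", "", err
	}
	if !isVSCHAR(id) || !isVSCHAR(secret) {
		return "", "", errInvalidChar
	}
	return id, secret, nil
}

// checkSecretFile pushes the same secret file through the client and server
// model twice, verbatim and trimmed, and returns the server verdict for each.
func checkSecretFile(path string) (rawErr, trimmedErr error) {
	for _, trim := range []bool{false, true} {
		secret, err := readSecret(path, trim)
		if err == nil {
			_, _, err = parseBasicClientAuth(basicClientAuth("semaphore", secret))
		}
		if trim {
			trimmedErr = err
		} else {
			rawErr = err
		}
	}
	return rawErr, trimmedErr
}

// writeTempSecret writes a constructed secret file and returns its path.
func writeTempSecret(content string) (string, error) {
	dir, err := os.MkdirTemp("", "oidc-secret")
	if err != nil {
		return "", err
	}
	p := filepath.Join(dir, "oidc_password")
	return p, os.WriteFile(p, []byte(content), 0o600)
}

func main() {
	path, err := writeTempSecret("s3cret-value\n") // constructed sample; note the newline
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(filepath.Dir(path))
	rawErr, trimmedErr := checkSecretFile(path)
	fmt.Println("file used verbatim:      ", rawErr)
	fmt.Println("trailing newline trimmed:", trimmedErr)
}
```

To test the assumption on a real deployment, dump the last bytes of the mounted file (for example with `od -c /run/live_secrets/semaphore/oidc_password | tail -n 2`) and look for a trailing `\n`; writing the file with `printf '%s' "$SECRET"` instead of `echo` removes it, which is a reasonable workaround while the file-reading side is clarified.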
