
LDAP group changes have no impact on OIDC access level #9677

@sebastianhelbig

Version

v4.39.4

Deployment Method

Docker

Reverse Proxy

NGINX

Reverse Proxy Version

1.28.0

Description

  • OpenLDAP as authentication backend
  • Outline as OIDC client

Only users of a specific LDAP group should be able to access Outline. If the user is in the specific group, then the user can log in to Authelia and then to Outline. If the user is not in the specific group, the user can log in to Authelia, but not to Outline. This works as intended.

But: if the user is removed from the group, the user is still able to access Outline. After logging out of Outline, the user can even still log in again. Only if the user logs out of Authelia and then logs in again can the user no longer access Outline.

I can see that Authelia is refreshing the groups of the user (refresh_interval) in the log of OpenLDAP, and I see that OpenLDAP correctly returns that the user no longer belongs to that group (only to other groups), but Authelia does not seem to care.

I've found an older similar issue: #1638

Reproduction

  • Configure Outline as OIDC client requiring a specific group
  • Authenticate as group member
  • Remove user from group in OpenLDAP
  • Wait refresh_interval duration
  • Attempt Outline access without reauthentication

Expectations

When a user is removed from a group and the group is necessary for the OIDC client, then the user should not be able to use the OIDC client after Authelia has refreshed the LDAP information for that user.

Configuration (Authelia)

access_control:
  default_policy: 'deny'
  rules:
    - domain: '*.example.com'
      policy: 'one_factor'

authentication_backend:
  ldap:
    additional_groups_dn: 'ou=groups'
    additional_users_dn: 'ou=users'
    address: 'ldaps://ldap.example.com:636'
    attributes:
      display_name: 'cn'
      distinguished_name: 'cn'
      group_name: 'cn'
      mail: 'mail'
      member_of: 'memberOf'
      username: 'uid'
    base_dn: 'dc=example,dc=com'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
    group_search_mode: 'filter'
    implementation: 'custom'
    password: ''
    user: 'cn=search,dc=example,dc=com'
    users_filter: '(&({username_attribute}={input})(objectClass=inetOrgPerson))'
  refresh_interval: '5m'

identity_providers:
  oidc:
    authorization_policies:
      outline_washabich_de:
        default_policy: 'deny'
        rules:
          - policy: 'one_factor'
            subject: 'group:outline.example.com'
    clients:
      - authorization_policy: 'outline_washabich_de'
        client_id: ''
        client_name: 'outline.example.com'
        client_secret: ''
        consent_mode: 'pre-configured'
        pre_configured_consent_duration: '180d'
        public: false
        redirect_uris:
          - 'https://outline.example.com/auth/oidc.callback'
        scopes:
          - 'email'
          - 'openid'
          - 'profile'
        token_endpoint_auth_method: 'client_secret_post'
        userinfo_signed_response_alg: 'none'
    hmac_secret: ''
    jwks:
      - key: {{ secret "/etc/ssl/private/private.pem" | mindent 10 "|" | msquote }}
    lifespans:
      access_token: '24h'
      refresh_token: '30d'
      id_token: '24h'
      authorize_code: '1m'
      device_code: '10m'

identity_validation:
  reset_password:
    jwt_secret: ''

log:
  level: 'debug'

notifier:
  smtp:
    address: 'smtp://mail.example.com:587'
    sender: 'noreply@authelia.example.com'

server:
  address: 'tcp4://:80/'

session:
  cookies:
    - authelia_url: 'https://authelia.example.com'
      domain: 'example.com'
      name: 'authelia_session'
      same_site: 'lax'
  expiration: '30d'
  inactivity: '30d'
  redis:
    host: 'redis'
    port: '6379'
  remember_me: '180d'
  secret: ''

storage:
  encryption_key: ''
  mysql:
    address: 'tcp://db:3306'
    database: 'authelia'
    password: ''
    username: 'authelia'

totp:
  issuer: 'authelia.example.com'

Build Information

Last Tag: v4.39.4
State: tagged clean
Branch: v4.39.4
Commit: 3f173e1cd1acda592dcb4aa161f43823d6df1110
Build Number: 44639
Build OS: linux
Build Arch: amd64
Build Compiler: gc
Build Date: Sun, 25 May 2025 12:19:36 +1000
Extra:

Go:
    Version: go1.24.3 X:nosynchashtriemap
    Module Path: github.com/authelia/authelia/v4
    Executable Path: github.com/authelia/authelia/v4/cmd/authelia

Logs (Authelia)

time="2025-06-15T11:27:12+02:00" level=debug msg="Loaded Configuration Sources" files="[/config/configuration.yml]" filters="[template]"
time="2025-06-15T11:27:12+02:00" level=debug msg="Logging Initialized" fields.level=debug file= format= keep_stdout=false
time="2025-06-15T11:27:12+02:00" level=debug msg="Process user information" gid=0 name=root uid=0 username=root
time="2025-06-15T11:27:12+02:00" level=info msg="Authelia v4.39.4 is starting"
time="2025-06-15T11:27:12+02:00" level=info msg="Log severity set to debug"
time="2025-06-15T11:27:12+02:00" level=debug msg="Registering OpenID Connect 1.0 client with client id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' and policy 'outline_washabich_de'"
time="2025-06-15T11:27:12+02:00" level=info msg="Storage schema is being checked for updates"
time="2025-06-15T11:27:12+02:00" level=info msg="Storage schema is already up to date"
time="2025-06-15T11:27:12+02:00" level=debug msg="LDAP Supported OIDs. Control Types: 2.16.840.1.113730.3.4.18, 2.16.840.1.113730.3.4.2, 1.3.6.1.4.1.4203.1.10.1, 1.3.6.1.1.22, 1.2.840.113556.1.4.319, 1.2.826.0.1.3344810.2.3, 1.3.6.1.1.13.2, 1.3.6.1.1.13.1, 1.3.6.1.1.12. Extensions: 1.3.6.1.4.1.1466.20037, 1.3.6.1.4.1.4203.1.11.1, 1.3.6.1.4.1.4203.1.11.3, 1.3.6.1.1.8, 1.3.6.1.1.21.3, 1.3.6.1.1.21.1"
time="2025-06-15T11:27:12+02:00" level=debug msg="webauthn-metadata provider: startup check skipped as it is disabled"
time="2025-06-15T11:27:12+02:00" level=info msg="Startup complete"
time="2025-06-15T11:27:12+02:00" level=info msg="Listening for non-TLS connections on '0.0.0.0:80' path '/'" server=main service=server
time="2025-06-15T11:27:26+02:00" level=debug msg="Authorization Request with id '6b963f07-72ab-4006-873f-76338d082280' on client with id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' is being processed" method=GET path=/api/oidc/authorization remote_ip="2a01:599:802:ce8b:bcdf:9f2e:aa69:9621"
time="2025-06-15T11:27:26+02:00" level=debug msg="Authorization Request with id '6b963f07-72ab-4006-873f-76338d082280' on client with id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' using consent mode 'pre-configured' attempting to discover pre-configurations with signature of client id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' and subject 'd071a93a-6cab-4479-bb4c-9ac9aae9fefd' and scopes 'email openid profile'" method=GET path=/api/oidc/authorization remote_ip="2a01:599:802:ce8b:bcdf:9f2e:aa69:9621"
time="2025-06-15T11:27:26+02:00" level=debug msg="Authorization Request with id '6b963f07-72ab-4006-873f-76338d082280' on client with id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' using consent mode 'pre-configured' successfully looked up pre-configured consent with signature of client id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' and subject 'd071a93a-6cab-4479-bb4c-9ac9aae9fefd' and scopes 'email openid profile' with id '1'" audience="[]" claims= client_id=3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh method=GET path=/api/oidc/authorization remote_ip="2a01:599:802:ce8b:bcdf:9f2e:aa69:9621" scopes="[email openid profile]"
time="2025-06-15T11:27:26+02:00" level=debug msg="Authorization Request with id '6b963f07-72ab-4006-873f-76338d082280' on client with id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' is not being redirected for reauthentication" authenticated_at="2025-06-14 20:35:07 +0000 UTC" method=GET path=/api/oidc/authorization prompt= remote_ip="2a01:599:802:ce8b:bcdf:9f2e:aa69:9621" requested_at="2025-06-15 11:27:26 +0200 CEST"
time="2025-06-15T11:27:26+02:00" level=debug msg="Authorization Request with id '6b963f07-72ab-4006-873f-76338d082280' on client with id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip="2a01:599:802:ce8b:bcdf:9f2e:aa69:9621"
time="2025-06-15T11:27:26+02:00" level=debug msg="Access Request with id '6b963f07-72ab-4006-873f-76338d082280' on client with id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' is being processed" method=POST path=/api/oidc/token remote_ip=172.16.40.2
time="2025-06-15T11:27:26+02:00" level=debug msg="Access Request with id '6b963f07-72ab-4006-873f-76338d082280' on client with id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' has successfully been processed" method=POST path=/api/oidc/token remote_ip=172.16.40.2
time="2025-06-15T11:27:26+02:00" level=debug msg="User Info Request with id '98857610-d859-4e2f-9135-c96ad4719c1f' is being processed" method=GET path=/api/oidc/userinfo remote_ip=172.16.40.2
time="2025-06-15T11:27:26+02:00" level=debug msg="User Info Request with id '98857610-d859-4e2f-9135-c96ad4719c1f' on client with id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' is being returned unsigned as per the registered client configuration" method=GET path=/api/oidc/userinfo remote_ip=172.16.40.2
time="2025-06-15T11:27:26+02:00" level=debug msg="User Info Request with id '98857610-d859-4e2f-9135-c96ad4719c1f' on client with id '3ZXX_b_ggRwwahMufG2duXK8OZJ_OFNpnz_kJ9voaHRZLlekuIdnF6qqvjc4TSnAWTzW3PHh' was successfully processed" method=GET path=/api/oidc/userinfo remote_ip=172.16.40.2

Logs (Proxy / Application)

OpenLDAP log
The group count of 31 is correct (it excludes the group for Outline; otherwise it would be 32).

684e88f6.1b1b85f1 0x7f4cd08fa6c0 conn=18480 fd=14 ACCEPT from IP=172.16.40.2:36319 (IP=0.0.0.0:1636)
684e88f6.1b7004a5 0x7f4cd8ffe6c0 conn=18480 fd=14 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
684e88f6.1b722990 0x7f4cd13fc6c0 conn=18480 op=0 BIND dn="cn=search,dc=example,dc=com" method=128
684e88f6.1b7564c2 0x7f4cd13fc6c0 conn=18480 op=0 BIND dn="cn=search,dc=example,dc=com" mech=SIMPLE bind_ssf=0 ssf=256
684e88f6.1b76bd91 0x7f4cd13fc6c0 conn=18480 op=0 RESULT tag=97 err=0 qtime=0.000012 etime=0.000332 text=
684e88f6.1b7fb21b 0x7f4cd2dfe6c0 conn=18480 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(uid=sebastian.helbig)(objectClass=inetOrgPerson))"
684e88f6.1b80a3ab 0x7f4cd2dfe6c0 conn=18480 op=1 SRCH attr=uid mail cn memberOf
684e88f6.1b84870b 0x7f4cd2dfe6c0 conn=18480 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000024 etime=0.000381 nentries=1 text=
684e88f6.1b8ed7d6 0x7f4cc6dfe6c0 conn=18480 op=2 SRCH base="ou=groups,dc=example,dc=com" scope=2 deref=0 filter="(&(member=cn=sebastian helbig,ou=users,dc=example,dc=com)(objectClass=groupOfNames))"
684e88f6.1b8f6430 0x7f4cc6dfe6c0 conn=18480 op=2 SRCH attr=cn
684e88f6.1ba5915a 0x7f4cc6dfe6c0 conn=18480 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000019 etime=0.001539 nentries=31 text=
684e88f6.1bb05c1b 0x7f4cd08fa6c0 conn=18480 fd=14 closed (connection lost)

Documentation

No response

Generative AI

No

Pre-Submission Checklist

  • I agree to follow the Code of Conduct
  • This is a bug report and not a support request
  • I have read the security policy and this bug report is not a security issue or security related issue
  • I have either included the complete configuration file or I am sure it's unrelated to the configuration
  • I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant
  • I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide
  • I have checked for related proxy or application logs and included them if available
  • I have checked for related issues and checked the documentation
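To pin down the behaviour the Expectations section asks for, here is an added model of the check (not Authelia's code): it renders the users_filter and groups_filter templates from the configuration above, resolves the user's groups at request time, and evaluates the client's authorization_policy rules. The directory entries are constructed sample data and the function names are assumptions; passing a stale group snapshot into authorize() reproduces the reported symptom, while the default path gives the expected deny.

```python
# Added model of the report's authorization check, not Authelia's code.  Filter
# templates and the policy come from the issue's configuration; directory data
# below is constructed.
USERS_FILTER = "(&({username_attribute}={input})(objectClass=inetOrgPerson))"
GROUPS_FILTER = "(&(member={dn})(objectClass=groupOfNames))"

USER_DN = {"sebastian.helbig": "cn=sebastian helbig,ou=users,dc=example,dc=com"}
GROUP_MEMBERS = {  # group cn -> member DNs
    "outline.example.com": {USER_DN["sebastian.helbig"]},
    "staff": {USER_DN["sebastian.helbig"]},
}
OUTLINE_POLICY = {
    "default_policy": "deny",
    "rules": [{"policy": "one_factor", "subject": "group:outline.example.com"}],
}

def render_users_filter(username):
    """Substitution Authelia applies; username attribute is 'uid' per the config."""
    return USERS_FILTER.replace("{username_attribute}", "uid").replace("{input}", username)

def render_groups_filter(dn):
    return GROUPS_FILTER.replace("{dn}", dn)

def current_groups(dn):
    """The group search visible in the OpenLDAP log (op=2), against live data."""
    return sorted(g for g, members in GROUP_MEMBERS.items() if dn in members)

def evaluate_policy(policy, groups):
    """First rule whose 'group:' subject matches wins; otherwise default_policy."""
    for rule in policy["rules"]:
        kind, _, name = rule["subject"].partition(":")
        if kind == "group" and name in groups:
            return rule["policy"]
    return policy["default_policy"]

def authorize(username, session_groups=None):
    """Expected behaviour: resolve groups on every authorization request.
    Passing a stale session snapshot reproduces the reported symptom."""
    groups = session_groups if session_groups is not None else current_groups(USER_DN[username])
    return evaluate_policy(OUTLINE_POLICY, groups)

def remove_from_group(username, group):
    """The LDAP change from the reproduction steps."""
    GROUP_MEMBERS[group].discard(USER_DN[username])
```

The rendered filters match the two SRCH lines in the OpenLDAP log above, so the same model can be used to check what a live directory returns after the group change.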

Metadata


Assignees

No one assigned

Labels

  • area/ldap: LDAP related features/bugs
  • area/openid-connect: OpenID Connect 1.0 / OAuth 2.0 related features/bugs
  • priority/4/normal: Normal priority items
  • status/resolved: Issue is resolved either by user action or a fix
  • type/bug: Confirmed Bugs
