Authentik OIDC: [ERROR] failed to exchange token: oauth2: "invalid_grant"

[psyspy1]

Hello! I have been using your service for over a week now it's been working great! Today, I tried adding OIDC to filebrowser. Here's my filebrowser config.yaml:

auth:
  methods:
    password:
      enabled: false # set to false if you only want to allow OIDC
    oidc:
      enabled: true
      clientId: "blahblah"
      clientSecret: "blahblah2"
      issuerUrl: https://authentik.server.psyspy.com/application/o/filebrowser/ 
      scopes: "email openid profile"
      userIdentifier: "email"
      logoutRedirectUrl: https://authentik.server.psyspy/com/application/o/filebrowser/end-session/

I get the following error when try loading filebrowser:

{"status":500,"message":"failed to exchange token: oauth2: \"invalid_grant\" \"The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\""}

I am unable to figure out where the error is. I appreciate any help.

[gtsteffaniak]

Your FileBrowser config looks good. The error appears related to the redirect url that you configure on authentik "provider" for filebrowser callback. It should match your FileBrowser callback url.

Go to your provider in authentik and make sure the redirect url is exactly like here:

https://github.com/gtsteffaniak/filebrowser/wiki/Configuration-And-Examples#example-authelia-oidc-authentication

https://files.yourfilebrowserdomain.com/api/auth/oidc/callback

I'll update the example to wiki to be clearer for authentik.

[psyspy1]

Here's the redirect URL in the authentik provider settings:

https://filebrowser.nas.psyspy.com/api/auth/oidc/callback

When I visit https://filebrowser.nas.psyspy.com, it gets redirected to the following URL and I get the error above:

https://filebrowser.nas.psyspy.com/api/auth/oidc/callback?code=22199d674b4945268c8a40a5fb0cf160&state=j8usu2vwogeeh55v%3A

Authentik runs on my server domain, server.psyspy.com whereas filebrowser runs on my NAS domain nas.psyspy.com. Both servers are reachable.

[psyspy1]

Here's my authentik logs:

{"action":"authorize_application","auth_via":"session","client_ip":"192.168.100.112","context":{"authorized_application":{"app":"authentik_core","model_name":"application","name":"Filebrowser","pk":"blahblah"},"flow":"blah2","http_request":{"args":{"client_id":"myclientid","redirect_uri":"https://filebrowser.nas.psyspy.com/api/auth/oidc/callback","response_type":"code","scope":"email openid profile","state":"1svswg7hwmyszsp5:"},"method":"GET","path":"/application/o/authorize/","request_id":"someid","user_agent":"Mozilla"},"scopes":"profile openid email"},"domain_url":"authentik.server.psyspy.com","event":"Created Event","host":"authentik.server.psyspy.com","level":"info","logger":"authentik.events.models","pid":361709,"request_id":"someid","schema_name":"public","timestamp":"2025-06-07T05:13:11.937069","user":{"email":"psyspy@gmail.com","pk":9,"username":"psyspy"}}

{"auth_via":"session","domain_url":"authentik.server.psyspy.com","event":"Task published","host":"authentik.server.psyspy.com","level":"info","logger":"authentik.root.celery","pid":361709,"request_id":"someid","schema_name":"public","task_id":"taskid","task_name":"authentik.events.tasks.event_notification_handler","timestamp":"2025-06-07T05:13:11.982834"}

{"auth_via":"session","domain_url":"authentik.server.psyspy.com","event":"/application/o/authorize/?client_id=clientId&redirect_uri=https%3A%2F%2Ffilebrowser.nas.psyspy.com%2Fapi%2Fauth%2Foidc%2Fcallback&response_type=code&scope=email+openid+profile&state=1svswg7hwmyszsp5%3A","host":"authentik.server.psyspy.com","level":"info","logger":"authentik.asgi","method":"GET","pid":361709,"remote":"192.168.100.112","request_id":"someid","runtime":149,"schema_name":"public","scheme":"https","status":302,"timestamp":"2025-06-07T05:13:12.005145","user":"psyspy","user_agent":"Mozilla"}

{"auth_via":"oauth_client_secret","domain_url":"authentik.server.psyspy.com","event":"Missing authorization code","host":"authentik.server.psyspy.com","level":"warning","logger":"authentik.providers.oauth2.views.token","pid":361709,"request_id":"someid","schema_name":"public","timestamp":"2025-06-07T05:13:12.126333"}

{"auth_via":"oauth_client_secret","domain_url":"authentik.server.psyspy.com","event":"/application/o/token/","host":"authentik.server.psyspy.com","level":"info","logger":"authentik.asgi","method":"POST","pid":361709,"remote":"192.168.100.80","request_id":"someid","runtime":23,"schema_name":"public","scheme":"https","status":400,"timestamp":"2025-06-07T05:13:12.130669","user":"","user_agent":"Go-http-client/2.0"}

[gtsteffaniak]

I have authentik here I can configure just the same, so I am glad I can try to debug this in case something is missing.

Firstly, looks like I may have to update filebrowser redirect url's to support non-default base paths. Do you have something other than this or default in your config?

server:
  baseURL: "/"

I think that is missing support for non "/" base URLs.

Also, can you provide me with more config options. are you specifying anything special in your provider authentik setup?

Or anything configured for machine-to-machine authentication?

[psyspy1]

I appreciate your help! Here's my filebrowser config:

server:
  port: 9090
  database: "/mypool/docker/filebrowser/database.db"
  sources:
    - path: /mypool
auth:
  methods:
    password:
      enabled: false
    oidc:
      enabled: true
      clientId: "clientid"
      clientSecret: "clientSecret"
      issuerUrl: https://authentik.server.psyspy.com/application/o/filebrowser/ 
      scopes: "email openid profile"
      userIdentifier: "email"
      logoutRedirectUrl: https://authentik.server.psyspy.com/application/o/filebrowser/end-session/

Authentik URL: https://authentik.server.psyspy.com
Filebrowser URL: https://filebrowser.nas.psyspy.com

My Authentik filebrowser provider settings are identical to your screenshots.

[psyspy1]

I tried increasing the log level but couldn't find any useful debug messages. Please let me know if you need anything from me.

[gtsteffaniak]

no worries I will test and try replicating soon.

[gtsteffaniak]

yes this is indeed a regression... works in 0.7.6

[gtsteffaniak]

yep... find and replace issue I did... totally broke oidc in 0.7.7... releasing fix today.