Closed
Description
Version:
- listmonk: v4.0.1
- OS: Docker on Ubuntu 22.04
Description of the bug and steps to reproduce:
Hi there,
I tried to integrate v4.0.1 with our OIDC IdP: Authelia. Unfortunately, the login fails with the following error:
> The state is missing or does not have enough characters and is therefore considered too weak. Request parameter "state" must be at least be 8 characters long to ensure sufficient entropy.
In the Developer Tool's Network tab I can see the following choreography:
https://listmonk.<domain>/auth/oidc
https://sso.<domain>/api/oidc/authorization?client_id=listmonk&nonce=2xk25q4uKTY*****&redirect_uri=https%3A%2F%2Flistmonk.<domain>%2Fauth%2Foidc&response_type=code&scope=openid+profile+email&state=%2Fadmin
https://listmonk.<domain>/auth/oidc?error=invalid_state&error_description=The+state+is+missing+or+does+not+have+enough+characters+and+is+therefore+considered+too+weak.+Request+parameter+%27state%27+must+be+at+least+be+8+characters+long+to+ensure+sufficient+entropy.&iss=https%3A%2F%2Fsso.<domain>&state=%2Fadmin
Any ideas?
Thanks,
Thilo
Edit: Some googling later, it seems that seeding the state parameter with a secure random is considered a best-practice.
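The authorization request above carries the post-login path (`state=/admin`) as its `state` value, which is why the IdP rejects it: `state` is the relying party's CSRF protection for the callback, so it has to be unguessable and verified on return, not a predictable string. The following Go snippet is an added example written for this issue, not listmonk's or Authelia's own code; the `StateStore`, `Begin` and `Complete` names and the ten-minute TTL are assumptions. It keeps the "where to go after login" information the original request wanted, but stores it server-side under a random, single-use, expiring state, and only ever redirects to same-origin paths.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// stateBytes is the randomness per state value: 32 bytes (256 bits) is far
// above the 8-character minimum the IdP error message asks for.
const stateBytes = 32

// StateStore maps one-time random OIDC state values to the local path the
// user should land on after login. Keeping the path server-side lets the
// state itself stay unguessable instead of carrying "/admin" in the clear.
type StateStore struct {
	mu      sync.Mutex
	entries map[string]entry
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
}

type entry struct {
	next    string
	expires time.Time
}

// NewStateStore creates a store whose states expire after ttl (assumed value).
func NewStateStore(ttl time.Duration) *StateStore {
	return &StateStore{entries: make(map[string]entry), ttl: ttl, now: time.Now}
}

// newState returns a URL-safe, high-entropy state from crypto/rand.
func newState() (string, error) {
	b := make([]byte, stateBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// isSafeLocalPath accepts only same-origin paths, so a stored "next" value
// cannot turn the callback into an open redirect ("//evil.example", "/\\evil").
func isSafeLocalPath(p string) bool {
	return strings.HasPrefix(p, "/") &&
		!strings.HasPrefix(p, "//") &&
		!strings.HasPrefix(p, "/\\")
}

// Begin records where to send the user after login and returns the state to
// put in the authorization request. Unsafe paths fall back to "/".
func (s *StateStore) Begin(next string) (string, error) {
	if !isSafeLocalPath(next) {
		next = "/"
	}
	state, err := newState()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.purgeLocked()
	s.entries[state] = entry{next: next, expires: s.now().Add(s.ttl)}
	return state, nil
}

// Complete validates the state echoed back by the IdP on the callback. A
// state is accepted once only and only before it expires; the stored path is
// returned so the handler can redirect there.
func (s *StateStore) Complete(state string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[state]
	if !ok {
		return "", errors.New("unknown or already used state")
	}
	delete(s.entries, state) // single use, whether or not it is still valid
	if !s.now().Before(e.expires) {
		return "", errors.New("state expired")
	}
	return e.next, nil
}

// purgeLocked drops expired entries; caller must hold s.mu.
func (s *StateStore) purgeLocked() {
	now := s.now()
	for k, e := range s.entries {
		if !now.Before(e.expires) {
			delete(s.entries, k)
		}
	}
}

func main() {
	store := NewStateStore(10 * time.Minute)
	state, _ := store.Begin("/admin")
	fmt.Println("state sent to IdP:", state)
	next, err := store.Complete(state)
	fmt.Println("callback with valid state:", next, err)
	_, err = store.Complete(state)
	fmt.Println("replayed state rejected:", err)
}
```

In a real handler, `Begin` runs when the user hits `/auth/oidc` and its return value goes into the `state` query parameter; `Complete` runs on the callback and must reject the request (not just log it) when it returns an error, since that is the signal of a forged or replayed callback.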