OS Name/Version: Debian 13
Product Name/Version: AMP 2.6.5 - 20260114.3
Problem Description:
I have been trying to add OIDC login to my AMP instance using my existing Authelia server (which works fine for all my other services) by following the guide made for Authentik but it’s giving me a lot of trouble. Whenever I try to go to AMP’s login page, I constantly get redirected back and forth repeatedly between my AMP and Authelia webpage in my browser.
Steps to reproduce:
- Configure Authelia for AMP:
  - client_id: 'amp-with-oidc-login'
    client_name: 'Amp'
    client_secret: '$pbkdf2-sha512$very_long_secret' # The digest of 'insecure_secret'.
    public: false
    require_pkce: false
    pkce_challenge_method: ''
    consent_mode: 'pre-configured'
    redirect_uris:
      - 'https://amp.domain.com'
    scopes:
      - 'openid'
      - 'profile'
      - 'email'
      - 'groups'
    response_types:
      - 'code'
    grant_types:
      - 'authorization_code'
    access_token_signed_response_alg: 'none'
    userinfo_signed_response_alg: 'none'
    token_endpoint_auth_method: 'client_secret_basic'
- Configure AMP to make use of Authelia (in the GUI, but here is the config file):
Login.UseOIDC=True
Login.OIDCProviderFriendlyName=authelia
Login.OIDCClientID=enc:encoded_id
Login.OIDCClientSecret=enc:very_long_encoded_secret
Login.OIDCAuthorizeScopes=["openid","profile","email","groups"]
Login.OIDCRedirectUri=https://amp.domain.com
Login.OIDCAuthorizeEndpoint=https://auth.domain.com/api/oidc/authorization
Login.OIDCValidationEndpoint=https://auth.domain.com/api/oidc/userinfo
Login.OIDCTokenEndpoint=https://auth.domain.com/api/oidc/token
Login.OIDCUserInfoEndpoint=https://auth.domain.com/api/oidc/userinfo
Login.OIDCLogoutEndpoint=https://auth.domain.com/logout
Login.OIDCRevokeEndpoint=https://auth.domain.com/api/oidc/revocation
Login.OIDCRoleNamePrefix=AMP_
Login.OIDCUsernameClaim=preferred_name
Login.OIDCNewUsersDisabledAtCreation=False
- Try to access AMP’s login page, only to be redirected again and again. Here is the error message I get in my Authelia logs:
  time="2026-01-25T16:22:23Z" level=error msg="Authorization Request failed with error: The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy." method=GET path=/api/oidc/authorization remote_ip=xxx.xxx.xxx.xxx
- Check what AMP sends to Authelia to understand what is going on:
  GET
  https://auth.domain.com/api/oidc/authorization?client_id=amp-with-oidc-login&response_type=code&scope=openid profile email groups&redirect_uri=https://amp.domain.com&state=&nonce=
It looks like AMP sends nothing for the “state” and “nonce”, which doesn’t make Authelia too happy. I am still trying to understand what is happening here.
Actions taken to resolve so far:
- Changing the ClientID
- Setting the “minimum_parameter_entropy: -1” parameter in Authelia which supposedly skips the state and nonce check but this doesn’t work (and it isn’t supposed to be disabled to begin with since it introduces security issues)
- Tried deleting some more settings from my Authelia client parameters
I’m at a complete loss, I don’t know what to try anymore. Help would be very much appreciated. I do not see what could be wrong with my configuration.
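
The check that Authelia reports in the log line above can be reproduced offline against a captured authorization request. The following is an added example, not part of the original post and not AMP or Authelia code; the function names are hypothetical, and applying the 8-character minimum from the log message to `nonce` as well as `state` is an assumption.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# 8 comes from the Authelia log line above; applying it to nonce too is an assumption.
MIN_CHARS = 8

def audit_authorization_request(url):
    """Return a list of problems found in an OIDC authorization request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    problems = []
    for name in ("client_id", "response_type", "redirect_uri", "scope"):
        if not query.get(name, [""])[0]:
            problems.append(f"{name}: missing or empty")
    scope = query.get("scope", [""])[0]
    if scope and "openid" not in scope.split():
        problems.append("scope: 'openid' not requested")
    for name in ("state", "nonce"):
        values = query.get(name)
        if values is None:
            problems.append(f"{name}: parameter absent")
        elif len(values) > 1:
            problems.append(f"{name}: sent more than once")
        elif len(values[0]) < MIN_CHARS:
            problems.append(f"{name}: {len(values[0])} characters, need at least {MIN_CHARS}")
    return problems

def build_authorization_request(endpoint, client_id, redirect_uri, scopes):
    """Build a request with fresh random state and nonce (hypothetical helper).

    The relying party has to keep both values in the user's session: state is
    compared on the callback, nonce against the claim in the ID token.
    """
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {"client_id": client_id, "response_type": "code",
              "scope": " ".join(scopes), "redirect_uri": redirect_uri,
              "state": state, "nonce": nonce}
    return f"{endpoint}?{urlencode(params)}", state, nonce

# The request quoted in the post, copied as-is (empty state and nonce).
OBSERVED = ("https://auth.domain.com/api/oidc/authorization?client_id=amp-with-oidc-login"
            "&response_type=code&scope=openid profile email groups"
            "&redirect_uri=https://amp.domain.com&state=&nonce=")

if __name__ == "__main__":
    for problem in audit_authorization_request(OBSERVED):
        print("observed:", problem)
    url, _, _ = build_authorization_request(
        "https://auth.domain.com/api/oidc/authorization", "amp-with-oidc-login",
        "https://amp.domain.com", ["openid", "profile", "email", "groups"])
    print("rebuilt:", audit_authorization_request(url) or "no problems")
```

Run against the request from the post, it flags only `state` and `nonce`; the other parameters in that request pass the check.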