Hello, I've been banging my head trying to figure out why this isn't working but… I have setup vikunja and authelia, both behind a traefik reverse proxy.
When I navigate to vikunja I see the "login with authelia" button, which then takes me to authelia to grant access, but upon returning me to vikunja I get a `Could not authenticate against third party.`
In the logs for authelia I can see the following error:
> Access Request failed with error: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The 'redirect_uri' from this request does not match the one from the authorize request.
Enabling debug logs in traefik I came across these logs which look suspicious:
```
2022-08-04T21:31:50.412829249Z time="2022-08-04T21:31:50Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://vikunja.domain.com/\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-site\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}"
2022-08-04T21:31:50.412976126Z time="2022-08-04T21:31:50Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://vikunja.domain.com/\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-site\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}" ForwardURL="http://172.18.0.54:9091"
2022-08-04T21:31:50.437438581Z time="2022-08-04T21:31:50Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://vikunja.domain.com/\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-site\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}"
```
```
2022-08-04T21:31:55.922716034Z time="2022-08-04T21:31:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://authelia.domain.com/consent?consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}"
2022-08-04T21:31:55.922878055Z time="2022-08-04T21:31:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://authelia.domain.com/consent?consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}" ForwardURL="http://172.18.0.54:9091"
2022-08-04T21:31:55.995926907Z time="2022-08-04T21:31:55Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/api/oidc/authorization\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-GB,en;q=0.9,en-US;q=0.8\"],\"Cookie\":[\"authelia_session=session\"],\"Referer\":[\"https://authelia.domain.com/consent?consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\"],\"Sec-Ch-Ua\":[\"\\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Microsoft Edge\\\";v=\\\"103\\\", \\\"Chromium\\\";v=\\\"103\\\"\"],\"Sec-Ch-Ua-Mobile\":[\"?0\"],\"Sec-Ch-Ua-Platform\":[\"\\\"Windows\\\"\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"Sec-Fetch-User\":[\"?1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Edg/103.0.1264.77\"],\"X-Forwarded-Host\":[\"authelia.domain.com\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"aa1b32eff406\"],\"X-Real-Ip\":[\"192.168.1.44\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"authelia.domain.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"192.168.1.44:63507\",\"RequestURI\":\"/api/oidc/authorization?client_id=authelia_vikunja_client_id\\u0026consent_id=1fd165f4-f2fb-48c9-8654-1982fe0187e4\\u0026redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\",\"TLS\":null}"
```
In particular the 2 `redirect_uri` parameters:
```
redirect_uri=https://vikunja.domain.com/auth/openid/authelia\\u0026response_type=code\\u0026scope=openid%20email%20profile\\u0026state=wtsv0g07dqd\
redirect_uri=https%3A%2F%2Fvikunja.domain.com%2Fauth%2Fopenid%2Fauthelia\\u0026response_type=code\\u0026scope=openid+email+profile\\u0026state=wtsv0g07dqd\
```
The second (which I think is redirected within authelia) seems to be url encoded, could it be that when first making the request the url should be url encoded?