Skip to content

🐛 OIDC Login Fails at Callback: "failed to fetch user info" #10677

Description

@Xyaren

LocalAI version:
Docker deployment, latest stable image

Environment, CPU architecture, OS, and Version:
Environment, CPU architecture, OS, and Version:
Linux server (Docker-based deployment behind HTTPS reverse proxy)
Browser: Firefox 152
Auth provider: Authentik (OIDC)

Describe the bug
OIDC login via Authentik succeeds until the callback stage, but fails at:
/api/auth/oidc/callback
with HTTP 500:

{"error":"failed to fetch user info"}

The authorization redirect and code issuance succeed, but LocalAI fails during OAuth callback processing.
IMPORTANT: No detailed error is logged explaining the actual cause.

To Reproduce
To Reproduce:

Given Authentik OIDC is setup.

  1. Open:
    https://localai.example.net/api/auth/oidc/login

  2. Authenticate via Authentik successfully

  3. Redirected to:
    https://localai.example.net/api/auth/oidc/callback?code=...&state=...

  4. Response:
    HTTP 500 {"error":"failed to fetch user info"}

Expected behavior
LocalAI should:

  • Exchange authorization code for access token
  • Retrieve user identity via /userinfo or ID token claims
  • Create authenticated session
  • Redirect user into application

Logs

INFO  HTTP request method="GET" path="/api/auth/oidc/login" status=307
DEBUG [WatchDog] Watchdog checks for busy connections
INFO  HTTP request method="GET" path="/api/auth/oidc/callback" status=500

Additional context
CRITICAL ISSUE: Missing Observability / Debug Logging

Authentication failures are completely opaque.

Missing:

  • token exchange errors
  • userinfo HTTP status + response body
  • OAuth library error details
  • network/TLS failures
  • identity provider error responses

Everything collapses into: failed to fetch user info This makes debugging impossible.

Suspected cause:

Likely one of:

  • OAuth token exchange failure (invalid_grant, PKCE mismatch, or client auth mismatch)
  • userinfo endpoint rejecting token (401/403)
  • unnecessary reliance on /userinfo when ID token already contains claims
  • insufficient error logging in OAuth callback handler

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions