authentik
404 errors for Flows on compose/development environment
Describe the bug
I have set up a development environment of authentik as described in the docs (https://docs.goauthentik.io/developer-docs/setup/full-dev-environment). After pulling the main branch and following the instructions, I get various 404 errors:
- http://localhost:9000/if/flow/initial-setup/ shows:
Page not found (404) No Flow matches the given query.
- http://localhost:9000/ redirects to http://localhost:9000/flows/-/default/authentication/?next=/ and also shows a 404 error:
Page not found (404)
Request Method: GET
Request URL: http://localhost:9000/flows/-/default/authentication/?next=/
raised by: authentik.flows.views.executor.ToDefaultFlow
To Reproduce
Steps to reproduce the behavior:
- Follow instructions on docs (https://docs.goauthentik.io/developer-docs/setup/full-dev-environment)
Expected behavior
The web interface should be shown correctly
Logs
ak_server_output.txt
docker_compose_output.txt
Version and Deployment:
- authentik version: full dev environment based on main branch (commit 8f7fe8e)
- Deployment: none; local dev env
Additional context
I was able to set up the dev environment some time ago (version 2024.4). I have deleted and cloned the repository, deleted and rerun docker compose and have tried make dev-reset.
I ran into this yesterday as well. I discussed with @BeryJu in Discord and we think there's a bug with how Authentik bootstraps the system & default Blueprints.
The local database records all issues with system tasks in the authentik_events_systemtask table, and I was able to pull out a few notable errors (attached below).
The most common error is [ErrorDetail(string='Invalid pk \"1476efb9-e3a0-4116-a0d6-f89167ab54a6\" - object does not exist.', code='does_not_exist') which points me to an issue during Importer.apply() 🤔
Unable to create akadmin
"event": "Entry invalid: Serializer errors {'groups': [ErrorDetail(string='Invalid pk \"79c2bb83-6b76-41a9-859d-51cd3012a24b\" - object does not exist.', code='does_not_exist')]}",
"logger": "authentik.blueprints.v1.importer",
"log_level": "warning",
"timestamp": "2024-07-13T19:11:22.726612",
"attributes": {
"entry": {
"id": "admin-user",
"attrs": {
"name": "authentik Default Admin",
"email": "<authentik.blueprints.v1.common.Context object at 0x1194f32c0>",
"groups": [
"<authentik.blueprints.v1.common.KeyOf object at 0x1194f0650>"
],
"password": "<authentik.blueprints.v1.common.Context object at 0x1194f0980>"
},
"model": "authentik_core.user",
"state": "created",
"_state": {
"instance": null
},
"conditions": [],
"identifiers": {
"username": "<authentik.blueprints.v1.common.Context object at 0x1194f2c60>"
}
},
"error": "Serializer errors {'groups': [ErrorDetail(string='Invalid pk \"79c2bb83-6b76-41a9-859d-51cd3012a24b\" - object does not exist.', code='does_not_exist')]}",
Unable to create system flows
This is one of the many blueprints that failed to import. Error below is for the default-out-of-box-experience flow
[
{
"event": "Initialised new serializer instance",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.099393",
"attributes": {
"slug": "initial-setup",
"model": {
"type": "Flow",
"module": "authentik.flows.models"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Invalidating Flow cache",
"logger": "authentik.flows.signals",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.107934",
"attributes": {
"len": 0,
"flow": {
"pk": "1a1a98cd8a314e25b59fac6a3c7e177b",
"app": "authentik_flows",
"name": "default-oobe-setup",
"model_name": "flow"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Updated model",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.108001",
"attributes": {
"model": {
"pk": "1a1a98cd8a314e25b59fac6a3c7e177b",
"app": "authentik_flows",
"name": "default-oobe-setup",
"model_name": "flow"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Initialised new serializer instance",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.110336",
"attributes": {
"name": "initial-setup-field-header",
"model": {
"type": "Prompt",
"module": "authentik.stages.prompt.models"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Updated model",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.115493",
"attributes": {
"model": {
"pk": "1476efb9e3a04116a0d6f89167ab54a6",
"app": "authentik_stages_prompt",
"name": "initial-setup-field-header",
"model_name": "prompt"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Initialised new serializer instance",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.117908",
"attributes": {
"name": "initial-setup-field-email",
"model": {
"type": "Prompt",
"module": "authentik.stages.prompt.models"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Updated model",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.123029",
"attributes": {
"model": {
"pk": "8d9cd0ecc72649b9a1019b9b1e8da82e",
"app": "authentik_stages_prompt",
"name": "initial-setup-field-email",
"model_name": "prompt"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Initialised new serializer instance",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.125445",
"attributes": {
"name": "initial-setup-field-password",
"model": {
"type": "Prompt",
"module": "authentik.stages.prompt.models"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Updated model",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.130967",
"attributes": {
"model": {
"pk": "492d862b8abd4b3180e221eb4cf457e8",
"app": "authentik_stages_prompt",
"name": "initial-setup-field-password",
"model_name": "prompt"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Initialised new serializer instance",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.133451",
"attributes": {
"name": "initial-setup-field-password-repeat",
"model": {
"type": "Prompt",
"module": "authentik.stages.prompt.models"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Updated model",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.138689",
"attributes": {
"model": {
"pk": "2c5adf3c689b485ab3628168856cc566",
"app": "authentik_stages_prompt",
"name": "initial-setup-field-password-repeat",
"model_name": "prompt"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Initialised new serializer instance",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.141379",
"attributes": {
"name": "default-oobe-prefill-user",
"model": {
"type": "ExpressionPolicy",
"module": "authentik.policies.expression.models"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Updated model",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.148309",
"attributes": {
"model": {
"pk": "672422946ded484581f599d7d328f3d4",
"app": "authentik_policies_expression",
"name": "default-oobe-prefill-user",
"model_name": "expressionpolicy"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Initialised new serializer instance",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.151157",
"attributes": {
"name": "default-oobe-password-usable",
"model": {
"type": "ExpressionPolicy",
"module": "authentik.policies.expression.models"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Updated model",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.158208",
"attributes": {
"model": {
"pk": "00719c772aff4d4194fb6fda5896abae",
"app": "authentik_policies_expression",
"name": "default-oobe-password-usable",
"model_name": "expressionpolicy"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Initialised new serializer instance",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.161074",
"attributes": {
"name": "default-oobe-flow-set-authentication",
"model": {
"type": "ExpressionPolicy",
"module": "authentik.policies.expression.models"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Updated model",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.168294",
"attributes": {
"model": {
"pk": "67b821b139f74eb9a68b3d13e612daa0",
"app": "authentik_policies_expression",
"name": "default-oobe-flow-set-authentication",
"model_name": "expressionpolicy"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Initialised new serializer instance",
"logger": "authentik.blueprints.v1.importer",
"log_level": "debug",
"timestamp": "2024-07-13T20:58:55.170853",
"attributes": {
"name": "stage-default-oobe-password",
"model": {
"type": "PromptStage",
"module": "authentik.stages.prompt.models"
},
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Entry invalid: Serializer errors {'fields': [ErrorDetail(string='Invalid pk \"1476efb9-e3a0-4116-a0d6-f89167ab54a6\" - object does not exist.', code='does_not_exist')]}",
"logger": "authentik.blueprints.v1.importer",
"log_level": "warning",
"timestamp": "2024-07-13T20:58:55.176598",
"attributes": {
"entry": {
"id": "stage-default-oobe-password",
"attrs": {
"fields": [
"<authentik.blueprints.v1.common.KeyOf object at 0x10bbf9730>",
"<authentik.blueprints.v1.common.KeyOf object at 0x10bbf99d0>",
"<authentik.blueprints.v1.common.KeyOf object at 0x10bbf9880>",
"<authentik.blueprints.v1.common.KeyOf object at 0x10bbf9a00>"
],
"validation_policies": []
},
"model": "authentik_stages_prompt.promptstage",
"state": "present",
"_state": {
"instance": null
},
"conditions": [],
"identifiers": {
"name": "stage-default-oobe-password"
}
},
"error": "Serializer errors {'fields': [ErrorDetail(string='Invalid pk \"1476efb9-e3a0-4116-a0d6-f89167ab54a6\" - object does not exist.', code='does_not_exist')]}",
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
},
{
"event": "Blueprint validation failed",
"logger": "authentik.blueprints.v1.importer",
"log_level": "warning",
"timestamp": "2024-07-13T20:58:55.176658",
"attributes": {
"task_id": "task-718938560d444a82beedb66a3f9f5cb7",
"domain_url": null,
"schema_name": "public"
}
}
]
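Added example, not part of the comment above or of authentik: a triage pass over an importer event log shaped like the one above. For every "Invalid pk" failure it reports whether an "Updated model" event earlier in the same log had already written that pk, which separates a lookup that missed a fresh write from a blueprint that references something never created. The sample events are constructed from fields shown above; `triage` and the all-zero pk are hypothetical.

```python
import re
import uuid

# Constructed sample (trimmed fields); load a real export with json.load().
SAMPLE_EVENTS = [
    {"event": "Updated model", "log_level": "debug",
     "timestamp": "2024-07-13T20:58:55.115493",
     "attributes": {"model": {"pk": "1476efb9e3a04116a0d6f89167ab54a6",
                              "name": "initial-setup-field-header",
                              "model_name": "prompt"}}},
    {"event": "Entry invalid: Serializer errors {'fields': [ErrorDetail("
              "string='Invalid pk \"1476efb9-e3a0-4116-a0d6-f89167ab54a6\" "
              "- object does not exist.', code='does_not_exist')]}",
     "log_level": "warning",
     "timestamp": "2024-07-13T20:58:55.176598",
     "attributes": {"entry": {"id": "stage-default-oobe-password"}}},
    # Constructed control case: a pk that no earlier event wrote.
    {"event": "Entry invalid: Serializer errors {'groups': [ErrorDetail("
              "string='Invalid pk \"00000000-0000-0000-0000-000000000001\" "
              "- object does not exist.', code='does_not_exist')]}",
     "log_level": "warning",
     "timestamp": "2024-07-13T20:58:55.200000",
     "attributes": {"entry": {"id": "constructed-entry"}}},
]

# Matches the pk inside the serializer error, with or without JSON escaping.
PK_RE = re.compile(r'Invalid pk \\?"([0-9a-fA-F-]{32,36})')


def normalise(pk):
    """The log prints pks both with and without hyphens; compare as hex."""
    return uuid.UUID(pk).hex


def triage(events):
    written = {}   # normalised pk -> object name from "Updated model"
    findings = []
    for ev in events:
        attrs = ev.get("attributes", {})
        model = attrs.get("model", {})
        if ev.get("event") == "Updated model" and "pk" in model:
            written[normalise(model["pk"])] = model.get("name")
        for raw in PK_RE.findall(ev.get("event", "")):
            pk = normalise(raw)
            findings.append({
                "entry": attrs.get("entry", {}).get("id"),
                "missing_pk": pk,
                "written_earlier": pk in written,
                "written_as": written.get(pk),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```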
I have this problem as well, and have tracked down the commit that introduced it using git bisect and a test case:
https://github.com/goauthentik/authentik/commit/a5467c6e1997e3d6bd4ee81748411cd4b870ce0e
We still haven't figured out why this particular commit caused it.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
this is still occurring for me, so still relevant
I'm not really sure what could cause this, especially since this happens in development setups (sometimes), but also on compose setups (sometimes).
In development setups the initial suspicion was related to the commit @kensternberg-authentik mentioned above, and that a request gets mis-routed and hence the validation kicks in, but in development both primary and replica are the exact same postgres instance.
We’re experiencing the same issue. As part of my work, I’m supposed to develop a feature that requires the authentik development environment. I followed the steps outlined in the documentation. After resolving a dependency issue, I was able to install everything according to the guide. I also connected directly to the database and observed that the relevant flows were not initialized, meaning, as previously suspected, that the bootstrapping doesn’t appear to be working correctly. I tried the whole process several times and always got the same result. When I start the server with ak server, everything appears to launch correctly, but I encounter the same 404 errors as others have mentioned above. Interestingly, this doesn’t happen with the docker-compose.yml in the main directory; it only occurs when I use the compose file found in the scripts folder.
Do you have any suggestions on how to handle this? Constantly rebuilding the container locally to develop doesn’t seem very efficient.
Applying blueprints manually might resolve that issue, but I'm not entirely sure. See ak apply_blueprint --help if you want to try it
Same here. Additionally, I can find only this error:
{
"error": "authentik starting",
"event": "failed to proxy to backend",
"level": "warning",
"logger": "authentik.router",
"timestamp": "2024-11-12T15:38:16Z"
}
this is my nginx config
map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    '' '';
}
server {
    listen 80;
    server_name auth.local;
    error_page 502 /502.html;
    location /502.html {
        root /opt/homebrew/etc/nginx/servers/html;
    }
    location / {
        proxy_pass http://localhost:4005;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade_keepalive;
    }
}
and docker compose
services:
  authentik-dev:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.1}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_REDIS__DB: 0
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: postgres
      AUTHENTIK_POSTGRESQL__NAME: auth
      AUTHENTIK_POSTGRESQL__PASSWORD: postgres_password
    volumes:
      - ./.docker-data/media:/media
      - ./.docker-data/custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    networks:
      - global
    extra_hosts:
      - "host.docker.internal:host-gateway"
  authentik-worker-dev:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.1}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_REDIS__DB: 0
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: postgres
      AUTHENTIK_POSTGRESQL__NAME: postgres
      AUTHENTIK_POSTGRESQL__PASSWORD: postgres_password
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./.docker-data/media:/media
      - ./.docker-data/certs:/certs
      - ./.docker-data/custom-templates:/templates
    env_file:
      - .env
    networks:
      - global
networks:
  global:
    name: global
    external: true
ak apply_blueprint --help
That did not help. But I fixed my issue. The reason why this happens...Don't really know. My blueprints/defaults files were overwritten and empty. What I did was resetting the main branch to remote, deleting all dev Docker Container I already had, deleted my poetry virtual env and started from the beginning to set up the dev env with the documentation. Now it works....don't ask me what went wrong.
We also ran into this problem: When configuring read replicas on a fresh setup with an empty database, we see 404 when accessing flows. (When we configure only a single DB all works well. If we then add read replicas to the configuration and restart authentik all is still well.)
Just a hunch: Could it be, that the FailoverRouter needs to implement the allow_migrate method?
Reading through the Django docs for "automatic database routing", and specifically the part on the allow_migrate, one could get the impression:
... This method can also be used to determine the availability of a model on a given database.
makemigrations always creates migrations for model changes, but if allow_migrate() returns False, any migration operations for the model_name will be silently skipped when running migrate on the db. Changing the behavior of allow_migrate() for models that already have migrations may result in broken foreign keys, extra tables, or missing tables. When makemigrations verifies the migration history, it skips databases where no app is allowed to migrate
Authentik's settings.py introduces multiple routers:
DATABASE_ROUTERS = (
    "authentik.tenants.db.FailoverRouter",
    "django_tenants.routers.TenantSyncRouter",
)
So, I don't know what semantics Django implements during migration: Will it try FailoverRouter first and because that does not implement allow_migrate it tries the next one? Or will the migration "be silently skipped" like hinted in the docs above?
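Added example, not from the comment above or from authentik's code: Django's router documentation states that a router may omit any routing method and is then skipped for that check, so a router without `allow_migrate` defers to the next entry in `DATABASE_ROUTERS`. The two router classes are hypothetical stand-ins (they do not reproduce `FailoverRouter` or `TenantSyncRouter`), the database aliases are assumed, and a fallback with the same resolution rule is used only when Django is not installed.

```python
try:
    from django.db.utils import ConnectionRouter  # Django's master router
except ImportError:
    class ConnectionRouter:
        """Stand-in used only without Django: routers lacking the method are
        skipped, the first non-None answer wins, the default is to allow."""

        def __init__(self, routers=None):
            self.routers = list(routers or [])

        def allow_migrate(self, db, app_label, **hints):
            for router in self.routers:
                method = getattr(router, "allow_migrate", None)
                if method is None:
                    continue  # router has no allow_migrate: try the next one
                allow = method(db, app_label, **hints)
                if allow is not None:
                    return allow
            return True


class ReadWriteOnlyRouter:
    """Hypothetical router in FailoverRouter's position: it routes reads and
    writes but defines no allow_migrate."""

    def db_for_read(self, model, **hints):
        return "replica"

    def db_for_write(self, model, **hints):
        return "default"


class MigrationOpinionRouter:
    """Hypothetical second router that does have an opinion on migrations."""

    def allow_migrate(self, db, app_label, model_name=None, **hints):
        if db == "replica":
            return False   # veto: operations on this alias are skipped
        return None        # no opinion: fall through to the default


def verdicts(routers):
    """Ask the router chain whether authentik_flows may migrate on each alias."""
    chain = ConnectionRouter(routers)
    return {db: chain.allow_migrate(db, "authentik_flows", model_name="flow")
            for db in ("default", "replica")}


if __name__ == "__main__":
    print(verdicts([ReadWriteOnlyRouter(), MigrationOpinionRouter()]))
    print(verdicts([ReadWriteOnlyRouter()]))
```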
It might help to make sure your reverse proxy stuff is set up correctly. In my case once I fixed my k8s nginx ingress config that issue went away. Maybe there's multiple things that could cause this. I don't know, but that fixed it for me. For anyone interested, these are my annotations for k8s ingress with nginx:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: authentik
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_http_version 1.1;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Upgrade "websocket";
      proxy_set_header Connection "Upgrade";