
Misleading error around "Create recovery link" interaction

Open t3chguy opened this issue 8 months ago • 9 comments

Describe the bug

The error implies one thing but may be wholly wrong

https://github.com/goauthentik/authentik/blob/64f1b8207d63647a26b9912e96bffda43256623c/web/src/admin/users/UserListPage.ts#L65 is used for too many cases

To Reproduce

Steps to reproduce the behavior:

  1. Configure a recovery flow for the brand using https://docs.goauthentik.io/docs/add-secure-apps/flows-stages/flow/examples/flows#recovery-with-email-verification
  2. Try to generate a recovery link
  3. See error The current brand must have a recovery flow configured to use a recovery link

Expected behavior

An error stating "Recovery flow not applicable to user", which is only visible if you dig into the network response

Screenshots

If applicable, add screenshots to help explain your problem.

Logs

{"auth_via":"session","domain_url":"auth.domain","event":"/api/v3/core/users/27/recovery/","host":"auth.domain","level":"info","logger":"authentik.asgi","method":"POST","pid":59,"remote":"141.101.98.243","request_id":"6c21ea402d6348e6826b48c04d69143a","runtime":58,"schema_name":"public","scheme":"https","status":"400","timestamp":"2025-03-29T00:35:59.336159","user":"t3chguy","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"}

Version and Deployment (please complete the following information):

  • authentik version: 2025.2.3
  • Deployment: docker-compose

Additional context

The example flow at the link provided is set to Require no auth, which makes it not work for generating recovery links, thus leading to this confusing error.

t3chguy avatar Mar 29 '25 00:03 t3chguy

Yup, recovery links + email recovery link shows this error:

Image

Lipown avatar Apr 07 '25 08:04 Lipown

Can confirm. I ran into the same problem.

TheDuffman85 avatar Apr 09 '25 19:04 TheDuffman85

same here...

ragchuck avatar Apr 13 '25 07:04 ragchuck

It sounds to me as if you didn't set up the default recovery flow for the brand (as the error says). Please follow this: https://github.com/goauthentik/authentik/issues/8507#issuecomment-2094345749

chf0x avatar Apr 13 '25 10:04 chf0x

@chf0x The error message is also given when the default recovery flow for the brand is set up correctly and it's failing for a different reason. The example recovery flow requires a user not to be logged in. If you want to generate a recovery link you are obviously logged in. It fails and gives you the misleading error message "The current brand must have a recovery flow configured to use a recovery link".

TheDuffman85 avatar Apr 13 '25 20:04 TheDuffman85
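Added example, not part of the thread and not authentik's own code: one way a web client could show the server's 4xx reason (such as the "Recovery flow not applicable to user" text mentioned in the report) instead of one fixed message for every failed request. The function names, the fallback wording and the DRF-style response shapes are assumptions.

```javascript
// Added example: hypothetical helper, not authentik's UserListPage.ts code.
// Assumption: failed API calls return DRF-style JSON bodies such as
// {"non_field_errors": ["..."]}, {"detail": "..."} or ["..."].

const MAX_LEN = 200; // cap what is shown so a huge body cannot flood the UI

// Recursively collect the string leaves of a parsed error body.
function serverMessages(body) {
  if (typeof body === "string") return body.trim() ? [body.trim()] : [];
  if (Array.isArray(body)) return body.flatMap(serverMessages);
  if (body && typeof body === "object") {
    return Object.values(body).flatMap(serverMessages);
  }
  return [];
}

// Choose the text an admin sees after POST .../recovery/ fails.
function recoveryLinkError(status, rawBody) {
  const fallback = `Could not create recovery link (HTTP ${status})`;
  // 5xx bodies may carry internals (tracebacks); never echo them.
  if (status < 400 || status >= 500) return fallback;
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return fallback; // e.g. an HTML error page from a reverse proxy
  }
  const msgs = serverMessages(parsed);
  if (msgs.length === 0) return fallback;
  // Return plain text; the caller must render it as text, not HTML.
  return msgs.join("; ").slice(0, MAX_LEN);
}

// Constructed sample responses (not captured from a real deployment).
const samples = [
  [400, '{"non_field_errors": ["Recovery flow not applicable to user"]}'],
  [400, "<html><body>Bad Request</body></html>"],
  [500, '{"detail": "Traceback (most recent call last): ..."}'],
];
for (const [status, body] of samples) {
  console.log(status, "->", recoveryLinkError(status, body));
}
```
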

I've the same error since I've updated to the latest version: the brand has a recovery workflow configured and is the default brand... this is what is logged:

{"auth_via": "session", "domain_url": "login.foo.it", "event": "/api/v3/core/users/19/recovery/", "host": "login.foo.it", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 72743, "remote": "10.42.0.11", "request_id": "4d03cc98e2bc45a5995a18daee8db1c8", "runtime": 40, "schema_name": "public", "scheme": "https", "status": 400, "timestamp": "2025-04-14T19:49:19.852540", "user": "John Doe", "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:137.0) Gecko/20100101 Firefox/137.0"}

Unfortunately I don't know if this issue started happening with the upgrade to the latest version. Ah, another detail in my case is that the recovery works from the login panel for the same domain, just not from the admin interface.

azazel75 avatar Apr 14 '25 19:04 azazel75

In 2025.4.0 the error has changed to:

Image

TheDevMinerTV avatar May 13 '25 18:05 TheDevMinerTV

Right, thanks @TheDevMinerTV for posting this, it's the same for me.

azazel75 avatar May 13 '25 20:05 azazel75

> @chf0x The error message is also given when the default recovery flow for the brand is set up correctly and it's failing for a different reason. The example recovery flow requires a user not to be logged in. If you want to generate a recovery link you are obviously logged in. It fails and gives you the misleading error message "The current brand must have a recovery flow configured to use a recovery link".

Can confirm this is a workaround. Setting the default recovery flow from Require no authentication to No requirement resolves the error. But still, obviously, it's a bug.

EL-File4138 avatar Jun 15 '25 17:06 EL-File4138

Hello, same here, thank you @EL-File4138 for your help, much appreciated :)

mreho avatar Jul 01 '25 13:07 mreho

Adding to this - I have two separate deployments of authentik. Both running 2025.6.2. One deployment is showing this error when using the "Create Recovery Link" but the other is not. There are no differences to the configuration between these deployments as I use blueprints for configuration.

I have set the recovery flow authentication to "no requirement" and still receive an "Internal server error: An unexpected error occurred" error

psleep avatar Jul 02 '25 09:07 psleep

> There are no differences to the configuration between these deployments as I use blueprints for configuration.

Can you check this? The blueprints are merging, not replacing, so it might be that the blueprints were not applied exactly how you expected them to be.

ojsef39 avatar Jul 02 '25 16:07 ojsef39

It is actually affecting both instances. We have an enterprise licence so I have opened a ticket (312) with more details

psleep avatar Jul 02 '25 17:07 psleep

Not sure if this helps, but I just created a flow and everything worked after I set it up as the default recovery flow for the brand.

Update default flows: System → Brands → authentik-default → actions: edit → default flows → recovery flow: select previously created recovery flow.

tziuhtli avatar Aug 03 '25 08:08 tziuhtli