Login with OIDC redirects back to the login page.
I followed the "instructions" from https://www.youtube.com/watch?v=r6Ufh9ldF9M for authentik but after configuring it OIDC always redirects back to the login page. No error messages show.
Authentik server logs return a valid auth:
{"auth_via": "unauthenticated", "domain_url": "authentik.mydomain.lan", "event": "/application/o/booklore/.well-known/openid-configuration", "host": "authentik.mydomain.lans", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 46, "remote": "10.10.10.10", "request_id": "3241395e64f94982aef59e4378c7ba5d", "runtime": 201, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2025-06-23T13:18:21.915229", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "domain_url": "authentik.mydomain.lan", "event": "/application/o/booklore/jwks/", "host": "authentik.mydomain.lan", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 46, "remote": "10.10.10.10", "request_id": "e9cf473da2c84ae79b2748152fe5952f", "runtime": 193, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2025-06-23T13:18:22.130863", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36"}
Running in docker with image: booklore-app:latest
Authentik Version: 2025.6.2
I have the same issue when I go to the URL directly.
I noticed that in the video, it shows them accessing the site via the link in Authentik, which actually works for me if I access it that way. If I access the site directly via URL in the browser, it doesn't work.
EDIT:
I think I've figured it out.
If I log in as the local admin user (not OIDC), I don't have any issues. If I set up this local admin account with the same information as my OIDC user, then it'll be a redirect loop when trying to log in with OIDC.
If I log into Booklore via OIDC, using another Authentik user (one that doesn't exist as a local user in Booklore), and with auto-user provisioning, I have no issues.
In my case, I've modified the local Booklore admin user account to have a different user name, full name, and email address. This way I know that the local admin user does not exist in my Authentik user directory and won't cause any loops.
@Telmo @froststevefrost
I’ve pushed a potential fix here: adityachandelgit/BookLore/pkgs/container/booklore-app/449429172?tag=f10b9a8
Please give it a try and let me know if it resolves the issue or if you run into anything else.
@adityachandelgit I've just deployed it, seems that it is forcing OIDC now; I'm not given a choice for a local user login anymore. Also, instead of looping me back to the local user login screen, it just logs me out of Booklore and drops me back at the Authentik "You've logged out of booklore." screen.
The previous loop (after clicking local user login) was from: /oauth2-callback?code=<string> --> /oauth2-callback --> /dashboard --> /login
Now, it loops through all that still but now it drops me into the authentik logout screen: https://auth.<domain>/if/flow/default-provider-invalidation-flow/?id_token_hint=<super_long_string>&post_logout_redirect_uri=https%3A%2F%2Fdev-lore.<domain>%2Foauth2-callback&inspector=available
Authentik settings:
- launch url: https://dev-lore.<domain>
- client type: public
- redirect uris:
  - strict: https://dev-lore.<domain>/oauth2-callback
  - regex: https://dev-lore.<domain>/*
- selected scopes:
  - offline_access
  - openid
  - profile
- subject mode: based on user's hashed ID
- issuer url: https://auth.<domain>/application/o/dev-booklore/
- jwks url: https://auth.<domain>/application/o/dev-booklore/jwks/
I created a new stack, completely separate from my original one, and tested logging in within a private/incognito window in Firefox. Here's the docker compose file:
name: dev-booklore
services:
  main:
    image: ghcr.io/adityachandelgit/booklore-app:f10b9a8
    #image: ghcr.io/adityachandelgit/booklore-app:v0.30.0
    restart: unless-stopped
    networks:
      - proxy
      - backend
    volumes:
      - /containers/dev-booklore/main:/app/data
      - /media/books:/books
    environment:
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
      - DATABASE_URL=jdbc:mariadb://mariadb:3306/booklore # Only modify this if you're familiar with JDBC and your database setup
      - DATABASE_USERNAME=booklore # Must match MYSQL_USER defined in the mariadb container
      - DATABASE_PASSWORD=${DB_PASS} # Use a strong password; must match MYSQL_PASSWORD defined in the mariadb container
      - SWAGGER_ENABLED=false # Enable or disable Swagger UI (API docs). Set to 'true' to allow access; 'false' to block access (recommended for production).
      #- REMOTE_AUTH_ENABLED=true
      #- REMOTE_AUTH_CREATE_NEW_USERS=true
    depends_on:
      mariadb:
        condition: service_healthy
    labels:
      # WUD Tags
      - wud.tag.include=^v\d+\.\d+\.\d+$$
      - wud.link.template=https://github.com/adityachandelgit/BookLore/releases/tag/v$${major}.$${minor}.$${patch}
      # Traefik
      - traefik.enable=true
      # HTTP Routers
      - traefik.http.routers.dev-lore-rtr.entrypoints=https
      - traefik.http.routers.dev-lore-rtr.rule=Host(`dev-lore.${DOMAIN_NAME}`)
      # Middlewares
      - traefik.http.routers.dev-lore-rtr.middlewares=basic@file
      # HTTP Services
      - traefik.http.routers.dev-lore-rtr.service=dev-lore-svc
      - traefik.http.services.dev-lore-svc.loadbalancer.server.port=6060
  mariadb:
    image: lscr.io/linuxserver/mariadb:11.4.5
    restart: unless-stopped
    volumes:
      - /containers/dev-booklore/db/:/config
    networks:
      - backend
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASS} # Use a strong password for the database's root user, should be different from MYSQL_PASSWORD
      - MYSQL_DATABASE=booklore
      - MYSQL_USER=booklore # Must match DATABASE_USERNAME defined in the booklore container
      - MYSQL_PASSWORD=${DB_PASS} # Use a strong password; must match DATABASE_PASSWORD defined in the booklore container
    healthcheck:
      test: ["CMD", "mariadb-admin", "ping", "-h", "localhost"]
      interval: 5s
      timeout: 5s
      retries: 10
    labels:
      # WUD Tags
      - wud.tag.include=^\d+\.\d+\.\d+$$
networks:
  proxy:
    external: true
  backend:
    external: false
Fixed in: https://github.com/adityachandelgit/BookLore/releases/tag/v0.30.1
Still have some weird issue: I get the "Loading Booklore..." but I get a blank page afterwards and the URL is still https://booklore.<my-domain>/oauth2-callback. I've tried multiple browsers in both normal and incognito with the same result. Also, I am no longer able to log in with username/password; it always redirects me to Authentik for login.
There are no errors in the log file:
2025-06-30T07:08:19.183-04:00 INFO 1 --- [booklore-api] [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2025-06-30T07:08:19.184-04:00 INFO 1 --- [booklore-api] [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 1 ms
2025-06-30T07:09:11.602-04:00 INFO 1 --- [booklore-api] [MessageBroker-1] o.s.w.s.c.WebSocketMessageBrokerStats : WebSocketSession[1 current WS(1)-HttpStream(0)-HttpPoll(0), 1 total, 0 closed abnormally (0 connect failure, 0 send limit, 0 transport error)], stompSubProtocol[processed CONNECT(1)-CONNECTED(1)-DISCONNECT(0)], stompBrokerRelay[null], inboundChannel[pool size = 15, active threads = 0, queued tasks = 0, completed tasks = 15], outboundChannel[pool size = 1, active threads = 0, queued tasks = 0, completed tasks = 1], sockJsScheduler[pool size = 2, active threads = 1, queued tasks = 1, completed tasks = 0]
I tried with both tags latest and v0.30.1
authentik seems to be authorizing the app
Context
{
  "flow": "083864bf66c945dba858dfe6019505ec",
  "scopes": "offline_access openid email profile",
  "http_request": {
    "args": {
      "nonce": "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$",
      "scope": "openid profile email offline_access",
      "state": ""$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$",
      "client_id": "<CLIENT_ID>",
      "redirect_uri": "https://books.<MY_DOMAIN>/oauth2-callback",
      "response_type": "code",
      "code_challenge": "_R31fJMg1GIDtWNnvau1Sx60yGyWfX3lxV5lsGvg9N4",
      "code_challenge_method": "S256"
    },
    "path": "/application/o/authorize/",
    "method": "GET",
    "request_id": "34c682f5df234c1ab32489566cf01087",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0"
  },
  "authorized_application": {
    "pk": "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$",
    "app": "authentik_core",
    "name": "booklore",
    "model_name": "application"
  }
}
@Telmo same for me.
Is your local user email account in booklore the same as the OIDC user's email? If so, drop back a version to try changing the booklore user's email address and see if it loops still.
Thanks for the detailed report.
This typically happens when the preferred_username or email returned by Authentik doesn’t match any existing user in Booklore. Please verify the following:
- The preferred_username and email claims from Authentik match the username and email of a user in Booklore.
- If no match is found, Booklore can’t associate the session and will remain on a blank /oauth2-callback screen.
To help with situations like this, I’m releasing version 0.30.2, where the login page will always be shown if there’s an OIDC misconfiguration. This way, if OIDC login fails, you’ll still be able to log in with your local Booklore user and fix the OIDC settings directly from the UI, no lockout.
An update on this: I verified that the preferred_username and email claims for Authentik match my booklore user, so I am not sure that is the issue. However, after updating to booklore:latest I was logged in automatically with my user.
I then opened booklore in another browser and logged out, and now "Login with Authentik" loops back to the login page. There are no errors in the log, but there are authentication errors in the browser console.
I have OIDC working with PocketID, but I think there's an issue with refresh tokens. After reading for a while, I'll be prompted to login again. When that happens, I'm sent back to the PocketID web page, rather than the book I was reading.
I'm still experiencing the same issue even with last version. No idea what's wrong since I got no logs on container and Authentik give login as succeed.
EDIT: I solved it by changing Client Type from confidential to public in the Authentik provider.
Can confirm that @ale-saglia 's fix above works for Authentik setups. Same OIDC username and email in Authentik and Booklore's local user, leads to login loop unless client type is set to Public.
I have this issue with the provider set to public, whether using an existing user or a new one. In the browser console I see several warnings like 'OIDC token expired, please log in again.'
EDIT: There is an error in the docker logs, here's the traceback
booklore | 2025-08-27T19:25:47.593-04:00 ERROR 1 --- [booklore-api] [io-8080-exec-26] c.a.b.c.s.DualJwtAuthenticationFilter : Authentication error: OIDC JWT validation failed
booklore |
booklore | com.adityachandel.booklore.exception.APIException: OIDC JWT validation failed
booklore | at com.adityachandel.booklore.exception.ApiError.createException(ApiError.java:66) ~[!/:0.0.1-SNAPSHOT]
booklore | at com.adityachandel.booklore.config.security.DualJwtAuthenticationFilter.authenticateOidcUser(DualJwtAuthenticationFilter.java:149) ~[!/:0.0.1-SNAPSHOT]
booklore | at com.adityachandel.booklore.config.security.DualJwtAuthenticationFilter.doFilterInternal(DualJwtAuthenticationFilter.java:77) ~[!/:0.0.1-SNAPSHOT]
I have been having the same issue as EldritchGarden: with Authentik OIDC provider configured for client type of Public, I keep getting logged out after a short time (less than the 30 day refresh token validity I set in the Authentik provider, but maybe longer than the 5 minute access token validity, but I haven't measured).
The login page shows the message "Authentik authentication has been automatically disabled after 3 consecutive failures (including timeouts). You can retry or continue with local login." My docker logs also show "OIDC token is expired or missing exp claim" and "APIException: OIDC JWT validation failed".
The login page also shows a "Retry OIDC" button and a "Re-enable OIDC authentication" (or similar) link, but clicking on either usually just ends up reloading the login page that then shows a "Login with Authentik" button, and then clicking on that button works to login.
I checked and this is still an issue with version 1.0.0
I had the same issue in 1.1.0 and changed my access [code|token] validity to 8 hours in Authentik ... one of the two seems to have done the trick for me, not sure which.
That didn’t fix the redirect to login issue for me, but thanks for sharing!
I have also tried messing with the validity time and timezone settings to no avail
@adityachandelgit any update on the redirecting to login issue that’s persisting for several of us using Authentik??
I fixed it for myself: I was using my wildcard cert to sign requests for the provider which is an EC cert. Using the self-signed authentik certificate which is an RSA cert instead worked and Authentik users can log in properly now.
@EldritchGarden good to hear that. In my case, I'm already using that cert, so it made no difference. However, I have seen inconsistency whereby sometimes the login redirect issue doesn't happen.
When I tested adding OIDC in a different application, the same issue occurred when the cookie size was too large. Maybe that might be involved? Either way, I’d love if this could be investigated more as it’s still happening on my end.
I'm having this same login with OIDC -> loop back to login page issue. When I swapped the signing cert to the self-signed authentik cert it stopped doing the loop but took me to a dash with nothing on it and blank user info.
Even though I have user provisioning enabled
Not sure this is the cause, but it impacted me initially:
If the admin account has the same email address as the user that is attempting to sign in via OIDC it will redirect to the login page. This is because the app can't create the new user as a user with that email address already exists.
I didn't see any error messages showing that, but as soon as I edited the admin account to use an email that differed from OIDC it worked without issues.
I was also experiencing the redirection loop to the login page, which eventually led to the blank user profile problem after some configuration changes.
Upon reviewing the configuration of the authentik provider used for booklore, I identified that the self-signed certificate configured as the signing key had expired. After generating a new one and updating the provider to use it as the new signing key, authentication started working as expected. No encryption key is used.
Maybe this helps.
Unfortunately, neither of those seemed to apply in my case; I tried logging in with a user with a different email than the admin account and got the blank user, and my self-signed key doesn't expire until 2026.
Testing again today, it looks like OIDC seems to be fully working, including auto-provisioning, though! Not sure what changed.
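A triage helper for the token-side causes reported in this thread (an EC-signed token, an expired or missing `exp`, absent `preferred_username`/`email` claims), added here as an example and not taken from Booklore or Authentik. The accepted-algorithm list, the key IDs and the sample tokens are constructed assumptions; the script only decodes the token and does not verify its signature.

```python
import base64
import json
import time

# JWS "alg" prefix -> JWK "kty" that the signing key must have (RFC 7518).
ALG_TO_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC"}


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def triage_token(token, jwks, now=None, accepted_algs=("RS256",),
                 required_claims=("preferred_username", "email")):
    """Return a list of findings for a JWT; an empty list means none.

    Structure is inspected only. The signature is NOT verified, so the
    result must never be used to make an authentication decision.
    accepted_algs is an assumption about the relying party, not a
    documented Booklore setting.
    """
    now = time.time() if now is None else now
    try:
        header_seg, payload_seg, _signature = token.split(".")
        header = b64url_json(header_seg)
        claims = b64url_json(payload_seg)
    except ValueError:  # wrong part count, bad base64, or bad JSON
        return ["malformed: not a three-part compact JWS"]

    findings = []
    alg = header.get("alg", "")
    if alg not in accepted_algs:
        findings.append(f"alg {alg!r} not in accepted set {sorted(accepted_algs)}")

    # Find the JWKS key the token points at and check its type fits the alg.
    kid = header.get("kid")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if key is None:
        findings.append(f"kid {kid!r} not present in JWKS")
    elif ALG_TO_KTY.get(alg[:2]) != key.get("kty"):
        findings.append(f"alg {alg!r} does not fit JWKS key type {key.get('kty')!r}")

    # The server log in the thread reads "expired or missing exp claim".
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        findings.append("exp claim missing")
    elif exp <= now:
        findings.append(f"expired {int(now - exp)}s ago")

    # Claims the maintainer says are used to match the local user.
    for name in required_claims:
        if not claims.get(name):
            findings.append(f"claim {name!r} missing or empty")
    return findings


def sample_token(header, claims):
    """Build a constructed token with a dummy signature, for the demo only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"


# Constructed sample data: key IDs, user and timestamps are made up.
NOW = 1_756_000_000
SAMPLE_JWKS = {"keys": [{"kid": "rsa-key", "kty": "RSA"},
                        {"kid": "ec-key", "kty": "EC"}]}
USER = {"preferred_username": "reader", "email": "reader@example.test"}

EC_SIGNED = sample_token({"alg": "ES256", "kid": "ec-key"},
                         {**USER, "exp": NOW + 300})
EXPIRED = sample_token({"alg": "RS256", "kid": "rsa-key"},
                       {**USER, "exp": NOW - 120})
NO_EXP_NO_EMAIL = sample_token({"alg": "RS256", "kid": "rsa-key"},
                               {"preferred_username": "reader"})
HEALTHY = sample_token({"alg": "RS256", "kid": "rsa-key"},
                       {**USER, "exp": NOW + 300})

if __name__ == "__main__":
    for label, tok in [("EC-signed", EC_SIGNED), ("expired", EXPIRED),
                       ("no exp/email", NO_EXP_NO_EMAIL), ("healthy", HEALTHY)]:
        print(f"{label}: {triage_token(tok, SAMPLE_JWKS, now=NOW) or 'no findings'}")
```

To use it on a real setup, replace the samples with the token from the failing request and the JSON served at the provider's jwks URL.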