
[Bug]: "Authentik Forward Authentication Middleware" documentation does not work

Open StellarRounin opened this issue 9 months ago • 11 comments

Error Message and Logs

When trying to add an auth page for my service (https://silverbullet.md/) I found out that Coolify had documentation telling you how to do it using Authentik... following the steps didn't work at all.

After some researching I did not find ANY tutorial on how to do this... with the exception of this post.

But again, it didn't work... the most that I could do in order to make it work was reaching this page when trying to access my domain...

Steps to Reproduce

  1. Follow this tutorial except for the part where you need to change the port because this is already solved.
  2. In this part of the tutorial be sure that the name of the AUTHENTIK_SERVER_HOST starts with authentik-server-XXXXXXXXX…:9000/outpost.goauthentik.io/auth/traefik
  3. In the final part of the tutorial, if you create your service with an empty docker compose file just add the following label at the same level as the docker image:
     labels:
       - traefik.http.middlewares.authentik-auth@file

Example:

services:
  privatebin:
    image: privatebin/nginx-fpm-alpine
    environment:
      - SERVICE_FQDN_PRIVATEBIN_8080
    volumes:
      - 'privatebin_data:/srv/data'
    healthcheck:
      test:
        - CMD-SHELL
        - 'wget -qO- http://127.0.0.1:8080/'
      interval: 5s
      timeout: 20s
      retries: 10
    labels:
      - traefik.http.middlewares.authentik-auth@file
  4. Restart / Redeploy your service and enter again

Example Repository URL

No response

Coolify Version

v4.0.0-beta.404

Are you using Coolify Cloud?

No (self-hosted)

Operating System and Version (self-hosted)

Debian GNU/Linux 11 (bullseye)

Additional Information

No response

StellarRounin avatar Apr 05 '25 22:04 StellarRounin

Hi @StellarRounin, did you assign the authentication provider to the outpost?

In Authentik Applications --> Outposts --> (authentik Embedded) Outpost --> Edit... Add Provider e.g MyProxy Provider

Datenschmutz avatar Apr 07 '25 12:04 Datenschmutz

Hi @StellarRounin, did you assign the authentication provider to the outpost?

In Authentik Applications --> Outposts --> (authentik Embedded) Outpost --> Edit... Add Provider e.g MyProxy Provider

@Datenschmutz Thanks for the response, yep, someone on Reddit also told me this but I already did it… https://www.reddit.com/r/coolify/comments/1g5bz2t/comment/mlqufni/?context=3

StellarRounin avatar Apr 07 '25 12:04 StellarRounin

@StellarRounin Hm ok...

On reddit you mention

I have set up the forwardAuth address to https://my-domain.com/outpost.goauthentik.io/auth/service. I noticed in many docs that the port :9000 is usually added; however, when I add it I don't even get the Not Found page.

I think that is your error. Your dynamic configuration should look like this (address http://your-docker-container-name......)

http:
  middlewares:
    authentik-auth:
      forwardAuth:
        address: 'http://authentik-server-kg8xyxyxyxyxyxyxyxyxyxyyx0:9000/outpost.goauthentik.io/auth/traefik'
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-entitlements
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

If that doesn't help please look at my Private Message on reddit.

Datenschmutz avatar Apr 07 '25 18:04 Datenschmutz

@Datenschmutz I have this in my dynamic proxy:


http:
  middlewares:
    authentik-auth:
      forwardAuth:
        address: 'http://authentik-server-xyzxyzxyzxyzxyzxyzxyzxyz:9000/outpost.goauthentik.io/auth/traefik'
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-entitlements
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

StellarRounin avatar Apr 07 '25 20:04 StellarRounin

I'm having the same issue. Followed the guide in the coolify docs but the best I can get is a completely blank page.

Splarkszter avatar Apr 14 '25 04:04 Splarkszter

Hello Hello, do you have authentik working on your coolify instance nowadays? With the default that it has when you select it from the templates?

Like the full integration, it being authentik hosted on your domain, configuring the application + provider + outpost and finally securing a service with the traefik middleware? 🤔

(I tried so hard, but in the end...)

nicanordlc avatar Jun 25 '25 05:06 nicanordlc

How to make it work when Authentik is installed on different server?

mikran avatar Aug 01 '25 08:08 mikran

I have Coolify+Authentik working in the following env: Cloudflare -> homelab_ip -> NPM -> Coolify

Outpost

  • Name: coolify
  • Type: Proxy
  • Integration: Local Docker connection
  • Applications: add the SSO app
  • Advanced Settings:
    log_level: info
    docker_labels: null
    authentik_host: https://auth.domain.wtf/
    docker_network: coolify
    container_image: null
    docker_map_ports: false
    refresh_interval: minutes=5
    authentik_host_browser: https://auth.domain.wtf/
    object_naming_template: ak-outpost-%(name)s
    authentik_host_insecure: true
    

Coolify Proxy Dynamic Config

http:
  middlewares:
    authentik:
      forwardAuth:
        # outpost as per docs https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_traefik/
        address: 'http://ak-outpost-coolify:9000/outpost.goauthentik.io/auth/traefik'
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-entitlements
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
  routers:
    ak-outpost-callback:
      rule: 'Host(`auth.domain.wtf`) && PathPrefix(`/outpost.goauthentik.io/`)'
      service: ak-outpost-svc
  services:
    ak-outpost-svc:
      loadBalancer:
        servers:
          - url: 'http://ak-outpost-coolify:9000/outpost.goauthentik.io/'

App Docker Compose

labels:
  - traefik.http.middlewares.authentik@file

alexgorbatchev avatar Sep 16 '25 00:09 alexgorbatchev

@alexgorbatchev's solution worked for me. I was also getting the white "Not Found" page following the forward authentication docs.

mattjennings avatar Sep 22 '25 03:09 mattjennings

Thank you alexgorbatchev.

Your solution also worked for me.

bpd

bpaldan avatar Oct 09 '25 11:10 bpaldan

Had exactly the same issue. Initially, removing all Authentik applications and providers and recreating them solved it*.

*Update 1: After adding a second service using the authentik-auth middleware, the problem returned. This time, recreating the application and provider didn’t help. However, removing the provider from the outposts, adding it again, and refreshing the Authentik management UI resolved it. Some cache invalidation may be involved.

**Update 2: After reading the documentation more closely, I discovered the root cause: I was missing the outpost and incorrectly using the authentik-server host in the forwardAuth address. When using a Proxy Provider, you must configure an outpost— the embedded Authentik outpost is not sufficient.

Create Outpost:

  • Name: Traefik ForwardAuth
  • Type: Proxy
  • Integration: Local Docker connection
  • Applications: myservice
  • Configuration:

log_level: info
docker_labels: null
authentik_host: https://auth.myurl.com/
docker_network: coolify
container_image: null
docker_map_ports: false
refresh_interval: minutes=5
kubernetes_replicas: 1
kubernetes_namespace: default
authentik_host_browser: https://auth.myurl.com/
object_naming_template: ak-outpost-%(name)s
authentik_host_insecure: false
kubernetes_json_patches: null
kubernetes_service_type: ClusterIP
kubernetes_image_pull_secrets: []
kubernetes_ingress_class_name: null
kubernetes_disabled_components: []
kubernetes_ingress_annotations: {}
kubernetes_ingress_secret_name: authentik-outpost-tls
kubernetes_httproute_annotations: {}
kubernetes_httproute_parent_refs: []

Then in Coolify Proxy Dynamic Config, instead of using

      forwardAuth:
        address: 'http://authentik-server-uuid:9000/outpost.goauthentik.io/auth/traefik'

One must use the name generated with ak-outpost-%(name)s. For an outpost with the name Traefik ForwardAuth, this generates the host ak-outpost-traefik-forwardauth

      forwardAuth:
        address: 'http://ak-outpost-traefik-forwardauth:9000/outpost.goauthentik.io/auth/traefik'

(Previously not working setup) setup had Coolify+Authentik working in: Cloudflare -> homelab_ip -> Coolify

Coolify Proxy Dynamic Config (the authentik-server-uuid was retrieved from deployable compose container_name key)

http:
  middlewares:
    authentik-auth:
      forwardAuth:
        address: 'http://authentik-server-uuid:9000/outpost.goauthentik.io/auth/traefik'  # !!! - Wrong here**
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

App Docker Compose

services:
  myservice:
    # <...>
    labels:
      - traefik.http.middlewares.authentik-auth@file

Application creation process:

  1. Application

  2. Choose a provider: Proxy Provider

  3. Configure Provider

  4. Configure Bindings - Add your user/group/policy

  5. Submit

  6. Go to Outposts -> authentik Embedded Outpost and add your provider to the selected applications !!! - Wrong here**

murlock1000 avatar Nov 30 '25 14:11 murlock1000
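
An added example, not part of any comment above and not Coolify or authentik code: a small lint that derives the outpost container name from object_naming_template and checks that a forwardAuth address points at it rather than at authentik-server, the mistake described in Update 2. The slug rule, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

AUTH_PATH = "/outpost.goauthentik.io/auth/traefik"  # path used in the thread's configs

def outpost_host(name, template="ak-outpost-%(name)s"):
    # Assumption: the outpost name is lowercased and every run of other
    # characters becomes "-", matching "Traefik ForwardAuth" in the thread.
    slug = re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")
    return template % {"name": slug}

def lint(dynamic_config, outpost_name, outpost_settings=""):
    """Return findings for forwardAuth addresses and outpost settings."""
    expected = outpost_host(outpost_name)
    findings = []
    # Line-based scan: enough for the flat dynamic configs shown in the thread.
    for address in re.findall(r"^\s*address:\s*['\"]?([^'\"\s]+)", dynamic_config, re.M):
        url = urlsplit(address)
        if url.hostname != expected:
            findings.append(f"host {url.hostname} is not the outpost {expected}")
        if url.port != 9000:
            findings.append(f"port {url.port} is not 9000")
        if url.path != AUTH_PATH:
            findings.append(f"path {url.path} is not {AUTH_PATH}")
    # TLS verification towards authentik_host is switched off by this setting.
    if re.search(r"^\s*authentik_host_insecure:\s*true\b", outpost_settings, re.M):
        findings.append("authentik_host_insecure is true")
    return findings

# Constructed inputs modelled on the configs quoted in the thread.
BROKEN = """
http:
  middlewares:
    authentik-auth:
      forwardAuth:
        address: 'http://authentik-server-uuid:9000/outpost.goauthentik.io/auth/traefik'
"""
FIXED = BROKEN.replace("authentik-server-uuid", "ak-outpost-traefik-forwardauth")
SETTINGS = "authentik_host_insecure: true\ndocker_network: coolify\n"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(cfg, "Traefik ForwardAuth", SETTINGS))
```

Passing the outpost's Advanced Settings as the third argument also reports `authentik_host_insecure: true`, which is worth reviewing when the outpost reaches authentik over a public hostname.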