Receiving Basic Auth with proxy provider always fails

Open TheCataliasTNT2k opened this issue 1 year ago • 3 comments

Describe the bug

I tried to set up the docker registry v2 behind traefik, using authentik forward auth as authentication. Docker uses basic auth when running docker login and uses that to pull images. Every time I try to do anything, the outpost shows this error in the logs:

{"body":"{\"error\": \"invalid_grant\", \"error_description\": \"The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\"}","error":null,"event":"failed to send token request","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Provider for Registry","timestamp":"2024-06-30T23:05:16Z"}

This warning is emitted here.

The request sent to authentik from the outpost has this payload in Wireshark (after TLS termination by traefik!):

Hypertext Transfer Protocol
    POST /application/o/token/ HTTP/1.1\r\n
    Host: REDACTED\r\n
    User-Agent: goauthentik.io/outpost/2024.6.0 (provider=Provider for Registry)\r\n
    Content-Length: 253\r\n
    Accept-Encoding: gzip\r\n
    Content-Type: application/x-www-form-urlencoded\r\n
    Sentry-Trace: a174265de43ba610546bb9e49252b90f-b00a420decc864cc-0\r\n
    X-Forwarded-For: 172.27.0.1\r\n
    X-Forwarded-Host: REDACTED\r\n
    X-Forwarded-Port: 10724\r\n
    X-Forwarded-Proto: https\r\n
    X-Forwarded-Server: 37e0e0b32d97\r\n
    X-Real-Ip: 172.27.0.1\r\n
    \r\n
    [Full request URI: http://REDACTED/application/o/token/]
    [HTTP request 1/1]
    [Response in frame: 25]
    File Data: 253 bytes
HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "client_id" = "REDACTED"
    Form item: "grant_type" = "client_credentials"
    Form item: "password" = "REDACTED"
    Form item: "scope" = "openid email profile ak_proxy"
    Form item: "username" = "akadmin"

client_id is the valid client id shown in authentik (and set automatically by the outpost). I tried an "App Password" and the user password for password, with no success.

Expected behavior

No errors; access granted, since akadmin can access the application no problem via browser.

Version and Deployment:

  • authentik version: 2024.6
  • Deployment: docker-compose

Jul 01 '24 00:07 TheCataliasTNT2k
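
As an added illustration (not authentik's code and not part of the original issue), this sketch decodes a Basic Authorization header and builds, without sending it, a token request carrying the same form fields as the capture above, so the exact username and password that would be forwarded can be inspected offline. The host name, client ID and credentials are constructed placeholders, and the field mapping is assumed from the capture only.

```python
import base64
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

SCOPE = "openid email profile ak_proxy"  # scope string taken from the capture

def parse_basic(header: str) -> tuple[str, str]:
    """Decode an RFC 7617 Basic header into (username, password)."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise ValueError("not a Basic Authorization header")
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    # Split on the first ':' only: the password itself may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def token_request(base_url: str, client_id: str, header: str) -> Request:
    """Build (but do not send) a token POST with the fields seen in the capture."""
    user, password = parse_basic(header)
    body = urlencode({
        "client_id": client_id,
        "grant_type": "client_credentials",
        "password": password,
        "scope": SCOPE,
        "username": user,
    }).encode()
    return Request(
        base_url.rstrip("/") + "/application/o/token/",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def form_fields(req: Request) -> dict[str, str]:
    """Decode the urlencoded body again so each field can be inspected."""
    return {k: v[0] for k, v in parse_qs(req.data.decode()).items()}

if __name__ == "__main__":
    # Constructed sample: user "akadmin" with a placeholder password containing ':'
    hdr = "Basic " + base64.b64encode(b"akadmin:app:pw-placeholder").decode()
    req = token_request("https://authentik.example", "client-id-placeholder", hdr)
    print(req.get_method(), req.full_url, sorted(form_fields(req)))
```

Comparing the decoded password field with the credential that was meant to be used shows whether a different secret was pasted into docker login.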

Hi, I'm trying to implement the same thing, did you find any solution?

Jul 05 '24 20:07 EmilianoEscobedo

No, not yet. I hope the maintainers have a solution for this.

Jul 05 '24 20:07 TheCataliasTNT2k

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

We might need one of the maintainers to have a look at this....

Sep 11 '24 11:09 TheCataliasTNT2k

The "answer" of the bot wasn't really helpful. I have the same problem.

Sep 11 '24 14:09 viaregio

OK. I could solve my problem. It was a dumb mistake on my behalf: I copied a token instead of the intended app password.

Sep 11 '24 15:09 viaregio