
Blocked out: Permission denied Request has been denied. Interface can only be accessed by internal users.

Open nriel opened this issue 1 year ago • 3 comments

Describe the bug

I am no longer able to log in/be redirected to the admin page or to the user login page with my social logins. When opening Authentik, I will immediately be redirected to the Permission denied error, in case of being logged into the social account beforehand. Authentik was running fine for months. By using a recovery link I still manage to log in to one of my local user accounts: https://docs.goauthentik.io/docs/troubleshooting/login

All services/websites behind Authentik work fine. Thus, as a user with social login, I seem to be logged in just fine, but redirection to Authentik itself is not possible, so no further configuration can be done.

Any idea how to get back to normal?

To Reproduce

Steps to reproduce the behavior:

  1. Go to auth.domain.com
  2. See error

Expected behavior

Open Authentik page and allow for interaction

Version and Deployment (please complete the following information):

  • authentik version: 2024.6.3
  • Deployment: docker-compose

nriel, Aug 06 '24 08:08

I suspect you're running a beta version as the code for this behaviour is not included in 2024.6.x. This is part of an upcoming change, see https://docs.goauthentik.io/docs/releases/2024.8#manual-action-may-be-required

BeryJu, Aug 06 '24 10:08

That's it, thanks! What doesn't work btw is: ak change_user_type --all --type internal

I had to change it per user with the username-attribute.

nriel, Aug 06 '24 10:08

What about that command didn't work?

BeryJu, Aug 06 '24 11:08

> What about that command didn't work?

I believe he had the same error I encountered:

manage.py change_user_type: error: the following arguments are required: usernames

Just updated to 2024.8 here.

Did the same as him to work around it.

Banh-Canh, Sep 03 '24 16:09

When will this be released? I also had to make the changes manually.

lyz-code, Sep 05 '24 10:09

You can use ghcr.io/goauthentik/dev-server:gh-version-2024.8, where this fix is already published; otherwise 2024.8.1 will be released later this week.

BeryJu, Sep 05 '24 12:09

v2024.8.2 still doesn't fix the external connection permission problem. I've worked around the problem by changing all external users to internal. Unfortunately, some scopes linked to the external Plex account can no longer function since the change to internal type. What about patches? Or is there a new parameter to modify or a configuration to assign? A doc link updated?

morganorix, Sep 20 '24 15:09

FWIW I was able to solve this using a source property mapper (specifically SAML in this case):

first_name = properties.get("firstName")
last_name = properties.get("lastName")
return {
  "name": f"{first_name} {last_name}",
  "email": properties.get("username"),
  "type": "internal",
  "attributes": {
    "firstName": first_name,
    "lastName": last_name,
  }
}

Now all users that login with this IDP source are set to internal.

ryantking, Oct 02 '24 21:10
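
A variant of the mapper above that sets the user type per login instead of making every user from the source internal. This is an added example, not code from the thread or from the authentik project. It assumes the same SAML attributes (firstName, lastName, username as an e-mail address); the function wrapper and the INTERNAL_DOMAINS allow-list are hypothetical, and in authentik the function body would be the mapping expression with `properties` supplied.

```python
# Added example: choose "internal" or "external" per user from a SAML source.
# Assumption: the IdP sends firstName, lastName and username (an e-mail
# address), as in the mapper posted above. INTERNAL_DOMAINS is hypothetical.

INTERNAL_DOMAINS = {"corp.example.com"}


def map_saml_user(properties, internal_domains=INTERNAL_DOMAINS):
    """Return the user fields a source property mapping would return."""
    first_name = (properties.get("firstName") or "").strip()
    last_name = (properties.get("lastName") or "").strip()
    email = (properties.get("username") or "").strip().lower()

    # Only an exact domain match is promoted. A look-alike suffix such as
    # "corp.example.com.evil.test" or a value without "@" stays external.
    local, sep, domain = email.rpartition("@")
    is_internal = bool(local) and sep == "@" and domain in internal_domains

    # Avoid the literal name "None None" when the IdP omits an attribute.
    name = " ".join(p for p in (first_name, last_name) if p) or email

    return {
        "name": name,
        "email": email,
        "type": "internal" if is_internal else "external",
        "attributes": {"firstName": first_name, "lastName": last_name},
    }


if __name__ == "__main__":
    # Constructed sample assertions, not real IdP output.
    samples = [
        {"firstName": "Ada", "lastName": "Lovelace",
         "username": "Ada@Corp.Example.com"},
        {"username": "guest@corp.example.com.evil.test"},
        {"firstName": "Sam", "username": "no-at-sign"},
    ]
    for sample in samples:
        result = map_saml_user(sample)
        print(result["email"], "->", result["type"], "/", result["name"])
```
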