Forward-Auth with Intercept header authentication not behaving like documented

Open samip5 opened this issue 1 year ago • 6 comments

Describe the bug

It seems that when you have configured single app forward auth to use Intercept header authentication, and the header is either missing or invalid, it just shows a 401.

To Reproduce

Steps to reproduce the behavior:

  1. Create a new single forward auth app
  2. Use ingress-nginx and configure the app to be secured
  3. Try to browse to the app url
  4. See the 401 instead of normal login page

Expected behavior

I would have expected it to behave like documented, which is: when Intercept header authentication is enabled, authentik will intercept the authorization header. If the authorization header value is invalid, an error response will be shown with a 401 status code. Requests without an authorization header will still be redirected to the standard login flow.

I would have expected it to behave more like Authelia, where it would also show a password prompt if it's asking for basic auth.

Version and Deployment (please complete the following information):

  • authentik version: 2024.12.1
  • Deployment: Helm

Additional context

The ingress manifest used:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dh
  namespace: networking
  annotations:
    external-dns.alpha.kubernetes.io/target: "<snip>"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/auth-url: |-
      http://ak-outpost-authentik-embedded-outpost.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
    nginx.ingress.kubernetes.io/auth-response-headers: |-
      Set-Cookie,X-authentik-username,X-authentik-groups
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    nginx.ingress.kubernetes.io/server-snippet: |
      proxy_ssl_name <snip>.fi;
      proxy_ssl_server_name on;
spec:
  ingressClassName: external-nginx
  rules:
    - host: "<snip>.fi"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: dh
                port:
                  number: 443
  tls:
    - hosts:
        - "<snip>.fi"

samip5 avatar Jan 05 '25 07:01 samip5
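An added example, not part of the original issue and not authentik or ingress-nginx code: it models how nginx's `auth_request` handling maps the status of the auth subrequest to what the client sees, and applies that to the annotations in the manifest above. It assumes the outpost answers 401 to a request it cannot authenticate; the `auth-signin` value is constructed and its host is a placeholder.

```python
# Added example: how an ingress-nginx external-auth setup answers the client,
# given the status code returned by the auth subrequest (nginx auth_request).
PREFIX = "nginx.ingress.kubernetes.io/"

# Annotations taken from the manifest in the issue.
ISSUE_ANNOTATIONS = {
    PREFIX + "auth-url": (
        "http://ak-outpost-authentik-embedded-outpost.security.svc.cluster.local"
        ":9000/outpost.goauthentik.io/auth/nginx"
    ),
    PREFIX + "auth-response-headers": "Set-Cookie,X-authentik-username,X-authentik-groups",
    PREFIX + "auth-snippet": "proxy_set_header X-Forwarded-Host $http_host;",
}

# Constructed sign-in URL (assumption; "app.example" is a placeholder host).
SAMPLE_SIGNIN = (
    "https://app.example/outpost.goauthentik.io/start"
    "?rd=$scheme://$http_host$escaped_request_uri"
)


def client_response(annotations, auth_status):
    """Return a short description of what the client receives."""
    if PREFIX + "auth-url" not in annotations:
        return "proxy"                      # no external auth configured
    if 200 <= auth_status < 300:
        return "proxy"                      # subrequest allowed the request
    if auth_status == 401:
        signin = annotations.get(PREFIX + "auth-signin")
        if signin:
            return "302 " + signin          # error_page 401 sends the browser to sign-in
        return "401"                        # nothing turns the 401 into a redirect
    if auth_status == 403:
        return "403"
    return "500"                            # any other subrequest status is an error


def explain(annotations):
    """Outcome for an unauthenticated request (assumed subrequest status: 401)."""
    with_signin = dict(annotations, **{PREFIX + "auth-signin": SAMPLE_SIGNIN})
    return {
        "as_posted": client_response(annotations, 401),
        "with_auth_signin": client_response(with_signin, 401),
    }


if __name__ == "__main__":
    for case, outcome in explain(ISSUE_ANNOTATIONS).items():
        print(f"{case}: {outcome}")
```

Whether this accounts for the behaviour reported in the issue depends on the assumption above about the outpost's response to a request without an Authorization header.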

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Not stale?

samip5 avatar Mar 07 '25 03:03 samip5

Wow, it's stale for this long?? This is old, but must be addressed

kernelb00t avatar Apr 11 '25 22:04 kernelb00t

Wow, it's stale for this long?? This is old, but must be addressed

Yeah, it's really a pain. Another good example is: https://github.com/goauthentik/authentik/issues/5441

samip5 avatar Apr 11 '25 23:04 samip5

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

not stale

samip5 avatar Jun 11 '25 12:06 samip5

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

not stale

samip5 avatar Aug 11 '25 02:08 samip5

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Not stale! I do not have any app to re-test this, but it seems that no commit ever changed the related code. @samip5 do you have some apps to test this?

kernelb00t avatar Oct 19 '25 16:10 kernelb00t

@samip5 do you have some apps to test this?

tvheadend and VLC

samip5 avatar Oct 20 '25 21:10 samip5