
outpost/proxyv2: revalidate auth if session fails to load

Open chetan opened this issue 1 month ago • 4 comments

Bug

The forward auth handler in the outpost does not properly handle a session load failure. When the session fails to load, it simply bails out, returning a 200 to the reverse proxy which then allows the request to proceed. Depending on the configuration of the upstream service, this can result in a 401, basic auth prompt, or simply allowing access. With one of my applications, the app set its own cookies which still granted access despite the invalid authentik session.

A similar issue is mentioned in https://github.com/goauthentik/authentik/issues/2023#issuecomment-2962624284

Setup:

  • https://auth.example.com
  • https://app.example.com (using fwd auth to outpost [I'm using traefik but should apply to others])

Flow:

  1. Visit https://app.example.com -> redir to auth, sign in -> redir to app
  2. Visit https://auth.example.com -> sign out
  3. Session is properly invalidated at the outpost, e.g.:
     {"event":"Logging out","level":"debug","logger":"authentik.outpost.proxyv2","provider":"app.example.com","timestamp":"2025-11-10T17:22:54Z"}
     {"event":"deleting session","level":"trace","logger":"authentik.outpost.proxyv2.application","name":"provider-app","path":"/dev/shm/session_6JCRTWRRAVWIPWGLBIWZZPLTYUI27PYAVIEQKH5YSDQOMBNMMIWA","timestamp":"2025-11-10T17:22:54Z"}
  4. Visit https://app.example.com - warning logged but fwd auth returns 200 - app returns 401

Step 2 can also be a restart of the outpost due to crash, reboot, or redeployment.

Fix

After session validation falls through, fix the session/state setup so we can redirect to the auth server and complete the flow. User will either be prompted to log in or, if they had already logged back in again, they will be sent back and the new session will be established properly.

chetan avatar Nov 11 '25 15:11 chetan
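The failure mode and the proposed fix, as an added Go example that is not authentik's code: `loadSession`, `failLoad` and `probe` are constructed stand-ins for the outpost's session store and the reverse proxy, and the two handlers show why an early return on a load error yields an implicit 200 while treating the error as "no session" restarts the auth flow instead.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
)

// loadSession is a hypothetical session lookup hook, constructed for this
// example; it stands in for the outpost's real session store.
type loadSession func(r *http.Request) (authenticated bool, err error)

// buggyForwardAuth models the reported behaviour: on a load error the handler
// bails out without writing a response, so net/http answers 200 and the
// reverse proxy forwards the request as if it were authenticated.
func buggyForwardAuth(load loadSession, authURL string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, err := load(r)
		if err != nil {
			return // implicit 200
		}
		if !ok {
			http.Redirect(w, r, authURL, http.StatusFound)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// fixedForwardAuth treats a load failure exactly like a missing session and
// restarts the flow at the auth server, as the PR description proposes.
func fixedForwardAuth(load loadSession, authURL string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ok, err := load(r); err != nil || !ok {
			http.Redirect(w, r, authURL, http.StatusFound)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// failLoad simulates the session file having been deleted (logout or outpost restart).
func failLoad(*http.Request) (bool, error) { return false, errors.New("session file missing") }

// probe returns the status code the reverse proxy would receive from a handler.
func probe(h http.Handler) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Code
}
```

With `failLoad`, `probe` reports 200 for the buggy handler and 302 for the fixed one; the placeholder auth URL is only used as the redirect target.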

Deploy Preview for authentik-docs canceled.

Latest commit: cb47b17df9df19ea89c324ed7a4ddcbb87680556
Latest deploy log: https://app.netlify.com/projects/authentik-docs/deploys/69161a286162040008b9b54c

netlify[bot] avatar Nov 11 '25 15:11 netlify[bot]

Deploy Preview for authentik-integrations canceled.

Latest commit: cb47b17df9df19ea89c324ed7a4ddcbb87680556
Latest deploy log: https://app.netlify.com/projects/authentik-integrations/deploys/69161a281d2d7a000815d49c

netlify[bot] avatar Nov 11 '25 15:11 netlify[bot]

Deploy Preview for authentik-storybook canceled.

Latest commit: cb47b17df9df19ea89c324ed7a4ddcbb87680556
Latest deploy log: https://app.netlify.com/projects/authentik-storybook/deploys/69161a280819e2000862b2b5

netlify[bot] avatar Nov 11 '25 15:11 netlify[bot]

Codecov Report

All modified and coverable lines are covered by tests. Project coverage is 92.65%. Comparing base (9625270) to head (cb47b17). Warning: Report is 397 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #18063      +/-   ##
==========================================
- Coverage   92.92%   92.65%   -0.27%     
==========================================
  Files         869      869              
  Lines       48040    48039       -1     
==========================================
- Hits        44640    44512     -128     
- Misses       3400     3527     +127     
Flag          Coverage Δ
e2e           44.52% <ø> (-0.37%) ↓
integration   23.13% <ø> (-0.06%) ↓
unit          91.08% <ø> (+<0.01%) ↑
unit-migrate  91.13% <ø> (+<0.01%) ↑

Flags with carried forward coverage won't be shown.

View full report in Codecov by Sentry.

codecov[bot] avatar Nov 11 '25 16:11 codecov[bot]