authentik
Docker + Traefik forward-auth redirects to library
Describe the bug
I am using traefik as a reverse proxy and I wish to set up forward-auth using authentik. The hosted services are: traefik, authentik and, for testing purposes, a whoami container. Everything is deployed on a docker swarm cluster.
Here is the issue: When I open up whoami.domain.tld, I'm redirected to an authentik login (yay!). I log in and I'm redirected to authentik's application library. I expected to be redirected to my app (whoami.domain.tld). My whoami application is in the list and when I click on it, I'm again redirected to the library page.
Here are the relevant parts of my docker compose file:
networks:
  traefik:
    external: true
  internal:
    driver: overlay

services:
  traefik:
    image: traefik:latest
    ports:
      - target: 53
        published: 53
        protocol: tcp
      - target: 53
        published: 53
        protocol: udp
      - target: 80
        published: 80
        protocol: tcp
      - target: 443
        published: 443
        protocol: tcp
      [...]
    networks:
      - traefik
    deploy:
      [...]
      labels:
        - traefik.enable=true
        - traefik.http.routers.api.rule=Host(`traefik.domain.tld`)
        - traefik.http.routers.api.service=api@internal
        - traefik.http.routers.api.entrypoints=web
        - traefik.http.services.api.loadbalancer.server.port=8080

  server:
    image: ghcr.io/goauthentik/server:latest
    command: server
    networks:
      - internal
      - traefik
    deploy:
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik
        - traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
        - traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
        - traefik.http.services.authentik.loadbalancer.server.port=9000
        - traefik.http.routers.authentik.rule=Host(`auth.domain.tld`)
        - traefik.http.routers.authentik.priority=1
        - traefik.http.routers.authentik.service=authentik
        - traefik.http.routers.authentik.entrypoints=web
        - traefik.http.routers.authentik.middlewares=redirect-https
        - traefik.http.routers.authentik-https.rule=Host(`auth.domain.tld`)
        - traefik.http.routers.authentik-https.priority=1
        - traefik.http.routers.authentik-https.service=authentik
        - traefik.http.routers.authentik-https.entrypoints=websecure
        - traefik.http.routers.authentik-https.tls=true
        - traefik.http.routers.authentik-https.tls.certresolver=letsencrypt

  whoami:
    image: traefik/whoami
    networks:
      - traefik
    deploy:
      labels:
        - traefik.enable=true
        - traefik.http.services.whoami.loadbalancer.server.port=80
        - traefik.http.routers.whoami-http.rule=Host(`whoami.domain.tld`)
        - traefik.http.routers.whoami-http.service=whoami
        - traefik.http.routers.whoami-http.entrypoints=web
        - traefik.http.routers.whoami-http.middlewares=authentik@file
        - traefik.http.routers.whoami-https.rule=Host(`whoami.domain.tld`)
        - traefik.http.routers.whoami-https.service=whoami
        - traefik.http.routers.whoami-https.entrypoints=websecure
        - traefik.http.routers.whoami-https.tls=true
        - traefik.http.routers.whoami-https.tls.certresolver=letsencrypt
        - traefik.http.routers.whoami-https.middlewares=authentik@file
I set up an outpost for traefik. It's named traefik.
log_level: info
docker_labels:
  traefik.http.routers.ak-outpost-traefik-router.priority: "50"
authentik_host: https://auth.domain.tld
docker_network: traefik
container_image: null
docker_map_ports: false
kubernetes_replicas: 1
kubernetes_namespace: default
authentik_host_browser: ""
object_naming_template: ak-outpost-%(name)s
authentik_host_insecure: true
kubernetes_service_type: ClusterIP
kubernetes_image_pull_secrets: []
kubernetes_disabled_components: []
kubernetes_ingress_annotations: {}
kubernetes_ingress_secret_name: authentik-outpost-tls
The provider is set up as follows:
Authentication URL: https://auth.domain.tld
Cookie domain: domain.tld
Expected behavior
I expect to be redirected to my application after I log in.
Screenshots N/A
Logs
docker logs -f ak-outpost-traefik:
{"event":"/outpost.goauthentik.io/auth/traefik","host":"whoami.domain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":" domain","remote":"10.0.1.237:37254","runtime":"0.644","scheme":"","size":96,"status":307,"timestamp":"2022-02-23T16:47:02Z","upstream":"","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:97.0) Gecko/20100101 Firefox/97.0"}
{"event":"/outpost.goauthentik.io/auth/traefik","host":"whoami.domain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":" domain","remote":"10.0.1.237:37254","runtime":"1.530","scheme":"","size":96,"status":307,"timestamp":"2022-02-23T16:47:04Z","upstream":"","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:97.0) Gecko/20100101 Firefox/97.0"}
{"event":"Starting authentik outpost","hash":"tagged","level":"info","logger":"authentik.outpost","timestamp":"2022-02-23T16:47:16Z","version":"2022.2.1"}
{"dir":"/tmp","event":"using filesystem session backend","level":"info","logger":"authentik.outpost.proxyv2.application","name":" domain","timestamp":"2022-02-23T16:47:17Z"}
Version and Deployment (please complete the following information):
- authentik version: 2022.2.1
- Deployment: docker-compose on docker swarm
Additional context
Thanks for your help!
Could you set the log level to trace to get some more detailed logs? See https://goauthentik.io/docs/installation/configuration#authentik_log_level, and don't forget to restart after changing it.
Thanks for getting back so fast. The logs for the authentik server are quite long. I'll add them as an attachment:
Have the same issue. After authorization I'm able to reach the application, but by default I'm redirected to the applications directory, not a specific app.
I have the same problem when using ForwardAuth in domain level mode. When configured as single application, I'm constantly redirected back to the application authorization page.
@BeryJu Did you get a chance to take a look at the logs that I sent you?
I'm also seeing this, although it seems to be almost random. If I re-configure with the same settings, sometimes it will load the app instead of the library, but it's few and far between.
To follow up on this, I've noticed that when I am redirected to the library, the logs show this:
"http_request": {
    "args": {
        "query": "next=%2F"
    },
    "path": "/api/v3/flows/executor/default-authentication-flow/",
    "method": "GET"
},
But when I'm properly redirected to the application, the logs show this:
"http_request": {
    "args": {
        "query": "next=%2Fapplication%2Fo%2Fauthorize%2F%3Fclient_id%3DLMCodtftgfsgshsf7LX8WaxSyuBAzgS1JBOpNXxqhCcJh4%26redirect_uri%3Dhttps%253A%252F%252Ftrilium.mydomain.org%252Foutpost.goauthentik.io%252Fcallback%26response_type%3Dcode%26scope%3Demail%2Bak_proxy%2Bprofile%2Bopenid%26state%3DUtOrXwBPfzt7EpEyh5C8wehhXh0_BnrkN-2wvQOtao"
    },
    "path": "/api/v3/flows/executor/default-authentication-flow/",
    "method": "GET"
},
I am having the same issue and a few others which I feel are related. Environment: Authentik 2022.3.1, Traefik 2.6.2 on Kubernetes 1.20.
After trying various configurations I am pretty sure that the issue is with the outpost. I started looking into it when I got strange redirections from the outpost proxy such as ‘myapp.domain.tldapplication[..]’, i.e. no forward slash after the domain name, and the redirection went to the app instead of the Authentik server. This problem came and went as I purged and redeployed the outposts in the app namespaces in kubernetes.
As for this specific issue: I have found that these problems occur when the Forward Auth provider is connected to an outpost. When using only the default ‘outpost’, my only issue is that I don’t get redirected back to the application after the initial login. When using another outpost it’s anyone’s guess where I end up (I sometimes get redirected to another application) or whether or not I can actually access the application after authenticating.
When using Forward Auth in single-application mode I also get some strange redirection issues (redirected to resources such as .js files on the application) or am not able to access the application until I retry a few (or many) times.
Had the same issue with ingress-nginx, but after noticing that $escaped_request_uri just resolves to the path after the domain and changing the documented sign-in URL from
auth-signin: https://authentik.domain.tld/outpost.goauthentik.io/start?rd=$escaped_request_uri
to
auth-signin: https://authentik.domain.tld/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri
this problem disappeared.
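The two log fragments above show the difference directly: in the failing case the flow executor's `next` parameter is `/` (authentik's root, i.e. the library), while in the working case it is the authorize URL whose `redirect_uri` points back at the application's outpost callback. The ingress-nginx fix is the same idea seen from the other end: an `rd` value that is only a path has lost the host it should return to. The following script is an added example (not from this thread or the authentik project) that decodes both values from constructed sample strings shaped like the ones quoted here; the host names, client id and state are placeholders.

```python
"""Decode authentik redirect targets seen in flow-executor logs and in the
ingress-nginx auth-signin URL, and report where the browser will end up."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample queries, same shape as the two log fragments quoted above.
LIBRARY_CASE = "next=%2F"
APP_CASE = (
    "next=%2Fapplication%2Fo%2Fauthorize%2F%3Fclient_id%3DEXAMPLE_CLIENT_ID"
    "%26redirect_uri%3Dhttps%253A%252F%252Ftrilium.mydomain.org"
    "%252Foutpost.goauthentik.io%252Fcallback%26response_type%3Dcode"
    "%26scope%3Demail%2Bak_proxy%2Bprofile%2Bopenid%26state%3DEXAMPLE_STATE"
)


def classify_next(query: str) -> dict:
    """Decode the flow executor's `next` parameter and report whether the user
    lands on the library (authentik root) or is sent on to an application."""
    params = parse_qs(query, keep_blank_values=True)
    next_raw = params.get("next", [""])[0]          # strips one layer of %-encoding
    target = urlsplit(next_raw)
    result = {"next": next_raw, "lands_on": "library", "app_host": None}
    if target.path == "/application/o/authorize/":
        # The authorize query was encoded twice on the wire; parse_qs removes the
        # remaining layer and exposes the proxy outpost's callback URL.
        redirect_uri = parse_qs(target.query).get("redirect_uri", [""])[0]
        callback = urlsplit(redirect_uri)
        if callback.path == "/outpost.goauthentik.io/callback":
            result["lands_on"] = "application"
            result["app_host"] = callback.netloc
    return result


def classify_rd(signin_url: str) -> dict:
    """Inspect the `rd` parameter of an outpost /start URL (the ingress-nginx
    auth-signin value after variable substitution) and say whether it still
    carries the scheme and host needed to return to the original site."""
    rd = parse_qs(urlsplit(signin_url).query).get("rd", [""])[0]
    parts = urlsplit(rd)
    return {"rd": rd, "absolute": bool(parts.scheme and parts.netloc),
            "host": parts.netloc or None}


if __name__ == "__main__":
    print(classify_next(LIBRARY_CASE))
    print(classify_next(APP_CASE))
    # rd=$escaped_request_uri substitutes to a bare path (host lost); the corrected
    # template prepends $scheme://$host so the target is absolute.
    start = "https://authentik.domain.tld/outpost.goauthentik.io/start"
    print(classify_rd(start + "?rd=%2Fnotes%2F1"))
    print(classify_rd(start + "?rd=https%3A%2F%2Ftrilium.mydomain.org%2Fnotes%2F1"))
```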
I could fix this for my setup by using the internal address of authentik for traefik's forwardAuth address rather than the public one.
So instead of getting redirected to the library using this:
[http.middlewares]
  [http.middlewares.authentik.forwardAuth]
    address = "https://authentik.domain.tld/outpost.goauthentik.io/auth/traefik"
I get correctly redirected to the source by using:
[http.middlewares]
  [http.middlewares.authentik.forwardAuth]
    address = "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I have the same issue. If I redirect the authentication to the exposed docker port (:9000) directly, then I properly get redirected back to the application after logon. If I use the external FQDN to redirect the auth to (which I route through traefik), then after successful login I'm getting redirected to the library.
I could fix this for my setup by using the internal address of authentik for traefik's forwardAuth address rather than the public one. So instead of getting redirected to the library using this:
[http.middlewares]
  [http.middlewares.authentik.forwardAuth]
    address = "https://authentik.domain.tld/outpost.goauthentik.io/auth/traefik"
I get correctly redirected to the source by using:
[http.middlewares]
  [http.middlewares.authentik.forwardAuth]
    address = "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
@MarioNoll but then how do you publish your app externally? Do you publish port 9000 as well, bypassing traefik?
@rezo552 My app containers share a docker network with the traefik container, so traefik can talk to them internally without needing to publish any ports besides https.
Hmm, I'm sharing the same network as well, but when I get forwarded, my client tries to reach authentik on port 9000. Hmm, can you share your traefik config?
This is what my dynamic file configuration looks like
[http.routers]
  [http.routers.example]
    rule = "Host(`example.my-domain.com`)"
    entrypoints = ["websecure"]
    middlewares = ["authentik"]
    service = "example"
  [http.routers.authentik]
    rule = "Host(`authentik.my-domain.com`)"
    entrypoints = ["websecure"]
    service = "authentik"

[http.middlewares]
  [http.middlewares.authentik.forwardAuth]
    address = "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
    authResponseHeaders = ["X-authentik-username"]

[http.services]
  [[http.services.authentik.loadBalancer.servers]]
    url = "http://authentik:9000"
  [[http.services.example.loadBalancer.servers]]
    url = "http://example:8000"
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Can I re-open this issue? The work-around of setting forwardAuth.address to the internal address of the authentik server (localhost:900), and not to the public-facing name of the service (authentik.domain.tld), works so long as the service I'm protecting is hosted on the same machine/network as the authentik instance.
However, I have several machines, and on the remote machines using the external name and still ending up at the application I was trying to access -- not the library -- would be nice. Any ideas for how to make that happen? I tried to figure out how the fix for nginx applies to traefik, but didn't see any obvious parallels.