
Traefik ForwardAuth Unable to access application

Open Xuroth opened this issue 1 year ago • 1 comments

Describe your question

I am trying to access a service hosted at it-tools.domain.com using Authentik, but I am getting the following error (and HTTP 400):

warning error=oauth2: "invalid_grant" "The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client" event=failed to redeem code logger=authentik.outpost.proxyv2.application name=it-tools timestamp=2023-07-23T03:43:19Z

Relevant infos (version of other software you're using, specifics of your setup)

  • Traefik v2.7 (reverse proxy, set to ports 80/443)
  • Authentik 2023.6
  • IT Tools latest (app I wish to secure)


Version and Deployment:

  • authentik version: 2023.6
  • Deployment: docker-compose

Additional context

I am able to successfully see the login screen from Authentik when I go to the app's subdomain (it-tools.domain.com). Once I log in and click continue on the OAuth consent screen, I am routed to the following URL: https://it-tools.domain.com/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code={CODE}/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code={CODE} which shows HTTP 400 in the browser. The above error message (failed to redeem code) is shown in the outpost container's logs.

In Authentik, I've created a Proxy outpost and enabled the 'it-tools' (forward auth provider for it-tools):

Name: Traefik - Outpost
Type: Proxy
Integration: Local Docker connection
Applications: it-tools

Container name created: ak-outpost-traefik-outpost

Configuration:

log_level: info
docker_labels: null
authentik_host: https://authentik.domain.com
docker_network: t2_proxy
container_image: beryju/authentik-proxy:latest
docker_map_ports: false
kubernetes_replicas: 1
kubernetes_namespace: default
authentik_host_browser: ""
object_naming_template: ak-outpost-%(name)s
authentik_host_insecure: false
kubernetes_service_type: ClusterIP
kubernetes_image_pull_secrets: []
kubernetes_ingress_class_name: null
kubernetes_disabled_components: []
kubernetes_ingress_annotations: {}
kubernetes_ingress_secret_name: authentik-outpost-tls

Provider:

Name: it-tools
Type: Forward Auth (Single Application)
External Host: https://it-tools.domain.com

Application:

Name: IT Tools
Slug: it-tools
Policy Engine Mode: any
Provider: it-tools

Docker Compose Information:

services:
  authentik-server:
    container_name: authentik-server
    image: ghcr.io/goauthentik/server:2023.6
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_REDIS__PASSWORD: $REDIS_PASSWORD
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: $POSTGRES_ROOT_USER
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: $POSTGRES_ROOT_PASSWORD
      AUTHENTIK_SECRET_KEY: $AUTHENTIK_SECRET_KEY
    volumes:
      - $DOCKERDIR/appdata/authentik/media:/media
      - $DOCKERDIR/appdata/authentik/custom-templates:/templates
      - $DOCKERDIR/appdata/geoip:/geoip
    ports:
      - "0.0.0.0:9000:9000"
      - "0.0.0.0:9443:9443"
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.12
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik-rtr.entrypoints=https"
      - "traefik.http.routers.authentik-rtr.rule=Host(`authentik.$DOMAINNAME`) || HostRegexp(`{subdomain:[a-z0-9]+}.$DOMAINNAME`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik-rtr.priority=1"
      
  authentik-worker:
    container_name: authentik-worker
    image: ghcr.io/goauthentik/server:2023.6
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_REDIS__PASSWORD: $REDIS_PASSWORD
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: $POSTGRES_ROOT_USER
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: $POSTGRES_ROOT_PASSWORD
      AUTHENTIK_SECRET_KEY: $AUTHENTIK_SECRET_KEY
    user: root
    volumes:
      - $DOCKERDIR/appdata/authentik/media:/media
      - $DOCKERDIR/appdata/authentik/certs:/certs
      - $DOCKERDIR/appdata/authentik/custom-templates:/templates
      - $DOCKERDIR/appdata/geoip:/geoip
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.10
        
  it-tools:
    container_name: it-tools
    image: corentinth/it-tools:latest
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.90
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.it-tools-rtr.entrypoints=https"
      - "traefik.http.routers.it-tools-rtr.rule=Host(`it-tools.$DOMAINNAME`)"
      - "traefik.http.routers.it-tools-rtr.middlewares=chain-authentik@file"
      - "traefik.http.routers.it-tools-rtr.service=it-tools-svc"
      - "traefik.http.services.it-tools-svc.loadbalancer.server.port=80"

Traefik Middlewares: middleware-chains.toml

[http.middlewares]
  [http.middlewares.chain-authentik]
    [http.middlewares.chain-authentik.chain]
      middlewares = ["middlewares-authentik"]

middlewares.toml

[http.middlewares]
  [http.middlewares.middlewares-authentik]
    [http.middlewares.middlewares-authentik.forwardAuth]
      address = "http://ak-outpost-traefik-outpost:9000/outpost.goauthentik.io/auth/traefik"
      trustForwardHeader = true
      authResponseHeaders = ["X-authentik-username", "X-authentik-groups", "X-authentik-email", "X-authentik-name", "X-authentik-uid", "X-authentik-jwt", "X-authentik-meta-jwks", "X-authentik-meta-outpost", "X-authentik-meta-provider", "X-authentik-meta-app", "X-authentik-meta-version"]

I feel like I'm missing something fairly basic/obvious, but I'm not sure where to look next. I've also attempted to use the embedded outpost (initially), with the exact same result. Not sure why the code is "invalid, missing, or already redeemed by another client" (no such redemption messages in the logs).

Xuroth avatar Jul 23 '23 04:07 Xuroth
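To see which of the two Traefik routers from the compose labels above actually receives a request for `/outpost.goauthentik.io/callback` on `it-tools.domain.com` (and therefore whether it passes through the chain-authentik forwardAuth middleware or reaches authentik-server directly), here is an added Python model of Traefik v2 rule matching and router priority; it is not part of this issue, of authentik, or of Traefik. It assumes only the Host, HostRegexp and PathPrefix matchers, `&&` binding tighter than `||` with no grouping parentheses, Traefik's default priority of "rule length", and `domain.com` as a constructed stand-in for `$DOMAINNAME`.

```python
import re
from dataclasses import dataclass, field

# Simplified model of Traefik v2 router selection (assumption: Host, HostRegexp and
# PathPrefix only; '&&' binds tighter than '||'; no grouping parentheses).
_MATCHER = re.compile(r"(Host|HostRegexp|PathPrefix)\(`([^`]*)`\)")

@dataclass
class Router:
    name: str
    rule: str
    priority: int = 0  # 0 = unset; Traefik then uses the rule length
    middlewares: list = field(default_factory=list)
    def effective_priority(self) -> int:
        return self.priority or len(self.rule)

def _host_regexp(template: str) -> str:
    # Expand '{name:regex}' segments, escaping the literal parts (dots!) around them
    out, pos = [], 0
    for m in re.finditer(r"\{[^:}]+:([^}]+)\}", template):
        out.append(re.escape(template[pos:m.start()]) + "(" + m.group(1) + ")")
        pos = m.end()
    return "".join(out) + re.escape(template[pos:])

def _term_matches(term: str, host: str, path: str) -> bool:
    m = _MATCHER.fullmatch(term.strip())
    if not m:
        raise ValueError(f"unsupported matcher: {term!r}")
    kind, arg = m.groups()
    if kind == "Host":
        return host == arg
    if kind == "PathPrefix":
        return path.startswith(arg)
    return re.fullmatch(_host_regexp(arg), host) is not None

def rule_matches(rule: str, host: str, path: str) -> bool:
    return any(all(_term_matches(t, host, path) for t in alt.split("&&"))
               for alt in rule.split("||"))

def select_router(routers, host: str, path: str):
    # Traefik picks the matching router with the highest effective priority
    hits = [r for r in routers if rule_matches(r.rule, host, path)]
    return max(hits, key=Router.effective_priority, default=None)

DOMAIN = "domain.com"  # constructed stand-in for $DOMAINNAME in the labels above
ROUTERS = [  # the two routers from the compose labels in this issue
    Router("authentik-rtr", f"Host(`authentik.{DOMAIN}`) || HostRegexp(`{{subdomain:"
           f"[a-z0-9]+}}.{DOMAIN}`) && PathPrefix(`/outpost.goauthentik.io/`)", priority=1),
    Router("it-tools-rtr", f"Host(`it-tools.{DOMAIN}`)", middlewares=["chain-authentik@file"]),
]
CALLBACK = "/outpost.goauthentik.io/callback"
```

Running `select_router(ROUTERS, "it-tools.domain.com", CALLBACK)` returns it-tools-rtr: the `{subdomain:[a-z0-9]+}` template admits no hyphen, so `it-tools.domain.com` never matches authentik-rtr at all, and even with a hyphen-tolerant regex the explicit `priority=1` would still let it-tools-rtr (default priority 27, its rule length) win. Either way the callback is handled via the forwardAuth chain rather than routed to authentik-server.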

I have the exact same issue, no idea what's causing it.

n1ght-hunter avatar Feb 16 '24 06:02 n1ght-hunter

Try replacing http://ak-outpost-traefik-outpost:9000/outpost.goauthentik.io/auth/traefik with http://host.docker.internal:9000/outpost.goauthentik.io/auth/traefik

Keyinator avatar Mar 31 '24 19:03 Keyinator

Thanks for the feedback. When I get time away from work, I'll try to re-spin up Authentik (had to switch back to Authelia temporarily). I'll let you know if it works, once I get a chance!

Xuroth avatar Apr 01 '24 20:04 Xuroth

It seems, at least for UptimeKuma, the issue potentially is related to #6139

modem7 avatar Apr 01 '24 21:04 modem7