
Authentik gets stuck in redirect loop when using newly created application with proxy provider

Open miversen33 opened this issue 1 year ago • 9 comments

Describe the bug

This was discussed a bit in the Application Reverse Proxy Issues thread on the discord but I will do my best to relay the info here as well.

On a fresh install, when I create a new proxy provider for an application (in my example I am using sonarr, though the endpoint is irrelevant), Authentik cannot seem to find the application after setting it up. Pictures are worth a thousand words, so here is a handful to show what I am seeing.

[Image: Proxy Provider setup]

[Image: Example application setup]

[Image: Authentik Embedded Outpost]

Authentik Outpost Configuration

log_level: info
docker_labels: null
authentik_host: https://auth.iserver.me
docker_network: null
container_image: null
docker_map_ports: true
kubernetes_replicas: 1
kubernetes_namespace: default
authentik_host_browser: ""
object_naming_template: ak-outpost-%(name)s
authentik_host_insecure: false
kubernetes_service_type: ClusterIP
kubernetes_image_pull_secrets: []
kubernetes_ingress_class_name: null
kubernetes_disabled_components:
  - deployment
  - secret
kubernetes_ingress_annotations: {}
kubernetes_ingress_secret_name: authentik-outpost-tls

[Image: User application page]

[Image: Firefox dying of redirect loop]

[Image: Round and round it goes]

To Reproduce

Steps to reproduce the behavior:

  1. Set up a new fresh installation of authentik with docker compose
  2. Create new proxy provider with default-authentication-flow as the authentication flow and default-provider-authorization-explicit-consent as the authorization flow (though I tried with implicit and got the same result)
  3. Set up external and internal host as requested
  4. Create an application that uses the Provider
  5. Add the application to the embedded outpost (are we supposed to set that to use the local docker connection integration?? I tried both but don't really know the "correct" way to use that).
  6. Go to application page
  7. See death

Expected behavior

I would expect the application to properly load when selected. I assume I am doing something wrong but I was unable to find any documentation/examples on how to set up applications/providers. There seems to be quite a bit of assumed knowledge in the docs. Note, previously I was experiencing an authentik 404 when selecting an application. I am unable to recreate this issue now, though I feel like I haven't changed my configuration so 🤷‍♂️

Logs

Output of docker-compose logs or kubectl logs respectively

authentik-server-logs.gz

Version and Deployment (please complete the following information):

  • authentik version: 2023.6.1
  • Deployment: docker-compose

Additional context

I am noticing that after I set up the basic proxy provider, any requests that come to the base domain (in this case, iserver.me) are being consumed by it at the listed endpoint (so iserver.me/sonarr). That screams misconfiguration to me but I have no idea what I am doing wrong :(

I will provide whatever information is needed, thanks in advance!

Aug 14 '23 23:08 miversen33

Is there more information that I need to provide to get some kind of feedback about what I may be doing incorrectly here?

Sep 01 '23 18:09 miversen33

It's caused by the path. If you use a dedicated subdomain instead of a path, it will work.

However, I'm curious myself about how to set it up with a path 🤔

Sep 04 '23 08:09 alyxto

Can't you just use a localIP:port? I do that with my apps and never encounter issues, then I just tell Cloudflare's tunnels where to point the external domain to, for example, observer.mydomainname.com for uptimekuma.

Oct 10 '23 19:10 Node815

Like I said, if you use a dedicated domain there is no issue. The issue is that it doesn't work for path-specific rules

Oct 10 '23 19:10 alyxto

This is correct. Subdomains work just fine. I was attempting to use a path instead. Possibly a lack of documentation or lack of knowledge in this area on my part. In any case, using a subdomain does work but isn't really what I wanted.

The issue experienced here is also not related to a program not knowing how to navigate the path as root, but authentik instead just getting stuck itself while trying to navigate the authentication flow. I have since changed my SSL provider (back to Let's Encrypt since Cloudflare does not support free wildcard SSL certs) and am using a subdomain. But that was not what I wanted when I first started digging into this.

Oct 10 '23 19:10 miversen33

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bots are so damn annoying..

Dec 10 '23 10:12 alyxto

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bots are so damn annoying..

Feb 10 '24 09:02 alyxto

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bots are so damn annoying..

Apr 16 '24 11:04 alyxto

there's some information about this here #2305, subpaths are not officially supported currently.

Apr 16 '24 11:04 BeryJu