Proxy provider random incorrect redirects
This is a summarising issue for #4732, #5603, #4166, #6253 and a bunch of other ones.
The gist of the issue is that the proxy provider will occasionally (depending on the application it happens more or less often) redirect to the incorrect URL. As far as I know this only happens with the forward_auth and forward_auth domain modes.
This is caused by the provider saving the final redirect URL in the session whenever accessing the forward_auth url without a session, so that the final redirect can be done correctly. When using a website/PWA that loads many things at once, requests for resources can be sent at the same time and overwrite that session value, causing the final redirect to point to a JS/CSS file, or with the forward_auth domain mode even to point to a different domain.
I was just thinking... I'm pretty sure back in the day when I used authelia I didn't notice this problem with forward auth. I don't suppose there is something that can be referenced in their code?
EDIT: People, no need to comment on this thread and needlessly spam people. To vote on this, just click the thumbs up (👍🏻) on the first post!
Not sure if this information is of any use, but I find this behavior occurs fairly consistently with the docker container for Semaphore (Ansible). Maybe it's of some use for debugging, I don't know.
It seems to forward fine the first time, but if the tab is left for a while, and it re-auths on refreshing the page then it fairly consistently ends up at /api/ws instead of whatever page it was previously on.
I have this problem a LOT on the 'arr stack of software. It's usually API requests that end up getting stuck and it's mighty frustrating.
For reference I use NPM as my Proxy Provider and Authentik as a Forward Auth provider.
I have the same issue. Is there any workaround available for it? It's very problematic: after authentication it redirects to random URLs, and sometimes the browser will even download some server app files.
Using ingress-nginx and authentik on k8s, backend apps with issues so far: Vigil, Homer
I've also been having this issue for quite some time. I figured that I had misconfigured something but maybe not. I'm also using Authentik for oauth2... that works perfectly for me. But forward auth is frequently redirecting me to random API responses, causing my browser to download files or start downloading streams of data from the server, and so on. I always just have to spam the back button to get back to the UI of whatever I was using, and then everything starts working again.
I'm using Traefik with the standard k8s ingress resource plus Traefik's annotations to set the normal outpost-created middleware, e.g.:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: authentik-ak-outpost@kubernetescrd
```
Only maybe-workaround I've noticed: the issue appears when you re-authenticate, so if you increase the length of token validity it becomes progressively less annoying. I find that minutes=60 isn't too bad. Try it at your own risk I guess.
Having the same issues with Authentik forward auth and Traefik.
Having the same issues with Authentik forward auth and traefik proxy.
I've had this issue for a while, and thought it might have been related to or caused by #7464, but after (hopefully) finding the root of that problem, the redirects to CSS and other assets for Actual and Nginx Proxy Manager have continued.
I'm using Authentik for forward auth for a few of my services, and using Nginx Proxy Manager for reverse proxy.
same issue, very frustrating
I've also had this issue for a long time; it's just really bothering me now because I use a new home dashboard that's app-style and won't let you change the URL path quickly on mobile. It happens mostly after revisiting an app like the arrs or Home Assistant within a certain short time frame, only with the proxy provider, in both proxy mode and forward auth, in combination with NPM. With Authelia back in the day I didn't have this issue, but with authentik I've always had this from the start, mostly redirecting to /api and getting stuck; removing everything after / fixes the issue until the next time it happens. A fix would be highly appreciated.
I don't suppose the proxy outpost could be modified to use unique state values for every request and associate the redirect URL with that state value?
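A minimal model of the race described in this issue and of the per-request state idea suggested above, added here as an illustration. It is not authentik's code; `Session`, `startSingleSlot`, `startKeyed`, `callbackKeyed` and the request burst are all hypothetical names and constructed data.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Session models the state shared by every request carrying the same cookie (hypothetical).
type Session struct {
	Redirect string            // single slot: the last unauthenticated request wins
	ByState  map[string]string // one entry per auth flow, keyed by a random state
}

// startSingleSlot overwrites the stored redirect, as the issue describes.
func startSingleSlot(s *Session, url string) { s.Redirect = url }

// startKeyed stores the URL under a fresh random state that travels with the flow.
func startKeyed(s *Session, url string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	state := hex.EncodeToString(b)
	s.ByState[state] = url
	return state
}

// callbackKeyed resolves and consumes the redirect for one state (single use).
func callbackKeyed(s *Session, state string) (string, bool) {
	url, ok := s.ByState[state]
	delete(s.ByState, state)
	return url, ok
}

// simulate replays a constructed burst: the page first, then its subresources.
func simulate(burst []string) (singleSlot, keyed string) {
	s := &Session{ByState: map[string]string{}}
	var pageState string
	for i, u := range burst {
		startSingleSlot(s, u)
		if st := startKeyed(s, u); i == 0 {
			pageState = st // the login the user completes belongs to the page load
		}
	}
	keyed, _ = callbackKeyed(s, pageState)
	return s.Redirect, keyed
}

func main() { fmt.Println(simulate([]string{"/dashboard", "/static/app.css", "/api/ws"})) }
```

With the single slot the post-login redirect lands on the last subresource; with the keyed store it returns to the page that started the flow.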
I am running into this as well with https://github.com/janeczku/calibre-web with static assets not loading correctly. I can reproduce it within a few page loads. Surprisingly, I've only been able to reproduce in Safari - Firefox is working fine.
server-1 | {"event":"redirect URI did not contain external host","ext":"//REDACTED-DOMAIN","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Calibre-Web Proxy","timestamp":"2024-01-15T03:43:20Z","url":"/static/css/libs/bootstrap.min.css"}
> As far as I know this only happens with the forward_auth and forward_auth domain mode
I converted my app to be a regular proxy provider and I had exactly the same issues. Anything I can offer to help debug this?
I have the same issue with Authentik and Traefik.
Assuming I am running Homer, or any other web app, here it is what I noticed:
- Upon first login the `config.yml` file is being downloaded. In order to access the homer page I need to reinsert the URL and all works fine.
- If already logged in and the Provider token expires, then when you click refresh inside Homer, or any other link that should keep you inside Homer, it goes back to Authentik to get a new token and downloads the `config.yml` again.

So my conclusion is that the bad redirect happens upon the token creation. If the token is valid, the redirect is good.
Maybe it is related to #8137 and the issue will be fixed with the next release?
I closed #8137 shortly after creating it because I realized it's the same thing that's already discussed in a comment above.
I don't think it's going to be fixed until someone basically rewrites how the proxy outpost handles its redirect state.
I tried to take a stab at it, but found that trying to build authentik to test locally was complicated enough that I can't spare the time for it personally.
Any chance this can be fixed? I was hoping it would get fixed with time, but it is pretty frustrating to open a URL and then, after being redirected incorrectly, to be opening the same URL again...
I actually discovered that I was accidentally running a version of Authentik from the spring. I've upgraded, and everything seems to be working fine for me. I'm pulling back my offer to help debug this 😄.
Quite likely not the issue for others, but I believe one of the things I did prior to this issue disappearing was resetting the container names in my Portainer stack. I'd customized them to be less verbose (authentik instead of authentik-server-1 or whatever), and I think leaving the containers to name themselves as they see fit might have fixed it for me.
Then again, I tried a number of things back then, and I'm not positive which one actually resolved the issue as a result.
I am running 2023.10.7… I will upgrade to 2024.2 and test again
Actually I was on the newest version, 2024.2 was not released yet but I also tried 2024.2 and am facing the same issue
I've got the same issue. Actually I'm using traefik => middleware Authentik (proxy forward) > Home Assistant
When I load Home Assistant, the browser loads static content assets, hosted by HA, and randomly the redirect URI in the authentik callback is the URL of static content. Is the browser cache trying to call authentik in the wrong order (loading an asset first and then having a wrong redirect URI)?
The solution could be to not filter static assets but only API endpoints; I'll try. I've not tested with Authelia; if the bug is not reproduced with Authelia, it could be interesting to dig into why.
Do you have this issue on every site? I have it on most sites behind authentik, and the issue seems to occur when the user session times out. No matter if you even use incognito mode, authentik has saved somewhere that it will redirect to some other object, even if you only try to open the main URL.
I found out that if you use the internal proxy instead of NPM or nginx or whatever, you don't have this issue. I changed all my arrs (Sonarr etc.) to internal and now this works fine. Also, something got better with the update a couple of months back, because for example Home Assistant redirects work 9 out of 10 times; sometimes I still have a black page after login, but a simple refresh fixes that. Wrong API redirects still happen in HA, but only very occasionally. That's my experience at least.
> Do you have this issue on every site? I have it on most sites behind authentik and the issue seems to occur when the user session times out, no matter if you use even incognito mode, authentik has saved somewhere that it will redirect to some other object even if only the main url is being tried to open

I have multiple websites on other subdomains, also in other VMs, for instance a Piwigo instance (photo PHP/nginx/MariaDB app), and I have the same wrong random behaviour.
The proposed fix #8594 is not merged into any of the releases yet. Can we have this bumped to priority?
I have the same issue with traefik forward auth and homer dashboard. After the session timeout and logging in again in authentik it downloads static assets from homer (config.yml)
Looks like #8594 did not manage to get to 2024.4 yet, so issue still occurs. Let's wait :)
Is there something needed to change on a normal nginx to now have redirections after login? We've lost it after the 2024.06 update, maybe we were the only ones with it working properly 😅
Update: fixed it, the docs include this snippet for standalone nginx:

```nginx
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
```

but it should be changed to:

```nginx
return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
```