Request has been Denied. Flow does not apply to current user. What am I missing!?
Describe your question/
Simply set up Authentik in portainer with a stack.
Relevant infos
Debian 12, Portainer BE 2.19.4, Docker-ce 5:24.0.7, Docker Compose 2.21.0, Authentik 2023.10.6
Screenshots
Logs
INF | auth_via=unauthenticated event=/if/flow/initial-setup/ host=10.0.0.70:9999 logger=authentik.asgi method=GET pid=21 remote=10.0.0.16 request_id=639062a4017c4e03af1af58f8247b99f runtime=45 scheme=http status=200 timestamp=2024-01-11T00:16:17.358773 user= user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/ws/client/ logger=authentik.asgi pid=22 remote=10.0.0.16 scheme=ws timestamp=2024-01-11T00:16:17.534925 user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | auth_via=unauthenticated event=/api/v3/flows/executor/initial-setup/?query= host=10.0.0.70:9999 logger=authentik.asgi method=GET pid=21 remote=10.0.0.16 request_id=5bf9263a3c6840c8a0e7c60cf86bd8ec runtime=166 scheme=http status=200 timestamp=2024-01-11T00:16:17.713295 user= user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
warning | auth_via=unauthenticated event=f(exec): Flow not applicable to current user exc=FlowNonApplicableException() flow_slug=initial-setup host=10.0.0.70:9999 logger=authentik.flows.views.executor pid=21 request_id=19be4616e2fa4f89aff2b6f7f7f8d0c2 timestamp=2024-01-11T00:16:28.714973
INF | auth_via=unauthenticated event=/api/v3/flows/executor/initial-setup/?query= host=10.0.0.70:9999 logger=authentik.asgi method=POST pid=21 remote=10.0.0.16 request_id=19be4616e2fa4f89aff2b6f7f7f8d0c2 runtime=18 scheme=http status=200 timestamp=2024-01-11T00:16:28.718903 user= user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | auth_via=unauthenticated event=/-/health/live/ host=localhost:8000 logger=authentik.asgi method=GET pid=21 remote=255.255.255.255 request_id=ef99c52845444c2ca14726005aff67ab runtime=24 scheme=http status=204 timestamp=2024-01-11T00:16:30.624566 user= user_agent=goauthentik.io/router/healthcheck
INF | event=/static/dist/flow/FlowInterface.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58933 runtime=0.294 scheme=http size=97 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/PromptStage-8d0QKIjx.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58985 runtime=0.458 scheme=http size=20701 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/standalone/loading/index.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58987 runtime=0.449 scheme=http size=45761 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/standalone/loading/vendor-tE6fj0d6.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58987 runtime=12.725 scheme=http size=299257 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/locale-en-oD1Dvgpn.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58985 runtime=21.229 scheme=http size=156981 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/FlowInterface-xgZ9cG5z.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58988 runtime=25.638 scheme=http size=275317 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/standalone/loading/api-CiT45_yq.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58987 runtime=5.138 scheme=http size=345237 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/api-MAwzzYsg.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58933 runtime=31.003 scheme=http size=1569092 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/flow/vendor-U84AyUBr.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58989 runtime=48.175 scheme=http size=835541 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | event=/static/dist/poly.js.map host=10.0.0.70:9999 logger=authentik.router method=GET remote=10.0.0.16:58986 runtime=75.906 scheme=http size=1611949 status=200 timestamp=2024-01-11T00:16:33Z user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
INF | auth_via=unauthenticated event=/-/health/live/ host=localhost:8000 logger=authentik.asgi method=GET pid=22 remote=255.255.255.255 request_id=f5286c6e59a84751accd76696a52973c runtime=12 scheme=http status=204 timestamp=2024-01-11T00:17:00.618716 user= user_agent=goauthentik.io/router/healthcheck
INF | auth_via=unauthenticated event=/-/health/live/ host=localhost:8000 logger=authentik.asgi method=GET pid=22 remote=255.255.255.255 request_id=9e5e7fb88ea844bba5a97a4a529747ae runtime=12 scheme=http status=204 timestamp=2024-01-11T00:17:30.613058 user= user_agent=goauthentik.io/router/healthcheck
Version and Deployment (please complete the following information):
- authentik version: 2023.10.6
- Deployment: docker-compose via portainer stacks
Additional context
After seemingly successfully starting Authentik up, I go to if/flows/initial-setup, I enter in my email and password that I want to use, and every single time, I get this message showing up. What am I doing wrong??? What does it mean flow isn't applicable to current user? There are no users! I'm attempting to create the first one!!
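As an added example (not part of the original thread and not authentik's own code), the sketch below parses console log lines in the format shown in the log above and pairs each FlowNonApplicableException warning with the access-log entry that shares its request_id. The function names are hypothetical and the sample lines are abridged copies of that log; the result shows that the denied POST was still logged with status=200, so filtering on HTTP status alone would miss it.

```python
import re

# A key is a lowercase word followed by "=", at line start or after whitespace.
# Values may contain spaces (event text, user_agent), so each value runs up to
# the next " key=" token instead of the next space.
KEY = re.compile(r"(?:^|\s)([a-z_]+)=")


def parse_line(line):
    """Split one 'LEVEL | key=value ...' console line into a dict."""
    level, sep, body = line.partition(" | ")
    if not sep:
        return None  # not in the expected format
    fields = {"level": level.strip().lower()}
    hits = list(KEY.finditer(body))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[hit.group(1)] = body[hit.end():end].strip()
    return fields


def denied_flows(lines):
    """Pair each FlowNonApplicableException with its access-log entry."""
    records = [r for r in map(parse_line, lines) if r]
    access = {r["request_id"]: r for r in records
              if r.get("logger") == "authentik.asgi" and "request_id" in r}
    findings = []
    for r in records:
        if r.get("exc") != "FlowNonApplicableException()":
            continue
        req = access.get(r.get("request_id"), {})
        findings.append({
            "flow": r.get("flow_slug"),
            "request_id": r.get("request_id"),
            "method": req.get("method"),
            "scheme": req.get("scheme"),
            "remote": req.get("remote"),
            "auth_via": r.get("auth_via"),
            "http_status": req.get("status"),
        })
    return findings


# Abridged copies of three log lines from the post above (user_agent shortened).
SAMPLE = [
    "INF | auth_via=unauthenticated event=/api/v3/flows/executor/initial-setup/?query= "
    "host=10.0.0.70:9999 logger=authentik.asgi method=GET pid=21 remote=10.0.0.16 "
    "request_id=5bf9263a3c6840c8a0e7c60cf86bd8ec runtime=166 scheme=http status=200 user= ",
    "warning | auth_via=unauthenticated event=f(exec): Flow not applicable to current user "
    "exc=FlowNonApplicableException() flow_slug=initial-setup host=10.0.0.70:9999 "
    "logger=authentik.flows.views.executor pid=21 request_id=19be4616e2fa4f89aff2b6f7f7f8d0c2",
    "INF | auth_via=unauthenticated event=/api/v3/flows/executor/initial-setup/?query= "
    "host=10.0.0.70:9999 logger=authentik.asgi method=POST pid=21 remote=10.0.0.16 "
    "request_id=19be4616e2fa4f89aff2b6f7f7f8d0c2 runtime=18 scheme=http status=200 user= "
    "user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

if __name__ == "__main__":
    for finding in denied_flows(SAMPLE):
        print(finding)
```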
I just had the same issue, the workaround was to use Chrome instead of Firefox, and use the HTTPS port instead of HTTP, i.e. https://172.16.117.253:9443/if/flow/initial-setup/
Which one of those changes sorted it I can't say, but it works now.
Struggling with a very similar thing atm...
I have a fresh setup where initial setup worked fine, but when I attempt to use the enrollment flow I get the same message. Regular login with the akadmin user works though.
This is the same no matter the browser, incognito or otherwise. I installed using the v2023.10.6 helm chart on Kubernetes, with only an http port (80) exposed on the container. Ingress acts as HTTPS termination.
Had a similar issue while I still had an additional basic auth middleware applied. After removal it worked.
It's strange, launching through authentik home works fine, but opening from an incognito window doesn't.
Same applies to me too, I just installed it to try it out but it's giving me the same error. Cannot set up.
Looks like something is messing up the UI, checked the network and nothing is wrong but the UI doesn't seem to respond how it should, probably because of the extensions I installed.
Tried in Mozilla and it works.
Same issue here. Fresh installation using the latest version 2024.2.2, and accessing Authentik redirects me to the default login page if/flow/default-authentication-flow/?next=%2F and then shows an error in both UI and logs.
authentik-server | {"action": "system_exception", "auth_via": "unauthenticated", "client_ip": "172.29.125.27", "context": {"http_request": {"args": {"next": "/"}, "method": "GET", "path": "/api/v3/flows/executor/default-authentication-flow/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0"}, "message": "Traceback (most recent call last):\n File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py\", line 497, in dispatch\n self.initial(request, *args, **kwargs)\n File \"/ak-root/venv/lib/python3.12/site-packages/sentry_sdk/integrations/django/__init__.py\", line 312, in sentry_patched_drf_initial\n return old_drf_initial(self, request, *args, **kwargs)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py\", line 414, in initial\n self.perform_authentication(request)\n File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py\", line 324, in perform_authentication\n request.user\n File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/request.py\", line 227, in user\n self._authenticate()\n File \"/ak-root/venv/lib/python3.12/site-packages/rest_framework/request.py\", line 380, in _authenticate\n user_auth_tuple = authenticator.authenticate(self)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/authentik/api/authentication.py\", line 99, in authenticate\n user = bearer_auth(auth)\n ^^^^^^^^^^^^^^^^^\n File \"/authentik/api/authentication.py\", line 37, in bearer_auth\n user = auth_user_lookup(raw_header)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/authentik/api/authentication.py\", line 49, in auth_user_lookup\n auth_credentials = validate_auth(raw_header)\n ^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/authentik/api/authentication.py\", line 29, in validate_auth\n raise AuthenticationFailed(\"Unsupported authentication type\")\nrest_framework.exceptions.AuthenticationFailed: Unsupported authentication type"}, "domain_url": "sub.domain.tld", "event": "Created Event", "host": "sub.domain.tld", "level": "info", "logger": "authentik.events.models", "pid": 84, "request_id": "0beeff0353c04ee78a57dd6bbb64a37c", "schema_name": "public", "timestamp": "2024-04-10T10:03:40.324965", "user": {"email": "", "is_anonymous": true, "pk": 1, "username": "AnonymousUser"}}
authentik-server | {"auth_via": "unauthenticated", "domain_url": "sub.domain.tld", "event": "Task published", "host": "sub.domain.tld", "level": "info", "logger": "authentik.root.celery", "pid": 84, "request_id": "0beeff0353c04ee78a57dd6bbb64a37c", "schema_name": "public", "task_id": "1f069fba9c53432b8214437c82aa8a6a", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2024-04-10T10:03:40.346281"}
Same issue here. Error on 2023.10.7, and updating to the latest version 2024.2.2 changes nothing. The error happens on every application using oauth or oidc (like komga, Statping or argocd). The login works if my users are already logged in to authentik, but they cannot log in otherwise. Accessing applications redirects me to the default login page if/flow/default-authentication-flow/?next=%2F and then shows an error in both UI and logs.
I'm also in the same boat here:
Fresh setup, the initial setup can't even kick off. And once you get the error about request denied, it's persistent and never goes away.
Any update/idea yet why? Been trying a whole week all kinds of ways, but this seems to be a bug. I'm about to give up on Authentik and change to something else.
With the latest Authentik, Docker and Docker Compose versions, the "Flow does not apply to current user." error can be resolved by correcting the provider's authentication flow from the incorrect default-source-authentication to default-authentication-flow.
Visual image of this is below:
My docker-compose.yml file:
# Installation: https://hub.docker.com/r/beryju/authentik
version: '3.9'
services:
  server:
    image: beryju/authentik:2024.2
    container_name: authentik
    restart: unless-stopped
    command: server
    user: "root"
    environment:
      - AUTHENTIK_REDIS__HOST=${AUTHENTIK_REDIS__HOST}
      - AUTHENTIK_POSTGRESQL__HOST=${AUTHENTIK_POSTGRESQL__HOST}
      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRESQL__USER}
      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRESQL__NAME}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD}
      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
    volumes:
      - /opt/appdata/authentik/media:/media
      - /opt/appdata/authentik/custom-templates:/templates
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 9815:9000
      - 9816:9443
    depends_on:
      - postgresql-authentik
      - redis-authentik
    networks:
      - proxy
  worker:
    image: beryju/authentik:2024.2
    container_name: authentik_worker
    restart: unless-stopped
    command: worker
    user: "root"
    environment:
      - AUTHENTIK_REDIS__HOST=${AUTHENTIK_REDIS__HOST}
      - AUTHENTIK_POSTGRESQL__HOST=${AUTHENTIK_POSTGRESQL__HOST}
      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRESQL__USER}
      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRESQL__NAME}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD}
      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    volumes:
      - /opt/appdata/authentik/media:/media
      - /opt/appdata/authentik/certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/appdata/authentik/custom-templates:/templates
    depends_on:
      - postgresql-authentik
      - redis-authentik
    networks:
      - proxy
  postgresql-authentik:
    image: postgres:16-alpine3.19
    container_name: postgresql-authentik
    restart: unless-stopped
    healthcheck:
      test:
        [
          'CMD-SHELL',
          'pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}'
        ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    environment:
      - PUID='1000'
      - PGID='1000'
      - POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER}
      - POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME}
      - POSTGRES_PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD:?database password required}
    volumes:
      - authentik-postgresql-volume:/var/lib/postgresql/data
    ports:
      # PostgreSQL listens on 5432 inside the container (was 5432:8080)
      - 5432:5432
    networks:
      - proxy
  redis-authentik:
    image: redis:alpine3.19
    container_name: redis-authentik
    restart: unless-stopped
    healthcheck:
      test: [ 'CMD-SHELL', 'redis-cli ping | grep PONG' ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    environment:
      - PUID='1000'
      - PGID='1000'
    volumes:
      - authentik-redis-volume:/data
    ports:
      - 6379:6379
    networks:
      - proxy
volumes:
  authentik-postgresql-volume: {}
  authentik-redis-volume: {}
networks:
  proxy:
    driver: bridge
    external: true
At least this has resolved the issue for myself. I hope this helps everyone else, have a great day!
This is not the same issue we are reporting. You already got "in" Authentik. We can't even do the initial admin account creation immediately after Authentik is spun up. It locks completely from the first minute. And once it's locked, it remains like this. The only way to continue is docker compose down, remove volume and docker compose up again to have another try and to have the same error over and over.
It's happening since the last 2 or 3 releases afaik.
@codeagencybe Ah, understood. That is a strange issue.
I was also in the same boat yesterday. I found a temporary workaround, so it is possible to log in as admin without completing the initial-setup step due to this bug(?).
The solution below is sourced verbatim from their Troubleshooting: Login page.
To create the key, run the following command:
docker compose run --rm server create_recovery_key 10 akadmin
For Kubernetes, run
kubectl exec -it deployment/authentik-worker -c authentik -- ak create_recovery_key 10 akadmin
or, for CLI, run
ak create_recovery_key 10 akadmin
This will output a link, that can be used to instantly gain access to authentik as the user specified above. The link is valid for amount of years specified above, in this case, 10 years.
When you are inside click the following:
Admin Interface (navbar) > Directory (sidebar) > Users (option in dropdown) > akadmin (link) > User Info (left-side section) > Set Password (button)
When your password is set, you should be able to log in as akadmin.
I managed to get my issue solved by changing the LISTEN HTTP flags as follows:
AUTHENTIK_LISTEN__HTTP=authentik-server:8000
AUTHENTIK_LISTEN__HTTPS=authentik-server:8443
I think the problem was coming from a port conflict with Portainer, which occupies ports 8000, 9000 and 9443 by default. I already changed the ports for Authentik to 8000 and 8443 but for some reason I found in the logs parts of "output" trying to do something on port 9000 which is obviously going to the Portainer container and failing.
After I set these 2 extra params, matching the same ports on COMPOSE_PORT, the problem was solved.
Also, updating to image version 2024.4.0 fixed some other issues.
At the end of the day, I ended up getting around this by using the AUTHENTIK_BOOTSTRAP_ variables to register a user during image creation. That worked, but I ran into so many other issues with getting authentication actually working that I just gave up and left it alone for a while. Trying again with all of this this weekend...
