
Harbor documentation is incorrect and should include offline_access OIDC scope

Open fuomag9 opened this issue 1 year ago • 2 comments

Describe the bug

Harbor documentation is incorrect and should include the offline_access OIDC scope. Without this, docker login will fail due to failure to refresh the access token.

Screenshots

Correct implementation: [image]

Logs

harbor-core        | 2024-05-23T22:41:54Z [ERROR] [/server/middleware/security/oidc_cli.go:68][requestID="6c4a58aa-4192-4b72-a403-780a44c13d83"]: failed to verify secret, username: fuomag9, error: failed to verify the secret: secret mismatch, username: fuomag9
harbor-core        | 2024-05-23T22:41:54Z [ERROR] [/server/middleware/security/basic_auth.go:72][client IP="2404:9dc0:cd01:0:ed18:4ed:e86:6ba6, 192.168.6.200" requestID="6c4a58aa-4192-4b72-a403-780a44c13d83" user agent="docker/26.1.1 go/go1.21.9 git-commit/ac2de55 kernel/6.6.26-linuxkit os/linux arch/arm64 UpstreamClient(Docker-Client/26.1.1 \(darwin\))"]: failed to authenticate user:fuomag9, error:not supported

Version and Deployment (please complete the following information):

  • authentik version: 2024.4.2
  • Deployment: docker-compose

fuomag9, May 23 '24 22:05

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Not stale

fuomag9, Jul 23 '24 05:07

I'm just getting started with Harbor using the RC of v2.12. Authentik is not working for me, even after adding offline_access.

I get:

{"errors":[{"code":"BAD_REQUEST","message":"oauth2: cannot fetch token: 405 Method Not Allowed\nResponse: "}]}

Have not been able to figure out a solution.

mlamoure, Nov 03 '24 21:11

@mlamoure In addition to the Harbor OIDC configuration, did you move authentik default OAuth Mapping: OpenID 'offline_access' to Selected Scopes under Advanced protocol settings in the OAuth2 Provider configuration for Harbor in Authentik?

sysaeon, Nov 09 '24 04:11

Hey @sysaeon thanks for the message. I had added it to the scopes. No luck!

mlamoure, Nov 09 '24 18:11

I have added the authentik default OAuth Mapping: OpenID 'offline_access' to Selected Scopes under the Advanced protocol settings, and added offline_access in the OIDC configuration on Harbor. I can't log in and get a 401. I see nothing in my core log.

What fixed it for me, for anyone else having issues, is setting the external_url in harbor.yml. I only had hostname set before.

sebedh, Apr 06 '25 16:04
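
Added example, not posted by anyone in this thread and not code from Harbor or authentik: a small preflight check for the two fixes reported above (the offline_access scope and external_url in harbor.yml). It assumes Harbor's OIDC scope setting is a comma-separated string and that a token response without a refresh_token field means no refresh token was issued; the function names and all sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the thread).
HARBOR_YML_BEFORE = """\
hostname: harbor.example.com
# external_url: https://harbor.example.com
"""
HARBOR_YML_AFTER = """\
hostname: harbor.example.com
external_url: https://harbor.example.com
"""
TOKEN_WITHOUT_REFRESH = {"access_token": "x", "id_token": "y", "expires_in": 300}
TOKEN_WITH_REFRESH = dict(TOKEN_WITHOUT_REFRESH, refresh_token="z")


def top_level_keys(harbor_yml):
    """Uncommented top-level `key: value` pairs from harbor.yml text."""
    keys = {}
    for line in harbor_yml.splitlines():
        # Commented-out or indented lines do not match; trailing comments are dropped.
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*?)\s*(?:#.*)?$", line)
        if m and m.group(2):
            keys[m.group(1)] = m.group(2)
    return keys


def preflight(harbor_yml, oidc_scope, token_response):
    """Return a list of findings; an empty list means both fixes are in place."""
    findings = []
    scopes = [s.strip() for s in oidc_scope.split(",")]
    if "offline_access" not in scopes:
        findings.append("scope: offline_access missing from Harbor OIDC scope")
    if "refresh_token" not in token_response:
        findings.append("token: no refresh_token issued, access token cannot be refreshed")
    if "external_url" not in top_level_keys(harbor_yml):
        findings.append("config: external_url not set in harbor.yml (only hostname)")
    return findings


if __name__ == "__main__":
    for finding in preflight(HARBOR_YML_BEFORE, "openid,profile,email", TOKEN_WITHOUT_REFRESH):
        print("FAIL", finding)
    fixed = preflight(HARBOR_YML_AFTER, "openid,profile,email,offline_access", TOKEN_WITH_REFRESH)
    print("OK" if not fixed else fixed)
```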