
Filebrowser will hard fail when OIDC provider is not found

Open JDB321Sailor opened this issue 7 months ago • 5 comments

**Description**

If the OAuth server goes offline the filebrowser service will get a hard failure and become inop.

**Expected behaviour**

Filebrowser has a fallback failure state when the OAuth server is unavailable but OAuth is configured.

**What is happening instead?**

Failure log (domain name changed for privacy):

```
2025/06/07 08:57:40 [FATAL] Error validating OIDC auth: url 'https://authentik.example.com/application/o/filebrowser/' failed to create OIDC provider: 404 Not Found:
```

Or failure log:

```
cannot create context: incompatible header (1.24.9) and library (1.25.6) versions
cannot create context: incompatible header (1.24.10) and library (1.25.6) versions
cannot create context: incompatible header (1.24.8) and library (1.25.6) versions
cannot create context: incompatible header (1.24.7) and library (1.25.6) versions
cannot create context: incompatible header (1.24.6) and library (1.25.6) versions
cannot create context: incompatible header (1.24.5) and library (1.25.6) versions
cannot create context: incompatible header (1.24.4) and library (1.25.6) versions
cannot create context: incompatible header (1.24.3) and library (1.25.6) versions
cannot create context: incompatible header (1.24.2) and library (1.25.6) versions
cannot create context: incompatible header (1.24.1) and library (1.25.6) versions
cannot create context: incompatible header (1.24.0) and library (1.25.6) versions
2025/06/07 09:12:59 [FATAL] Error validating OIDC auth: url 'https://authentik.example.com/application/o/filebrowser/' failed to create OIDC provider: Get "https://authentik.example.com/application/o/filebrowser/.well-known/openid-configuration": dial tcp: lookup authentik.example.com on 127.0.0.11:53: no such host
```

**Additional context**

I can comment out the OAuth portion and filebrowser returns with no issue. My config.yaml file:

```yaml
server:
  port: 80
  baseURL: "/"
  database: "database/database.db"
  sources:
    - path: "/folder"
      config:
        defaultUserScope: "/Filebrowser"
auth:
  methods:
    noauth: false                         # if set to true, overrides all other auth methods and disables authentication
    password:                             #  validate:omitempty
      enabled: true
      minLength: 5                        #  validate:omitempty,min=5
      signup: false                       # currently not used by filebrowser  validate:omitempty
#    oidc:                                 #  validate:omitempty
#      enabled: true                       # whether to enable OIDC authentication
#      clientId: "myclientidgoeshere"                        # client id of the OIDC application
#      clientSecret: "myverylongclientsecretgoeshere"                    # client secret of the OIDC applicati>
#      issuerUrl: "https://authentik.example.com/application/o/filebrowser/"            # authorization URL of the OIDC provider
#      scopes: "email openid profile"                          # scopes to request from the OIDC provider
#      userIdentifier: "email"                  # the user identifier to use for authentication.
#      disableVerifyTLS: false             # disable TLS verification for the OIDC provider.
#      logoutRedirectUrl: "https://authentik.example.com/application/o/filebrowser/end-session/"
```

**How to reproduce?**

I can recreate the hard fail by adding back in the commented out OIDC section and I will get a [FATAL] error validating the OIDC auth. If the OIDC section is commented out, then the filebrowser container starts successfully and runs without issue.

**Files**

Thank you for your work on this project!

JDB321Sailor avatar Jun 07 '25 09:06 JDB321Sailor

Sorry if the formatting is bad, I didn't realize GitHub was going to try and code out the information in the error logs.

JDB321Sailor avatar Jun 07 '25 09:06 JDB321Sailor

At the moment, this is by design. I will probably make it a warning in 0.8.0 though.

The reason it hard fails is because it's a brand new feature, so it helps someone configuring and having problems to either immediately know and fix it or raise the issue on GitHub.

gtsteffaniak avatar Jun 07 '25 12:06 gtsteffaniak

And btw you can just set `enabled: false` instead of commenting out.

gtsteffaniak avatar Jun 07 '25 12:06 gtsteffaniak

lol, that does seem like a simpler solution. I went the comment out route for a quick, known fix in the troubleshooting process. Roger on the feature not a bug on the hard fail. I wanted to bring it to your attention if you weren't tracking. Thank you for the support!

JDB321Sailor avatar Jun 09 '25 06:06 JDB321Sailor

Appreciate it. Lots of config-related issues are hard fails because otherwise someone might not realize something isn't configured right until much later.

The alternative is warnings. Would be nice to have a log viewer in the UI for admin users. That's another feature that might have to come first.

gtsteffaniak avatar Jun 09 '25 13:06 gtsteffaniak

After looking at doing this, it's a lot of changes to account for when the OIDC is not available and the startup isn't properly run. So I will keep it hard fail, it's actually quite useful for getting started as well. So unfortunately the behavior will remain a fatal error.

gtsteffaniak avatar Oct 22 '25 00:10 gtsteffaniak
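
The trade-off discussed in this thread, as an added Go example that is not part of the issue and not filebrowser's code: a startup probe that tells the two logged failures apart, treating a wrong issuer (the 404) as always fatal and an unreachable provider (the DNS error) as fatal unless an opt-in flag allows OIDC alone to be switched off. `OIDCAtStartup`, its `degrade` flag, `fakeIdP`, `SampleClient` and the host `down.example.com` are hypothetical names and constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// OIDCAtStartup is a hypothetical startup policy. A provider that answers without a valid
// discovery document is a configuration error and always fatal. A provider that does not
// answer is fatal too unless degrade is set: then only OIDC is switched off, with a warning.
func OIDCAtStartup(c *http.Client, issuer string, degrade bool) (enabled bool, fatal error) {
	u := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
	resp, err := c.Get(u)
	if err != nil && degrade {
		log.Printf("[WARN] OIDC disabled for this run, provider unreachable: %v", err)
		return false, nil
	} else if err != nil {
		return false, fmt.Errorf("OIDC provider unreachable: %w", err)
	}
	defer resp.Body.Close()
	var doc struct{ Issuer string `json:"issuer"` } // only this field is read; the body never enters the error
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&doc) != nil {
		return false, fmt.Errorf("OIDC issuer misconfigured: %s answered HTTP %d without a discovery document", u, resp.StatusCode)
	}
	if doc.Issuer != issuer { // discovery requires an exact match with the configured issuer
		return false, fmt.Errorf("OIDC issuer misconfigured: document names %q, config has %q", doc.Issuer, issuer)
	}
	return true, nil
}

// fakeIdP is a constructed offline transport: one dead host, one valid issuer, 404 otherwise.
type fakeIdP struct{}
func (fakeIdP) RoundTrip(r *http.Request) (*http.Response, error) {
	if r.URL.Host == "down.example.com" {
		return nil, fmt.Errorf("dial tcp: lookup %s: no such host", r.URL.Host)
	}
	status, body := 404, "<html>Not Found</html>"
	if r.URL.Path == "/application/o/filebrowser/.well-known/openid-configuration" {
		status, body = 200, `{"issuer":"https://authentik.example.com/application/o/filebrowser/"}`
	}
	return &http.Response{StatusCode: status, Body: io.NopCloser(strings.NewReader(body))}, nil
}

func SampleClient() *http.Client { return &http.Client{Transport: fakeIdP{}} }
func main() { fmt.Println(OIDCAtStartup(SampleClient(), "https://down.example.com/o/app/", true)) }
```

With `degrade` unset the function behaves like the hard fail described above; with it set, the other configured login methods are untouched and `noauth` is never enabled as a fallback.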