Authentik OIDC: Login failure (maybe related to custom port)

Open Ra72xx opened this issue 3 months ago • 2 comments

I try to set up OIDC with Authentik the same way I have set up my other homelab apps. It does not work: after entering the credentials, the token exchange fails (called 'an unxpected error occured').

Authentik tries to call this url: https://myserver:myport/oauth/callback?error=token_exchange_failed which would be, without the error message, the correct url including the custom port.

The Authentik log contains the following entries:

{
    "user": {
        "pk": 2,
        "email": "",
        "username": "AnonymousUser",
        "is_anonymous": true
    },
    "action": "configuration_error",
    "app": "authentik.providers.oauth2.views.token",
.....
        "message": "Invalid redirect URI used by provider",
        "expected": [
            {
                "url": "https://myserver:myport/api/auth/callback",
                "matching_mode": "strict"
            }
        ],
        "provider": {
            "pk": 40,
            "app": "authentik_providers_oauth2",
            "name": "Provider for PinePods",
            "model_name": "oauth2provider"
        },
        "http_request": {
            "args": {},
            "path": "/application/o/token/",
            "method": "POST",
            "request_id": "",
            "user_agent": ""
        },
        "redirect_uri": "https://myserver/api/auth/callback"
    },
    "client_ip": "",
    "expires": "2025-10-25T05:04:30.080Z",
    "brand": {
        "pk": "1b7722ddfef84e0796d7e95308770d01",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}

Looking at the logs, two things are strange:

  1. Why am I logged as "Anonymous user"?
  2. The "redirect_uri" logged in the lower part of the output does not contain the custom port, only the hostname.

I entered the custom port at every point in Authentik (setting for redirect) and PinePods (hostname). So I wonder why Authentik at some point somehow seems to use/expect a redirect URI without the custom port. It works with my other OIDC apps on custom ports.

(BTW: I'm also not able to remove the configured provider from the Pinepods web ui anymore, the trash button does not work, an error pops up.)

Ra72xx avatar Oct 11 '25 05:10 Ra72xx

Update: I made OIDC work by adding the redirect url without the custom port to Authentik. This url is wrong, as nothing is listening at the standard port, but this seems to trick Authentik into working.

Ra72xx avatar Nov 01 '25 07:11 Ra72xx

Probably a mismatch between what PinePods thinks its URL is (and what it reports to Authentik as the redirect URL back to its endpoint) and what Authentik is configured to allow redirects to.

To debug, start the authentication process with dev tools open. Make sure to unselect "clean network log" or whatever the corresponding checkbox is in your browser.

Find the redirect URI query parameter in the request to Authentik. The parameter is URI-encoded, so you need to decode the parameter value. Compare this URL to the regex in your Authentik provider.

Miladiir avatar Nov 16 '25 09:11 Miladiir
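
The comparison described in the last comment, as an added example (not part of the original thread and not PinePods or Authentik code): it decodes `redirect_uri` from a captured authorization request and reports which URL component differs from the provider's allowed entries, using the shape of the `expected` list in the log above. The host names, port 8443 and client id are constructed sample values, and treating `regex` mode as a full match is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: the authorization request as copied from the browser's
# network log, and the provider's allowed redirect URIs.
AUTHORIZE_URL = (
    "https://auth.example/application/o/authorize/?client_id=constructed-client"
    "&response_type=code&scope=openid"
    "&redirect_uri=https%3A%2F%2Fpinepods.example%2Fapi%2Fauth%2Fcallback"
)
ALLOWED = [{"url": "https://pinepods.example:8443/api/auth/callback",
            "matching_mode": "strict"}]

def extract_redirect_uri(authorize_url):
    """Return the decoded redirect_uri parameter of an authorization request."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one redirect_uri, found {len(values)}")
    return values[0]  # parse_qs has already percent-decoded the value

def component_diff(sent, allowed):
    """List the URL components in which two redirect URIs differ."""
    a, b = urlsplit(sent), urlsplit(allowed)
    parts = {"scheme": (a.scheme, b.scheme), "host": (a.hostname, b.hostname),
             "port": (a.port, b.port), "path": (a.path, b.path),
             "query": (a.query, b.query)}
    return [f"{name}: sent {s!r}, allowed {w!r}"
            for name, (s, w) in parts.items() if s != w]

def check(sent, allowed_entries):
    """Return (matched, report) for one redirect URI against the allowed list."""
    report = []
    for entry in allowed_entries:
        url, mode = entry["url"], entry["matching_mode"]
        if mode == "strict":
            if sent == url:  # strict mode: exact string comparison
                return True, []
            report.extend(component_diff(sent, url))
        elif mode == "regex":  # assumption: the pattern must match the whole URI
            if re.fullmatch(url, sent):
                return True, []
            report.append(f"regex {url!r} does not match {sent!r}")
    return False, report

if __name__ == "__main__":
    sent = extract_redirect_uri(AUTHORIZE_URL)
    matched, report = check(sent, ALLOWED)
    print(sent, "matched" if matched else "rejected", *report, sep="\n")
```

A `port` line in the report means the client is building its callback URL without the custom port, which is the mismatch visible between `expected` and `redirect_uri` in the log above.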