[bug] Custom SSO failing with no error details
Attempting to set up Warpgate with Authelia, as suggested by this page, results in the following error message any time I try to log in with it:
Pressing the login button results in a 404 to /@warpgate/api/auth/state, followed by a 500 to /@warpgate/api/sso/providers/oidc-custom/start. The warpgate logs give no useful information at all:
Relevant Warpgate configuration:
sso_providers:
  - name: oidc-custom
    label: Custom SSO
    provider:
      type: custom
      client_id: warpgate
      client_secret: <secret>
      issuer_url: https://sso.obrien.lan
      scopes: ["openid", "email"]
Authelia configuration:
clients:
  - client_id: 'warpgate'
    client_name: 'Warpgate'
    client_secret: '<secret>'
    public: false
    authorization_policy: 'one_factor'
    require_pkce: false
    pkce_challenge_method: ''
    redirect_uris:
      - 'https://gate.obrien.lan/@warpgate/api/sso/return'
    scopes:
      - 'openid'
      - 'email'
    response_types:
      - 'code'
    grant_types:
      - 'authorization_code'
    access_token_signed_response_alg: 'none'
    userinfo_signed_response_alg: 'none'
    token_endpoint_auth_method: 'client_secret_basic'
In addition, Warpgate never makes any sort of HTTP request to Authelia in an attempt to authenticate, so it's either failing somewhere on the client or the server, I'm guessing. As a side note: it's also strange how the SSO button shows the provider ID rather than the display label, which it's meant to be using.
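The failing 500 happens before any request reaches the identity provider, so the first thing worth reproducing by hand is what an OIDC client library does at that point: turn issuer_url into the discovery URL (OpenID Connect Discovery 1.0, section 4) and validate the returned document against the configured provider entry. The script below is an added example for this thread, not code from Warpgate, Authelia or openidconnect-rs; the provider entry and discovery document in it are constructed samples (hostnames under example.lan), and the discovery document deliberately carries a trailing-slash issuer that the configuration lacks, which is one of the common reasons a client library rejects a provider without ever redirecting the browser.

```python
"""Offline pre-flight check for an OIDC 'custom' SSO provider entry.

Added example, not Warpgate's or Authelia's code. It mirrors the steps an OIDC
client takes before the first redirect: derive the discovery URL from issuer_url
and validate the discovery document. The samples at the bottom are constructed.
"""
import json
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_url(issuer_url: str) -> str:
    """Issuer with or without a trailing slash maps to the same discovery URL."""
    return issuer_url.rstrip("/") + WELL_KNOWN


def check_provider(provider: dict, discovery: dict) -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    issuer_url = provider["issuer_url"]
    # Discovery 1.0 s4.3: 'issuer' in the document MUST be identical to the URL used.
    # Clients compare the strings byte-for-byte, so a trailing slash is a failure.
    if discovery.get("issuer") != issuer_url:
        findings.append(
            f"issuer mismatch: configured {issuer_url!r}, "
            f"document says {discovery.get('issuer')!r}"
        )
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if endpoint not in discovery:
            findings.append(f"discovery document lacks required field {endpoint}")
        elif urlsplit(discovery[endpoint]).scheme != "https":
            findings.append(f"{endpoint} is not https: {discovery[endpoint]}")
    # scopes_supported is optional in the spec; only check it when advertised.
    supported = set(discovery.get("scopes_supported", []))
    if supported:
        missing = [s for s in provider["scopes"] if s not in supported]
        if missing:
            findings.append(f"scopes not advertised by provider: {missing}")
    if "code" not in discovery.get("response_types_supported", ["code"]):
        findings.append("provider does not advertise the 'code' response type")
    return findings


def fetch_discovery(issuer_url: str, timeout: float = 10.0) -> dict:
    """Fetch the live discovery document over HTTPS (not used by the offline sample)."""
    with urllib.request.urlopen(discovery_url(issuer_url), timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample: a provider entry shaped like the one in the report, and a
# discovery document whose 'issuer' carries a trailing slash the config does not.
SAMPLE_PROVIDER = {
    "type": "custom",
    "client_id": "warpgate",
    "issuer_url": "https://sso.example.lan",
    "scopes": ["openid", "email"],
}
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.lan/",
    "authorization_endpoint": "https://sso.example.lan/api/oidc/authorization",
    "token_endpoint": "https://sso.example.lan/api/oidc/token",
    "jwks_uri": "https://sso.example.lan/jwks.json",
    "scopes_supported": ["openid", "profile", "groups"],
    "response_types_supported": ["code"],
}

if __name__ == "__main__":
    print("discovery URL:", discovery_url(SAMPLE_PROVIDER["issuer_url"]))
    for finding in check_provider(SAMPLE_PROVIDER, SAMPLE_DISCOVERY):
        print("FINDING:", finding)
```

Running it against the constructed sample reports the issuer mismatch and the unadvertised `email` scope; pointing `fetch_discovery` at a real issuer_url and feeding the result to `check_provider` gives the same kind of report for a live provider, and a connection error at that step is the network-level failure the client library would otherwise hide behind a generic 500.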
I'm running into the same issue with Authentik. At first I thought it was a misconfiguration, but it seems to go deeper. I’ve tried everything I could think of, including setting external_host and even downgrading the Warpgate version.
Here’s my current config snippet for reference:
sso_providers:
  - name: custom
    label: Authentik SSO
    auto_create_users: true
    provider:
      type: custom
      client_id: REDACTED
      client_secret: REDACTED
      issuer_url: https://authentik.example.org/application/o/warpgate/
      scopes: ["email", "openid"]
external_host: warp.example.org
warpgate:
  container_name: warpgate
  image: ghcr.io/warp-tech/warpgate:latest
  volumes:
    - warpgate:/data
  stdin_open: true
  tty: true
  networks:
    - proxy_net
  labels:
    - "traefik.enable=true"
    - "traefik.docker.network=proxy_net"
    - "traefik.http.routers.warpgate.rule=Host(`warp.example.org`)"
    - "traefik.http.services.warpgate.loadbalancer.server.port=8888"
    - "traefik.http.services.warpgate.loadbalancer.server.scheme=https"
I suspected the issue might be related to Traefik, since everything runs behind it and I haven't yet been able to test outside that setup. However, since the response in this issue comes directly from Warpgate, the Traefik config isn't the cause.
Did you set external Port in your http configs correctly? I had similar problems and always overlooked that one.
For testing I also changed to .* for regex redirect matching (using authentik).
Did you set external Port in your http configs correctly?
I have, and it makes no difference.
I'm busy this weekend, but I'll try to document my setup, so it might be of use for all. I'll try to answer at the beginning of next week.
WARPGATE SETUP
docker-compose.yml
warpgate:
  image: ghcr.io/warp-tech/warpgate:latest
  container_name: warpgate
  expose:
    - 4422
    - 8888
  volumes:
    - ./data:/data
  stdin_open: true
  tty: true
  # optional: dns if you use local DNS server which resolves your domain names:
  # dns:
  #   - <your DNS Server IP, e.g. pihole/adguard/tdns>
  networks:
    - <your-network-name>
  healthcheck:
    test: [ "CMD", "curl", "--connect-timeout", "15", "--silent", "--show-error", "--fail", "http://127.0.0.1:8888" ]
    interval: 60s
    timeout: 5s
    retries: 3
networks:
  <your-network-name>:
    external: true
Warpgate config:
# Config generated in version v0.17.0-modified
# yaml-language-server: $schema=https://raw.githubusercontent.com/warp-tech/warpgate/refs/heads/main/config-schema.json
sso_providers:
  - name: authentik
    label: Authentik
    auto_create_users: true
    provider:
      type: custom
      client_id: <warpgate_ID>
      client_secret: <warpgate_SECRET>
      issuer_url: https://<authentik_url>/application/o/warpgate/ # Authentik URL set in my DNS Server (e.g. pihole/adguard/tdns)
      scopes: ["email", "profile"]
recordings:
  enable: true
  path: /data/recordings
external_host: <warpgate.your.domain> # set in my DNS Server (e.g. pihole/adguard/tdns)
database_url: sqlite:/data/db
ssh:
  enable: true
  listen: '[::]:2222'
  external_port: 4422 # set in my reverse-proxy: listens on 4422, redirects to 2222
  keys: /data/ssh-keys
  host_key_verification: prompt
  inactivity_timeout: 5m
  keepalive_interval: null
http:
  listen: '[::]:8888'
  external_port: 443 # set in my reverse-proxy: listens on 443, redirects to 8888
  certificate: /data/tls.certificate.pem
  key: /data/tls.key.pem
  trust_x_forwarded_headers: true
  session_max_age: 30m
  cookie_max_age: 1day
  sni_certificates: []
mysql:
  enable: false
  listen: '[::]:33306'
  external_port: null
  certificate: /data/tls.certificate.pem
  key: /data/tls.key.pem
postgres:
  enable: false
  listen: '[::]:55432'
  external_port: null
  certificate: /data/tls.certificate.pem
  key: /data/tls.key.pem
log:
  retention: 7days
  send_to: null
Reverse Proxy Config
I use a reverse-proxy in front: NGINX Proxy Manager
docker-compose.yml:
services:
  nginx-proxy-manager:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx-proxy-manager
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443' # HTTPS
      - '4422:4422' # Warpgate SSH Port --> Stream in NGINX Proxy Manager Config
    volumes:
      - ./data:/data
      - ./data/nginx/snippets:/snippets
      - ./letsencrypt:/etc/letsencrypt
    healthcheck:
      test: ["CMD", "/usr/bin/check-health"]
      interval: 10s
      timeout: 3s
    networks:
      - <your-network-name>
    # optional: dns if you use local DNS server which resolves your domain names:
    # dns:
    #   - <your DNS Server IP, e.g. pihole/adguard/tdns>
networks:
  <your-network-name>:
    external: true
Authentik SSO
[... DB config, default from authentik repo ...]
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8}
    container_name: authentik
    restart: unless-stopped
    command: server
    user: root
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ${DATA:-/srv/data/authentik/}server/media:/media
      - ${DATA:-/srv/data/authentik/}server/custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - <your-network-name>
    # optional: dns if you use local DNS server which resolves your domain names:
    # dns:
    #   - <your DNS Server IP, e.g. pihole/adguard/tdns>
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DATA:-/srv/data/authentik/}media:/media
      - ${DATA:-/srv/data/authentik/}certs:/certs
      - ${DATA:-/srv/data/authentik/}custom-templates:/templates
    env_file:
      - .env
    depends_on:
      postgresql:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - <your-network-name>
    # optional: dns if you use local DNS server which resolves your domain names:
    # dns:
    #   - <your DNS Server IP, e.g. pihole/adguard/tdns>
networks:
  <your-network-name>:
    external: true
Provider Config
This is very much the default, as you would do with any application you add to OIDC: client_id, client_secret, redirect URI
redirect_uri: https://<warpgate.your.domain>/@warpgate/api/sso/return
Other information
A note on Docker Networks
I created a network for my Docker Services. This has to be added to each docker-compose.yml so you can use internal docker hostnames, e.g. in your nginx-proxy-manager --> authentik:9000 or warpgate:8888
docker network create <your-network-name>
A note on Authentik
Authentik must be able to reach/resolve your warpgate host/hostname.
I hope this helps...
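The external_port question raised earlier in the thread comes down to one string comparison: the redirect URI Warpgate hands to the IdP must be byte-for-byte one of the URIs registered on the client, since OAuth 2.0 authorization servers are required to match redirect URIs exactly. The script below is an added example for this thread, not Warpgate's code: the way it derives the URI from http.external_host and http.external_port (and falls back to the port in http.listen when external_port is unset) is my assumption about the configs shown above, not a reading of Warpgate's source, and the hostnames are constructed. It shows why a Warpgate behind a proxy on 443 with external_port still unset produces a URI the IdP has never seen.

```python
"""Compare the redirect URI Warpgate would send with what the IdP has registered.

Added example, not Warpgate's code. The derivation from external_host /
external_port / listen is an assumption about the configuration layout shown in
this thread. Registered URIs are matched exactly, as OAuth 2.0 requires.
"""
from urllib.parse import urlsplit

SSO_RETURN_PATH = "/@warpgate/api/sso/return"


def expected_redirect_uri(external_host: str, external_port, listen: str = "[::]:8888") -> str:
    """Build the URI the IdP will be asked to redirect back to.

    Assumption: an unset external_port falls back to the port in 'listen'.
    Port 443 is omitted because https URLs are normalised without the default port.
    """
    port = external_port if external_port is not None else int(listen.rsplit(":", 1)[1])
    host = external_host.strip()
    if ":" in host and not host.startswith("["):  # bare IPv6 literal needs brackets
        host = f"[{host}]"
    authority = host if port == 443 else f"{host}:{port}"
    return f"https://{authority}{SSO_RETURN_PATH}"


def redirect_uri_findings(redirect_uri: str, registered: list) -> list:
    """Explain why an exact-match check on the IdP side would reject the URI."""
    if redirect_uri in registered:
        return []
    findings = [f"{redirect_uri!r} is not registered (registered: {registered})"]
    want = urlsplit(redirect_uri)
    for reg in registered:
        have = urlsplit(reg)
        if have.scheme != want.scheme:
            findings.append(f"{reg!r}: scheme differs ({have.scheme} vs {want.scheme})")
        if have.hostname != want.hostname:
            findings.append(f"{reg!r}: host differs ({have.hostname} vs {want.hostname})")
        if have.port != want.port:  # urlsplit leaves an implicit :443 as None
            findings.append(f"{reg!r}: port differs ({have.port} vs {want.port})")
        if have.path != want.path:
            findings.append(f"{reg!r}: path differs ({have.path} vs {want.path})")
    return findings


# Constructed sample: the IdP client registered the proxy-facing URL, while the
# Warpgate config still has no http.external_port (so it falls back to 8888).
REGISTERED = ["https://gate.example.lan/@warpgate/api/sso/return"]

if __name__ == "__main__":
    for external_port in (None, 443):
        uri = expected_redirect_uri("gate.example.lan", external_port)
        print(f"external_port={external_port!r} -> {uri}")
        for finding in redirect_uri_findings(uri, REGISTERED):
            print("  FINDING:", finding)
```

With external_port unset the check reports the URI as unregistered and names the port as the difference; setting external_port to 443 makes the derived URI identical to the registered one and the findings list empties, which is the fix the earlier comment about the external port was pointing at.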
I've traced it down to these lines coming from the openidconnect-rs repo, where it seems to prepare the request for discovery just fine and then fails to send it, in some form of network related error. I do know with certainty however that it never ends up sending a request so this might be some dependency issue or some obscure edge case, I really don't know.
No amount of changing warpgate configuration options fixes this, as it's not a warpgate issue evidently.