goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Brand attributes aren't being applied when authenticating through its domain #10255

Closed jgeniowave closed 1 month ago

jgeniowave commented 3 months ago

Describe the bug

As described by the Brand create form UI ("Any attributes set here will be inherited by users, if the request is handled by this brand."), when authenticating a user through a domain, it should inherit the attributes of that domain's Brand. What's happening is that the user is not inheriting such attributes.

To Reproduce

I created an application and a proxy provider named whoami98.local.wavesys.pt. Then, I created a Brand with the domain whoami98.local.wavesys.pt. To debug the request, I created a scope mapping and associated the proxy provider with it, containing the following expression:

ak_logger.info("debugging request...", foo=request.http_request.brand.__dict__)
ak_logger.info("debugging user...", foo=request.user.attributes)

The first screenshot indicates that the branding is being applied correctly and, upon authenticating, I can see my debug attempt in the authentik server's logs. However, the wrong brand (default) is being injected into the request.

Expected behavior

When debugging the request, the Brand attributes should be inherited since the user is authenticating through the Brand's domain.

Screenshots

Correct branding (although the title is wrong) when authenticating, meaning that the Brand is being recognized correctly. [image: login page with the Brand's branding]
[image: Brand configuration]
[image: User attributes]

Logs

My (debugging attempt) authentik server kubectl log:

{"auth_via": "oauth_client_secret", "domain_url": "authentik", "event": "debugging request...", "foo": {"_state": "<django.db.models.base.ModelState object at 0x7f8d0572e3f0>", "attributes": {}, "brand_uuid": "UUID('44870452-683f-48e3-997a-d6530c4a6716')", "branding_favicon": "/static/dist/assets/icons/icon.png", "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg", "branding_title": "authentik", "default": false, "domain": "fallback", "flow_authentication_id": null, "flow_device_code_id": null, "flow_invalidation_id": null, "flow_recovery_id": null, "flow_unenrollment_id": null, "flow_user_settings_id": null, "web_certificate_id": null}, "host": "authentik", "level": "info", "logger": "authentik-operator", "pid": 59925, "request_id": "04b576961e30484781ca37b55d5ee046", "schema_name": "public", "timestamp": "2024-06-26T16:43:23.047009"}
{"auth_via": "oauth_client_secret", "domain_url": "authentik", "event": "debugging user...", "foo": {"scopes": {"a": {"aa": "aaa"}}}, "host": "authentik", "level": "info", "logger": "authentik-operator", "pid": 59925, "request_id": "04b576961e30484781ca37b55d5ee046", "schema_name": "public", "timestamp": "2024-06-26T16:43:23.051786"}

Version and Deployment (please complete the following information):

Additional context

jgeniowave commented 3 months ago

Updated my outpost configuration to have the authentik_host property to be equal to the authentik_host_browser property and now it works as intended. I guess the scope of the question now changes to:

What is the purpose of the authentik_host property when configuring an outpost?

authentik-automation[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

BeryJu commented 1 month ago

request.user.attributes does not contain the brand attributes; that always directly accesses the user's attributes. request.user.group_attributes() contains all attributes for the user and groups merged together. To also include the brand, you'd have to do request.user.group_attributes(request.http_request).

authentik_host is both the URL the outpost uses to talk to the authentik API, and also the URL that the user is redirected to for authentication