goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Receiving Basic Auth with proxy provider always fails #10305

Open TheCataliasTNT2k opened 1 week ago

TheCataliasTNT2k commented 1 week ago

Describe the bug

I tried to set up the docker registry v2 behind traefik, using authentik forward auth as authentication. Docker uses basic auth when running docker login and uses that to pull images. Every time I try to do anything, the outpost shows this error in the logs:

{"body":"{\"error\": \"invalid_grant\", \"error_description\": \"The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\"}","error":null,"event":"failed to send token request","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Provider for Registry","timestamp":"2024-06-30T23:05:16Z"}

This warning is emitted here.

The request sent to authentik from the outpost has this payload in Wireshark (after TLS termination by traefik!):

Hypertext Transfer Protocol
    POST /application/o/token/ HTTP/1.1\r\n
    Host: REDACTED\r\n
    User-Agent: goauthentik.io/outpost/2024.6.0 (provider=Provider for Registry)\r\n
    Content-Length: 253\r\n
    Accept-Encoding: gzip\r\n
    Content-Type: application/x-www-form-urlencoded\r\n
    Sentry-Trace: a174265de43ba610546bb9e49252b90f-b00a420decc864cc-0\r\n
    X-Forwarded-For: 172.27.0.1\r\n
    X-Forwarded-Host: REDACTED\r\n
    X-Forwarded-Port: 10724\r\n
    X-Forwarded-Proto: https\r\n
    X-Forwarded-Server: 37e0e0b32d97\r\n
    X-Real-Ip: 172.27.0.1\r\n
    \r\n
    [Full request URI: http://REDACTED/application/o/token/]
    [HTTP request 1/1]
    [Response in frame: 25]
    File Data: 253 bytes
HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "client_id" = "REDACTED"
    Form item: "grant_type" = "client_credentials"
    Form item: "password" = "REDACTED"
    Form item: "scope" = "openid email profile ak_proxy"
    Form item: "username" = "akadmin"

client_id is the valid client id shown in authentik (and set automatically by the outpost). I tried an "App Password" and the user password for password, with no success.

Expected behavior

No errors; access granted, since akadmin can access the application no problem via browser.

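For anyone triaging the same symptom, the following is an added example, not code from the issue or from the authentik project. It pulls the OAuth error out of outpost log lines like the one above (the error is JSON nested as a string in the `body` field) and rebuilds the captured form body so the token request can be replayed against your own instance. The function names `token_failures` and `captured_form` are hypothetical, and all credential values are supplied by the caller.

```python
import json
from urllib.parse import urlencode

EVENT = "failed to send token request"  # event name from the log line in the report

# First entry: the outpost log line quoted in the report. The other two are constructed.
SAMPLE_LOG = [
    r'{"body":"{\"error\": \"invalid_grant\", \"error_description\": \"The provided '
    r'authorization grant or refresh token is invalid, expired, revoked, does not match '
    r'the redirection URI used in the authorization request, or was issued to another '
    r'client\"}","error":null,"event":"failed to send token request","level":"warning",'
    r'"logger":"authentik.outpost.proxyv2.application","name":"Provider for Registry",'
    r'"timestamp":"2024-06-30T23:05:16Z"}',
    '{"event":"constructed unrelated event","level":"info"}',
    "constructed non-JSON line",
]

def token_failures(lines):
    """Yield provider, timestamp and OAuth error for each failed token request."""
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON log line
        if not isinstance(entry, dict) or entry.get("event") != EVENT:
            continue
        try:
            oauth = json.loads(entry.get("body") or "{}")  # second decode: nested JSON
        except json.JSONDecodeError:
            oauth = {}
        if not isinstance(oauth, dict):
            oauth = {}
        yield {
            "provider": entry.get("name"),
            "timestamp": entry.get("timestamp"),
            "oauth_error": oauth.get("error"),
            "description": oauth.get("error_description"),
        }

def captured_form(client_id, username, password):
    """Rebuild the form body with the same fields as the capture in the report."""
    return urlencode({
        "client_id": client_id,
        "grant_type": "client_credentials",
        "password": password,
        "scope": "openid email profile ak_proxy",
        "username": username,
    })
```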

EmilianoEscobedo commented 4 days ago

Hi, I'm trying to implement the same thing, did you find any solution?

TheCataliasTNT2k commented 4 days ago

No, not yet. I hope the maintainers have a solution for this.