Describe the bug
I tried to setup the docker registry v2 behind traefik, using authentik forward auth as authentication.
Docker uses basic auth when running docker login and uses that to pull images.
Every time, I try to do anything, the outpost shows this error in the logs:
{"body":"{\"error\": \"invalid_grant\", \"error_description\": \"The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client\"}","error":null,"event":"failed to send token request","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Provider for Registry","timestamp":"2024-06-30T23:05:16Z"}
The request sent to authentik from the outpost has this payload in wireshark (after TLS termination by traefik!):
Hypertext Transfer Protocol
POST /application/o/token/ HTTP/1.1\r\n
Host: REDACTED\r\n
User-Agent: goauthentik.io/outpost/2024.6.0 (provider=Provider for Registry)\r\n
Content-Length: 253\r\n
Accept-Encoding: gzip\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Sentry-Trace: a174265de43ba610546bb9e49252b90f-b00a420decc864cc-0\r\n
X-Forwarded-For: 172.27.0.1\r\n
X-Forwarded-Host: REDACTED\r\n
X-Forwarded-Port: 10724\r\n
X-Forwarded-Proto: https\r\n
X-Forwarded-Server: 37e0e0b32d97\r\n
X-Real-Ip: 172.27.0.1\r\n
\r\n
[Full request URI: http://REDACTED/application/o/token/]
[HTTP request 1/1]
[Response in frame: 25]
File Data: 253 bytes
HTML Form URL Encoded: application/x-www-form-urlencoded
Form item: "client_id" = "REDACTED"
Form item: "grant_type" = "client_credentials"
Form item: "password" = "REDACTED"
Form item: "scope" = "openid email profile ak_proxy"
Form item: "username" = "akadmin"
client_id is the valid client id shown in authentik (and set automatically by the outpost).
I tried an "App Password" and the user password for password no success.
Expected behavior
No errors; access granted, since akadmin can access the application no problem via browser.
Version and Deployment:
authentik version: 2024.6
Deployment: docker-compose
Additional context
Add any other context about the problem here.
Describe the bug I tried to setup the docker registry v2 behind traefik, using authentik forward auth as authentication. Docker uses basic auth when running
docker login
and uses that to pull images. Every time, I try to do anything, the outpost shows this error in the logs:This warning is emitted here.
The request sent to authentik from the outpost has this payload in wireshark (after TLS termination by traefik!):
client_id
is the valid client id shown in authentik (and set automatically by the outpost). I tried an "App Password" and the user password forpassword
no success.Expected behavior No errors; access granted, since akadmin can access the application no problem via browser.
Version and Deployment:
Additional context Add any other context about the problem here.