goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

POST /api/v3/flows/executor/default-authenticator-webauthn-setup/ #10479

Open tltglitch opened 1 month ago

tltglitch commented 1 month ago

After updating to the new authentik version I started getting these errors.

Please, can you help me? No one is able to log in because MFA with security keys is failing due to this. I tried removing and adding a key and I still keep getting "CSRF Failed: CSRF token from the 'X-Authentik-Csrf' HTTP header has incorrect length."

Stacktrace from authentik:

```
Traceback (most recent call last):
  File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py", line 497, in dispatch
    self.initial(request, *args, **kwargs)
  File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py", line 414, in initial
    self.perform_authentication(request)
  File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/views.py", line 324, in perform_authentication
    request.user
  File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/request.py", line 227, in user
    self._authenticate()
  File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/request.py", line 380, in _authenticate
    user_auth_tuple = authenticator.authenticate(self)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/authentication.py", line 130, in authenticate
    self.enforce_csrf(request)
  File "/ak-root/venv/lib/python3.12/site-packages/rest_framework/authentication.py", line 148, in enforce_csrf
    raise exceptions.PermissionDenied('CSRF Failed: %s' % reason)
rest_framework.exceptions.PermissionDenied: CSRF Failed: CSRF token from the 'X-Authentik-Csrf' HTTP header has incorrect length.
```

Version and Deployment (please complete the following information):

Additional context: I followed this article: https://docs.goauthentik.io/docs/troubleshooting/csrf and I don't see anything out of the ordinary.

```json
{
  "http_headers": {
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "",
    "SCRIPT_NAME": "",
    "PATH_INFO": "/api/v3/admin/system/",
    "SERVER_NAME": "unknown",
    "SERVER_PORT": "0",
    "HTTP_HOST": "sso.domain.com",
    "HTTP_USER_AGENT": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
    "HTTP_ACCEPT": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "HTTP_ACCEPT_LANGUAGE": "en-US,en;q=0.9",
    "HTTP_CDN_LOOP": "cloudflare",
    "HTTP_CF_CERT_PRESENTED": "false",
    "HTTP_CF_CERT_REVOKED": "false",
    "HTTP_CF_CERT_VERIFIED": "false",
    "HTTP_CF_CONNECTING_IP": "x.x.x.x.x",
    "HTTP_CF_IPCITY": "New_York",
    "HTTP_CF_IPCONTINENT": "NA",
    "HTTP_CF_IPCOUNTRY": "US",
    "HTTP_CF_IPLATITUDE": "36.73280",
    "HTTP_CF_IPLONGITUDE": "-76.58980",
    "HTTP_CF_METRO_CODE": "544",
    "HTTP_CF_POSTAL_CODE": "23434",
    "HTTP_CF_RAY": "8a2211518c93bd00-ATL",
    "HTTP_CF_REGION": "Virginia",
    "HTTP_CF_REGION_CODE": "VA",
    "HTTP_CF_TIMEZONE": "America/New_York",
    "HTTP_CF_VISITOR": "{\"scheme\":\"https\"}",
    "HTTP_COOKIE": "authentik_csrf=jpVx06Xyav8la73YAW6Kknl3VgobORcu; authentik_session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzaWQiOiI1NDhlYTQwaTlsNWQ4Z2lmYXU2ODM3eHJlaGg5dnIzMSIsImlzcyI6ImF1dGhlbnRpayIsInN1YiI6ImE3ZWIyYTk2MWE5YmM1MjUxOThkNTQ5OTc1Zjk1YWUzN2M5OTE3ZWM4MjZkOWFkNTVkZTQ2MTk3YmYyNTIyNjUiLCJhdXRoZW50aWNhdGVkIjp0cnVlLCJhY3IiOiJnb2F1dGhlbnRpay5pby9jb3JlL2RlZmF1bHQifQ.K0S0STS9a1jO0Bxzb7hpKBmIwWjBCs2zgNw6TNAq8wg",
    "HTTP_FORWARDED": "proto=https;for=x.x.x.x.x",
    "HTTP_PRIORITY": "u=0, i",
    "HTTP_PURPOSE": "prefetch",
    "HTTP_SEC_CH_UA": "\"Not/A)Brand\";v=\"8\", \"Chromium\";v=\"126\", \"Google Chrome\";v=\"126\"",
    "HTTP_SEC_CH_UA_MOBILE": "?0",
    "HTTP_SEC_CH_UA_PLATFORM": "\"macOS\"",
    "HTTP_SEC_FETCH_DEST": "document",
    "HTTP_SEC_FETCH_MODE": "navigate",
    "HTTP_SEC_FETCH_SITE": "none",
    "HTTP_SEC_FETCH_USER": "?1",
    "HTTP_SEC_PURPOSE": "prefetch;prerender",
    "HTTP_UPGRADE_INSECURE_REQUESTS": "1",
    "HTTP_X_FORWARDED_FOR": "x.x.x.x.",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_ACCEPT_ENCODING": "gzip",
    "CSRF_COOKIE": "jpVx06Xyav8la73YAW6Kknl3VgobORcu"
  },
  "http_host": "sso.domain.com",
  "http_is_secure": true,
  "runtime": {
    "architecture": "x86_64",
    "authentik_version": "2024.6.1",
    "environment": "compose",
    "openssl_fips_enabled": null,
    "openssl_version": "OpenSSL 3.0.9+ak-fips 30 May 2023",
    "platform": "Linux-5.15.0-113-generic-x86_64-with-glibc2.36",
    "python_version": "3.12.3 (main, May 22 2024, 07:18:52) [GCC 12.2.0]",
    "uname": "Linux 27e5ea7e0276 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64 "
  },
  "brand": "Default brand",
  "server_time": "2024-07-12T15:29:14.717181Z",
  "embedded_outpost_disabled": false,
  "embedded_outpost_host": "http://10.100.70.24"
}
```

tltglitch commented 1 month ago

The request headers are missing the authentik X-Authentik-Csrf token:

```
:authority: sso.domain.com
:method: POST
:path: /api/v3/core/users/9/impersonate/
:scheme: https
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Content-Length: 0
Cookie: authentik_csrf=khvbhbjjlbjlbnjlbj;bjnbj; authentik_session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzaWQiOiI1NDhlYTQwaTlsNWQ4Z2lmYXU2ODM3eHJlaGg5dnIzMSIsImlzcyI6ImF1dGhlbnRpayIsInN1YiI6ImE3ZWIyYTk2MWE5YmM1MjUxOThkNTQ5OTc1Zjk1YWUzN2M5OTE3ZWM4MjZkOWFkNTVkZTQ2MTk3YmYyNTIyNljbjlnbjblbjj;
Origin: https://sso.domain.com
Priority: u=1, i
Referer: https://sso.domain.com/if/admin/
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sentry-Trace:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
X-Authentik-Csrf:
```

Not sure how I can fix this. This only happens when accessing authentik externally.
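The traceback shows Django REST Framework's `enforce_csrf` rejecting the request, and the captured headers show an empty `X-Authentik-Csrf` value. The script below is an added diagnostic, not authentik's or Django's own code: it reconstructs the double-submit check that Django's `CsrfViewMiddleware` performs (cookie secret of 32 alphanumeric characters, header token of 32 or 64 characters, the 64-character form being a random 32-character mask followed by the secret shifted by that mask) and runs it over a request built from the cookie and header values posted above. The header name, cookie name and token lengths are assumptions taken from the error message and from Django's defaults; the sample request is constructed. It shows that an empty header fails the length check with exactly the message from the issue, while a bare or masked token matching the same cookie passes, which is what the browser should have sent.

```python
import secrets
import string
from hmac import compare_digest
from typing import Optional

# Token parameters as used by Django's CsrfViewMiddleware (authentik is a Django app).
# Assumed for this diagnostic; not copied from authentik's configuration.
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits

# Names taken from the issue's error message and captured headers.
CSRF_HEADER_NAME = "X-Authentik-Csrf"
CSRF_COOKIE_NAME = "authentik_csrf"


def check_token_format(token: str) -> Optional[str]:
    """Return the failure reason for a malformed token, or None if it is well-formed."""
    if len(token) not in (CSRF_TOKEN_LENGTH, CSRF_SECRET_LENGTH):
        return "has incorrect length"
    if any(c not in CSRF_ALLOWED_CHARS for c in token):
        return "has invalid characters"
    return None


def mask_secret(secret: str) -> str:
    """Produce a 64-char header token: a fresh random mask, then the secret shifted by it."""
    mask = "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))
    pairs = zip((CSRF_ALLOWED_CHARS.index(c) for c in secret),
                (CSRF_ALLOWED_CHARS.index(c) for c in mask))
    cipher = "".join(CSRF_ALLOWED_CHARS[(x + y) % len(CSRF_ALLOWED_CHARS)] for x, y in pairs)
    return mask + cipher


def unmask_token(token: str) -> str:
    """Inverse of mask_secret; a bare 32-char token is already the secret."""
    if len(token) == CSRF_SECRET_LENGTH:
        return token
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    pairs = zip((CSRF_ALLOWED_CHARS.index(c) for c in cipher),
                (CSRF_ALLOWED_CHARS.index(c) for c in mask))
    return "".join(CSRF_ALLOWED_CHARS[(x - y) % len(CSRF_ALLOWED_CHARS)] for x, y in pairs)


def csrf_failure_reason(headers: dict) -> Optional[str]:
    """Run the double-submit check on captured request headers; None means it would pass."""
    cookies = {}
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    secret = cookies.get(CSRF_COOKIE_NAME)
    if secret is None:
        return "CSRF cookie not set."
    reason = check_token_format(secret)
    if reason:
        return f"CSRF cookie {reason}."
    # Header names are case-insensitive; a missing header behaves like an empty one.
    header_token = next(
        (v for k, v in headers.items() if k.lower() == CSRF_HEADER_NAME.lower()), ""
    )
    reason = check_token_format(header_token)
    if reason:
        return f"CSRF token from the '{CSRF_HEADER_NAME}' HTTP header {reason}."
    if not compare_digest(unmask_token(header_token), secret):
        return "CSRF token incorrect."
    return None


# Constructed sample modelled on the request posted in the issue: a well-formed
# 32-char authentik_csrf cookie (the value shown in the system info above) but an
# empty X-Authentik-Csrf header. The session cookie is redacted.
SAMPLE_SECRET = "jpVx06Xyav8la73YAW6Kknl3VgobORcu"
BROKEN_REQUEST = {
    "Cookie": f"authentik_csrf={SAMPLE_SECRET}; authentik_session=<redacted>",
    "Origin": "https://sso.domain.com",
    "X-Authentik-Csrf": "",
}


def diagnose() -> dict:
    """Compare the broken request with the same request carrying a proper header token."""
    fixed = dict(BROKEN_REQUEST, **{"X-Authentik-Csrf": mask_secret(SAMPLE_SECRET)})
    return {"as_captured": csrf_failure_reason(BROKEN_REQUEST),
            "with_header": csrf_failure_reason(fixed)}


if __name__ == "__main__":
    for label, outcome in diagnose().items():
        print(f"{label}: {outcome or 'passes'}")
```

The first result reproduces the issue's message word for word, which pins the failure on the client side of the exchange: the server did receive a valid `authentik_csrf` cookie, but the frontend sent nothing in the header. When the frontend cannot read the cookie it relies on (for example because the cookie is scoped to a different host than the one the browser is on), an empty header and this exact error are the symptom to expect.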