goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

404 errors for Flows on compose/development environment #10487

Open konradmoesch opened 4 months ago

konradmoesch commented 4 months ago

**Describe the bug**
I have set up a development environment of authentik as described in the docs (https://docs.goauthentik.io/developer-docs/setup/full-dev-environment). After pulling the main branch and following the instructions, I get various 404 errors:

```
Request Method: GET
Request URL: http://localhost:9000/flows/-/default/authentication/?next=/
raised by: authentik.flows.views.executor.ToDefaultFlow
```



**To Reproduce**
Steps to reproduce the behavior:

1. Follow instructions on docs (https://docs.goauthentik.io/developer-docs/setup/full-dev-environment)

**Expected behavior**
The web interface should be shown correctly

**Logs**
[ak_server_output.txt](https://github.com/user-attachments/files/16202831/ak_server_output.txt)
[docker_compose_output.txt](https://github.com/user-attachments/files/16202877/docker_compose_output.txt)

**Version and Deployment:**

-   authentik version: full dev environment based on main branch (commit 8f7fe8e)
-   Deployment: none; local dev env

**Additional context**
I was able to set up the dev environment some time ago (version 2024.4). I have deleted and cloned the repository, deleted and rerun `docker compose` and have tried `make dev-reset`

verkaufer commented 4 months ago

I ran into this yesterday as well. I discussed with @BeryJu in Discord and we think there's a bug with how Authentik bootstraps the system & default Blueprints

The local database records all issues with system tasks in the authentik_events_systemtask table, and I was able to pull out a few notable errors (attached below).

The most common error is `[ErrorDetail(string='Invalid pk \"1476efb9-e3a0-4116-a0d6-f89167ab54a6\" - object does not exist.', code='does_not_exist')` which points me to an issue during `Importer.apply()` 🤔

Unable to create akadmin

```json
"event": "Entry invalid: Serializer errors {'groups': [ErrorDetail(string='Invalid pk \"79c2bb83-6b76-41a9-859d-51cd3012a24b\" - object does not exist.', code='does_not_exist')]}",
"logger": "authentik.blueprints.v1.importer",
"log_level": "warning",
"timestamp": "2024-07-13T19:11:22.726612",
"attributes": {
  "entry": {
    "id": "admin-user",
    "attrs": {
      "name": "authentik Default Admin",
      "email": "",
      "groups": [ "" ],
      "password": ""
    },
    "model": "authentik_core.user",
    "state": "created",
    "_state": { "instance": null },
    "conditions": [],
    "identifiers": { "username": "" }
  },
  "error": "Serializer errors {'groups': [ErrorDetail(string='Invalid pk \"79c2bb83-6b76-41a9-859d-51cd3012a24b\" - object does not exist.', code='does_not_exist')]}",
```

Unable to create system flows

This is one of the many blueprints that failed to import. Error below is for the default-out-of-box-experience flow

```json
[
  { "event": "Initialised new serializer instance", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.099393", "attributes": { "slug": "initial-setup", "model": { "type": "Flow", "module": "authentik.flows.models" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Invalidating Flow cache", "logger": "authentik.flows.signals", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.107934", "attributes": { "len": 0, "flow": { "pk": "1a1a98cd8a314e25b59fac6a3c7e177b", "app": "authentik_flows", "name": "default-oobe-setup", "model_name": "flow" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Updated model", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.108001", "attributes": { "model": { "pk": "1a1a98cd8a314e25b59fac6a3c7e177b", "app": "authentik_flows", "name": "default-oobe-setup", "model_name": "flow" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Initialised new serializer instance", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.110336", "attributes": { "name": "initial-setup-field-header", "model": { "type": "Prompt", "module": "authentik.stages.prompt.models" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Updated model", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.115493", "attributes": { "model": { "pk": "1476efb9e3a04116a0d6f89167ab54a6", "app": "authentik_stages_prompt", "name": "initial-setup-field-header", "model_name": "prompt" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Initialised new serializer instance", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.117908", "attributes": { "name": "initial-setup-field-email", "model": { "type": "Prompt", "module": "authentik.stages.prompt.models" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Updated model", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.123029", "attributes": { "model": { "pk": "8d9cd0ecc72649b9a1019b9b1e8da82e", "app": "authentik_stages_prompt", "name": "initial-setup-field-email", "model_name": "prompt" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Initialised new serializer instance", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.125445", "attributes": { "name": "initial-setup-field-password", "model": { "type": "Prompt", "module": "authentik.stages.prompt.models" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Updated model", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.130967", "attributes": { "model": { "pk": "492d862b8abd4b3180e221eb4cf457e8", "app": "authentik_stages_prompt", "name": "initial-setup-field-password", "model_name": "prompt" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Initialised new serializer instance", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.133451", "attributes": { "name": "initial-setup-field-password-repeat", "model": { "type": "Prompt", "module": "authentik.stages.prompt.models" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Updated model", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.138689", "attributes": { "model": { "pk": "2c5adf3c689b485ab3628168856cc566", "app": "authentik_stages_prompt", "name": "initial-setup-field-password-repeat", "model_name": "prompt" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Initialised new serializer instance", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.141379", "attributes": { "name": "default-oobe-prefill-user", "model": { "type": "ExpressionPolicy", "module": "authentik.policies.expression.models" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Updated model", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.148309", "attributes": { "model": { "pk": "672422946ded484581f599d7d328f3d4", "app": "authentik_policies_expression", "name": "default-oobe-prefill-user", "model_name": "expressionpolicy" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Initialised new serializer instance", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.151157", "attributes": { "name": "default-oobe-password-usable", "model": { "type": "ExpressionPolicy", "module": "authentik.policies.expression.models" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Updated model", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.158208", "attributes": { "model": { "pk": "00719c772aff4d4194fb6fda5896abae", "app": "authentik_policies_expression", "name": "default-oobe-password-usable", "model_name": "expressionpolicy" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Initialised new serializer instance", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.161074", "attributes": { "name": "default-oobe-flow-set-authentication", "model": { "type": "ExpressionPolicy", "module": "authentik.policies.expression.models" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Updated model", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.168294", "attributes": { "model": { "pk": "67b821b139f74eb9a68b3d13e612daa0", "app": "authentik_policies_expression", "name": "default-oobe-flow-set-authentication", "model_name": "expressionpolicy" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Initialised new serializer instance", "logger": "authentik.blueprints.v1.importer", "log_level": "debug", "timestamp": "2024-07-13T20:58:55.170853", "attributes": { "name": "stage-default-oobe-password", "model": { "type": "PromptStage", "module": "authentik.stages.prompt.models" }, "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Entry invalid: Serializer errors {'fields': [ErrorDetail(string='Invalid pk \"1476efb9-e3a0-4116-a0d6-f89167ab54a6\" - object does not exist.', code='does_not_exist')]}", "logger": "authentik.blueprints.v1.importer", "log_level": "warning", "timestamp": "2024-07-13T20:58:55.176598", "attributes": { "entry": { "id": "stage-default-oobe-password", "attrs": { "fields": [ "", "", "", "" ], "validation_policies": [] }, "model": "authentik_stages_prompt.promptstage", "state": "present", "_state": { "instance": null }, "conditions": [], "identifiers": { "name": "stage-default-oobe-password" } }, "error": "Serializer errors {'fields': [ErrorDetail(string='Invalid pk \"1476efb9-e3a0-4116-a0d6-f89167ab54a6\" - object does not exist.', code='does_not_exist')]}", "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } },
  { "event": "Blueprint validation failed", "logger": "authentik.blueprints.v1.importer", "log_level": "warning", "timestamp": "2024-07-13T20:58:55.176658", "attributes": { "task_id": "task-718938560d444a82beedb66a3f9f5cb7", "domain_url": null, "schema_name": "public" } }
]
```

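The pattern in the event log above, where a pk is logged as updated and then rejected as non-existent within the same task, can be pulled out of such a log mechanically. This is an added example, not part of the original comment or of authentik's code; `correlate` and `norm` are hypothetical helper names, and the sample events are trimmed copies of entries from the two logs quoted in that comment.

```python
import re

TASK = "task-718938560d444a82beedb66a3f9f5cb7"
# Constructed sample: events from the two logs quoted above, trimmed to the
# fields this check reads (the akadmin excerpt shows no task_id).
SAMPLE_EVENTS = [
    {"event": "Updated model", "timestamp": "2024-07-13T20:58:55.115493",
     "attributes": {"task_id": TASK, "model": {
         "pk": "1476efb9e3a04116a0d6f89167ab54a6", "name": "initial-setup-field-header"}}},
    {"event": "Updated model", "timestamp": "2024-07-13T20:58:55.123029",
     "attributes": {"task_id": TASK, "model": {
         "pk": "8d9cd0ecc72649b9a1019b9b1e8da82e", "name": "initial-setup-field-email"}}},
    {"event": "Entry invalid: Serializer errors {'fields': [ErrorDetail(string='Invalid pk "
              "\"1476efb9-e3a0-4116-a0d6-f89167ab54a6\" - object does not exist.', "
              "code='does_not_exist')]}",
     "timestamp": "2024-07-13T20:58:55.176598",
     "attributes": {"task_id": TASK, "entry": {"id": "stage-default-oobe-password"}}},
    {"event": "Entry invalid: Serializer errors {'groups': [ErrorDetail(string='Invalid pk "
              "\"79c2bb83-6b76-41a9-859d-51cd3012a24b\" - object does not exist.', "
              "code='does_not_exist')]}",
     "timestamp": "2024-07-13T19:11:22.726612",
     "attributes": {"entry": {"id": "admin-user"}}},
]
INVALID_PK = re.compile(r'Invalid pk "([0-9a-fA-F-]{32,36})"')


def norm(pk):
    """'Updated model' logs bare hex, the serializer error a dashed UUID."""
    return pk.replace("-", "").lower()


def correlate(events):
    """Pair every 'Invalid pk' error with an earlier write of that pk in the same task."""
    written, results = {}, []  # written: (task_id, pk) -> (object name, timestamp)
    for ev in events:
        attrs = ev.get("attributes", {})
        task = attrs.get("task_id")
        if ev["event"] == "Updated model":
            model = attrs["model"]
            written[(task, norm(model["pk"]))] = (model["name"], ev["timestamp"])
        for pk in INVALID_PK.findall(ev["event"]):
            name, when = written.get((task, norm(pk)), (None, None))
            results.append({"entry": attrs.get("entry", {}).get("id"), "pk": norm(pk),
                            "failed_at": ev["timestamp"],
                            "written_as": name, "written_at": when})
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_EVENTS):
        print(r)
```

A result with `written_at` set means the importer logged the object as written before the serializer reported it missing; `None` means the log excerpt contains no write for that pk.
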
kensternberg-authentik commented 3 months ago

I have this problem as well, and have tracked down the commit that introduced it using git bisect and a test case: https://github.com/goauthentik/authentik/commit/a5467c6e1997e3d6bd4ee81748411cd4b870ce0e

We still haven't figured out why this particular commit caused it.

authentik-automation[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

konradmoesch commented 1 month ago

this is still occurring for me, so still relevant

BeryJu commented 1 month ago

I'm not really sure what could cause this, especially since this happens in development setups (sometimes), but also on compose setups (sometimes).

In development setups the initial suspicion was related to the commit @kensternberg-authentik mentioned above, and that a request gets mis-routed and hence the validation kicks in, but in development both primary and replica are the exact same postgres instance.

Puschek commented 2 weeks ago

We’re experiencing the same issue. As part of my work, I’m supposed to develop a feature that requires the authentik development environment. I followed the steps outlined in the documentation. After resolving a dependency issue, I was able to install everything according to the guide. I also connected directly to the database and observed that the relevant flows were not initialized, meaning, as previously suspected, that the bootstrapping doesn’t appear to be working correctly. I tried the whole process several times and always got the same result. When I start the server with `ak server`, everything appears to launch correctly, but I encounter the same 404 errors as others have mentioned above. Interestingly, this doesn’t happen with the `docker-compose.yml` in the main directory; it only occurs when I use the compose file found in the scripts folder.

Do you have any suggestions on how to handle this? Constantly rebuilding the container locally to develop doesn’t seem very efficient.

rissson commented 2 weeks ago

Applying blueprints manually might resolve that issue, but I'm not entirely sure. See `ak apply_blueprint --help` if you want to try it

zuffik commented 2 weeks ago

Same here. Additionally, I can find only this error:

```json
{
  "error": "authentik starting",
  "event": "failed to proxy to backend",
  "level": "warning",
  "logger": "authentik.router",
  "timestamp": "2024-11-12T15:38:16Z"
}
```

this is my nginx config

```nginx
map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    ''      '';
}

server {
  listen 80;
  server_name auth.local;

  error_page 502 /502.html;
  location /502.html {
      root /opt/homebrew/etc/nginx/servers/html;
  }

  location / {
    proxy_pass http://localhost:4005;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade_keepalive;
  }
}
```

and docker compose

```yaml
services:
  authentik-dev:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.1}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_REDIS__DB: 0
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: postgres
      AUTHENTIK_POSTGRESQL__NAME: auth
      AUTHENTIK_POSTGRESQL__PASSWORD: postgres_password
    volumes:
      - ./.docker-data/media:/media
      - ./.docker-data/custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    networks:
      - global
    extra_hosts:
      - "host.docker.internal:host-gateway"

  authentik-worker-dev:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.1}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_REDIS__DB: 0
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: postgres
      AUTHENTIK_POSTGRESQL__NAME: postgres
      AUTHENTIK_POSTGRESQL__PASSWORD: postgres_password
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./.docker-data/media:/media
      - ./.docker-data/certs:/certs
      - ./.docker-data/custom-templates:/templates
    env_file:
      - .env
    networks:
      - global

networks:
  global:
    name: global
    external: true
```

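A consistency check for compose files like the one above: it compares the `AUTHENTIK_POSTGRESQL__*` and `AUTHENTIK_REDIS__*` settings of every service that sets them and reports the keys whose values differ. This is an added example, not part of the original comment or of authentik's tooling; the function names are hypothetical, the sample is a constructed excerpt of that compose file, and it assumes map-style `environment:` blocks with two-space indentation and that server and worker are meant to share one database and Redis.

```python
import re

# Constructed sample: the compose file above reduced to the lines this check reads.
SAMPLE_COMPOSE = """\
services:
  authentik-dev:
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__NAME: auth
    volumes:
      - ./.docker-data/media:/media
  authentik-worker-dev:
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__NAME: postgres
networks:
  global:
    external: true
"""
PREFIXES = ("AUTHENTIK_POSTGRESQL__", "AUTHENTIK_REDIS__")


def service_environments(text):
    """Collect map-style `environment:` blocks per service (two-space indent assumed)."""
    envs, section, service, in_env = {}, None, None, False
    for line in text.splitlines():
        if m := re.match(r"^([\w-]+):\s*$", line):
            section, service, in_env = m.group(1), None, False
        elif section == "services" and (m := re.match(r"^  ([\w.-]+):\s*$", line)):
            service, in_env = m.group(1), False
            envs[service] = {}
        elif service and re.match(r"^    environment:\s*$", line):
            in_env = True
        elif in_env and (m := re.match(r"^      ([A-Za-z0-9_]+):\s*(.*)$", line)):
            envs[service][m.group(1)] = m.group(2).strip("'\"")
        elif line.strip() and not line.lstrip().startswith("#"):
            in_env = False  # any other key or list item ends the environment block
    return envs


def backend_mismatches(envs):
    """Return {key: {service: value}} for backend settings that differ between services."""
    using = {s: e for s, e in envs.items() if any(k.startswith(PREFIXES) for k in e)}
    keys = sorted({k for e in using.values() for k in e if k.startswith(PREFIXES)})
    per_key = {k: {s: e.get(k) for s, e in using.items()} for k in keys}
    return {k: v for k, v in per_key.items() if len(set(v.values())) > 1}
```
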
Puschek commented 5 days ago

> ak apply_blueprint --help

That did not help. But I fixed my issue. The reason why this happens... Don't really know. My blueprints/defaults files were overwritten and empty. What I did was reset the main branch to remote, delete all the dev Docker containers I already had, delete my poetry virtual env and start from the beginning to set up the dev env with the documentation. Now it works... don't ask me what went wrong.