After "Add to Home Screen" on iPhone Safari, Authentik in forward auth failed with 404 not found.

[1298345095]

Describe the bug

After "Add to Home Screen" on iPhone Safari, Authentik in forward auth failed with 404 not found. But before adding, the website could successfully auth.

To Reproduce

1. Open Safari and enter the website.
2. Jump to the authentication page successfully
3. But make this website "add to home screen", it only shows "404 not found".

Logs server-1 | {"event":"/outpost.goauthentik.io/auth/traefik","host":"xxx.mydomain.com","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Provider for qbittorrent (Proxy)","remote":"192.168.1.1","runtime":"1.219","scheme":"http","size":726,"status":302,"timestamp":"2024-08-10T11:51:43Z","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148 Safari/604.1"} worker-1 | {"event": "TenantAwareScheduler: Sending due task clean_expired_models (authentik.core.tasks.clean_expired_models) to 1 tenants", "level": "info", "logger": "tenant_schemas_celery.scheduler", "timestamp": 1723290720.005522} worker-1 | {"domain_url": null, "event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 53, "schema_name": "public", "task_id": "ea2c3b3db1204afe8c5d9d99ef564a84", "task_name": "authentik.core.tasks.clean_expired_models", "timestamp": "2024-08-10T11:52:00.008460"} worker-1 | {"domain_url": null, "event": "Task started", "level": "info", "logger": "authentik.root.celery", "pid": 7936, "schema_name": "public", "task_id": "ea2c3b3d-b120-4afe-8c5d-9d99ef564a84", "task_name": "clean_expired_models", "timestamp": "2024-08-10T11:52:00.013852"} worker-1 | {"domain_url": null, "event": "Task finished", "level": "info", "logger": "authentik.root.celery", "pid": 7936, "schema_name": "public", "state": "SUCCESS", "task_id": "ea2c3b3db1204afe8c5d9d99ef564a84", "task_name": "clean_expired_models", "timestamp": "2024-08-10T11:52:00.245295"} server-1 | {"auth_via": "unauthenticated", "domain_url": "0.0.0.0", "event": "/-/health/live/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "HEAD", "pid": 4027, "remote": "127.0.0.1", "request_id": "08dc90433cab4d31a82ac5371aa57713", "runtime": 24, "schema_name": "public", "scheme": "http", "status": 204, "timestamp": "2024-08-10T11:52:04.963672", "user": "", "user_agent": "goauthentik.io/healthcheck"}

Version and Deployment (please complete the following information): 2024.6.3

services: postgresql: image: docker.io/library/postgres:16-alpine restart: unless-stopped healthcheck: test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] start_period: 20s interval: 30s retries: 5 timeout: 5s volumes:

• database:/var/lib/postgresql/data environment: POSTGRES_PASSWORD: ${PG_PASS:?database password required} POSTGRES_USER: ${PG_USER:-authentik} POSTGRES_DB: ${PG_DB:-authentik} networks:
• authentik env_file:
• .env redis: image: docker.io/library/redis:alpine command: --save 60 1 --loglevel warning restart: unless-stopped healthcheck: test: ["CMD-SHELL", "redis-cli ping | grep PONG"] start_period: 20s interval: 30s retries: 5 timeout: 3s volumes:
• redis:/data networks:
• authentik server: image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.3} restart: unless-stopped command: server environment: AUTHENTIK_REDISHOST: redis AUTHENTIK_POSTGRESQL__HOST: postgresql AUTHENTIK_POSTGRESQLUSER: ${PG_USER:-authentik} AUTHENTIK_POSTGRESQLNAME: ${PG_DB:-authentik} AUTHENTIK_POSTGRESQLPASSWORD: ${PG_PASS} volumes:
• /mnt/user/appdata/Authentik/media:/media
• /mnt/user/appdata/Authentik/custom-templates:/templates networks:
• authentik
• traefik labels:
• "traefik.enable=true"
• "traefik.http.services.authentik.loadbalancer.server.port=${COMPOSE_PORT_HTTP:-9000}"
• "traefik.http.routers.authentik-http.service=authentik"
• "traefik.http.routers.authentik-http.rule=Host(auth.mydomain.com)"
• "traefik.http.routers.authentik.entryPoints=https"
• "traefik.http.routers.authentik.rule=Host(auth.mydomain.com) || HostRegexp({subdomain:[a-z0-9]+}.mydomain.com) && PathPrefix(/outpost.goauthentik.io/)" env_file:
• .env ports:
• "${COMPOSE_PORT_HTTP:-9000}:9000"
• "${COMPOSE_PORT_HTTPS:-9443}:9443" depends_on:
• postgresql
• redis worker: image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.3} restart: unless-stopped command: worker environment: AUTHENTIK_REDISHOST: redis AUTHENTIK_POSTGRESQL__HOST: postgresql AUTHENTIK_POSTGRESQLUSER: ${PG_USER:-authentik} AUTHENTIK_POSTGRESQLNAME: ${PG_DB:-authentik} AUTHENTIK_POSTGRESQLPASSWORD: ${PG_PASS}

  user: root and the docker socket volume are optional.

  See more for the docker socket integration here:

  https://goauthentik.io/docs/outposts/integrations/docker

  Removing user: root also prevents the worker from fixing the permissions

  on the mounted folders, so when removing this make sure the folders have the correct UID/GID

  (1000:1000 by default)

  user: root volumes:

• /var/run/docker.sock:/var/run/docker.sock
• /mnt/user/appdata/Authentik/media:/media
• /mnt/user/appdata/Authentik/certs:/certs
• /mnt/user/appdata/Authentik/custom-templates:/templates networks:
• authentik env_file:
• .env depends_on:
• postgresql
• redis

volumes: database: driver: local redis: driver: local

networks: traefik: external: true authentik:

[authentik-automation[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.