Open mmospanenko opened 3 months ago
I can't get Forward Auth working, neither single application nor domain level.
I'm using the latest 2024.6.3 docker image `ghcr.io/goauthentik/proxy:latest`.
I'm using Nginx with `auth_request`.
I have Authentik and the Proxy Outpost at https://auth.example.org and the application at https://app.example.com (note the different TLDs).
With single application config and `error_page 401 = @goauthentik_proxy_signin` with
```nginx
return 302 https://auth.example.org/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
```
In the Outpost logs I see the same issue, "mismatched session ID":
```
timestamp="2024-08-15T20:07:17Z" level=trace event="passing to single app mux" host=auth.example.org logger=authentik.outpost.proxyv2
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:17Z" level=trace event="tracing headers for debug" header="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br, zstd] Accept-Language:[lv,en-US;q=0.7,en;q=0.3] Cookie:[authentik_proxy_gYg4g0pN=MTcyMzc1MjIwNHxOd3dBTkVreVdWY3pWRXhEV0U1SFRVczBRMGhWVDFrek5FbFpTRkUwVmtKQlJEZFBUVTlVVTBOVVMwMUlNMHBOUWtwS1NEZERTMEU9fNTqI5Ot4zcJZ6GEn6r7iS2KMlNCZViVp9NAi36YnCEH] Dnt:[1] Priority:[u=0, i] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Sec-Gpc:[1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0] X-Forwarded-For:[192.168.1.234] X-Forwarded-Host:[auth.example.org] X-Forwarded-Proto:[https] X-Forwarded-Protocol:[https] X-Original-Url:[https://app.example.com/] X-Real-Ip:[192.168.1.234]]" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T20:07:17Z" level=trace event="nginx forwarded url" logger=authentik.outpost.proxyv2.application name=Provider url="https://app.example.com/"
timestamp="2024-08-15T20:07:17Z" level=info event=/outpost.goauthentik.io/auth/nginx host=auth.example.org logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:36084" runtime=0.294 scheme=http size=21 status=401 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
timestamp="2024-08-15T20:07:17Z" level=trace event="passing to single app mux" host=auth.example.org logger=authentik.outpost.proxyv2
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:17Z" level=trace event="Setting redirect" logger=authentik.outpost.proxyv2.application name=Provider rd="https://app.example.com/"
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie encode"
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie encode"
timestamp="2024-08-15T20:07:17Z" level=info event="/outpost.goauthentik.io/start?rd=https://app.example.com/" host=auth.example.org logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:36096" runtime=0.505 scheme=http size=698 status=302 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
timestamp="2024-08-15T20:07:19Z" level=trace event="passing to single app mux" host=auth.example.org logger=authentik.outpost.proxyv2
timestamp="2024-08-15T20:07:19Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:19Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:19Z" level=debug event="handling OAuth Callback from querystring signature" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T20:07:19Z" level=warning event="mismatched session ID" is=JKRPMNYZQEOZ33WAC6ORGOHXNV7DZGTNYCAFVIBFALB7O5MXVQIA logger=authentik.outpost.proxyv2.application name=Provider should=I2YW3TLCXNGMK4CHUOY34IYHQ4VBAD7OMOTSCTKMH3JMBJJH7CKA
timestamp="2024-08-15T20:07:19Z" level=warning event="invalid state" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T20:07:19Z" level=warning event="mismatched session ID" is=JKRPMNYZQEOZ33WAC6ORGOHXNV7DZGTNYCAFVIBFALB7O5MXVQIA logger=authentik.outpost.proxyv2.application name=Provider should=I2YW3TLCXNGMK4CHUOY34IYHQ4VBAD7OMOTSCTKMH3JMBJJH7CKA
timestamp="2024-08-15T20:07:19Z" level=info event="/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=0c7d07a006fb4b54a26825dcc704eb1e&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb2F1dGhlbnRpay5pby9vdXRwb3N0L2dZZzRnMHBOOWQ2MFl0Tm9RWE43VTVqM3oyM1lmT3VVQUFMOW9oSWsiLCJzaWQiOiJKS1JQTU5ZWlFFT1ozM1dBQzZPUkdPSFhOVjdEWkdUTllDQUZWSUJGQUxCN081TVhWUUlBIiwic3RhdGUiOiI3S0t2ZVpRZ1pkSnNnTUZlUHN2dDZZc3NkNG1kQ1VOcHRBU195aVRaLXY0IiwicmVkaXJlY3QiOiJodHRwczovL3Zpa2kuYXRyYWR1LmluZm8vIn0.eePNCpqgjTaG26Y0_05xck4SQ0I-yNx7uEHh8Bd_WK0" host=auth.example.org logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:36156" runtime=0.316 scheme=http size=0 status=400 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
```
Changing to
```nginx
return 302 https://auth.example.org/outpost.goauthentik.io/start?rd=$request_uri;
```
there is an additional error, "redirect URI did not contain external host":
```
timestamp="2024-08-15T21:25:04Z" level=trace event="passing to single app mux" host=auth.example.org logger=authentik.outpost.proxyv2
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:04Z" level=trace event="tracing headers for debug" header="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br, zstd] Accept-Language:[lv,en-US;q=0.7,en;q=0.3] Cookie:[authentik_proxy_gYg4g0pN=MTcyMzc1NjU3OHxOd3dBTkZoTVMweFVTRmd6UlVKVlZWcE5NemRLV2pkSVZWTklOVmMzTlVaVFRFSTBNak5YVEVKTE0wOVdTRUpNTnpaQ1NFcEVRVUU9fH9XNxp4bGlpPIVMTBQcpDjIQ9C883-fgcWcGvhA7k4l] Dnt:[1] Priority:[u=0, i] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Sec-Gpc:[1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0] X-Forwarded-For:[192.168.1.234] X-Forwarded-Host:[auth.example.org] X-Forwarded-Proto:[https] X-Forwarded-Protocol:[https] X-Original-Url:[https://app.example.com/] X-Real-Ip:[192.168.1.234]]" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T21:25:04Z" level=trace event="nginx forwarded url" logger=authentik.outpost.proxyv2.application name=Provider url="https://app.example.com/"
timestamp="2024-08-15T21:25:04Z" level=info event=/outpost.goauthentik.io/auth/nginx host=auth.example.org logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:40334" runtime=0.315 scheme=http size=21 status=401 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
timestamp="2024-08-15T21:25:04Z" level=trace event="passing to single app mux" host=auth.atradu.ai logger=authentik.outpost.proxyv2
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:04Z" level=warning event="redirect URI did not contain external host" ext=//app.example.com/ logger=authentik.outpost.proxyv2.application name=Provider url=/
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie encode"
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie encode"
timestamp="2024-08-15T21:25:04Z" level=info event="/outpost.goauthentik.io/start?rd=/" host=auth.atradu.ai logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:40346" runtime=0.699 scheme=http size=665 status=302 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
timestamp="2024-08-15T21:25:05Z" level=trace event="passing to single app mux" host=auth.example.org logger=authentik.outpost.proxyv2
timestamp="2024-08-15T21:25:05Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:05Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:05Z" level=debug event="handling OAuth Callback from querystring signature" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T21:25:05Z" level=warning event="mismatched session ID" is=YY6EYUDNAF2GLQYCXUEAQSWHGWS724WJ5K35S7R2N2JORE2OHKGQ logger=authentik.outpost.proxyv2.application name=Provider should=XLKLTHX3EBUUZM37JZ7HUSH5W75FSLB423WLBK3OVHBL76BHJDAA
timestamp="2024-08-15T21:25:05Z" level=warning event="invalid state" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T21:25:05Z" level=warning event="mismatched session ID" is=YY6EYUDNAF2GLQYCXUEAQSWHGWS724WJ5K35S7R2N2JORE2OHKGQ logger=authentik.outpost.proxyv2.application name=Provider should=XLKLTHX3EBUUZM37JZ7HUSH5W75FSLB423WLBK3OVHBL76BHJDAA
timestamp="2024-08-15T21:25:05Z" level=info event="/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=f47754b29a0646059fd3de0b8b56c42b&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb2F1dGhlbnRpay5pby9vdXRwb3N0L2dZZzRnMHBOOWQ2MFl0Tm9RWE43VTVqM3oyM1lmT3VVQUFMOW9oSWsiLCJzaWQiOiJZWTZFWVVETkFGMkdMUVlDWFVFQVFTV0hHV1M3MjRXSjVLMzVTN1IyTjJKT1JFMk9IS0dRIiwic3RhdGUiOiJvcVBuZXdXQ2dJcVlRVVMwQkp6VmRvbWt1NjdIRmVERXJmNmhkMk5RQVZrIiwicmVkaXJlY3QiOiIifQ.gclInXEAT8N8jMmuebhPyZNQnT-1-_Db7tHE51wrwDw" host=auth.example.org logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:40358" runtime=0.453 scheme=http size=0 status=400 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
```
Changing to
```nginx
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
```
I get an infinite redirect because even when `/callback` succeeds it still doesn't register as authenticated.
Changing to
```nginx
return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
```
doesn't make a difference, still an infinite redirect.
Switching to domain level doesn't make any difference either; I get the same behaviour as with single application, either "mismatched session ID" or an infinite redirect.
My nginx section looks like this:
```nginx
location /outpost.goauthentik.io {
    proxy_pass https://auth.example.org/outpost.goauthentik.io;
    # This doesn't work due to using SNI
    #proxy_set_header Host $host;
    # So need to set explicitly
    proxy_set_header Host Auth.example.org;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}
```
I got single application Forward Auth working. Turns out the issue for the infinite redirect loop was that in the Outpost ENV variable `AUTHENTIK_HOST` I had it as `AUTHENTIK_HOST=https://Auth.example.org` (note the capital A).
In the logs I noticed
```json
{"error":"oidc: id token issued by a different provider, expected \"https://Auth.example.org/application/o/app/\" got \"https://auth.example.org/application/o/app/\"","event":"failed to redeem code","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Provider","timestamp":"2024-08-16T14:03:08Z"}
```
This was such an obscure issue... But it's a bug because domain names should be case insensitive. So anyway, `AUTHENTIK_HOST` needs to be set all lowercase, and now it works.
This is also why previously `proxy_set_header Host $host` wasn't working at all but `proxy_set_header Host Auth.example.org;` caused an infinite redirect. Also it looks like the `Host` header is not really needed at all; it works fine without it.
For me `AUTHENTIK_HOST` & `AUTHENTIK_HOST_BROWSER` are always ignored; it is taking `AUTHENTIK_HOST` from the URL I access it at...
Hey there, I've been having the same issue since upgrading to 2024.8.x. I don't recall if I had the issue with 2024.6.x though.
I've tried changing the Provider from Domain to Single Application and it doesn't make much difference.
The only thing that I can spot in the logs is an event that says "mismatched session ID". I tried setting the environment variable AUTHENTIK_HOST to my domain (https://auth.example.com) and made sure it's the right case and spelling, but that didn't change anything.
The flow, for me, goes to `/outpost.goauthentik.io` with other details appended on. The page then shows a HTTP Error 400. It's driving me crazy. I'm debating whether or not I should start looking into alternatives to Authentik.
Any help would be appreciated!
I faced the exact same issue and just found an issue on my side: Authentik allowed a redirect to `http://requested.domain` instead of `https://requested.domain` while I was accessing the https domain.
This is how I checked it: the callback URL `https://authentik.example.com/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=...&state=eyJh...` carries a `state=` parameter, which is a JWT; its `redirect` field is as shown below.
I did not find out yet why the `redirect` field contains a URL with the HTTP protocol.
I noticed the `http://` URLs in this field when accessing domains using HTTP but also when accessing domains using HTTPS where the service caused a redirect.
Example: I accessed https://service.example.com which caused a redirect to `/dashboard`, which resulted in the domain http://service.example.com/dashboard causing the issue described in the comments above.
Changing the protocol and thus accessing https://service.example.com/dashboard worked then.
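The check described in the comment above, done in code as an added example (it is not authentik's code and not from any commenter): it decodes the `state` JWT from a callback URL and reports the same two conditions the outpost logs earlier in the thread, "mismatched session ID" (state `sid` vs the session from the proxy cookie) and "redirect URI did not contain external host", plus the `http://` redirect case. The field names `sid` and `redirect` are taken from the state tokens quoted in the logs; the callback URL, session IDs and unsigned token are constructed for the example.

```python
# Added diagnostic for this thread, not authentik's own code: decode the `state`
# JWT from an outpost callback URL and report the two conditions the outpost
# logs above as "mismatched session ID" and "redirect URI did not contain
# external host".  Field names (sid, redirect) follow the state tokens quoted
# in the logs; the callback URL and session IDs used here are constructed.
import base64
import json
from urllib.parse import parse_qs, urlparse


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def diagnose_callback(callback_url: str, cookie_sid: str, external_host: str) -> list:
    """Compare the state token with the session ID from the proxy cookie and the
    host the browser actually used.  Returns findings; an empty list is consistent."""
    findings = []
    state = decode_jwt_payload(parse_qs(urlparse(callback_url).query)["state"][0])
    if state.get("sid") != cookie_sid:
        findings.append(f"mismatched session ID is={state.get('sid')} should={cookie_sid}")
    rd = urlparse(state.get("redirect", ""))
    if not rd.netloc:  # e.g. rd=/ or an empty redirect field
        findings.append("redirect URI did not contain external host")
    else:
        if rd.netloc.lower() != external_host.lower():
            findings.append(f"redirect host {rd.netloc} is not {external_host}")
        if rd.scheme != "https":  # the http:// case described in the comment above
            findings.append(f"redirect uses {rd.scheme}:// instead of https://")
    return findings


def make_sample_callback(sid: str, redirect: str) -> str:
    """Build a callback URL carrying an UNSIGNED, constructed state token (demo only)."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(b'{"alg":"HS256","typ":"JWT"}')
    payload = enc(json.dumps({"iss": "goauthentik.io/outpost/example", "sid": sid,
                              "state": "nonce", "redirect": redirect}).encode())
    return ("https://auth.example.org/outpost.goauthentik.io/callback"
            f"?X-authentik-auth-callback=true&code=constructed&state={header}.{payload}.sig")
```

Run `diagnose_callback(url, cookie_sid, "app.example.com")` with the `is=`/`should=` values from your own outpost log to see which of the two checks is failing for a real callback.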
I found a workaround for my setup with traefik: configure redirection from http to https, which I had disabled for some reason a few days ago. Example helm values for the traefik helm chart:
```yaml
ports:
  web:
    # https://docs.traefik.io/routing/entrypoints/#redirection
    redirectTo:
      port: websecure
```
I upgraded from 2024.4 to 2024.10 (gradually) and then the problem hit (no problems before; all configs are done as per authentik's wiki). The embedded outpost always gives 404 not found; I also tried an external proxy outpost. That gives
```json
{
  "Message": "no app for hostname",
  "Host": "auth.domain.com",
  "Detail": "Check the outpost settings and make sure 'auth.domain.com' is included."
}
```
```
curl -I https://auth.domain.com/outpost.goauthentik.io/auth/nginx
HTTP/1.1 400 Bad Request
Server: nginx/1.27.2
Date: Wed, 06 Nov 2024 12:30:21 GMT
Content-Type: application/json
Content-Length: 146
Connection: keep-alive

curl -I https://auth.domain.com/outpost.goauthentik.io/
HTTP/1.1 400 Bad Request
Server: nginx/1.27.2
Date: Wed, 06 Nov 2024 12:30:27 GMT
Content-Type: application/json
Content-Length: 146
Connection: keep-alive
```
I just ran into exactly the same issue here with a freshly installed Authentik 2024.10: always mismatched session id for my forward auth.
I was experiencing the same issue; the resolution for me was to ensure that the outpost had its docker integration set correctly and then set the `authentik_host` and `authentik_host_browser` variables.
Edit: this didn't entirely solve the issue; I thought it did because I had a valid session cookie already. It is also necessary to configure your middleware to rewrite the location header of a 302 redirect from the `authentik_host` value to the `authentik_host_browser` value. The equivalent of nginx's `proxy_redirect http://127.0.0.1:9000 https://auth.my.domain;`.
2024.10.2 resolved the problem for me; I was able to remove the proxy_redirects from my middleware and the whole system is functioning as intended without any strange workarounds.
Upgraded to 2024.10.3 and started experiencing this issue. Had to revert to 2024.10.2.
Describe the bug
I created Forward Auth (domain level) and a provider (using the wizard), but it only works correctly with the Embedded Outpost. With proxies, it returns 400 (in the logs: wrong session). App Level Forward Auth works correctly with external (proxy) Outposts; the issue is only with Domain level.
I have multiple servers in my network, each server has an Outpost (ghcr.io/goauthentik/proxy), all behind Traefik.
Expected behavior
I expect that the external outpost will work similarly to the embedded one.
Screenshots
not ui