goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Error 400 on Forward Auth (domain level) via Outpost #10848

Open mmospanenko opened 1 month ago

mmospanenko commented 1 month ago

Describe the bug: I created a Forward Auth (domain level) provider (using the wizard), but it works correctly only with the Embedded Outpost. With proxies, it returns 400 (in the logs: wrong session). App-level Forward Auth works correctly with external (proxy) Outposts; the issue is only with domain level.

I have multiple servers in my network; each server has an Outpost (ghcr.io/goauthentik/proxy), all behind Traefik.

To reproduce. Steps to reproduce the behavior:

  1. deploy authentik on one server and the Proxy on another, behind Traefik
  2. configure domain-level Forward Auth for the external outpost
  3. try to log in using the domain catch middleware
  4. see the error (400)

Expected behavior: I expect that the external outpost will work similarly to the embedded one.

Screenshots: not UI

Logs

{"event":"mismatched session ID", ...
{"event":"invalid state","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Provider for ...
{"event":"/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=...","host":"auth....","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Provider for ...","remote":"10....","runtime":"4.956","scheme":"http","size":0,"status":400,"timestamp":"2024-08-10T11:59:38Z","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"}   


davispuh commented 4 weeks ago

I can't get Forward Auth working, neither single application nor domain level.

I'm using the latest 2024.6.3 docker image ghcr.io/goauthentik/proxy:latest

I'm using Nginx with auth_request.

I have authentik and the Proxy Outpost at https://auth.example.org and the application at https://app.example.com (note the different TLDs).

With single application config (image)

and error_page 401 = @goauthentik_proxy_signin with

return 302 https://auth.example.org/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;

In the Outpost logs I see the same issue, "mismatched session ID":

timestamp="2024-08-15T20:07:17Z" level=trace event="passing to single app mux" host=auth.example.org logger=authentik.outpost.proxyv2
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:17Z" level=trace event="tracing headers for debug" header="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br, zstd] Accept-Language:[lv,en-US;q=0.7,en;q=0.3] Cookie:[authentik_proxy_gYg4g0pN=MTcyMzc1MjIwNHxOd3dBTkVreVdWY3pWRXhEV0U1SFRVczBRMGhWVDFrek5FbFpTRkUwVmtKQlJEZFBUVTlVVTBOVVMwMUlNMHBOUWtwS1NEZERTMEU9fNTqI5Ot4zcJZ6GEn6r7iS2KMlNCZViVp9NAi36YnCEH] Dnt:[1] Priority:[u=0, i] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Sec-Gpc:[1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0] X-Forwarded-For:[192.168.1.234] X-Forwarded-Host:[auth.example.org] X-Forwarded-Proto:[https] X-Forwarded-Protocol:[https] X-Original-Url:[https://app.example.com/] X-Real-Ip:[192.168.1.234]]" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T20:07:17Z" level=trace event="nginx forwarded url" logger=authentik.outpost.proxyv2.application name=Provider url="https://app.example.com/"
timestamp="2024-08-15T20:07:17Z" level=info event=/outpost.goauthentik.io/auth/nginx host=auth.example.org logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:36084" runtime=0.294 scheme=http size=21 status=401 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
timestamp="2024-08-15T20:07:17Z" level=trace event="passing to single app mux" host=auth.example.org logger=authentik.outpost.proxyv2
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:17Z" level=trace event="Setting redirect" logger=authentik.outpost.proxyv2.application name=Provider rd="https://app.example.com/"
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie encode"
timestamp="2024-08-15T20:07:17Z" level=trace event="cookie encode"
timestamp="2024-08-15T20:07:17Z" level=info event="/outpost.goauthentik.io/start?rd=https://app.example.com/" host=auth.example.org logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:36096" runtime=0.505 scheme=http size=698 status=302 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
timestamp="2024-08-15T20:07:19Z" level=trace event="passing to single app mux" host=auth.example.org logger=authentik.outpost.proxyv2
timestamp="2024-08-15T20:07:19Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:19Z" level=trace event="cookie decode"
timestamp="2024-08-15T20:07:19Z" level=debug event="handling OAuth Callback from querystring signature" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T20:07:19Z" level=warning event="mismatched session ID" is=JKRPMNYZQEOZ33WAC6ORGOHXNV7DZGTNYCAFVIBFALB7O5MXVQIA logger=authentik.outpost.proxyv2.application name=Provider should=I2YW3TLCXNGMK4CHUOY34IYHQ4VBAD7OMOTSCTKMH3JMBJJH7CKA
timestamp="2024-08-15T20:07:19Z" level=warning event="invalid state" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T20:07:19Z" level=warning event="mismatched session ID" is=JKRPMNYZQEOZ33WAC6ORGOHXNV7DZGTNYCAFVIBFALB7O5MXVQIA logger=authentik.outpost.proxyv2.application name=Provider should=I2YW3TLCXNGMK4CHUOY34IYHQ4VBAD7OMOTSCTKMH3JMBJJH7CKA
timestamp="2024-08-15T20:07:19Z" level=info event="/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=0c7d07a006fb4b54a26825dcc704eb1e&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb2F1dGhlbnRpay5pby9vdXRwb3N0L2dZZzRnMHBOOWQ2MFl0Tm9RWE43VTVqM3oyM1lmT3VVQUFMOW9oSWsiLCJzaWQiOiJKS1JQTU5ZWlFFT1ozM1dBQzZPUkdPSFhOVjdEWkdUTllDQUZWSUJGQUxCN081TVhWUUlBIiwic3RhdGUiOiI3S0t2ZVpRZ1pkSnNnTUZlUHN2dDZZc3NkNG1kQ1VOcHRBU195aVRaLXY0IiwicmVkaXJlY3QiOiJodHRwczovL3Zpa2kuYXRyYWR1LmluZm8vIn0.eePNCpqgjTaG26Y0_05xck4SQ0I-yNx7uEHh8Bd_WK0" host=auth.example.org logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:36156" runtime=0.316 scheme=http size=0 status=400 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"

Changing to

return 302 https://auth.example.org/outpost.goauthentik.io/start?rd=$request_uri;

There is an additional error, "redirect URI did not contain external host":

timestamp="2024-08-15T21:25:04Z" level=trace event="passing to single app mux" host=auth.example.org logger=authentik.outpost.proxyv2
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:04Z" level=trace event="tracing headers for debug" header="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br, zstd] Accept-Language:[lv,en-US;q=0.7,en;q=0.3] Cookie:[authentik_proxy_gYg4g0pN=MTcyMzc1NjU3OHxOd3dBTkZoTVMweFVTRmd6UlVKVlZWcE5NemRLV2pkSVZWTklOVmMzTlVaVFRFSTBNak5YVEVKTE0wOVdTRUpNTnpaQ1NFcEVRVUU9fH9XNxp4bGlpPIVMTBQcpDjIQ9C883-fgcWcGvhA7k4l] Dnt:[1] Priority:[u=0, i] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Sec-Gpc:[1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0] X-Forwarded-For:[192.168.1.234] X-Forwarded-Host:[auth.example.org] X-Forwarded-Proto:[https] X-Forwarded-Protocol:[https] X-Original-Url:[https://app.example.com/] X-Real-Ip:[192.168.1.234]]" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T21:25:04Z" level=trace event="nginx forwarded url" logger=authentik.outpost.proxyv2.application name=Provider url="https://app.example.com/"
timestamp="2024-08-15T21:25:04Z" level=info event=/outpost.goauthentik.io/auth/nginx host=auth.example.org logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:40334" runtime=0.315 scheme=http size=21 status=401 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
timestamp="2024-08-15T21:25:04Z" level=trace event="passing to single app mux" host=auth.atradu.ai logger=authentik.outpost.proxyv2
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:04Z" level=warning event="redirect URI did not contain external host" ext=//app.example.com/ logger=authentik.outpost.proxyv2.application name=Provider url=/
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie encode"
timestamp="2024-08-15T21:25:04Z" level=trace event="cookie encode"
timestamp="2024-08-15T21:25:04Z" level=info event="/outpost.goauthentik.io/start?rd=/" host=auth.atradu.ai logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:40346" runtime=0.699 scheme=http size=665 status=302 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
timestamp="2024-08-15T21:25:05Z" level=trace event="passing to single app mux" host=auth.example.org logger=authentik.outpost.proxyv2
timestamp="2024-08-15T21:25:05Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:05Z" level=trace event="cookie decode"
timestamp="2024-08-15T21:25:05Z" level=debug event="handling OAuth Callback from querystring signature" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T21:25:05Z" level=warning event="mismatched session ID" is=YY6EYUDNAF2GLQYCXUEAQSWHGWS724WJ5K35S7R2N2JORE2OHKGQ logger=authentik.outpost.proxyv2.application name=Provider should=XLKLTHX3EBUUZM37JZ7HUSH5W75FSLB423WLBK3OVHBL76BHJDAA
timestamp="2024-08-15T21:25:05Z" level=warning event="invalid state" logger=authentik.outpost.proxyv2.application name=Provider
timestamp="2024-08-15T21:25:05Z" level=warning event="mismatched session ID" is=YY6EYUDNAF2GLQYCXUEAQSWHGWS724WJ5K35S7R2N2JORE2OHKGQ logger=authentik.outpost.proxyv2.application name=Provider should=XLKLTHX3EBUUZM37JZ7HUSH5W75FSLB423WLBK3OVHBL76BHJDAA
timestamp="2024-08-15T21:25:05Z" level=info event="/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=f47754b29a0646059fd3de0b8b56c42b&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb2F1dGhlbnRpay5pby9vdXRwb3N0L2dZZzRnMHBOOWQ2MFl0Tm9RWE43VTVqM3oyM1lmT3VVQUFMOW9oSWsiLCJzaWQiOiJZWTZFWVVETkFGMkdMUVlDWFVFQVFTV0hHV1M3MjRXSjVLMzVTN1IyTjJKT1JFMk9IS0dRIiwic3RhdGUiOiJvcVBuZXdXQ2dJcVlRVVMwQkp6VmRvbWt1NjdIRmVERXJmNmhkMk5RQVZrIiwicmVkaXJlY3QiOiIifQ.gclInXEAT8N8jMmuebhPyZNQnT-1-_Db7tHE51wrwDw" host=auth.example.org logger=authentik.outpost.proxyv2.application method=GET name=Provider remote="192.168.2.100:40358" runtime=0.453 scheme=http size=0 status=400 user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"

Changing to

return 302 /outpost.goauthentik.io/start?rd=$request_uri;

I get an infinite redirect because even when /callback succeeds it still doesn't register as authenticated.

(image)

Changing to

return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;

Doesn't make a difference, still an infinite redirect.

Switching to domain level doesn't make any difference; I get the same behavior as with single application: either "mismatched session ID" or an infinite redirect.

(image)

My nginx section looks like this:

location /outpost.goauthentik.io {
        proxy_pass              https://auth.example.org/outpost.goauthentik.io;

        # This doesn't work due to using SNI
        #proxy_set_header        Host $host;
        # So need to set explicitly
        proxy_set_header        Host Auth.example.org;

        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
        add_header              Set-Cookie $auth_cookie;
        auth_request_set        $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
}

davispuh commented 4 weeks ago

I got single application Forward Auth working. Turns out the issue with the infinite redirect loop was that in the Outpost ENV variable AUTHENTIK_HOST I had it set as AUTHENTIK_HOST=https://Auth.example.org (note the capital A).

In logs I noticed

{"error":"oidc: id token issued by a different provider, expected \"https://Auth.example.org/application/o/app/\" got \"https://auth.example.org/application/o/app/\"","event":"failed to redeem code","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"Provider","timestamp":"2024-08-16T14:03:08Z"}

This was such an obscure issue... But it's a bug, because domain names should be case insensitive. So anyway, I needed to set AUTHENTIK_HOST all lowercase and now it works.

This is also why previously proxy_set_header Host $host wasn't working at all, but proxy_set_header Host Auth.example.org; caused an infinite redirect. Also, it looks like the Host header is not really needed at all; it works fine without it.
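An added example, not code from the thread or from authentik, of the comparison the "id token issued by a different provider" error above would need to tolerate: RFC 3986 makes the scheme and host of a URL case-insensitive while the path stays case-sensitive, so issuers are compared in canonical form, and a pre-flight check flags a mixed-case AUTHENTIK_HOST before it can break code redemption. Function names are assumed; the sample values mirror the issuer strings quoted in the comment.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// NormalizeIssuer canonicalizes an issuer URL per RFC 3986: scheme and host
// are case-insensitive and are lower-cased; the path stays case-sensitive.
func NormalizeIssuer(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("issuer %q must be an absolute URL", raw)
	}
	u.Scheme = strings.ToLower(u.Scheme)
	u.Host = strings.ToLower(u.Host)
	return u.String(), nil
}

// IssuerMatches reports whether the issuer claimed in an ID token names the
// same provider as the configured one, comparing canonical forms.
func IssuerMatches(expected, got string) (bool, error) {
	e, err := NormalizeIssuer(expected)
	if err != nil {
		return false, err
	}
	g, err := NormalizeIssuer(got)
	if err != nil {
		return false, err
	}
	return e == g, nil
}

// CheckAuthentikHost flags an AUTHENTIK_HOST value whose mixed-case host would
// fail a byte-wise issuer comparison; it returns the canonical form plus a
// warning, e.g. for the constructed value "https://Auth.example.org".
func CheckAuthentikHost(configured string) (string, string) {
	canonical, err := NormalizeIssuer(configured)
	if err != nil {
		return "", err.Error()
	}
	if canonical != configured {
		return canonical, fmt.Sprintf("AUTHENTIK_HOST %q is not canonical; use %q", configured, canonical)
	}
	return canonical, ""
}
```

Running CheckAuthentikHost over the outpost's environment at startup surfaces the misconfiguration as a clear warning instead of a "failed to redeem code" entry buried in the logs.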

pwaldon commented 3 weeks ago

For me, AUTHENTIK_HOST & AUTHENTIK_HOST_BROWSER are always ignored; it takes AUTHENTIK_HOST from the URL I access it at...