goauthentik / authentik

The authentication glue you need.
https://goauthentik.io
Other
12.99k stars 866 forks

Can't create OpenID Connect Provider #11179

Closed EmilZackrisson closed 2 weeks ago

EmilZackrisson commented 3 weeks ago

Describe the bug Can't create a new OpenID Connect/OAuth provider. Works until I press "Finish" but nothing happens. Tried to create only the provider and via the Wizard but either works.

To Reproduce Steps to reproduce the behavior:

  1. Update to 2024.8.0
  2. Create provider

Expected behavior A new provider

Logs No relevant logs

Version and Deployment (please complete the following information):

mkleger commented 3 weeks ago

I have the same problem and also when using an existing OpenID authentication I get the following error:

could not read block 0 in file "base/16384/18994": read only 0 of 8192 bytes
Traceback (most recent call last):
  File "/authentik/flows/views/executor.py", line 286, in get
    stage_response = self.current_stage_view.dispatch(request)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/views/generic/base.py", line 143, in dispatch
    return handler(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/providers/oauth2/views/authorize.py", line 531, in get
    return self.redirect(self.create_response_uri())
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/providers/oauth2/views/authorize.py", line 554, in create_response_uri
    code.save()
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/models/base.py", line 822, in save
    self.save_base(
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/models/base.py", line 909, in save_base
    updated = self._save_table(
              ^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/models/base.py", line 1071, in _save_table
    results = self._do_insert(
              ^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/models/base.py", line 1112, in _do_insert
    return manager._insert(
           ^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/models/manager.py", line 87, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/models/query.py", line 1847, in _insert
    return query.get_compiler(using=using).execute_sql(returning_fields)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/models/sql/compiler.py", line 1823, in execute_sql
    cursor.execute(sql, params)
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/backends/utils.py", line 79, in execute
    return self._execute_with_wrappers(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/backends/utils.py", line 92, in _execute_with_wrappers
    return executor(sql, params, many, context)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/backends/utils.py", line 100, in _execute
    with self.db.wrap_database_errors:
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/utils.py", line 91, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "/ak-root/venv/lib/python3.12/site-packages/django/db/backends/utils.py", line 105, in _execute
    return self.cursor.execute(sql, params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django_prometheus/db/common.py", line 69, in execute
    return super().execute(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/psycopg/cursor.py", line 97, in execute
    raise ex.with_traceback(None)
django.db.utils.InternalError: could not read block 0 in file "base/16384/18994": read only 0 of 8192 bytes
Request ID

m4tt72 commented 3 weeks ago

Having the same issue, might be related to the errors shown in the browser console.

Uncaught (in promise) TypeError: this.selected is undefined
    willUpdate ak-dual-select.ts:118
    performUpdate reactive-element.ts:1439
    scheduleUpdate reactive-element.ts:1338
    _$ET reactive-element.ts:1310
    requestUpdate reactive-element.ts:1268
    _$Ev reactive-element.ts:1017
    f reactive-element.ts:1000
    C lit-element.ts:122
    St Base.ts:63
    <anonymous> eventEmitter.ts:60
    <anonymous> eventEmitter.ts:11
    h ak-dual-select.ts:96
    u lit-html.ts:1212
    $ lit-html.ts:1633
    _$AI lit-html.ts:1469
    Ct lit-html.ts:2269
    update lit-element.ts:163
    performUpdate reactive-element.ts:1441
    scheduleUpdate reactive-element.ts:1338
    _$ET reactive-element.ts:1310
    requestUpdate reactive-element.ts:1268
    _$Ev reactive-element.ts:1017
    f reactive-element.ts:1000
    C lit-element.ts:122
    St Base.ts:63
    K AkControlElement.ts:13
    <anonymous> eventEmitter.ts:60
    f ak-dual-select-provider.ts:84
    u lit-html.ts:1212
    $ lit-html.ts:1633
    _$AI lit-html.ts:1469
    p lit-html.ts:1276
    $ lit-html.ts:1644
    _$AI lit-html.ts:1469
    p lit-html.ts:1276
    $ lit-html.ts:1644
    _$AI lit-html.ts:1469
    Ct lit-html.ts:2269
    update lit-element.ts:163
    performUpdate reactive-element.ts:1441
    scheduleUpdate reactive-element.ts:1338
    _$ET reactive-element.ts:1310
    requestUpdate reactive-element.ts:1268
    render ModelForm.ts:93
    promise callback*render ModelForm.ts:89
    update lit-element.ts:158
    performUpdate reactive-element.ts:1441
    scheduleUpdate reactive-element.ts:1338
    _$ET reactive-element.ts:1310
    requestUpdate reactive-element.ts:1268
    _$Ev reactive-element.ts:1017
    f reactive-element.ts:1000
    C lit-element.ts:122
    St Base.ts:63
    S Form.ts:161
    u ModelForm.ts:58
    v BaseProviderForm.ts:5
    h OAuth2ProviderForm.ts:129
    renderVisible ProxyForm.ts:43
    render Form.ts:408
    update lit-element.ts:158
    performUpdate reactive-element.ts:1441
    scheduleUpdate reactive-element.ts:1338
    _$ET reactive-element.ts:1310
    requestUpdate reactive-element.ts:1268
    requestUpdate ProxyForm.ts:32
    requestUpdate WizardPage.ts:47
    requestUpdate WizardPage.ts:45
    set currentStep Wizard.ts:86
    renderModalInner Wizard.ts:210

Skorsnet commented 3 weeks ago

Edit 9/7: after uninstalling then restoring from backup, then pulling the beta/dev version it has been working. I am no longer having issues with the finish button. I have also not received any other errors.

I am having the same issue with OpenID Connect/OAuth as well as Forward Auth Single Application. Even though the result was the same, noticed that when I used the wizard there was an option for Forward Auth Single Application but when I went directly to providers it only has an option for Proxy Provider. Anyway, I am not receiving any errors, just the button not working.

m4tt72 commented 3 weeks ago

It's definitely a UI issue. I managed to temporarily fix by downgrading to 2024.6.4 as it seems like it doesn't have this issue. Not an ideal solution but it works until we get a fix.

coworkers-de commented 3 weeks ago

Can confirm on 2024.8.0. If I click on "Next" (German "Weiter") nothing happens. Downgrading to 2024.6.4 solved it.

bdorr1105 commented 3 weeks ago

How exactly can anyone rollback? It will not become healthy again for me if I roll back, and I also can't upgrade alpine as it causes constant restarts. Updating tips and tricks would be cool, I am using docker-compose. I can't rollback for nothing. Thanks

q20 commented 3 weeks ago

> How exactly can anyone rollback? It will not become healthy again for me if I roll back, and I also can't upgrade alpine as it causes constant restarts. Updating tips and tricks would be cool, I am using docker-compose. I can't rollback for nothing. Thanks

You can specify the following docker image tag to roll back:

ghcr.io/goauthentik/server:2024.6.4

I have just done this myself after all my proxy applications appended X-authentik-auth-callback=true to the application URLs, causing them not to load. 2024.8.0 is a no-go for me. It was faster to roll back than look for a fix (assuming one even exists).

mkleger commented 3 weeks ago

Unfortunately, this does not work for me, the containers then restart again and again with errors as soon as I save the new version again, the container comes up without any problems.

q20 commented 3 weeks ago

> Unfortunately, this does not work for me, the containers then restart again and again with errors as soon as I save the new version again, the container comes up without any problems.

After rolling back to ghcr.io/goauthentik/server:2024.6.4 I was also required to restore the mapped volumes from backup, as not all containers in the stack succeeded in starting correctly. Not ideal, but I'm able to do this relatively painlessly with my setup.

malmeloo commented 3 weeks ago

FWIW, only the provider creation UI appears to be affected, so you can still create providers through the API. For example, to create a proxy provider:

curl -X POST -L 'https://your.authentik.host/api/v3/providers/proxy/' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <api_token_here>' \
  --data '{"authorization_flow": "<authorization_flow_id>", "name": "New proxy", "external_host": "https://test", "mode": "forward_single"}'

You can create an api token under Directory > Tokens and App Passwords. To find your authorization flow ID, I believe the easiest way is to navigate to the flow in Authentik and "export" it. That will download a .yaml file with the flow's details, and the flow ID will be in there as well. Example: 7aff7101-1222-48e4-a5c0-7ebc62775e48.

Don't worry too much about the request details, as you can seemingly still modify the provider through the web interface. Only creation appears to be affected.

malmeloo commented 3 weeks ago

Creating outposts also seems to be affected. The relevant command for this one is as follows:

curl -X POST -L 'https://your.authentik.host/api/v3/outposts/instances/' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <api_token_here>' \
  --data '{"name": "Some outpost name", "type": "proxy", "providers": [<provider_id_here>], "config": {}}'

This time, the provider ID can be found by navigating to the provider and looking at the URL: you should see /core/providers/<number> somewhere in the middle there. That number is your provider ID.
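
Added example (not part of the comments above and not authentik project code): the same two API calls scripted in Python, so the token comes from the environment rather than the command line, the IDs are validated before anything is sent, and redirects are refused. The endpoints and JSON fields are the ones in the curl commands above; the function names and the AUTHENTIK_* environment variables are assumptions made for this example.

```python
import json
import os
import re
import urllib.request
from urllib.parse import urlsplit

UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib copies request headers (Authorization included) to a redirect
    target, so treat any 3xx as an error instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _post(base_url, path, payload, token):
    """Build, without sending, a JSON POST that carries the bearer token."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base URL must be https:// so the token is never sent in clear")
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("API token is empty or contains whitespace")
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )


def proxy_provider_request(base_url, token, name, flow_id, external_host):
    """Request for the provider-creation call (forward auth, single application)."""
    if not UUID_RE.fullmatch(flow_id):
        raise ValueError("authorization flow ID must be the UUID from the exported flow")
    payload = {"authorization_flow": flow_id, "name": name,
               "external_host": external_host, "mode": "forward_single"}
    return _post(base_url, "/api/v3/providers/proxy/", payload, token)


def outpost_request(base_url, token, name, provider_ids):
    """Request for the outpost-creation call; provider IDs are the numbers from the UI URL."""
    if not provider_ids or not all(type(p) is int and p > 0 for p in provider_ids):
        raise ValueError("provider IDs must be positive integers")
    payload = {"name": name, "type": "proxy",
               "providers": list(provider_ids), "config": {}}
    return _post(base_url, "/api/v3/outposts/instances/", payload, token)


def send(request):
    """Send a prepared request and return (HTTP status, decoded JSON body)."""
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(request, timeout=15) as resp:
        return resp.status, json.loads(resp.read())


if __name__ == "__main__":
    # Assumed variable names; the token never appears in the process argument list.
    host, token = os.environ["AUTHENTIK_URL"], os.environ["AUTHENTIK_TOKEN"]
    req = proxy_provider_request(host, token, "New proxy",
                                 os.environ["AUTHENTIK_FLOW_ID"], "https://test")
    print(send(req))
```

Give the token only the access the script needs and delete it under Directory > Tokens and App Passwords once the providers exist.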

fstracke commented 3 weeks ago

After a very brief review, there seems to be no click-event attached to the button that is not sentry related. Maybe the ui isn't loading correctly?

jadehawk commented 3 weeks ago

Same behavior running both the Authentik & Authentik-worker latest version 2024.8 on a machine running UnRaid. Just learned the basics of Authentik + Traefik on the 2024.6.4 version, only to lose internet access for 36 hrs (Lightning Strike) and to restart system, update containers to the latest version and everything broke (Can't create new providers and "X-authentik-auth-callback=true" was added to all "Forward Auth" applications I had already configured).

In my case downgrading back to 2024.6.4 did not work, in fact after downgrading both Authentik & Authentik-worker containers, the Authentik server failed to load, I was forced to delete the Postgres database and start from scratch.

Glad it is an issue and not something I did.

BeryJu commented 3 weeks ago

might be fixed by https://github.com/goauthentik/authentik/pull/11203, please try on ghcr.io/goauthentik/dev-server:gh-version-2024.8

jkennedyvz commented 3 weeks ago

> might be fixed by #11203, please try on ghcr.io/goauthentik/dev-server:gh-version-2024.8

I was able to create a proxy and an oidc provider with this branch! Error messages are missing text, but it's functional.

BeryJu commented 3 weeks ago

Was that error message from a failed attempt to submit the form or did that error message show up when filling out everything correctly?

zenjabba commented 3 weeks ago

> Same behavior running both the Authentik & Authentik-worker latest version 2024.8 on a machine running UnRaid. Just learned the basics of Authentik + Traefik on the 2024.6.4 version, only to lose internet access for 36 hrs (Lightning Strike) and to restart system, update containers to the latest version and everything broke (Can't create new providers and "X-authentik-auth-callback=true" was added to all "Forward Auth" applications I had already configured).
>
> In my case downgrading back to 2024.6.4 did not work, in fact after downgrading both Authentik & Authentik-worker containers, the Authentik server failed to load, I was forced to delete the Postgres database and start from scratch.
>
> Glad it is an issue and not something I did.

Seeing the same issue so I'm glad I am not the only one. I found out the backups of the database weren't running so I cannot revert back to 2024.06.04 so I'm kinda stuck waiting for a fix.

Thanks for posting this as I was going insane and even had a support ticket open.

BeryJu commented 3 weeks ago

X-authentik-auth-callback=true is purposefully added to all proxy providers, depending on the reverse proxy it is used by the authentik outpost to know which requests are for it

aaronriedel commented 3 weeks ago

> might be fixed by #11203, please try on ghcr.io/goauthentik/dev-server:gh-version-2024.8

works for me now

jkennedyvz commented 3 weeks ago

> Was that error message from a failed attempt to submit the form or did that error message show up when filling out everything correctly?

Hi @BeryJu , the blank error banner showed up when I tried creating a provider without all of the required fields. The red text underneath each field is displayed correctly.

jadehawk commented 3 weeks ago

ghcr.io/goauthentik/dev-server:gh-version-2024.8

OK, using the new dev image provided, I can now add providers. However, within authentik's "My applications" screen, as before, the extra text has been added to all "Applications URL". This prevents the application from launching (I have it set to open in a new window). If I remove the extra text and just type "app.domain.com" in the browser, it works as expected.

Added to Apps Dashboard

It also automatically adds "Additional Scopes" to all providers. This was not required on version 2024.6.4. Since I am new to Authentik I didn't know I had to use them, but it works fine on 2024.6.4 without them. (I'm only using "Forward Auth", not using OpenID at all.)

Added to Provider

So at this moment with this dev 2024.8 version all but the "My Application" apps seem to work. Sticking to 2024.6.4 till version 2024.8 is ironed out a little more.

Cecchellone commented 3 weeks ago

> might be fixed by #11203, please try on ghcr.io/goauthentik/dev-server:gh-version-2024.8

On ARM the correct image is ghcr.io/goauthentik/dev-server:gh-version-2024.8. It fixed the problem for me 😊

zenjabba commented 3 weeks ago

Can we roll back to 2024.6.4 without a database backup?

aaronriedel commented 3 weeks ago

> Can we roll back to 2024.6.4 without a database backup?

You should definitely backup before you attempt this. For me a rollback did not work, I used the dev version instead.

mkleger commented 3 weeks ago

After updating to the DEV version, I still have the problem that OpenID logins do not work.

Is that just me?

ghostklart commented 3 weeks ago

+1 for the issue, hope to see update/fix soon

caiodstx commented 3 weeks ago

Same issue for me, just waiting for a fix since I just deployed authentik yesterday so nothing to lose, but hoping it gets fixed soon.

devadattas commented 3 weeks ago

Same issue here!

schmidt-silas commented 3 weeks ago

+1 Same for me, FIX #11203 (ghcr.io/goauthentik/dev-server:gh-version-2024.8) NOT working with ARM

SirWobbyTheFirst commented 3 weeks ago

I think for the time being, I'm going to wait on 2024.6.4 as the initial 2024.8 release seems to be really buggy and the previous attempt to upgrade on day one, I didn't take a backup and in the end had to rebuild everything from scratch.

@BeryJu - Would it be safe to upgrade from 2024.6.4 to 2024.8.1 when it comes out and skip over the 2024.8 initial version?

zenjabba commented 3 weeks ago

I am running the dev build which should turn into 2024.8.1 and it's still not fixed the problem.

b2un0 commented 3 weeks ago

same 4 me

zenjabba commented 3 weeks ago

Ok I think I've figured out what's going wrong. instead of the outpost redirecting the session to the correct endpoint, it's always redirecting it to localhost:8000 and failing

armsby commented 3 weeks ago

> Ok I think I've figured out what's going wrong. instead of the outpost redirecting the session to the correct endpoint, it's always redirecting it to localhost:8000 and failing

when it does this url=http://localhost:8000/outpost.goauthentik.io/auth/traefik I would expect that to be something like http://outpost.company:9000/outpost.goauthentik.io/auth/traefik

Jeremiegmoore commented 3 weeks ago

> Ok I think I've figured out what's going wrong. instead of the outpost redirecting the session to the correct endpoint, it's always redirecting it to localhost:8000 and failing

> when it does this url=http://localhost:8000/outpost.goauthentik.io/auth/traefik I would expect that to be something like http://outpost.company:9000/outpost.goauthentik.io/auth/traefik

Describe the bug Can't create a new OpenID Connect/OAuth provider. Works until I press "Finish" but nothing happens. Tried to create only the provider and via the Wizard but either works.

To Reproduce Steps to reproduce the behavior:

  1. Update to 2024.8.0
  2. Create provider

Expected behavior A new provider

Logs No relevant logs

Version and Deployment (please complete the following information):

  • authentik version: 2024.8.0
  • Deployment: helm

NCVito commented 2 weeks ago

Seeing the same issue. I've downgraded to 2024.6.4. Hoping to see an update soon!

zbig-t commented 2 weeks ago

I honestly find it surprising that the maintainers hadn't, at the very least, pulled down what basically is a broken release. I've wasted way too much time trying to debug my Kubernetes installation of the software that "worked fine in Docker just a day ago". Of course luck had it that the new (broken) release dropped just between me PoC'ing it in Docker Desktop and putting it on my Kubernetes lab. Not to sound ungrateful for a good piece of software overall, but it seems just a bit disrespectful wasting users' time just like that, especially given no official downgrade path. And I'm just a hobbyist fooling around; hard to imagine all the cursing that ensued with folks dealing with mission-critical, production installations (ok, perhaps they shouldn't be on free open-source version in the first place (does commercial version lag behind, anyway?) 😉)

zenjabba commented 2 weeks ago

The paid edition and the open source edition are the same.. ask me how I know :)

zbig-t commented 2 weeks ago

> The paid edition and the open source edition are the same.. ask me how I know :)

Oh, that's a bummer. Then there's really no excuse for Authentik team to keep the critically broken release as latest for days 😕

CrazyWolf13 commented 2 weeks ago

@BeryJu Any news yet?

Pinning the version and downgrading did not work for me, the server stays on starting..

jangrewe commented 2 weeks ago

Same here, getting various errors at different stages of creating a provider.

Uncaught (in promise) TypeError: this.selected is undefined (ak-dual-select.ts:118:40)
Uncaught (in promise) TypeError: t is undefined render (ak-dual-select.ts:284)
TypeError: this.dualSelector.value.selected is undefined (lockdown-install.js:1:97687)

make-suffer commented 2 weeks ago

The dev version seems to fix it for me, but I only use OIDC for Outline, so maybe other cases don't work as well as mine. The only problem I have is: will upgrading from dev version to newer release with hotfixes bork my install or not?

ihatethecloud commented 2 weeks ago

> FWIW, only the provider creation UI appears to be affected, so you can still create providers through the API. For example, to create a proxy provider:
>
> curl -X POST -L 'https://your.authentik.host/api/v3/providers/proxy/' \
>   -H 'Content-Type: application/json' \
>   -H 'Authorization: Bearer <api_token_here>' \
>   --data '{"authorization_flow": "<authorization_flow_id>", "name": "New proxy", "external_host": "https://test", "mode": "forward_single"}'
>
> You can create an api token under Directory > Tokens and App Passwords. To find your authorization flow ID, I believe the easiest way is to navigate to the flow in Authentik and "export" it. That will download a .yaml file with the flow's details, and the flow ID will be in there as well. Example: 7aff7101-1222-48e4-a5c0-7ebc62775e48.
>
> Don't worry too much about the request details, as you can seemingly still modify the provider through the web interface. Only creation appears to be affected.

This worked just fine as a workaround

Seiikatsu commented 2 weeks ago

Same issue here, tried to setup authentik yesterday on my unraid server. Had to fix the version to 2024.6.4 and also wipe the database as a downgrade was not possible. (In my case that worked fine as it was a fresh installation without any data in it).

Mr-Boshi commented 2 weeks ago

Same issue on the k8s cluster, authentik release 2024.8.

tygrdotdev commented 2 weeks ago

Can confirm that downgrading to 2024.6.4 did the trick.

jangrewe commented 2 weeks ago

There's now 2024.8.1, which probably fixes this... so no need to downgrade anymore, I guess?

NCVito commented 2 weeks ago

> Can confirm that downgrading to 2024.6.4 did the trick.

Yup, that's where I'm living now too.

> There's now 2024.8.1, which probably fixes this... so no need to downgrade anymore, i guess?

Personally, I think I'm going to wait until it's confirmed before I go through it all again.

verchalent commented 2 weeks ago

Updated to 2024.8.1 and I am now able to create new oauth providers again. Still verifying everything, but it is no longer hanging at "Finish".

SirWobbyTheFirst commented 2 weeks ago

Anyone on 2024.6.4 done the update yet? If so, did you go direct from 2024.6.4 to 2024.8.1 or did you have to go through another version?

I’m going to backup the hell out of my Authentik instance.

