Version 2024.10.2 breaks Captcha stage

[AstroGD]

Describe the bug When updating to 2024.10.2, if you have a captcha stage, the login flow loads indefinitely and throws an error to console:

Uncaught (in promise) DOMException: Node.appendChild: Cannot have more than one Element child of a Document
    updated CaptchaStage.ts:176
    _$AE reactive-element.ts:1490
    performUpdate reactive-element.ts:1455
    scheduleUpdate reactive-element.ts:1338
    _$ET reactive-element.ts:1310
    requestUpdate reactive-element.ts:1268
    _$Ev reactive-element.ts:1017
    f reactive-element.ts:1000
    C lit-element.ts:122
    g Base.ts:63
    f base.ts:52
    me CaptchaStage.ts:69
    u lit-html.ts:1212
    $ lit-html.ts:1633
    _$AI lit-html.ts:1469
    setValue async-directive.ts:366
    update until.ts:90
    promise callback*update until.ts:72
    _$AS directive.ts:135
    S lit-html.ts:1168
    _$AI lit-html.ts:1446
    p lit-html.ts:1276
    $ lit-html.ts:1630
    _$AI lit-html.ts:1469
    Ct lit-html.ts:2269
    update lit-element.ts:163
    performUpdate reactive-element.ts:1441
    scheduleUpdate reactive-element.ts:1338
    _$ET reactive-element.ts:1310
    requestUpdate reactive-element.ts:1268
    set challenge FlowExecutor.ts:67
    set reactive-element.ts:756
    firstUpdated FlowExecutor.ts:251
    _$AE reactive-element.ts:1488
    performUpdate reactive-element.ts:1455
    scheduleUpdate reactive-element.ts:1338
    _$ET reactive-element.ts:1310
    requestUpdate reactive-element.ts:1268
    _$Ev reactive-element.ts:1017
    f reactive-element.ts:1000
    C lit-element.ts:122
    g Base.ts:63
    kn Interface.ts:45
    xn FlowExecutor.ts:167
    Ho custom-element.ts:60
    s chunk-SYELWAOX.js:1
    <anonymous> FlowExecutor.ts:53
CaptchaStage.ts:118:62

To Reproduce Steps to reproduce the behavior:

1. Have a flow with captcha stage as first step
2. Update to version 2024.10.2
3. Try to log in by visiting the flow
4. Infinite loading circle and error to console appear

Expected behavior Captcha stage is loaded correctly and the login form is shown

Screenshots

• My Flow:
• The infinite loading circle:

Logs Here are the frontend console outputs: Backend logs are provided below in the comment

Version and Deployment (please complete the following information):

• authentik version: 2024.10.2 (It works as intended in 2024.10.1)
• Deployment: docker compose

[AstroGD]

These are the backend logs fired when accessing the login page:

{"auth_via": "unauthenticated", "domain_url": "authentik.tld", "event": "/", "host": "authentik.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 103, "remote": "redacted-0.0.0.0", "request_id": "535459689b034ac49ba45de5380c9068", "runtime": 18, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-11-15T13:27:49.740781", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"auth_via": "unauthenticated", "domain_url": "authentik.tld", "event": "/flows/-/default/authentication/?next=/", "host": "authentik.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 103, "remote": "redacted-0.0.0.0", "request_id": "9090aee5c9404e93a21bcbf1015ba007", "runtime": 25, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2024-11-15T13:27:49.831025", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"auth_via": "unauthenticated", "domain_url": "authentik.tld", "event": "/if/flow/login/?next=%2F", "host": "authentik.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 103, "remote": "redacted-0.0.0.0", "request_id": "99f0c7c825424cce9f2a3c7b140ff42c", "runtime": 44, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-15T13:27:49.940793", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"auth_via": "unauthenticated", "domain_url": "authentik.tld", "event": "/api/v3/root/config/", "host": "authentik.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 103, "remote": "redacted-0.0.0.0", "request_id": "9da332d6cd2743799b5cd0c8155b1073", "runtime": 28, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-15T13:27:50.398084", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"auth_via": "unauthenticated", "domain_url": "authentik.tld", "event": "/api/v3/core/brands/current/", "host": "authentik.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 102, "remote": "redacted-0.0.0.0", "request_id": "1f222ed9b4d94ce2a95112019fce071b", "runtime": 68, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-15T13:27:50.463866", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"auth_via": "unauthenticated", "domain_url": "authentik.tld", "event": "/api/v3/root/config/", "host": "authentik.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 102, "remote": "redacted-0.0.0.0", "request_id": "f5ddcc47831c4b078b1f51ee109d0d70", "runtime": 30, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-15T13:27:50.489553", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"auth_via": "unauthenticated", "domain_url": "authentik.tld", "event": "/api/v3/core/brands/current/", "host": "authentik.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 103, "remote": "redacted-0.0.0.0", "request_id": "880251281d0c47e19cfb02c6ae40905b", "runtime": 60, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-15T13:27:50.494008", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"auth_via": "unauthenticated", "domain_url": "authentik.tld", "event": "/api/v3/flows/executor/login/?query=next%3D%252F", "host": "authentik.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 103, "remote": "redacted-0.0.0.0", "request_id": "9aa7a20e5b684f1d8f73b81558081003", "runtime": 47, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-11-15T13:27:50.516408", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}
{"domain_url": null, "event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 102, "remote": "redacted-0.0.0.0, redacted-0.0.0.0", "schema_name": "public", "scheme": "ws", "timestamp": "2024-11-15T13:27:51.357426", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}

[BeryJu]

Which captcha provider are you using?

[aefly]

Same here after upgrading from 2024.10.1, I tried both reCaptcha and Cloudflare Turnstile

[BeryJu]

When either captcha is configured as previously it should continue to work just fine, for reCaptcha v2 / Turnstile managed the new "Interactive" flag needs to be enabled

We'll test this with an upgraded instance with a captcha configured known working on 2024.10.1 as that should continue to work as is

[aefly]

I attempted a complete reinstallation of Authentik using the latest Docker image. I reconfigured my Turnstile Captcha, which is currently set to invisible mode (so interactive mode isn't required). However, I’m still encountering the same issue: an infinite loading circle, along with the same error appearing in the browser console.

[BeryJu]

The PR above will fix this issue. However as we've announced the security release 2024.10.3 for next week we can't create a bugfix release for this, however this will be available on the container image ghcr.io/goauthentik/dev-server:gh-version-2024.10 once the PR (and the cherry-pick) are merged

[carsten-re]

"Glad" to see that I'm not the only one :-) The login is working for me, when using WebAuthn as a login method. Hope, that it will be fixed in 2024.10.3

[yurividal]

Decided to update my reverse proxy today. After i was finished, i noticed my authelia was not working. Spent 4 hours trying to troubleshoot thinking the problem was on the proxy. turns out it was Authentik's 2024.10.2 broken captcha. Terrible timing... Downgraded to 2024.10.1, works fine now