goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Proxmox Authentication over openID doesn't work anymore #2169

Closed hackmybeer closed 2 years ago

hackmybeer commented 2 years ago

Hey, like described in this Proxmox forum post, Proxmox authentication over OpenID isn't working anymore. Could somebody please look into this?

Thanks in advance (:

Kind Regards Maris

xpufx commented 2 years ago

@hackmybeer I just logged into my prox. I am running the latest authentik (2022.1.3) and the latest proxmox ( 7.1 with updates applied). You can find me on the discord channel if you'd like to compare configurations.

fwollny commented 2 years ago

@hackmybeer Can you post the syslog of Proxmox while trying to log in via OAuth?

xpufx commented 2 years ago

Mar 19 23:12:19 prox1 pvedaemon[3595767]: <root@pam> successful openid auth for user 'MYUSER@authentik'

This is the only thing in syslog.

Maximilian-Staab commented 2 years ago

I'm having the same issue. It also looks like the documentation is somewhat out of date: https://goauthentik.io/integrations/services/proxmox-ve/ It said to set the JWT Algorithm to RS256, but this setting isn't visible for me. When I check the openid-configuration, this is what I get (note the lack of RS256):

openid-configuration

```json
{
  "issuer": "https:///application/o/proxmox/",
  "authorization_endpoint": "https:///application/o/authorize/",
  "token_endpoint": "https:///application/o/token/",
  "userinfo_endpoint": "https:///application/o/userinfo/",
  "end_session_endpoint": "https:///if/session-end/proxmox/",
  "introspection_endpoint": "https:///application/o/introspect/",
  "response_types_supported": [
    "code",
    "id_token",
    "id_token token",
    "code token",
    "code id_token",
    "code id_token token"
  ],
  "jwks_uri": "https:///application/o/proxmox/jwks/",
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit",
    "client_credentials"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "acr_values_supported": [
    "goauthentik.io/providers/oauth2/default"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile"
  ],
  "request_parameter_supported": false,
  "claims_supported": [
    "sub"
  ],
  "claims_parameter_supported": false
}
```

EDIT: @hackmybeer I just added the self-signed certificate as Signing Key for the proxmox provider, now it works! Did you try that as well?

hackmybeer commented 2 years ago

Sorry for my inactivity. Thanks for all your replies! I'm going to test it later today. Thank you so much (:

hackmybeer commented 2 years ago

@Maximilian-Staab I think I did. I've added my config here: [screenshots]

Maximilian-Staab commented 2 years ago

Does it work for you? My setup is slightly different: I've kept my launch URL empty and I don't have a trailing slash in the redirect URL.

hackmybeer commented 2 years ago

No, it doesn't work :/

Here is my Proxmox config: [screenshot]

And this is the error message I'm getting when trying to use authentik as my ID-Provider: [screenshot]

BeryJu commented 2 years ago

> No, it doesn't work :/
>
> Here is my Proxmox config: [screenshot]
>
> And this is the error message I'm getting when trying to use authentik as my ID-Provider: [screenshot]

You are missing a leading slash on the issuer URL, with this URL it won't work since Proxmox will append a path and get a wrong URL

hackmybeer commented 2 years ago

> You are missing a leading slash on the issuer URL, with this URL it won't work since Proxmox will append a path and get a wrong URL

Thanks for your quick reply. I added it and sadly it still refuses to work...

Maximilian-Staab commented 2 years ago

Does the user you want to log in with exist? You need a <username>@authentik user, or you enable Autocreate Users in the OpenID config for proxmox. Also check your Issuer URL in the same config. I have a trailing slash, pretty sure that's what @BeryJu is referring to. See:

[screenshot]

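
The two provider-side problems discussed so far (an `id_token_signing_alg_values_supported` list that only contains HS256 until a Signing Key is set on the provider, and an issuer URL whose missing trailing slash changes where the `.well-known/openid-configuration` request lands) can both be caught before touching Proxmox. The following preflight script is an added example written for this thread, not authentik or Proxmox code. It assumes Proxmox resolves the well-known path relative to the issuer URL (RFC 3986 resolution, the "appends a path" behaviour described above); `auth.example.com` is a placeholder host and the two sample documents are constructed from the one posted earlier.

```python
"""Preflight for an authentik OAuth2/OIDC provider that Proxmox VE will consume.

Added example for this thread, not authentik or Proxmox code. Assumption:
PVE joins '.well-known/openid-configuration' onto the issuer URL using
RFC 3986 relative resolution (what urljoin does), so a missing trailing
slash replaces the last path segment instead of appending to it.
"""
import json
import ssl
from typing import Optional
from urllib.parse import urljoin
from urllib.request import urlopen

WELL_KNOWN = ".well-known/openid-configuration"
ISSUER = "https://auth.example.com/application/o/proxmox/"   # placeholder host

# Constructed sample: the document as posted above (HS256 only) ...
DOC_HS256 = {
    "issuer": ISSUER,
    "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
    "token_endpoint": "https://auth.example.com/application/o/token/",
    "jwks_uri": "https://auth.example.com/application/o/proxmox/jwks/",
    "response_types_supported": ["code", "id_token", "id_token token",
                                 "code token", "code id_token", "code id_token token"],
    "grant_types_supported": ["authorization_code", "refresh_token",
                              "implicit", "client_credentials"],
    "id_token_signing_alg_values_supported": ["HS256"],
    "scopes_supported": ["openid", "email", "profile"],
}
# ... and the same provider after a Signing Key (certificate) was attached.
DOC_RS256 = dict(DOC_HS256, id_token_signing_alg_values_supported=["RS256"])


def discovery_url(issuer: str) -> str:
    """Where a relative join of the well-known path sends the discovery request."""
    return urljoin(issuer, WELL_KNOWN)


def check_discovery(issuer: str, doc: dict) -> list:
    """Problems PVE would hit with this provider; an empty list means it looks usable."""
    problems = []
    if not issuer.endswith("/"):
        problems.append(
            f"issuer has no trailing slash; discovery would be fetched from "
            f"{discovery_url(issuer)} instead of {discovery_url(issuer + '/')}")
    if doc.get("issuer") != issuer:
        problems.append(
            f"issuer mismatch: configured {issuer!r} but provider says {doc.get('issuer')!r}")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append(
            f"no RS256 ID tokens (provider offers {algs}); set a Signing Key on the provider")
    if not doc.get("jwks_uri"):
        problems.append("no jwks_uri; PVE cannot fetch the public key to verify RS256 tokens")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not offered")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("openid scope not advertised")
    return problems


def fetch_discovery(issuer: str, cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Fetch the live document the way a client would (cafile for a private CA)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urlopen(discovery_url(issuer), context=ctx, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import sys
    # Usage: python3 preflight.py https://auth.example.com/application/o/proxmox/
    live = len(sys.argv) > 1
    issuer = sys.argv[1] if live else ISSUER
    doc = fetch_discovery(issuer) if live else DOC_HS256
    for problem in check_discovery(issuer, doc) or ["ok"]:
        print(problem)
```

Run it with the exact issuer string you typed into the Proxmox realm; the issuer-mismatch check is the one that catches a missing trailing slash even when the discovery document itself was reachable.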
hackmybeer commented 2 years ago

I don't even get to the part where I can log in. I just get an error 500 from the Proxmox API. I've also added the trailing slash but it doesn't work either :/ Autocreate is also enabled.

Maximilian-Staab commented 2 years ago

Make sure you use a private window or delete cookies every time you change something. Other than that I'm all out of ideas.

hackmybeer commented 2 years ago

Thanks for the quick reply (: In Authentik or Proxmox? To test the openID login I already use a private window :/ Hmm

Maximilian-Staab commented 2 years ago

The cookies for the domain your Proxmox is responding from, so pve.<something>.intern. Also, are you not using a proxy for your subdomain? I'm asking because of your use of both a specific subdomain and a non-standard port. My setup is probably a bit different from yours, so I can't really show you my configs (I'm using authentik both for authentication and as my proxy).

I'm pretty sure that when the 'datacenter-path', e.g. #v1:0:18:4:::::7::, was missing, my setup wasn't working as well. Maybe try adding that to the redirection URL.

Also we should probably move this to a private conversation. This isn't a bug report anymore. We could still update the documentation if we find out what's wrong with your config.

hackmybeer commented 2 years ago

Thanks, I agree with you.

hackmybeer commented 2 years ago

I finally found the issue. Turns out using your brain correctly would save you some time and a big headache. I neglected the fact that Proxmox, or in general all OSes, don't trust self-signed certificates... After playing around with CAs and certificates it finally works!

Thanks for trying to help me (: Have a nice day!
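
The resolution above is worth a concrete check: Proxmox is the OIDC client, so the PVE node's own trust store must contain the CA that signed authentik's certificate (for a self-signed certificate, that certificate itself), otherwise discovery and the token exchange fail before any login page is shown. The script below is an added example for this thread, not Proxmox or authentik code; it performs the same TLS handshake a client would, first against the system store and optionally against a candidate CA bundle, and reports the OpenSSL verification result. It assumes the issuer host and port come from the provider's issuer URL, and `auth.example.com` is a placeholder. The suggested fix path (`/usr/local/share/ca-certificates/*.crt` plus `update-ca-certificates`) is the standard Debian mechanism, which is what PVE runs on.

```python
"""Does this host trust the TLS certificate the authentik issuer presents?

Added example for this thread, not Proxmox or authentik code. Run on the
PVE node (Debian ships python3) against the provider's issuer URL.
Optionally pass a CA bundle to confirm it validates the chain before
installing it system-wide.
"""
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urlparse


def issuer_endpoint(issuer: str) -> Tuple[str, int]:
    """Host and port a client connects to for this issuer URL."""
    u = urlparse(issuer)
    if u.scheme != "https" or not u.hostname:
        raise ValueError(f"issuer must be an https URL with a hostname: {issuer!r}")
    return u.hostname, u.port or 443


def trust_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Default: the system store (/etc/ssl/certs on Debian).
    With cafile: only that bundle, i.e. a dry run of the CA you intend to install."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verify_issuer_tls(issuer: str, cafile: Optional[str] = None,
                      timeout: float = 5.0) -> Tuple[bool, str]:
    """Handshake like a client and report whether the chain verifies."""
    host, port = issuer_endpoint(issuer)
    ctx = trust_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer_dn = ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)
                return True, f"trusted chain; certificate issued by {issuer_dn}"
    except ssl.SSLCertVerificationError as e:
        # OpenSSL codes seen with private CAs: 18 self-signed leaf,
        # 19 self-signed cert in chain, 20 unable to get local issuer certificate
        return False, (
            f"not trusted: {e.verify_message} (OpenSSL code {e.verify_code}). "
            "On the PVE node: copy the CA certificate PEM (for a self-signed server "
            "certificate, that certificate itself) to "
            "/usr/local/share/ca-certificates/authentik-ca.crt and run update-ca-certificates")
    except (OSError, ssl.SSLError) as e:
        return False, f"could not complete TLS handshake with {host}:{port}: {e}"


if __name__ == "__main__":
    import sys
    # Usage: python3 tlscheck.py https://auth.example.com/application/o/proxmox/ [ca.pem]
    ok, msg = verify_issuer_tls(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print(("OK " if ok else "FAIL ") + msg)
    sys.exit(0 if ok else 1)
```

Running it once without a bundle and once with the CA file you plan to install tells you, before editing the trust store, whether that file is actually the missing anchor or just the server's leaf certificate.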

thimplicity commented 1 year ago

@hackmybeer I am facing the same issue and I am using Nginx Proxy Manager with a Let's Encrypt certificate. Are you doing the same now? I am facing the same issue as you

mgrimace commented 1 year ago

> @hackmybeer I am facing the same issue and I am using Nginx Proxy Manager with a Let's Encrypt certificate. Are you doing the same now? I am facing the same issue as you

What are you using in your 'advanced' tab in your NPM entry for PVE? I can use Authentik to login/authenticate Proxmox VE (e.g., if I launch the app directly from Authentik, then select the 'authentik' realm), but when attempting to use NPM with the 'default' advanced config just results in a 500 error.

thimplicity commented 1 year ago

> @hackmybeer I am facing the same issue and I am using Nginx Proxy Manager with a Let's Encrypt certificate. Are you doing the same now? I am facing the same issue as you

> What are you using in your 'advanced' tab in your NPM entry for PVE? I can use Authentik to login/authenticate Proxmox VE (e.g., if I launch the app directly from Authentik, then select the 'authentik' realm), but when attempting to use NPM with the 'default' advanced config just results in a 500 error.

Today when I open the proxmox URL, I need to login via authentik, but then I am forwarded to the proxmox login. When I try to use the Authentik realm, I get a 500 error (forwarding error).

My advanced tab in nginx proxy manager is empty, which seems to be part of the problem.

mgrimace commented 1 year ago

> Today when I open the proxmox URL, I need to login via authentik, but then I am forwarded to the proxmox login. When I try to use the Authentik realm, I get a 500 error (forwarding error).
>
> My advanced tab in nginx proxy manager is empty, which seems to be part of the problem.

I have the opposite issue: I can log in to the PVE optionally using the Authentik realm, but I can't force a user to log in via Authentik. My NPM points proxmox.mydomain.com to its internalIP:8006, and the advanced tab is also blank. In Authentik, I set it up exactly as the documentation, except I had to remove the port from https://proxmox.mydomain.com in Authentik, I think because NPM is already handling the port. For my other apps, I use the 'default' advanced config provided by Authentik. When I try to use the advanced config for PVE, this creates a 500 error for me, I think because my other apps use outpost/forwardauth whereas this is OpenID.

I'm not sure what to do to fix the issue, and I don't know why yours would even prompt the login via Authentik without the advanced tab!

thimplicity commented 1 year ago

> I'm not sure what to do to fix the issue, and I don't know why yours would even prompt the login via Authentik without the advanced tab!

I would not know either, because I was wrong :D. Same behavior as yours. Will try the port thing.

thimplicity commented 1 year ago

> Today when I open the proxmox URL, I need to login via authentik, but then I am forwarded to the proxmox login. When I try to use the Authentik realm, I get a 500 error (forwarding error). My advanced tab in nginx proxy manager is empty, which seems to be part of the problem.

> I have the opposite issue, I can login to the PVE optionally using the Authentik realm, but I can't force a user to login via Authentik. My NPM points proxmox.mydomain.com to its internalIP:8006, and advanced tab is also blank. in Authentik, I set it up exactly as the documentation, except I had to remove the port from https://proxmox.mydomain.com in Authentik, I think because NPM is already handling the port. My other apps, I use the 'default' advanced config provided by Authentik. When I try and use the advanced config for PVE, this creates a 500 error for me, I think because my other apps use outpost/forwardauth where this is openID.

Can you post your Authentik (provider and application) and proxmox config? I removed the port (all combinations of app and provider) without luck. Still getting this:

[screenshot]

mgrimace commented 1 year ago

Ok, here's Authentik, noting the only change from the guide was that I did not include :Port

Provider: [screenshot]

Application: [screenshot]

Here's Proxmox PVE, set up as a new realm

Note that NPM has an entry for Authentik called auth.mydomain.com already, the address I entered here was found in the metadata for the Proxmox Application in Authentik (i.e., click the application name, it lists a bunch of info). Same with the keys.

[screenshot]

Note also, that on my first login, Authentik created a user [myusername]@authentik. I had to log back into PVE as root, go to permissions and make this user an administrator. Otherwise you won't see anything when you log in.

Here's NPM, with proxmox.mydomain.com, SSL origin certificate from Cloudflare, and no advanced config because I have zero idea what to put there.

[screenshots]

All of this lets me choose to authenticate via Authentik by selecting the authentik realm from the PVE login window. My issue is that without the advanced config, I don't seem to have a way to force Authentik login when I use proxmox.mydomain.com.

thimplicity commented 1 year ago

Thanks a lot - two questions:

  1. Do you have a trailing / at the end of the URLs in the Authentik settings?
  2. Have you created the SSL certificate in NPM with Let'sEncrypt?

mgrimace commented 1 year ago

> Do you have a trailing / at the end of the URLs in the Authentik settings?

no, it is https://proxmox.mydomain.com - this was the only way I could even get it to work with NPM since the port was already 'mapped' there. Again, no idea if this is right.

> Have you created the SSL certificate in NPM with Let'sEncrypt?

no, I use Cloudflare (free tier) for my domain/DNS records, and I have an SSL origin certificate from them. In Cloudflare, my SSL is set to Full (Strict) and uses a wildcard for my various self-hosted sub-domains. I do not have Let'sEncrypt (as far as I know).

thimplicity commented 1 year ago

Got it! My setup is not exposed externally at all. Not sure that makes a difference, but I would not know why it would. How would Proxmox know it is an internal request only?

Will try your setup

thimplicity commented 1 year ago

Does not work - no idea what else to do here.

ArtLion74 commented 1 year ago

Guys, maybe a noob question, but I don't know where (in Authentik) I should take the Client Key value from (the value from Client Secret is not working) to put it into the Proxmox OpenID Connect Server. I get a 401 response. I take Client ID and Client Secret from the defined provider.

[screenshots]

Can you help me ?

Pandiora commented 10 months ago

Just in case anyone uses a reverse proxy (traefik) in front of Proxmox and got the same problem: look up your system logs (/var/log/syslog). If these logs state the username is too long (64 characters) then you have to alter what authentik is sending over to Proxmox - maybe use the email address of your user. The problem was discussed in the pm forum too.

Solution: Like suggested, I have changed my Proxmox provider in authentik > advanced protocol settings > subject mode and selected "Based on the User's Email" - voilà.
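
The "too long (64 characters)" log line above is not a coincidence: a SHA-256 hex digest is exactly 64 characters, and the resulting `<sub>@authentik` user ID is longer than what the PVE user-ID field accepts, so every subject mode that emits a hash is out. The script below is an added example for this thread, not authentik or Proxmox code. It assumes (as labelled in the code) that PVE's limit for the whole `user@realm` ID is the 64 characters the syslog message reports, that authentik's default hashed subject mode is the SHA-256 hex digest of the user's `uid`, and that the mode names are the ones listed; the user record is constructed.

```python
"""Which authentik subject mode yields a Proxmox-compatible username?

Added example for this thread, not authentik or Proxmox code. Assumptions:
PVE builds the user ID as '<sub>@<realm>' and rejects it above 64 chars
(the limit reported in the syslog line quoted above); authentik's hashed
subject mode emits sha256(uid) as hex, which alone is 64 chars.
"""
import hashlib

PVE_USERID_MAX = 64          # assumption: the limit the syslog line above reported
REALM = "authentik"          # the PVE realm name used throughout the thread

# Constructed sample user with the fields the subject modes read.
USER = {"pk": 42, "uid": "6f1c5e1c4b6a4a3a9c1e2d3f4a5b6c7d",
        "username": "maris", "email": "maris@example.com"}

# Subject modes offered under the provider's advanced protocol settings
# (names used here as labels; assumption).
MODES = ("hashed_user_id", "user_id", "user_username", "user_email")


def subject_for(mode: str, user: dict) -> str:
    """Value of the 'sub' claim for a given subject mode."""
    if mode == "hashed_user_id":
        return hashlib.sha256(user["uid"].encode()).hexdigest()   # 64 hex chars
    if mode == "user_id":
        return str(user["pk"])
    if mode == "user_username":
        return user["username"]
    if mode == "user_email":
        return user["email"]
    raise ValueError(f"unknown subject mode {mode!r}")


def pve_userid(sub: str, realm: str = REALM) -> str:
    """User ID PVE derives for an OpenID login (what 'Autocreate Users' creates)."""
    return f"{sub}@{realm}"


def fits_pve(sub: str, realm: str = REALM) -> bool:
    """True when the derived user ID stays within the length PVE accepts."""
    return len(pve_userid(sub, realm)) <= PVE_USERID_MAX


def report(user: dict, realm: str = REALM) -> dict:
    """mode -> (derived PVE user ID, accepted?) for every subject mode."""
    out = {}
    for mode in MODES:
        uid = pve_userid(subject_for(mode, user), realm)
        out[mode] = (uid, len(uid) <= PVE_USERID_MAX)
    return out


if __name__ == "__main__":
    for mode, (uid, ok) in report(USER).items():
        print(f"{'ok      ' if ok else 'too long'} {mode:15} {uid} ({len(uid)} chars)")
```

Username and email modes both fit; which one to pick is a separate decision, since the subject is the stable identity PVE keys ACLs on, and a mode whose value a user can change (email, username) means a rename creates a fresh PVE user with no permissions rather than following the old one.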