Proxy/Forward auth with applications in subpaths

[SBado]

Describe the bug When accessing an URL behind an Authentik proxy provider, if the URL contains a subfolder the browser gets redirected to a wrong URL.

To Reproduce Steps to reproduce the behavior:

1. Create a proxy provider, type "Proxy"
2. Set the external host as https://domain.example/myapp
3. Note that "Allowed Redirect URIs" is set to https://domain.example/akprox/callback
4. Navigate to https://domain.example/myapp
5. The browser gets redirected to https://domain.example/myapp/akprox/callback, which is not an allowed redirect URI

Expected behavior The browser get redirected to https://domain.example/akprox/callback

Screenshots

Logs

Version and Deployment (please complete the following information):

• authentik version: 2022.1.5]
• Deployment: docker-compose

Additional context I think the problem is caused by the different outputs of two functions. Given the same external host URL https://domain.example/myapp, this is what they return:

• _get_callback_url: used to generate the allowed URIs -> https://domain.example/akprox/callback
• urlJoin : used to generate the redirection URL -> https://domain.example/myapp/akprox/callback

Maybe the Go function can be modified like this? (Or maybe not, honestly I didn't try).

[SBado]

@BeryJu I tried your fix, but it seems that it's not working:

1. • External host: https://domain.example/myapp
   • Allowed Redirect URIs: https://domain.example/outpost.goauthentik.io/callback
   • Browser redirects to https://domain.example/myapp/outpost.goauthentik.io/start -> Browser error (The Page isn’t Redirecting Properly)
2. • External host: https://domain.example/myapp/ (with trailing slash)
   • Allowed Redirect URIs: https://domain.example/myapp/outpost.goauthentik.io/callback
   • Browser redirects to https://domain.example/myapp/outpost.goauthentik.io/start -> Browser error (The Page isn’t Redirecting Properly)

With your fix AND my proposed code:

1. • External host: https://domain.example/myapp
   • Allowed Redirect URIs: https://domain.example/outpost.goauthentik.io/callback
   • Browser redirects to https://domain.example/outpost.goauthentik.io/start -> Everything works
2. • External host: https://domain.example/myapp/ (with trailing slash)
   • Allowed Redirect URIs: https://domain.example/myapp/outpost.goauthentik.io/callback
   • Browser redirects to https://domain.example/outpost.goauthentik.io/start -> Authentik error (Redirect URI Error The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri).)

With my proposed code only:

1. • External host: https://domain.example/myapp
   • Allowed Redirect URIs: https://domain.example/outpost.goauthentik.io/callback
   • Browser redirects to https://domain.example/outpost.goauthentik.io/start -> Everything works
2. • External host: https://domain.example/myapp/ (with trailing slash)
   • Allowed Redirect URIs: https://domain.example/outpost.goauthentik.io/callback
   • Browser redirects to https://domain.example/outpost.goauthentik.io/start -> Everything works

[BeryJu]

The reason I did the change I did was that for a subdirectory to work, /outpost.goauthentik.io would have to be mounted in the same subdirectory

[SBado]

@BeryJu So is your change working for you?

[BeryJu]

I've not actually gotten around to test this, mostly because even if it worked it wouldn't be something officially supported

[dgyulaid]

I'm running 2022.2.1 with the following nginx config, which works as intended:

location /vscode/ {
        proxy_pass http://localhost:8080/;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
        proxy_set_header Accept-Encoding gzip;

        auth_request        /vscode/outpost.goauthentik.io/auth/nginx;
        # authentik-specific config
        error_page          401 = @goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # translate headers from the outposts back to the actual upstream
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
        auth_request_set $authentik_email $upstream_http_x_authentik_email;
        auth_request_set $authentik_name $upstream_http_x_authentik_name;
        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups $authentik_groups;
        proxy_set_header X-authentik-email $authentik_email;
        proxy_set_header X-authentik-name $authentik_name;
        proxy_set_header X-authentik-uid $authentik_uid;

}
location /vscode/outpost.goauthentik.io {
        proxy_pass          http://localhost:9000/outpost.goauthentik.io;
        proxy_set_header    Host $host;
        proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
        add_header          Set-Cookie $auth_cookie;
        auth_request_set    $auth_cookie $upstream_http_set_cookie;
}

Proxy provider settings: Forward auth (single application) External host: https://domain.tld/vscode/

Generated allowed URIs: https://domain.tld/vscode/outpost.goauthentik.io/callback

For clarity: both vscode and goauthentik outpost runs on the host machine via docker and exposed ports, hence the localhost in my config.

[Cookie-Monster-Coder]

+1 I still have an issue with this

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[rickyelopez]

I'm also having this issue. Any suggestions? edit: I fixed it by adding a trailing / to the External Host after the subdirectory. Now I'm caught in an infinite redirect loop though, probably something unrelated that I did wrong.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[barrelltitor]

I'm running 2022.2.1 with the following nginx config, which works as intended:

location /vscode/ {
        proxy_pass http://localhost:8080/;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
        proxy_set_header Accept-Encoding gzip;

        auth_request        /vscode/outpost.goauthentik.io/auth/nginx;
        # authentik-specific config
        error_page          401 = @goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # translate headers from the outposts back to the actual upstream
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
        auth_request_set $authentik_email $upstream_http_x_authentik_email;
        auth_request_set $authentik_name $upstream_http_x_authentik_name;
        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups $authentik_groups;
        proxy_set_header X-authentik-email $authentik_email;
        proxy_set_header X-authentik-name $authentik_name;
        proxy_set_header X-authentik-uid $authentik_uid;

}
location /vscode/outpost.goauthentik.io {
        proxy_pass          http://localhost:9000/outpost.goauthentik.io;
        proxy_set_header    Host $host;
        proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
        add_header          Set-Cookie $auth_cookie;
        auth_request_set    $auth_cookie $upstream_http_set_cookie;
}

Proxy provider settings: Forward auth (single application) External host: https://domain.tld/vscode/

Generated allowed URIs: https://domain.tld/vscode/outpost.goauthentik.io/callback

For clarity: both vscode and goauthentik outpost runs on the host machine via docker and exposed ports, hence the localhost in my config.

What's your config for location @goauthentik_proxy_signin? This way it seems like you can only have a single subpath working, as the proxy signin can't be configured for multiple subpaths

Edit: Oh, I'm quite an idiot, just make a different signing location per subpath

[matthijsvdr]

and I just ran into the same issue, to bad this is not supported two years later :(

[prenone]

Are there plans to ever implement this feature?

In the mean time documentation should at least be updated to reflect the fact that subpaths are not supported, as this is NOT obvious.

EDIT: I managed to get subpath working with forward auth in Nginx using a rewrite rule. This is my configuration

External host: https://example.com/subpath/ Nginx configuration:

       ### proxy pass to my upstream and stuff

        ##############################
        # authentik-specific config
        ##############################
        auth_request     /subpath/outpost.goauthentik.io/auth/nginx;
        error_page       401 = @subpath_goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header       Set-Cookie $auth_cookie;

        # translate headers from the outposts back to the actual upstream
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
        auth_request_set $authentik_email $upstream_http_x_authentik_email;
        auth_request_set $authentik_name $upstream_http_x_authentik_name;
        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups $authentik_groups;
        proxy_set_header X-authentik-email $authentik_email;
        proxy_set_header X-authentik-name $authentik_name;
        proxy_set_header X-authentik-uid $authentik_uid;

        # This section should be uncommented when the "Send HTTP Basic authentication" option
        # is enabled in the proxy provider
        # auth_request_set $authentik_auth $upstream_http_authorization;
        # proxy_set_header Authorization $authentik_auth;
}

location /subpath/outpost.goauthentik.io {
        resolver 127.0.0.11 valid=30s;
        set $upstream_authentik authentik:9000;

        rewrite ^/subpath/outpost.goauthentik.io/(.*)$ /outpost.goauthentik.io/$1 break;

        proxy_pass http://$upstream_authentik;

        # When using the embedded outpost, use:
        #proxy_pass              http://authentik.company:9000/outpost.goauthentik.io;
        # For manual outpost deployments:
        # proxy_pass              http://outpost.company:9000;

        # Note: ensure the Host header matches your external authentik URL:
        proxy_set_header        Host $host;

        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
        add_header              Set-Cookie $auth_cookie;
        auth_request_set        $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @subpath_goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /subpath/outpost.goauthentik.io/start?rd=$request_uri;
        # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
        # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}