goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Issue with OAuth into Lithnet #3113

Closed water-pc closed 2 years ago

water-pc commented 2 years ago

Describe the bug

We are using authentik to authenticate to Lithnet with OAuth. If we upgrade authentik from 2022.4.1, we get an authentication error in Lithnet. Lithnet logs state that "Both 'id_token' and 'code' are null". No other changes were made besides upgrading the authentik version.

To Reproduce

  1. Install authentik 2022.4.1
  2. Configure an LDAP Source pointing to your Active Directory servers
  3. Add a Scope property mapping return { "upn": user.attributes.get("upn", "") }
  4. Add an OAuth2/OpenID provider using Confidential client type and include the above scope
  5. Add an application using the above provider pointing to your Lithnet server
  6. Set the authorization in Lithnet Access Manager configuration tool to use OpenID Connect with the ClientID and Secret from your created provider. Issuer/authority should be https://_authentik web address_/application/o/application slug/ e.g. https://authentik.company.com/application/o/lithnet/
  7. Log into authentik with an AD account. Click on Lithnet
  8. Verify that the request access page opens
  9. Close the browser and/or force the session to expire
  10. Update authentik to 2022.6.2
  11. Log into authentik with the AD account and open Lithnet again
  12. Get "An unexpected error occurred"

Expected behavior

The normal request access page opens.

Logs

No error is generated in authentik.

Error in Lithnet is below:

2022-06-17 16:22:08.3636|ERROR|Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler|Exception occurred while processing message. Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: IDX21334: Both 'id_token' and 'code' are null in OpenIdConnectProtocolValidationContext.ProtocolMessage received from Authorization Endpoint. Cannot process the message.
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
2022-06-17 16:22:08.3636|ERROR|Lithnet.AccessManager.Service.AppSettings.OidcAuthenticationProvider|The authentication provider returned an error Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: IDX21334: Both 'id_token' and 'code' are null in OpenIdConnectProtocolValidationContext.ProtocolMessage received from Authorization Endpoint. Cannot process the message.
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolValidator.ValidateAuthenticationResponse(OpenIdConnectProtocolValidationContext validationContext)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()

Version and Deployment:

Additional context

We're using caddy (2.5.1) as a reverse proxy to authentik, but I don't think that is affecting the setup. The OAuth refresh code appears to have the same information between 2022.4.1 and 2022.6.2, as does the "Application authorized" event. Sorry, there's a bit of setup that goes with Lithnet, but the OpenID integration only has the Client ID, Client Secret, and Issuer. We built a test version of both Lithnet and authentik, so we can fairly quickly rebuild to swap between versions and authentik and get logs from either version.

BeryJu commented 2 years ago

The only notable issue I can see from your report is this:

> Issuer/authority should be https://authentik web address/application/o/application slug
> e.g. https://authentik.company.com/application/o/lithnet

The issuer needs to end with a trailing slash, this is required, as that's how the tokens are created. I assume Lithnet uses the OIDC well-known URL to configure itself, which it should be able to access to correctly, but the Issuer won't match and as such the ID Token cannot be validated.

water-pc commented 2 years ago

> The only notable issue I can see from your report is this:
>
> > Issuer/authority should be https://authentik web address/application/o/application slug
> > e.g. https://authentik.company.com/application/o/lithnet
>
> The issuer needs to end with a trailing slash, this is required, as that's how the tokens are created. I assume Lithnet uses the OIDC well-known URL to configure itself, which it should be able to access to correctly, but the Issuer won't match and as such the ID Token cannot be validated.

Sorry, I must have accidentally removed that while editing the issue. I just double-checked, and we do have the trailing slash in the configuration. I amended the instructions above.

BeryJu commented 2 years ago

The other thing I could imagine: does the redirect URI contain uppercase letters? In that case that's an authentik issue and will be fixed in 2022.6.3.

water-pc commented 2 years ago

> The other thing I could imagine: does the redirect URI contain uppercase letters? In that case that's an authentik issue and will be fixed in 2022.6.3.

No, it's just the Lithnet server address + "/auth". I let it populate automatically after signing in. I just tested in 2022.6.3 and get the same result.

BeryJu commented 2 years ago

Hmm, could you also post the authentik server container logs while logging into lithnet?

water-pc commented 2 years ago

> Hmm, could you also post the authentik server container logs while logging into lithnet?

2022-06-20T17:36:27.326877153Z {"event": "/api/v3/core/applications/", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 16, "remote": "10.1.0.217", "request_id": "5133c8c363284b3588691e8f670d997d", "runtime": 166, "scheme": "https", "status": 200, "timestamp": "2022-06-20T17:36:27.326666", "user": "testuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.125 Safari/537.36"}
2022-06-20T17:36:28.237244609Z {"event": "/-/health/live/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 15, "remote": "127.0.0.1", "request_id": "2e017c1c626845328ba531f5b12b31f5", "runtime": 6, "scheme": "http", "status": 204, "timestamp": "2022-06-20T17:36:28.237032", "user": "", "user_agent": "goauthentik.io/proxy/healthcheck"}
2022-06-20T17:36:44.539303249Z {"event": "/application/o/authorize/?client_id=45675a1529281068f58c8109352dba2eda58328f&redirect_uri=https%3A%2F%2Flithnet-test.company.com%2Fauth&response_type=code&scope=openid%20profile&code_challenge=slPRlKQXzFvpvMq28xXOs5oBCbEGrRZ11vWCVrhGuqc&code_challenge_method=S256&response_mode=form_post&nonce=637913434044872300.ZDliODE0NWYtMmRjZi00ZGUwLTllZTEtMmUzOWRhMmM5OTY5ZWY2MjQ1ODEtNjVhOC00ODhlLThiMmItYzAwZTgyMDZlODM0&state=CfDJ8IBUmBJ4t1ZPjN_9Bi4r4bkVHBugJkAVaSyUm_SM82LpoG1U4DfXuUGJEACiHc4UCV8tGw8ue49VD4hksE0xYcdw5AzrDkUxYIdwcZhe1D7DDl3WPrGtqSNo4-9eAs5u0t_E7qiWOznEKK5-yhERGazuEPOiHvAUgN93dqIgyJVoIY7Q_zLDmKzhso7u3scBS1Tdz2SaLXVmGeYW5wXTdLZYnh12Wc7FbPDV7WdiIUuaBD5nymrphOu3Z-wvcthUUVWBCdCSh05bIypSje9PTjTVYxBTR8PW_-VIY_jEG4FtrhaMXeDpu7ssZopOl7z3EE8iX65TSyTIaY57zPugGBxJWG2JbTxB-Qmz2oXpG5E65WmlbnEUss5CIV2kE2dKfYiry0qrhvmKkz8sz0kQtb-nJFjiwEywSKEpgPQ6m5A0&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.7.1.0", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 16, "remote": "10.1.0.217", "request_id": "5b2ae13bd7ed4961aab0950a7f9d1aff", "runtime": 25, "scheme": "https", "status": 302, "timestamp": "2022-06-20T17:36:44.539096", "user": "testuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.125 Safari/537.36"}
2022-06-20T17:36:44.560608616Z {"event": "/if/flow/default-provider-authorization-implicit-consent/?client_id=45675a1529281068f58c8109352dba2eda58328f&redirect_uri=https%3A%2F%2Flithnet-test.company.com%2Fauth&response_type=code&scope=openid+profile&code_challenge=slPRlKQXzFvpvMq28xXOs5oBCbEGrRZ11vWCVrhGuqc&code_challenge_method=S256&response_mode=form_post&nonce=637913434044872300.ZDliODE0NWYtMmRjZi00ZGUwLTllZTEtMmUzOWRhMmM5OTY5ZWY2MjQ1ODEtNjVhOC00ODhlLThiMmItYzAwZTgyMDZlODM0&state=CfDJ8IBUmBJ4t1ZPjN_9Bi4r4bkVHBugJkAVaSyUm_SM82LpoG1U4DfXuUGJEACiHc4UCV8tGw8ue49VD4hksE0xYcdw5AzrDkUxYIdwcZhe1D7DDl3WPrGtqSNo4-9eAs5u0t_E7qiWOznEKK5-yhERGazuEPOiHvAUgN93dqIgyJVoIY7Q_zLDmKzhso7u3scBS1Tdz2SaLXVmGeYW5wXTdLZYnh12Wc7FbPDV7WdiIUuaBD5nymrphOu3Z-wvcthUUVWBCdCSh05bIypSje9PTjTVYxBTR8PW_-VIY_jEG4FtrhaMXeDpu7ssZopOl7z3EE8iX65TSyTIaY57zPugGBxJWG2JbTxB-Qmz2oXpG5E65WmlbnEUss5CIV2kE2dKfYiry0qrhvmKkz8sz0kQtb-nJFjiwEywSKEpgPQ6m5A0&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.7.1.0", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 16, "remote": "10.1.0.217", "request_id": "09a8b869d8d8428689dc66adc59143c8", "runtime": 11, "scheme": "https", "status": 200, "timestamp": "2022-06-20T17:36:44.560411", "user": "testuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.125 Safari/537.36"}
2022-06-20T17:36:44.760069242Z {"event": "/api/v3/core/tenants/current/", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 16, "remote": "10.1.0.217", "request_id": "766a750b7da9419f950d8ff040bf526c", "runtime": 50, "scheme": "https", "status": 200, "timestamp": "2022-06-20T17:36:44.759632", "user": "testuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.125 Safari/537.36"}
2022-06-20T17:36:44.779191802Z {"action": "authorize_application", "client_ip": "10.1.0.217", "context": {"authorized_application": {"app": "authentik_core", "model_name": "application", "name": "Lithnet", "pk": "e8b6c871a4e6469b9143b322bbfce81e"}, "flow": "7451755996664afcafc697828bb9db6e", "http_request": {"args": {"query": "client_id=45675a1529281068f58c8109352dba2eda58328f&redirect_uri=https%3A%2F%2Flithnet-test.company.com%2Fauth&response_type=code&scope=openid+profile&code_challenge=slPRlKQXzFvpvMq28xXOs5oBCbEGrRZ11vWCVrhGuqc&code_challenge_method=S256&response_mode=form_post&nonce=637913434044872300.ZDliODE0NWYtMmRjZi00ZGUwLTllZTEtMmUzOWRhMmM5OTY5ZWY2MjQ1ODEtNjVhOC00ODhlLThiMmItYzAwZTgyMDZlODM0&state=CfDJ8IBUmBJ4t1ZPjN_9Bi4r4bkVHBugJkAVaSyUm_SM82LpoG1U4DfXuUGJEACiHc4UCV8tGw8ue49VD4hksE0xYcdw5AzrDkUxYIdwcZhe1D7DDl3WPrGtqSNo4-9eAs5u0t_E7qiWOznEKK5-yhERGazuEPOiHvAUgN93dqIgyJVoIY7Q_zLDmKzhso7u3scBS1Tdz2SaLXVmGeYW5wXTdLZYnh12Wc7FbPDV7WdiIUuaBD5nymrphOu3Z-wvcthUUVWBCdCSh05bIypSje9PTjTVYxBTR8PW_-VIY_jEG4FtrhaMXeDpu7ssZopOl7z3EE8iX65TSyTIaY57zPugGBxJWG2JbTxB-Qmz2oXpG5E65WmlbnEUss5CIV2kE2dKfYiry0qrhvmKkz8sz0kQtb-nJFjiwEywSKEpgPQ6m5A0&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.7.1.0"}, "method": "GET", "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/"}, "scopes": "openid, profile"}, "event": "Created Event", "host": "openid-test.company.com", "level": "info", "logger": "authentik.events", "pid": 16, "request_id": "9ccf7495aa0e4c54a3f2709cdb70db3a", "timestamp": "2022-06-20T17:36:44.778873", "user": {"email": "testuser@company.com", "pk": 1546, "username": "testuser"}}
2022-06-20T17:36:44.789430834Z {"event": "/api/v3/root/config/", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 16, "remote": "10.1.0.217", "request_id": "5156423cd1ee4e9bba83954310383c6f", "runtime": 62, "scheme": "https", "status": 200, "timestamp": "2022-06-20T17:36:44.788964", "user": "testuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.125 Safari/537.36"}
2022-06-20T17:36:44.813063708Z {"event": "Task published", "host": "openid-test.company.com", "level": "info", "logger": "authentik.root.celery", "pid": 16, "request_id": "9ccf7495aa0e4c54a3f2709cdb70db3a", "task_id": "8c8887a8-64fb-4e6c-a363-79540364657b", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2022-06-20T17:36:44.812817"}
2022-06-20T17:36:44.822104136Z {"action": "model_created", "client_ip": "10.1.0.217", "context": {"http_request": {"args": {"query": "client_id=45675a1529281068f58c8109352dba2eda58328f&redirect_uri=https%3A%2F%2Flithnet-test.company.com%2Fauth&response_type=code&scope=openid+profile&code_challenge=slPRlKQXzFvpvMq28xXOs5oBCbEGrRZ11vWCVrhGuqc&code_challenge_method=S256&response_mode=form_post&nonce=637913434044872300.ZDliODE0NWYtMmRjZi00ZGUwLTllZTEtMmUzOWRhMmM5OTY5ZWY2MjQ1ODEtNjVhOC00ODhlLThiMmItYzAwZTgyMDZlODM0&state=CfDJ8IBUmBJ4t1ZPjN_9Bi4r4bkVHBugJkAVaSyUm_SM82LpoG1U4DfXuUGJEACiHc4UCV8tGw8ue49VD4hksE0xYcdw5AzrDkUxYIdwcZhe1D7DDl3WPrGtqSNo4-9eAs5u0t_E7qiWOznEKK5-yhERGazuEPOiHvAUgN93dqIgyJVoIY7Q_zLDmKzhso7u3scBS1Tdz2SaLXVmGeYW5wXTdLZYnh12Wc7FbPDV7WdiIUuaBD5nymrphOu3Z-wvcthUUVWBCdCSh05bIypSje9PTjTVYxBTR8PW_-VIY_jEG4FtrhaMXeDpu7ssZopOl7z3EE8iX65TSyTIaY57zPugGBxJWG2JbTxB-Qmz2oXpG5E65WmlbnEUss5CIV2kE2dKfYiry0qrhvmKkz8sz0kQtb-nJFjiwEywSKEpgPQ6m5A0&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.7.1.0"}, "method": "GET", "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/"}, "model": {"app": "authentik_providers_oauth2", "model_name": "authorizationcode", "name": "Authorization code for OAuth2 Provider Lithnet OpenID for user testuser", "pk": 2}}, "event": "Created Event", "host": "openid-test.company.com", "level": "info", "logger": "authentik.events", "pid": 16, "request_id": "9ccf7495aa0e4c54a3f2709cdb70db3a", "timestamp": "2022-06-20T17:36:44.821671", "user": {"email": "testuser@company.com", "pk": 1546, "username": "testuser"}}
2022-06-20T17:36:44.836124780Z {"event": "Task published", "host": "openid-test.company.com", "level": "info", "logger": "authentik.root.celery", "pid": 16, "request_id": "9ccf7495aa0e4c54a3f2709cdb70db3a", "task_id": "4e9a838d-9cb5-4fe5-a5da-8cb6d49ca9bc", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2022-06-20T17:36:44.835910"}
2022-06-20T17:36:45.572402190Z {"event": "/-/health/ready/", "host": "localhost:9000", "level": "info", "logger": "authentik.asgi", "method": "HEAD", "pid": 16, "remote": "127.0.0.1", "request_id": "b4474f9291d24343bcae928338755272", "runtime": 19, "scheme": "http", "status": 204, "timestamp": "2022-06-20T17:36:45.572199", "user": "", "user_agent": "goauthentik.io lifecycle Healthcheck"}
2022-06-20T17:36:46.188819324Z {"action": "model_created", "client_ip": "10.1.0.217", "context": {"http_request": {"args": {"query": "client_id=45675a1529281068f58c8109352dba2eda58328f&redirect_uri=https%3A%2F%2Flithnet-test.company.com%2Fauth&response_type=code&scope=openid+profile&code_challenge=slPRlKQXzFvpvMq28xXOs5oBCbEGrRZ11vWCVrhGuqc&code_challenge_method=S256&response_mode=form_post&nonce=637913434044872300.ZDliODE0NWYtMmRjZi00ZGUwLTllZTEtMmUzOWRhMmM5OTY5ZWY2MjQ1ODEtNjVhOC00ODhlLThiMmItYzAwZTgyMDZlODM0&state=CfDJ8IBUmBJ4t1ZPjN_9Bi4r4bkVHBugJkAVaSyUm_SM82LpoG1U4DfXuUGJEACiHc4UCV8tGw8ue49VD4hksE0xYcdw5AzrDkUxYIdwcZhe1D7DDl3WPrGtqSNo4-9eAs5u0t_E7qiWOznEKK5-yhERGazuEPOiHvAUgN93dqIgyJVoIY7Q_zLDmKzhso7u3scBS1Tdz2SaLXVmGeYW5wXTdLZYnh12Wc7FbPDV7WdiIUuaBD5nymrphOu3Z-wvcthUUVWBCdCSh05bIypSje9PTjTVYxBTR8PW_-VIY_jEG4FtrhaMXeDpu7ssZopOl7z3EE8iX65TSyTIaY57zPugGBxJWG2JbTxB-Qmz2oXpG5E65WmlbnEUss5CIV2kE2dKfYiry0qrhvmKkz8sz0kQtb-nJFjiwEywSKEpgPQ6m5A0&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.7.1.0"}, "method": "GET", "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/"}, "model": {"app": "authentik_providers_oauth2", "model_name": "refreshtoken", "name": "Refresh Token for OAuth2 Provider Lithnet OpenID for user testuser", "pk": 2}}, "event": "Created Event", "host": "openid-test.company.com", "level": "info", "logger": "authentik.events", "pid": 16, "request_id": "9ccf7495aa0e4c54a3f2709cdb70db3a", "timestamp": "2022-06-20T17:36:46.188581", "user": {"email": "testuser@company.com", "pk": 1546, "username": "testuser"}}
2022-06-20T17:36:46.192902937Z {"event": "Task published", "host": "openid-test.company.com", "level": "info", "logger": "authentik.root.celery", "pid": 16, "request_id": "9ccf7495aa0e4c54a3f2709cdb70db3a", "task_id": "e6e7262b-9d6f-42bf-b21d-c7587d1a7514", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2022-06-20T17:36:46.192735"}
2022-06-20T17:36:46.204998374Z {"event": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/?query=client_id%3D45675a1529281068f58c8109352dba2eda58328f%26redirect_uri%3Dhttps%253A%252F%252Flithnet-test.company.com%252Fauth%26response_type%3Dcode%26scope%3Dopenid%2Bprofile%26code_challenge%3DslPRlKQXzFvpvMq28xXOs5oBCbEGrRZ11vWCVrhGuqc%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637913434044872300.ZDliODE0NWYtMmRjZi00ZGUwLTllZTEtMmUzOWRhMmM5OTY5ZWY2MjQ1ODEtNjVhOC00ODhlLThiMmItYzAwZTgyMDZlODM0%26state%3DCfDJ8IBUmBJ4t1ZPjN_9Bi4r4bkVHBugJkAVaSyUm_SM82LpoG1U4DfXuUGJEACiHc4UCV8tGw8ue49VD4hksE0xYcdw5AzrDkUxYIdwcZhe1D7DDl3WPrGtqSNo4-9eAs5u0t_E7qiWOznEKK5-yhERGazuEPOiHvAUgN93dqIgyJVoIY7Q_zLDmKzhso7u3scBS1Tdz2SaLXVmGeYW5wXTdLZYnh12Wc7FbPDV7WdiIUuaBD5nymrphOu3Z-wvcthUUVWBCdCSh05bIypSje9PTjTVYxBTR8PW_-VIY_jEG4FtrhaMXeDpu7ssZopOl7z3EE8iX65TSyTIaY57zPugGBxJWG2JbTxB-Qmz2oXpG5E65WmlbnEUss5CIV2kE2dKfYiry0qrhvmKkz8sz0kQtb-nJFjiwEywSKEpgPQ6m5A0%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D6.7.1.0", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 16, "remote": "10.1.0.217", "request_id": "9ccf7495aa0e4c54a3f2709cdb70db3a", "runtime": 1485, "scheme": "https", "status": 200, "timestamp": "2022-06-20T17:36:46.204774", "user": "testuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.125 Safari/537.36"}

These are the logs starting from just after signing into authentik but before clicking the Lithnet app.

BeryJu commented 2 years ago

Hmm, the authorization seems to work correctly, but there's no request to the /o/token/ endpoint, not sure if it just uses the access token

water-pc commented 2 years ago

> Hmm, the authorization seems to work correctly, but there's no request to the /o/token/ endpoint, not sure if it just uses the access token

Here's the same logs with 2022.4.1 installed (on a clean install, so the IDs won't match; and this was the first login, so it also is setting the redirect URI).

2022-06-20T19:00:03.491972246Z {"auth_via": "secret_key", "event": "/api/v3/core/tenants/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 17, "remote": "127.0.0.1", "request_id": "d4cb71964d964d74affc1c0b5d80ca37", "runtime": 42, "scheme": "http", "status": 200, "timestamp": "2022-06-20T19:00:03.491769", "user": "ak-outpost-b40bba6903d5446f966f68d4fb9a92d7", "user_agent": "goauthentik.io/outpost/2022.4.1"}
2022-06-20T19:00:24.259073091Z {"event": "/-/health/live/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 16, "remote": "127.0.0.1", "request_id": "460fa503421c4aef9fcfc25884d7d4f1", "runtime": 7, "scheme": "http", "status": 204, "timestamp": "2022-06-20T19:00:24.258897", "user": "", "user_agent": "goauthentik.io/proxy/healthcheck"}
2022-06-20T19:00:27.724100947Z {"event": "/-/health/ready/", "host": "localhost:9000", "level": "info", "logger": "authentik.asgi", "method": "HEAD", "pid": 17, "remote": "127.0.0.1", "request_id": "2bf079a20e484bbfa7dfded9ab5e453f", "runtime": 10, "scheme": "http", "status": 204, "timestamp": "2022-06-20T19:00:27.723912", "user": "", "user_agent": "goauthentik.io lifecycle Healthcheck"}
2022-06-20T19:00:29.529819591Z {"event": "/application/o/lithnet/.well-known/openid-configuration", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 17, "remote": "10.1.1.60", "request_id": "fe6879ac2dff4a4187eda4bea8c39cd6", "runtime": 56, "scheme": "https", "status": 200, "timestamp": "2022-06-20T19:00:29.529609", "user": "", "user_agent": "Microsoft ASP.NET Core OpenIdConnect handler"}
2022-06-20T19:00:29.673055651Z {"event": "/application/o/lithnet/jwks/", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 17, "remote": "10.1.1.60", "request_id": "01da293efd624071aae4123b0383a04a", "runtime": 45, "scheme": "https", "status": 200, "timestamp": "2022-06-20T19:00:29.672868", "user": "", "user_agent": "Microsoft ASP.NET Core OpenIdConnect handler"}
2022-06-20T19:00:29.719887908Z {"event": "Setting redirect for blank redirect_uris", "host": "openid-test.company.com", "level": "info", "logger": "authentik.providers.oauth2.views.authorize", "pid": 17, "redirect": "https://lithnet-test.company.com/auth", "request_id": "0d4251636e2945b9af4187d181aa6091", "timestamp": "2022-06-20T19:00:29.719710"}
2022-06-20T19:00:29.744340833Z {"event": "Task published", "host": "openid-test.company.com", "level": "info", "logger": "authentik.root.celery", "pid": 17, "request_id": "0d4251636e2945b9af4187d181aa6091", "task_id": "09fcf90f-ce08-43ca-a12b-bc0977510106", "task_name": "authentik.outposts.tasks.outpost_post_save", "timestamp": "2022-06-20T19:00:29.744177"}
2022-06-20T19:00:29.755582998Z {"event": "Task published", "host": "openid-test.company.com", "level": "info", "logger": "authentik.root.celery", "pid": 17, "request_id": "0d4251636e2945b9af4187d181aa6091", "task_id": "d0b90495-0a7a-480c-9325-f1d4f4f5a778", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2022-06-20T19:00:29.755337"}
2022-06-20T19:00:29.789691393Z {"event": "/application/o/authorize/?client_id=6314bc884bc1d9a9fa94a68efbb3192d71fd0ab3&redirect_uri=https%3A%2F%2Flithnet-test.company.com%2Fauth&response_type=code&scope=openid%20profile&code_challenge=sasEhAyrttUt9iwKQFBQOMKaXQw4ZPQWsMBI5p118bE&code_challenge_method=S256&response_mode=form_post&nonce=637913484296876145.ODgyZjIzZjAtZWU1Mi00NjEwLWI3MjAtYjM5MTQ1NjFkMTIyOGVlNjRmYTYtODExNS00ODE0LTkwMmQtZGVjNjQwNmZjZWJl&state=CfDJ8IBUmBJ4t1ZPjN_9Bi4r4bm-JxsBh1AqEf7q7goxy1OO3Jz_bxpSGCHnfGcCx0MyV1qX3KK2BfwU-07HF_nmWmv-DTH4CV4QoIapzAxLmU0abFNlxrTh92JZkvIaY8MdZR-WTjMxPzqznL1SfASp0o_Gktn0TQahLRUfnYfYBDbv7VG5g70LIUXW_TZ9a0ooK3BNsd0Xsry-_i0fgIW6uSSljuKUFkwP9eHApnrW9Lp1X8B_0n5IYwnXZE1O3zGWP_X1XuXMoIgYNMoZbfCXsNmLu6Xot5s50cSRkgB6Kf-fq-PWp6GaYMENIomnMDuZgjlwqDlk9CevXjJUIe7_vLCuSaOU0tZk1jIUuZ_4P_KeNiIbtwzYU5ERlQy28yu-dspOa2jzRtzf56dVxo33o1EdFq5BEr9fxsExLxnd54Dy&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.7.1.0", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 17, "remote": "10.1.0.217", "request_id": "0d4251636e2945b9af4187d181aa6091", "runtime": 85, "scheme": "https", "status": 302, "timestamp": "2022-06-20T19:00:29.789496", "user": "testuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.125 Safari/537.36"}
2022-06-20T19:00:29.823617789Z {"event": "/if/flow/default-provider-authorization-implicit-consent/?client_id=6314bc884bc1d9a9fa94a68efbb3192d71fd0ab3&redirect_uri=https%3A%2F%2Flithnet-test.company.com%2Fauth&response_type=code&scope=openid+profile&code_challenge=sasEhAyrttUt9iwKQFBQOMKaXQw4ZPQWsMBI5p118bE&code_challenge_method=S256&response_mode=form_post&nonce=637913484296876145.ODgyZjIzZjAtZWU1Mi00NjEwLWI3MjAtYjM5MTQ1NjFkMTIyOGVlNjRmYTYtODExNS00ODE0LTkwMmQtZGVjNjQwNmZjZWJl&state=CfDJ8IBUmBJ4t1ZPjN_9Bi4r4bm-JxsBh1AqEf7q7goxy1OO3Jz_bxpSGCHnfGcCx0MyV1qX3KK2BfwU-07HF_nmWmv-DTH4CV4QoIapzAxLmU0abFNlxrTh92JZkvIaY8MdZR-WTjMxPzqznL1SfASp0o_Gktn0TQahLRUfnYfYBDbv7VG5g70LIUXW_TZ9a0ooK3BNsd0Xsry-_i0fgIW6uSSljuKUFkwP9eHApnrW9Lp1X8B_0n5IYwnXZE1O3zGWP_X1XuXMoIgYNMoZbfCXsNmLu6Xot5s50cSRkgB6Kf-fq-PWp6GaYMENIomnMDuZgjlwqDlk9CevXjJUIe7_vLCuSaOU0tZk1jIUuZ_4P_KeNiIbtwzYU5ERlQy28yu-dspOa2jzRtzf56dVxo33o1EdFq5BEr9fxsExLxnd54Dy&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.7.1.0", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 17, "remote": "10.1.0.217", "request_id": "2c5d83738c014b728505dbf605ad429d", "runtime": 16, "scheme": "https", "status": 200, "timestamp": "2022-06-20T19:00:29.823409", "user": "testuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.125 Safari/537.36"}
2022-06-20T19:00:30.184845082Z {"event": "/api/v3/core/tenants/current/", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 17, "remote": "10.1.0.217", "request_id": "18cff9a40ba74176a88215e103a1e67d", "runtime": 132, "scheme": "https", "status": 200, "timestamp": "2022-06-20T19:00:30.184557", "user": "testuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.125 Safari/537.36"}
2022-06-20T19:00:30.224886260Z {"event": "/api/v3/root/config/", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 16, "remote": "10.1.0.217", "request_id": "ac781d5afba848838b16332318574485", "runtime": 155, "scheme": "https", "status": 200, "timestamp": "2022-06-20T19:00:30.222109", "user": "testuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.125 Safari/537.36"}
2022-06-20T19:00:30.243811202Z {"event": "Task published", "host": "openid-test.company.com", "level": "info", "logger": "authentik.root.celery", "pid": 16, "request_id": "2b7624781d624be4b58deb9d6d20c3ec", "task_id": "e3e6a935-efc2-44dd-8097-30078ba5c47e", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2022-06-20T19:00:30.243124"}
2022-06-20T19:00:30.254897868Z {"event": "Task published", "host": "openid-test.company.com", "level": "info", "logger": "authentik.root.celery", "pid": 16, "request_id": "2b7624781d624be4b58deb9d6d20c3ec", "task_id": "d33ccfd4-706b-4a8a-80e6-e2d56ef39c31", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2022-06-20T19:00:30.254513"}
2022-06-20T19:00:30.267636629Z {"event": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/?query=client_id%3D6314bc884bc1d9a9fa94a68efbb3192d71fd0ab3%26redirect_uri%3Dhttps%253A%252F%252Flithnet-test.company.com%252Fauth%26response_type%3Dcode%26scope%3Dopenid%2Bprofile%26code_challenge%3DsasEhAyrttUt9iwKQFBQOMKaXQw4ZPQWsMBI5p118bE%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637913484296876145.ODgyZjIzZjAtZWU1Mi00NjEwLWI3MjAtYjM5MTQ1NjFkMTIyOGVlNjRmYTYtODExNS00ODE0LTkwMmQtZGVjNjQwNmZjZWJl%26state%3DCfDJ8IBUmBJ4t1ZPjN_9Bi4r4bm-JxsBh1AqEf7q7goxy1OO3Jz_bxpSGCHnfGcCx0MyV1qX3KK2BfwU-07HF_nmWmv-DTH4CV4QoIapzAxLmU0abFNlxrTh92JZkvIaY8MdZR-WTjMxPzqznL1SfASp0o_Gktn0TQahLRUfnYfYBDbv7VG5g70LIUXW_TZ9a0ooK3BNsd0Xsry-_i0fgIW6uSSljuKUFkwP9eHApnrW9Lp1X8B_0n5IYwnXZE1O3zGWP_X1XuXMoIgYNMoZbfCXsNmLu6Xot5s50cSRkgB6Kf-fq-PWp6GaYMENIomnMDuZgjlwqDlk9CevXjJUIe7_vLCuSaOU0tZk1jIUuZ_4P_KeNiIbtwzYU5ERlQy28yu-dspOa2jzRtzf56dVxo33o1EdFq5BEr9fxsExLxnd54Dy%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D6.7.1.0", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 16, "remote": "10.1.0.217", "request_id": "2b7624781d624be4b58deb9d6d20c3ec", "runtime": 202, "scheme": "https", "status": 200, "timestamp": "2022-06-20T19:00:30.267396", "user": "testuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.125 Safari/537.36"}
2022-06-20T19:00:30.613943769Z {"event": "/application/o/token/", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 16, "remote": "10.1.1.60", "request_id": "c71502798d154d17ad6c7fa1a3c2aeef", "runtime": 251, "scheme": "https", "status": 200, "timestamp": "2022-06-20T19:00:30.613737", "user": "", "user_agent": "Microsoft ASP.NET Core OpenIdConnect handler"}
2022-06-20T19:00:30.989569819Z {"event": "/application/o/userinfo/", "host": "openid-test.company.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 16, "remote": "10.1.1.60", "request_id": "57597ac31bdd415593b95536a97dd42e", "runtime": 33, "scheme": "https", "status": 200, "timestamp": "2022-06-20T19:00:30.989363", "user": "", "user_agent": "Microsoft ASP.NET Core OpenIdConnect handler"}

BeryJu commented 2 years ago

Ok, I'm pretty sure the error is because lithnet sends response_mode=form_post, which was not supported in authentik 2022.4 (it was just ignored; the response mode would be set based on response_type). Starting with 2022.5, support for form_post was added, and I can reproduce the issue with 22.6.3.
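An added example (not authentik's or Lithnet's own code) that models the two relying-party checks this thread turns on: the exact issuer match from the trailing-slash discussion above, and the parsing of an authorization response in query versus form_post mode, rejecting it when neither code nor id_token arrives (the IDX21334 condition in the Lithnet log). The hostnames, discovery document, code and state values are constructed placeholders.

```python
import json
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class ProtocolError(Exception):
    """Raised when the relying party cannot process what the provider sent."""


def check_issuer(configured_authority: str, discovery_json: str) -> str:
    """Compare the configured authority with the `issuer` the discovery document
    advertises. The match must be exact (trailing slash included), because the
    same string is written into the ID token's `iss` claim."""
    issuer = json.loads(discovery_json)["issuer"]
    if configured_authority != issuer:
        raise ProtocolError(
            f"issuer mismatch: configured {configured_authority!r}, "
            f"discovery advertises {issuer!r}"
        )
    return issuer


class _FormPostFields(HTMLParser):
    """Collect the hidden <input> fields of a form_post response page."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and attr.get("name"):
            self.fields[attr["name"]] = attr.get("value") or ""


def parse_authorization_response(response_mode: str, payload: str) -> dict[str, str]:
    """Parameters the RP receives for a given response_mode:
    "query"     -> payload is the 302 Location URL, parameters in its query string
    "form_post" -> payload is the auto-submitting HTML form, parameters in the POST body"""
    if response_mode == "query":
        return {k: v[0] for k, v in parse_qs(urlsplit(payload).query).items()}
    if response_mode == "form_post":
        parser = _FormPostFields()
        parser.feed(payload)
        return parser.fields
    raise ProtocolError(f"unsupported response_mode {response_mode!r}")


def validate_authorization_response(params: dict[str, str], expected_state: str) -> str:
    """The checks an OIDC handler runs before calling the token endpoint;
    returns the authorization code on success."""
    if "error" in params:
        raise ProtocolError(f"provider returned error {params['error']!r}")
    if params.get("state") != expected_state:
        raise ProtocolError("state mismatch: response is not bound to this login")
    if not params.get("code") and not params.get("id_token"):
        # The same condition Microsoft's handler reports as IDX21334.
        raise ProtocolError("Both 'id_token' and 'code' are null in the response")
    return params["code"]


def outcome(response_mode: str, payload: str, expected_state: str) -> str:
    """Convenience wrapper: 'ok:<code>' or 'error:<reason>'."""
    try:
        params = parse_authorization_response(response_mode, payload)
        return "ok:" + validate_authorization_response(params, expected_state)
    except ProtocolError as exc:
        return "error:" + str(exc)


# Constructed samples; hostnames, code and state values are placeholders.
DISCOVERY = json.dumps({
    "issuer": "https://authentik.example.com/application/o/lithnet/",
    "authorization_endpoint": "https://authentik.example.com/application/o/authorize/",
    "token_endpoint": "https://authentik.example.com/application/o/token/",
})
STATE = "st4te-sample"
REDIRECT = "https://lithnet.example.com/auth?code=c0de-sample&state=st4te-sample"
GOOD_FORM_POST = """<html><body onload="document.forms[0].submit()">
<form method="post" action="https://lithnet.example.com/auth">
<input type="hidden" name="code" value="c0de-sample">
<input type="hidden" name="state" value="st4te-sample">
</form></body></html>"""
# Same page with the code field missing: the RP sees only `state` in the POST.
BROKEN_FORM_POST = GOOD_FORM_POST.replace(
    '<input type="hidden" name="code" value="c0de-sample">\n', "")

if __name__ == "__main__":
    for mode, page in [("query", REDIRECT), ("form_post", GOOD_FORM_POST), ("form_post", BROKEN_FORM_POST)]:
        print(mode, outcome(mode, page, STATE))
```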

BeryJu commented 2 years ago

@water-pc can you try the latest beta build? https://goauthentik.io/docs/installation/beta

water-pc commented 2 years ago

> @water-pc can you try the latest beta build? https://goauthentik.io/docs/installation/beta

Yes. It works on the beta.