goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Stuck on loading after logging in - Traefik Ingress on K8S #4601

Open LP0101 opened 1 year ago

LP0101 commented 1 year ago

Describe your question

I just set up authentik + traefik on a new kubernetes cluster. After logging in to authentik, the webpage is stuck on the loading screen without redirecting back to the app.

Relevant infos

Traefik middleware:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: ingress
spec:
  forwardAuth:
    address: http://authentik.authentik.svc.cluster.local:80/outpost.goauthentik.io/auth/traefik
    authResponseHeaders:
    - X-authentik-username
    - X-authentik-groups
    - X-authentik-email
    - X-authentik-name
    - X-authentik-uid
    - X-authentik-jwt
    - X-authentik-meta-jwks
    - X-authentik-meta-outpost
    - X-authentik-meta-provider
    - X-authentik-meta-app

IngressRoute Resource:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: longhorn-ingressroute
  namespace: longhorn-system
spec:
  entryPoints:
  - web
  - websecure
  routes:
  - kind: Rule
    match: Host(`longhorn.popesco.io`)
    middlewares:
    - name: authentik
      namespace: ingress
    priority: 10
    services:
    - name: longhorn-frontend
      namespace: longhorn-system
      port: 80
      scheme: http
  - kind: Rule
    match: Host(`longhorn.popesco.io`) && PathPrefix(`/outpost.goauthentik.io/`)
    priority: 15
    services:
    - kind: Service
      name: authentik
      namespace: authentik
      port: 9000
  tls:
    secretName: popesco-io

Logs

kubectl logs while logging in:

{"auth_via": "unauthenticated", "event": "/api/v3/flows/executor/default-authentication-flow/?query=next%3D%252Fapplication%252Fo%252Fauthorize%252F%253Fclient_id%253DCUG8iXJpOsYvtom2h0BrsABVG49dJr18v62QqGXp%2526redirect_uri%253Dhttps%25253A%25252F%25252Flonghorn.popesco.io%25252Foutpost.goauthentik.io%25252Fcallback%25253FX-authentik-auth-callback%25253Dtrue%2526response_type%253Dcode%2526scope%253Dak_proxy%252Bopenid%252Bemail%252Bprofile%2526state%253DqvEIv7Bp3_-VCflJZszJce90vcdtMEUXkBxEt15oVP4", "host": "auth.popesco.io", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 3468, "remote": "192.168.100.39", "request_id": "af40f8dbc09e490ead386b28448fa5cc", "runtime": 89, "scheme": "https", "status": 200, "timestamp": "2023-02-02T04:12:44.901363", "user": "luca", "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"}
{"auth_via": "session", "event": "/application/o/authorize/?client_id=CUG8iXJpOsYvtom2h0BrsABVG49dJr18v62QqGXp&redirect_uri=https%3A%2F%2Flonghorn.popesco.io%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=ak_proxy+openid+email+profile&state=qvEIv7Bp3_-VCflJZszJce90vcdtMEUXkBxEt15oVP4", "host": "auth.popesco.io", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 3468, "remote": "192.168.100.39", "request_id": "31c9eefa1b7145e5b5cee691dd1f78e5", "runtime": 49, "scheme": "https", "status": 302, "timestamp": "2023-02-02T04:12:45.006707", "user": "luca", "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"}
{"auth_via": "session", "event": "/if/flow/default-provider-authorization-implicit-consent/?client_id=CUG8iXJpOsYvtom2h0BrsABVG49dJr18v62QqGXp&redirect_uri=https%3A%2F%2Flonghorn.popesco.io%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=ak_proxy+openid+email+profile&state=qvEIv7Bp3_-VCflJZszJce90vcdtMEUXkBxEt15oVP4", "host": "auth.popesco.io", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 3468, "remote": "192.168.100.39", "request_id": "0d5e1b9870544c4aa5050db954f8fc1e", "runtime": 48, "scheme": "https", "status": 200, "timestamp": "2023-02-02T04:12:45.063021", "user": "luca", "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"}
{"event":"/static/dist/flow/FlowInterface-85045f6c.js.map","host":"auth.popesco.io","level":"info","logger":"authentik.router","method":"GET","remote":"192.168.100.39","runtime":"0.485","scheme":"http","size":0,"status":304,"timestamp":"2023-02-02T04:12:45Z","user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"}
{"event":"/static/dist/flow/vendor-7bdc1530.js.map","host":"auth.popesco.io","level":"info","logger":"authentik.router","method":"GET","remote":"192.168.100.39","runtime":"1.495","scheme":"http","size":0,"status":304,"timestamp":"2023-02-02T04:12:45Z","user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"}
{"action": "authorize_application", "auth_via": "session", "client_ip": "192.168.100.39", "context": {"authorized_application": {"app": "authentik_core", "model_name": "application", "name": "longhorn", "pk": "3b7e75a55b774be899470cc8a035ba88"}, "flow": "b860df90a69e435b9ed9217ca0c8f20a", "http_request": {"args": {"query": "client_id=CUG8iXJpOsYvtom2h0BrsABVG49dJr18v62QqGXp&redirect_uri=https%3A%2F%2Flonghorn.popesco.io%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=ak_proxy+openid+email+profile&state=qvEIv7Bp3_-VCflJZszJce90vcdtMEUXkBxEt15oVP4"}, "method": "GET", "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/"}, "scopes": "ak_proxy openid email profile"}, "event": "Created Event", "host": "auth.popesco.io", "level": "info", "logger": "authentik.events.models", "pid": 3468, "request_id": "6117d4825010466587587aacb4c96fb0", "timestamp": "2023-02-02T04:12:45.272270", "user": {"email": "luca@popesco.io", "pk": 1, "username": "luca"}}
{"event":"/static/dist/assets/fonts/webfonts/fa-solid-900.woff2","host":"auth.popesco.io","level":"info","logger":"authentik.router","method":"GET","remote":"192.168.100.39","runtime":"0.318","scheme":"http","size":79100,"status":200,"timestamp":"2023-02-02T04:12:45Z","user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"}
{"auth_via": "session", "event": "Task published", "host": "auth.popesco.io", "level": "info", "logger": "authentik.root.celery", "pid": 3468, "request_id": "6117d4825010466587587aacb4c96fb0", "task_id": "0289ce69-1f22-4ba4-a1f1-3ae2ca69c44c", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2023-02-02T04:12:45.293933"}
{"action": "model_created", "auth_via": "session", "client_ip": "192.168.100.39", "context": {"http_request": {"args": {"query": "client_id=CUG8iXJpOsYvtom2h0BrsABVG49dJr18v62QqGXp&redirect_uri=https%3A%2F%2Flonghorn.popesco.io%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=ak_proxy+openid+email+profile&state=qvEIv7Bp3_-VCflJZszJce90vcdtMEUXkBxEt15oVP4"}, "method": "GET", "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/"}, "model": {"app": "authentik_providers_oauth2", "model_name": "authorizationcode", "name": "Authorization code for OAuth2 Provider longhorn for user luca", "pk": 456}}, "event": "Created Event", "host": "auth.popesco.io", "level": "info", "logger": "authentik.events.models", "pid": 3468, "request_id": "6117d4825010466587587aacb4c96fb0", "timestamp": "2023-02-02T04:12:45.300753", "user": {"email": "luca@popesco.io", "pk": 1, "username": "luca"}}
{"auth_via": "session", "event": "Task published", "host": "auth.popesco.io", "level": "info", "logger": "authentik.root.celery", "pid": 3468, "request_id": "6117d4825010466587587aacb4c96fb0", "task_id": "12dbbfe1-d3cf-4251-9111-59dcfeffcf9a", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2023-02-02T04:12:45.305409"}
{"auth_via": "session", "event": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/?query=client_id%3DCUG8iXJpOsYvtom2h0BrsABVG49dJr18v62QqGXp%26redirect_uri%3Dhttps%253A%252F%252Flonghorn.popesco.io%252Foutpost.goauthentik.io%252Fcallback%253FX-authentik-auth-callback%253Dtrue%26response_type%3Dcode%26scope%3Dak_proxy%2Bopenid%2Bemail%2Bprofile%26state%3DqvEIv7Bp3_-VCflJZszJce90vcdtMEUXkBxEt15oVP4", "host": "auth.popesco.io", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 3468, "remote": "192.168.100.39", "request_id": "6117d4825010466587587aacb4c96fb0", "runtime": 84, "scheme": "https", "status": 200, "timestamp": "2023-02-02T04:12:45.312998", "user": "luca", "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"}
{"error":"oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\": \"invalid_client\", \"error_description\": \"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)\"}","event":"failed to redeem code","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"longhorn","timestamp":"2023-02-02T04:12:45Z"}
{"event":"/outpost.goauthentik.io/auth/traefik","host":"longhorn.popesco.io","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"longhorn","remote":"192.168.100.39","runtime":"46.421","scheme":"http","size":0,"status":400,"timestamp":"2023-02-02T04:12:45Z","user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"}
{"auth_via": "unauthenticated", "event": "/-/health/ready/", "host": "10.0.1.201:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 3468, "remote": "10.0.1.231", "request_id": "88c7e9b576314e5d8b38594a7f0b8f1b", "runtime": 22, "scheme": "http", "status": 204, "timestamp": "2023-02-02T04:12:51.307773", "user": "", "user_agent": "kube-probe/1.26"}

And the network debug tool when logging in: [image]

LP0101 commented 1 year ago

This only happens on 2023.1.2

I reverted to 2022.12.2 and it works perfectly now. This should probably be changed to "bug" instead?

xakaitetoia commented 6 months ago

Why port 9000 on your authentik service btw?

    - kind: Service
      name: authentik
      namespace: authentik
      port: 9000

Isn't your authentik service on port 80 as you declared on your middleware?

BeryJu commented 5 months ago

With the log entry {"error":"oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\": \"invalid_client\", \"error_description\": \"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)\"}","event":"failed to redeem code","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"longhorn","timestamp":"2023-02-02T04:12:45Z"} could you post some more of the server container logs? Especially the lines surrounding /o/token/?
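An added example, not part of the original thread or of authentik's code: a small triage script for a mixed `kubectl logs` capture like the one above. It pulls the OAuth2 error out of the outpost's "failed to redeem code" event and counts whether any server-side `/o/token/` lines are present in the capture. The function names and the abbreviated sample lines are constructed for illustration.

```python
import json

# Constructed sample: lines abbreviated from the logs posted in this thread,
# plus one non-JSON line of the kind kubectl output often contains.
SAMPLE_LOGS = r'''
{"event": "/application/o/authorize/?client_id=TRIMMED", "logger": "authentik.asgi", "status": 302, "timestamp": "2023-02-02T04:12:45.006707"}
some non-JSON line
{"error":"oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\": \"invalid_client\", \"error_description\": \"Client authentication failed\"}","event":"failed to redeem code","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"longhorn","timestamp":"2023-02-02T04:12:45Z"}
{"event":"/outpost.goauthentik.io/auth/traefik","host":"longhorn.popesco.io","logger":"authentik.outpost.proxyv2.application","status":400,"timestamp":"2023-02-02T04:12:45Z"}
'''

def parse_lines(text):
    """Yield JSON log records, skipping blank and non-JSON lines."""
    for line in text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            yield record

def oauth_error(record):
    """Return the OAuth2 error body embedded after 'Response: ' in the outpost error, if any."""
    _, found, body = str(record.get("error", "")).partition("Response: ")
    try:
        parsed = json.loads(body) if found else {}
    except json.JSONDecodeError:
        return {}
    return parsed if isinstance(parsed, dict) else {}

def triage(text):
    """Summarise failed code redemptions and whether the token-endpoint lines were captured."""
    events = [(r, str(r.get("event", ""))) for r in parse_lines(text)]
    failures = [
        {"app": r.get("name"), "error": oauth_error(r).get("error"), "timestamp": r.get("timestamp")}
        for r, ev in events if ev == "failed to redeem code"
    ]
    return {
        "failures": failures,
        # Server-side lines for the token endpoint, which the maintainer asks for.
        "token_endpoint_lines": sum("/o/token/" in ev for _, ev in events),
        # Forward-auth checks that the outpost answered with an error status.
        "forward_auth_denied": sum(
            ev.startswith("/outpost.goauthentik.io/auth/") and int(r.get("status", 0)) >= 400
            for r, ev in events
        ),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOGS), indent=2))
```

A result with a failure entry but `token_endpoint_lines` of 0 means the capture shows only the outpost's side of the token exchange, so the server's reason for rejecting the client is not in it.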