goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Traefik ForwardAuth with subpath #5924

Open ftc2 opened 1 year ago

ftc2 commented 1 year ago

can someone please share an example configuration with authentik + traefik doing forward auth (single application mode in authentik) on an application hosted on a subpath e.g. foo.example.com/myApp?

i'm trying to host multiple apps on one domain (/myApp, /myOtherApp, and so on).

here is my broken config. that's cool if you're able to see the problem with mine, but an example config of something else would probably also be OK.

note that i am not using TLS anywhere backend. TLS only happens later at cloudflare's edge.

my authentik server is available in docker backend as http://authentik:9000 or frontend as https://auth.example.com

in traefik, i have this middleware defined in a file:

middlewares:
  authentik:
    forwardauth:
      address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
      trustForwardHeader: true
      authResponseHeaders:
        - X-authentik-username
        - X-authentik-groups
        - X-authentik-email
        - X-authentik-name
        - X-authentik-uid
        - X-authentik-jwt
        - X-authentik-meta-jwks
        - X-authentik-meta-outpost
        - X-authentik-meta-provider
        - X-authentik-meta-app
        - X-authentik-meta-version

on authentik server's container, i have these labels set in docker compose:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.authentik.entryPoints=http"
  - "traefik.http.services.authentik.loadbalancer.server.port=9000"
  - "traefik.http.routers.authentik.rule=Host(`auth.example.com`) || (Host(`traefik.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)) || (Host(`foo.example.com`) && PathPrefix(`/whoami-subpath/outpost.goauthentik.io/`))"

^ that last routing rule has three parts OR'd together:

demo service available internally at http://whoami-subpath and externally at https://foo.example.com/whoami-subpath (docker compose):

whoami-subpath:
    image: traefik/whoami
    container_name: whoami-subpath
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami-subpath.entryPoints=http"
      - "traefik.http.routers.whoami-subpath.rule=Host(`foo.example.com`) && PathPrefix(`/whoami-subpath`)"
      - "traefik.http.routers.whoami-subpath.middlewares=authentik@file"

in authentik's dash, i have the demo service configured like this:

Application:
Name: whoami-subpath
Slug: whoami-subpath
Provider: whoami-subpath
Policy: any

Provider:
Name: whoami-subpath
Authorization flow: default-provider-authorization-implicit-consent
Forward auth (single application):
External host: https://foo.example.com/whoami-subpath

Outpost:
Type: proxy
authentik Embedded Outpost
traefik dash (traefik dash)
whoami-subpath (whoami-subpath)

when i visit https://foo.example.com/whoami-subpath, authentik gives me this error:

Redirect URI Error

The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri).

when i try this with curl (curl -Lv https://foo.example.com/whoami-subpath):

https://auth.example.com/application/o/authorize/?client_id=Yu9BYY7ztGh1DExc4sy9HiGTaAX41Ps0blAxtTym&redirect_uri=https://foo.example.com/whoami-subpath/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&response_type=code&scope=openid+profile+ak_proxy+email&state=oiqJpOQA_W3tZFvfSVjW78t3iQsozvGKVxVTlHhEN-4

so it looks like redirect_uri = https://foo.example.com/whoami-subpath/outpost.goauthentik.io/callback?X-authentik-auth-callback=true

thanks
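The "Redirect URI Error" above is the authorization server rejecting the `redirect_uri` in the authorize request because it does not exactly match a URI registered for the client. The following script is an added example (not authentik's code and not part of the issue): it pulls `redirect_uri` out of the authorize URL shown in the curl output, derives the callback a given external host would be expected to produce, and reports which URI components differ. It assumes the callback format `<external host>/outpost.goauthentik.io/callback`, inferred only from the observed `redirect_uri`; the candidate registered URIs and the authorize URL are constructed sample values taken from this post.

```python
from urllib.parse import urlsplit, parse_qs

# Authorize request copied from the curl output in the post (sample value).
# Note: redirect_uri is embedded unencoded and carries its own query string.
AUTHORIZE_URL = (
    "https://auth.example.com/application/o/authorize/"
    "?client_id=Yu9BYY7ztGh1DExc4sy9HiGTaAX41Ps0blAxtTym"
    "&redirect_uri=https://foo.example.com/whoami-subpath/outpost.goauthentik.io/callback"
    "?X-authentik-auth-callback=true"
    "&response_type=code&scope=openid+profile+ak_proxy+email"
    "&state=oiqJpOQA_W3tZFvfSVjW78t3iQsozvGKVxVTlHhEN-4"
)

# Assumed callback path (inferred from the observed redirect_uri, not from authentik docs).
CALLBACK_PATH = "/outpost.goauthentik.io/callback"


def extract_redirect_uri(authorize_url: str) -> str:
    """Return the redirect_uri parameter of an OAuth2 authorize request."""
    query = urlsplit(authorize_url).query
    # parse_qs splits on '&' only, so the '?...' inside redirect_uri survives.
    return parse_qs(query)["redirect_uri"][0]


def expected_callback(external_host: str) -> str:
    """Callback URI a forward-auth provider with this external host would use (assumption)."""
    return external_host.rstrip("/") + CALLBACK_PATH


def split_components(uri: str) -> dict:
    parts = urlsplit(uri)
    return {"scheme": parts.scheme, "host": parts.netloc,
            "path": parts.path, "query": parts.query}


def mismatching_components(redirect_uri: str, registered_uri: str,
                           ignore_query: bool = True) -> list:
    """List the components where redirect_uri differs from registered_uri.

    OAuth 2.0 security guidance calls for exact string matching of the whole
    redirect URI; the default here ignores the query so the scheme/host/path
    comparison is visible on its own, and ignore_query=False gives the strict view.
    """
    a, b = split_components(redirect_uri), split_components(registered_uri)
    keys = ["scheme", "host", "path"] + ([] if ignore_query else ["query"])
    return [k for k in keys if a[k] != b[k]]


def diagnose(authorize_url: str, external_hosts: list) -> dict:
    """For each candidate external host, report which components of the
    derived callback disagree with the redirect_uri actually sent."""
    sent = extract_redirect_uri(authorize_url)
    return {host: mismatching_components(sent, expected_callback(host))
            for host in external_hosts}


if __name__ == "__main__":
    # Constructed candidates: the external host from the post, and the same
    # host without its subpath, to show how a path mismatch surfaces.
    candidates = ["https://foo.example.com/whoami-subpath",
                  "https://foo.example.com"]
    print("redirect_uri sent:", extract_redirect_uri(AUTHORIZE_URL))
    for host, bad in diagnose(AUTHORIZE_URL, candidates).items():
        print(f"{host:45} -> {'match' if not bad else 'mismatch on ' + ', '.join(bad)}")
```

Running it shows that the sent `redirect_uri` lines up on scheme, host and path with a callback derived from `https://foo.example.com/whoami-subpath`, and differs on `path` for the host without the subpath; with `ignore_query=False` the `X-authentik-auth-callback=true` query is the only remaining difference against the bare callback. Comparing component by component like this tells you which part of the registered URI to look at before changing any configuration.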


theAlevan commented 6 months ago

Any answer to this?