goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

OIDC Provider Fails Across VLANs/Subnets #9722

Closed julianq closed 2 months ago

julianq commented 4 months ago

Describe the bug

When the service is on a separate VLAN or subnet from Authentik, OIDC fails to authenticate. This does not seem to be a problem with VLAN traversal / firewall configuration, as authentication via OIDC was possible until a few days ago, when it suddenly stopped working. Similarly, running access wide open between the VLANs does not allow authentication.

This comes in two flavors:

(1) Either the service fails to connect to Authentik entirely, and the event is entirely invisible from the Authentik side; or

(2) The service manages to connect to Authentik and authenticate successfully, but fails to log in, and the event shows as a successful authentication from the Authentik side (but no indication of failure to log in).

Moving the service in question to the same VLAN as Authentik allows normal login and is a workaround for now.

Note that this is only for OIDC, the proxy provider works as expected when crossing VLANs/Subnets. (I have not tested the other provider options.)

To Reproduce

Steps to reproduce the behavior:

  1. Go to service login
  2. Click on "Login with Authentik"
  3. Error occurs (either failure to connect to Authentik, or successful authentication but failure to log in).

Expected behavior

Successful connection to Authentik, authentication, and login.

Logs

All of the logs on the service / application side are some form of the following:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='auth.mydomain.com', port=443): Max retries exceeded with url: /application/o/token/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x77d7cfe6f5e0>: Failed to establish a new connection: [Errno 111] Connection refused'))

The connection refused is standard across all application logfiles.

The Authentik side shows nothing or successful authentication as per my description above.

Version and Deployment (please complete the following information):

Additional context

I am also seeing that the local docker outpost is unhealthy, but that seems to be related to #7279
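The log line above is a back-channel failure: the browser reached Authentik's authorize endpoint, but the service itself could not open a TCP connection to the token endpoint. The probe below walks the same path as the failing token request (DNS, TCP, TLS) and classifies where it stops, so it can be run from the service's host and from a host on the working VLAN for comparison. This is an added example, not code from the issue or from authentik; the `ProbeResult` fields, the `free_local_port` helper and the timeout are assumptions.

```python
"""Back-channel probe for an OIDC token endpoint (constructed example): the browser reaches
the authorize endpoint, but the service itself must reach the token endpoint, and a
"Connection refused" there is visible only from the service's network position."""
import socket
import ssl
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class ProbeResult:
    host: str
    port: int
    addresses: list = field(default_factory=list)
    outcome: str = "unknown"  # dns-failure | refused | unreachable | tls-failure | reachable
    detail: str = ""

def probe_token_endpoint(url: str, timeout: float = 3.0) -> ProbeResult:
    """Resolve the IdP host, then try TCP and TLS to every address, as urllib3 would."""
    parts = urlsplit(url)
    result = ProbeResult(host=parts.hostname, port=parts.port or 443)
    try:
        infos = socket.getaddrinfo(result.host, result.port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result.outcome, result.detail = "dns-failure", str(exc)
        return result
    # Compare this list with what a client on the working VLAN resolves.
    result.addresses = sorted({info[4][0] for info in infos})
    for addr in result.addresses:
        try:
            sock = socket.create_connection((addr, result.port), timeout=timeout)
        except ConnectionRefusedError as exc:  # the error quoted in the issue logs
            result.outcome, result.detail = "refused", f"{addr}: {exc}"
            continue
        except OSError as exc:  # timeout, no route, network unreachable
            result.outcome, result.detail = "unreachable", f"{addr}: {exc}"
            continue
        try:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=result.host):
                result.outcome, result.detail = "reachable", addr
                return result
        except (ssl.SSLError, OSError) as exc:
            result.outcome, result.detail = "tls-failure", f"{addr}: {exc}"
    return result

def free_local_port() -> int:
    """Pick a port nothing listens on, to demonstrate the 'refused' outcome offline."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run `probe_token_endpoint("https://auth.mydomain.com/application/o/token/")` on the service host and on a host in Authentik's VLAN; differing `addresses` or a `refused` outcome on only one side points at name resolution or routing for that VLAN rather than at the provider configuration.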

ksaadDE commented 4 months ago

Maybe the connections between authentik and the user work, but not between the service and authentik?

Interestingly:

Max retries exceeded

is the occurrence.

Note that this is only for OIDC, the proxy provider works as expected when crossing VLANs/Subnets. (I have not tested the other provider options.)

Weird though. But hard to debug from outside.

authentik-automation[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.