goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Authentik keeps requesting to login after successful login #9865

Open excaliburzarau opened 5 months ago

excaliburzarau commented 5 months ago

Hello guys,

I have been trying to set up Authentik on Docker Swarm behind the Caddy reverse proxy, but I am now stuck on an issue where I don't fully understand what is wrong.

First I was having an issue while creating the admin user (initial-setup page not found) on a clean install, but by gradually upgrading from the 2023.1.1 version to the current 2024.4.2 I was able to create the admin user.

I then started to configure Authentik but, when I log in, it redirects me to the home page and refreshes back to the login page. Sometimes I was able to get to the admin page, where it reports that there is an error fetching the object; I was able to see that the session status is unauthenticated and it redirects to the login page.

When I look at the logs I get what I think is the issue, as seen below.

authentik_server.0.3oh90agwck5h@dockerserver    |  {"event":"tracing request to backend","headers":{"Accept":["*/*"],"Accept-Language":["pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7"],"Cookie":["authentik_csrf=LLoD9SskaTPgw4uocRstcRB0V04lpIWf"],"Priority":["u=1, i"],"Referer":["https://authentik.mydomain.com/if/user/"],"Sec-Ch-Ua":["\"Google Chrome\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\""],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"Sentry-Trace":["5977ec98cdf446bfb6cc7e415c09c970-af0141ce53fe7b69-0"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"],"X-Authentik-Csrf":["LLoD9SskaTPgw4uocRstcRB0V04lpIWf"],"X-Forwarded-For":["10.0.0.38"],"X-Forwarded-Host":["authentik.mydomain.com"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-05-25T17:12:46+01:00","url":"http://localhost:8000/api/v3/core/applications/?ordering=name&page=1&page_size=100"}
authentik_server.0.3oh90agwck5h@dockerserver    |  {"auth_via": "unauthenticated", "domain_url": "authentik.mydomain.com", "event": "/api/v3/root/config/", "host": "authentik.mydomain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 70, "remote": "10.0.0.38", "request_id": "68df437e1e0649b28cabd8f5ab7b60d8", "runtime": 180, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2024-05-25T16:12:46.296933", "user": "", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"}

I can attach the docker compose file I use on my Docker Swarm instance and the Caddyfile.

Is there anyone able to provide me some guidance on the issue I am having?

Best Regards

excaliburzarau commented 5 months ago

Hi guys, I think I might have found the issue.

On Docker Swarm, to ensure that the containers talk to each other without exposing the door, a network has to be created with the overlay type and then declared as an external network in the compose file.

I am not sure if Authentik currently supports this.

I automatically created an internal network when deploying the stack and it is now working without any issue.

The implication of this is that I have to declare the ports of the containers, which internally would mess up the Single Sign On concept for some basic HTTP authentication, but at least, at the moment, of the services I have running, only 2 applications are affected, and they work with Auth0 so they will still redirect to Authentik.

At the moment it does seem that Docker Swarm is not fully supported.

Thank you. Best Regards

cwirz commented 4 months ago

Thanks a lot @excaliburzarau that saved me!

excaliburzarau commented 4 months ago

> Thanks a lot @excaliburzarau that saved me!

No worries. I got it working after a few tries, and it does seem to be working fine for the moment. The Authentik team is doing an awesome job developing this IdP system.

Best Regards

francescor commented 4 months ago

> On docker swarm, to ensure that the containers talk to each other without exposing the door, a network has to be created with overlay type and has to be then declared as an external network on the compose.

yes, that's kind of the basics of Docker Swarm, isn't it?

btw: user rkokkelk was so nice to share his swarm configuration with Traefik; I had it up and running on my swarm too:

https://gist.github.com/rkokkelk/3f2e195dd9f657e99fe77b60cd22fc6c

hycday commented 3 months ago

hi @excaliburzarau, I have the exact same issue (the redirect loop after login, sometimes logging in but with a fetch error, etc.). I also have Caddy (as caddy-docker-proxy). I don't have Docker Swarm, however. Can you share how you fixed it exactly, in terms of the lines of code that you added/changed?

That would be super helpful. Maybe @cwirz you know as well, as you said it helped you.

Thanks a lot !

excaliburzarau commented 3 months ago

> hi @excaliburzarau i have the exact same issue (the redirect loop after login, sometimes logging in but with fetch error, etc). I also have Caddy (as caddy-docker-proxy). can you share how did you fix it exactly in terms of lines of code that you added/changed ?
>
> that would be super helpful. maybe @cwirz you know as well as you said it helped you.
>
> Thanks a lot !

Hello.

What I had to do was create an external overlay network manually and use it in the docker compose files.

docker network create demo-network -d overlay

I believe this command should create it. You then have to deploy the stacks that you want with the created network.

networks:
  demo-network:
    external: true
    name: demo-network

Something like this.

I don't know if this is the reason why you are having the issue, but it did resolve it for me.

Best Regards

hycday commented 3 months ago

@excaliburzarau PERFECT! It works well :) BUT, this is the command I had to run:

docker network create -d overlay --attachable network-overlay

The --attachable option enables both standalone containers and Swarm services to connect to the overlay network. Without --attachable, only Swarm services can connect to the network.

Then I added the network in docker-compose as usual,

by having at the end:

networks:
  network-overlay:
    external: true

and in each service:

    networks:
      - network-overlay

and there is no more loop; the setup was complete and all works well. Thanks again!

excaliburzarau commented 3 months ago

> @excaliburzarau PERFECT ! it works well :) BUT, this is the command i had to do:
>
> docker network create -d overlay --attachable network-overlay
>
> The --attachable option enables both standalone containers and Swarm services to connect to the overlay network. Without --attachable, only Swarm services can connect to the network.
>
> Then I added the network in docker-compose like normally
>
> by having at the end:
>
>     networks:
>       network-overlay:
>         external: true
>
> and in each service :
>
>         networks:
>           - network-overlay
>
> and no more loop and setup was complete and all works well thanks again !

In my case it was Swarm, which is a little bit different. Sorry about that. I am glad it worked for you also.

Best Regards

hycday commented 3 months ago

@excaliburzarau just in case: on the app that I want to protect, https://testapp.domain.ltd, I can see the Authentik login screen and can log in fine; however, the app itself is giving me a 502 (the app calls /api/query?=abc for example and I get a 502 for this, and sometimes for the favicon, and sometimes for the root of the app). Do you have any idea if it is linked or if that is a totally new issue? I don't see any issues in the logs :/

excaliburzarau commented 3 months ago

> @excaliburzarau just in case : on the app that i want to protect https://testapp.domain.ltd i can see the authentik login screen and can login fine, however, the app itself is giving me 502 (the app calls /api/query?=abc for example and i get a 502 to this and sometimes to the favicon, and sometimes to the root of the app). Do you have any idea if it is linked or if that is a totally new issue ? I dont see any issues in logs :/

I believe it may be a different issue. Maybe with the redirects or the headers passed in the snippet, but I am unsure.

But it would be a good place to start the troubleshooting.

Best Regards

excaliburzarau commented 3 months ago

> @excaliburzarau just in case : on the app that i want to protect https://testapp.domain.ltd i can see the authentik login screen and can login fine, however, the app itself is giving me 502 (the app calls /api/query?=abc for example and i get a 502 to this and sometimes to the favicon, and sometimes to the root of the app). Do you have any idea if it is linked or if that is a totally new issue ? I dont see any issues in logs :/

I was also thinking about this: maybe try to confirm that the type of network is correct and that the config shown by inspecting the network is correct. I had to manually set the subnet and gateway in my case. Best Regards.
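To make the check suggested above concrete (network type correct, config from `docker network inspect` correct, and the `--attachable` requirement mentioned earlier in the thread), here is an added Python helper that is not part of the issue or of authentik; the `docker network inspect` JSON it reads is a constructed sample, and the service names are assumptions:

```python
import json

# Constructed sample of `docker network inspect network-overlay` output (not from
# the issue): overlay, attachable, has a subnet, but the worker task is missing.
SAMPLE_INSPECT = json.dumps([{
    "Name": "network-overlay",
    "Scope": "swarm",
    "Driver": "overlay",
    "Attachable": True,
    "IPAM": {"Config": [{"Subnet": "10.0.9.0/24", "Gateway": "10.0.9.1"}]},
    "Containers": {
        "abc123": {"Name": "authentik_server.1.x1"},
        "def456": {"Name": "authentik_postgresql.1.y2"},
    },
}])

# Constructed sample of a default bridge network, i.e. the wrong type for Swarm.
BRIDGE_INSPECT = json.dumps([{
    "Name": "authentik_default", "Scope": "local", "Driver": "bridge",
    "Attachable": False, "IPAM": {"Config": []}, "Containers": {},
}])


def check_overlay_network(inspect_json, expected_services):
    """Return a list of problems found in `docker network inspect` output.

    expected_services: service names (e.g. 'authentik_server') that must have at
    least one task attached. Note: the Containers map only lists tasks running on
    the node where `docker network inspect` was executed.
    """
    net = json.loads(inspect_json)[0]
    problems = []
    if net.get("Driver") != "overlay":
        problems.append(f"driver is {net.get('Driver')!r}, expected 'overlay'")
    if net.get("Scope") != "swarm":
        problems.append(f"scope is {net.get('Scope')!r}, expected 'swarm'")
    if not net.get("Attachable"):
        problems.append("network is not attachable; standalone containers cannot join")
    if not net.get("IPAM", {}).get("Config"):
        problems.append("no subnet/gateway configured under IPAM.Config")
    attached = [c["Name"] for c in net.get("Containers", {}).values()]
    for svc in expected_services:
        # Swarm task names look like <stack>_<service>.<slot>.<task id>
        if not any(name.startswith(svc + ".") for name in attached):
            problems.append(f"no task of service {svc!r} is attached")
    return problems


if __name__ == "__main__":
    for p in check_overlay_network(SAMPLE_INSPECT, ["authentik_server", "authentik_worker"]):
        print("PROBLEM:", p)
```

Feed it the real output of `docker network inspect <network>` and the stack's service names; an empty list means the network matches what the thread describes as working.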

hycday commented 3 months ago

I am getting a CORS issue ("strict-origin-when-cross-origin") on the subpage, so I'm unsure if it's on the Authentik side, or the Caddy side, or elsewhere :/ Without Authentik it works perfectly well, btw. I created this issue so as not to hijack your thread: https://github.com/goauthentik/authentik/issues/10557

excaliburzarau commented 3 months ago

> I am getting a CORS issue ("strict-origin-when-cross-origin") on the subpage, so unsure if it's on authentik side, or caddy side, or else :/ without authentik it works perfectly well btw i created this issue to not hijack your thread : #10557

It might not be related, but I set the custom headers in the snippet like this:

(authentik) {
    # always forward outpost path to actual outpost
    reverse_proxy /outpost.goauthentik.io/* http://authentik_ip:9900

    # forward authentication to outpost
    forward_auth http://authentik_ip:9900 {
        uri /outpost.goauthentik.io/auth/caddy

        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Forwarded-Host Authorization

        # optional, in this config trust all private ranges, should probably be set to the outposts IP
        #trusted_proxies private_ranges
    }
}

Again, it might not be related, but I did make some changes to the headers because it sometimes gave me errors while loading the page.

Best Regards

hycday commented 3 months ago

Works :) Thank you!!

excaliburzarau commented 3 months ago

I am glad it helped. Best Regards