Cannot sign_out of Forwadh auth (Single application)

[info-path]

Describe the bug Single app login is fully functional, but I can't log out. This address: https://homepage.domain.com/outpost.goauthentik.io/sign_out

Generates an error: Application error: a client-side exception has occurred (see the browser console for more information).

WebConsole:

Uncaught (in promise) SyntaxError: "[object Object]" is not valid JSON
    at JSON.parse (<anonymous>)
    at l._storageChangeDispatcher (content.js:2:855976)
    at _storageChangeDispatcherCallback (content.js:2:855424)
onCopyContentscript.js:157 A listener indicated an asynchronous response by returning true, but the message channel closed before a response was received
toolbarContentscript.js:113 {"message":"A listener indicated an asynchronous response by returning true, but the message channel closed before a response was received"}

Note: The gethomepage application, which does not have integrated user authentication.

Expected behavior Ordinary logout from the session

Version and Deployment (please complete the following information):

• authentik version: [e.g. 2024.4.2]
• Deployment: docker-compose
• Traefik v3 (Docker) as reverse proxy

Traefik config

http:
  routers:
    homepage-public:
      middlewares:
        - authentik
      rule: "Host(`homepage.domain.com`)"
      priority: 10
      tls:
        certResolver: cloudflare            
      service: homepage-public
    homepage-auth:
      rule: "Host(`homepage.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      priority: 15
      service: authentik

  services:
    authentik:
      loadBalancer:
        servers:
          - url: https://192.168.30.30:9443/outpost.goauthentik.io
    homepage-public:
      loadBalancer:
        servers:
          - url: http://192.168.30.111:3000 #
  middlewares:
    authentik:
      forwardAuth:
        address: http://192.168.30.30:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version

What could be the problem?

[excaliburzarau]

Hi guys,

Also as @info-path, i AM trying to invalidate de session.

At the moment i AM just trying to invalidate de session from authentik so, if i logout from authentik or the session expires, all the forwarded applications, independent of the authentication method, should require a login on authentik. Right now it kinda does it but on some situations it bypasses the verification for some reason and redirects it to the forwarded application even though i have logged out of the authentik.

Can anyone explain me how can i properly setup this to work properly as i AM unable to understand how to do it with the official documentation.

Than you all, Best Regards

[info-path]

Right now it kinda does it but on some situations it bypasses the verification for some reason and redirects it to the forwarded application even though i have logged out of the authentik.

I also encountered a situation where I logged out of Authentic, but the app remained accessible. I discovered that there was an issue with auth.domain.com because Firefox repeatedly indicated that the site was not secure, even though other browsers confirmed its security. I had registered this domain through Zero Trust Cloudflare.

I resolved this by registering the domain outside the Cloudflare tunnel. Once the security issue was fixed, the logout issue was also resolved. Now, the app logs out correctly with every authentication logout.

[excaliburzarau]

Hello,

Thank you for your Reply. I do indeed use Cloudflare. Are you suggesting to use another DNS provider instead cloudflare? I currently have everything setup with cloudflare.

Best Regards

[info-path]

I stayed with Cloudflare, only for auth.domain.com, which I use for Authentik I don't use a tunnel, but a standard reverse proxy of Traefik.

There might not even be a problem with the tunnel itself, because I tried another subdomain that didn't do these problems.

[excaliburzarau]

After a quick search regarding what you spoke about i was able to find a user that Gave some guidance on this thread.

https://github.com/sebw/blog.wains.be/blob/master/content/posts/2023/2023-01-07-cloudflare-zero-trust-authentik.md?plain=1

I Will try it to adapt this to my setup and update this thread with my finds.

But i Will try to avoud using the zero trust due to the fact that they haver more Control of the information that passes

Thanks you

[excaliburzarau]

I stayed with Cloudflare, only for auth.domain.com, which I use for Authentik I don't use a tunnel, but a standard reverse proxy of Traefik.

There might not even be a problem with the tunnel itself, because I tried another subdomain that didn't do these problems.

Hello again,

I was able to resolve the issue by passing the authentication header onto my authentik snippet.

Best Regards

[authentik-automation[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.