linkwarden / linkwarden

⚡️⚡️⚡️Self-hosted collaborative bookmark manager to collect, organize, and preserve webpages, articles, and more...
https://linkwarden.app
GNU Affero General Public License v3.0

SSO Fails After Authentik Update #503

Open mfeuhrer opened 8 months ago

mfeuhrer commented 8 months ago

Describe the bug
After updating Authentik from 2023.10 to 2024.1 (and continuing into 2024.2), Linkwarden no longer allows logins from Authentik. "Sign in with provider" forwards to the IdP appropriately, but upon return no login occurs and &error=OAuthAccountNotLinked is appended to the callback URL.

To Reproduce
Steps to reproduce the behavior:

  1. Have a working Authentik OAuth provider using 2023.10 of Authentik
  2. Use the IdP to log in and create the user account
  3. Update Authentik to 2024.1 (or 2024.2)
  4. Try to log in with provider
  5. Redirect to provider and confirm authentication
  6. Redirect to Linkwarden and see the login screen again
  7. Notice that in the URL bar, &error=OAuthAccountNotLinked has been appended. Each subsequent login attempt adds another &error=OAuthAccountNotLinked to the URL

Expected behavior
Rather than redirecting to a login screen, I expect to be logged into the application.

Additional context
Not super informative to me, but these are the associated logs that generate during the sign-in attempt:

[0] prisma:query SELECT "public"."Account"."id", "public"."Account"."userId" FROM "public"."Account" WHERE (("public"."Account"."provider" = $1 AND "public"."Account"."providerAccountId" = $2) AND 1=1) LIMIT $3 OFFSET $4

[0] prisma:query SELECT "public"."Account"."id", "public"."Account"."userId", "public"."Account"."type", "public"."Account"."provider", "public"."Account"."providerAccountId", "public"."Account"."refresh_token", "public"."Account"."access_token", "public"."Account"."expires_at", "public"."Account"."token_type", "public"."Account"."scope", "public"."Account"."id_token", "public"."Account"."session_state" FROM "public"."Account" WHERE "public"."Account"."providerAccountId" = $1 LIMIT $2 OFFSET $3

[0] prisma:query SELECT "public"."Account"."id", "public"."Account"."userId" FROM "public"."Account" WHERE (("public"."Account"."provider" = $1 AND "public"."Account"."providerAccountId" = $2) AND 1=1) LIMIT $3 OFFSET $4

[0] prisma:query SELECT "public"."User"."id", "public"."User"."name", "public"."User"."username", "public"."User"."email", "public"."User"."emailVerified", "public"."User"."image", "public"."User"."password", "public"."User"."collectionOrder", "public"."User"."linksRouteTo", "public"."User"."preventDuplicateLinks", "public"."User"."archiveAsScreenshot", "public"."User"."archiveAsPDF", "public"."User"."archiveAsWaybackMachine", "public"."User"."isPrivate", "public"."User"."createdAt", "public"."User"."updatedAt" FROM "public"."User" WHERE ("public"."User"."email" = $1 AND 1=1) LIMIT $2 OFFSET $3

For what it's worth, other OAuth-bound services are not having this same problem after the update. Updating Linkwarden itself has not helped either.

modem7 commented 2 weeks ago

Can confirm I am also receiving the same behaviour on Authentik 2024.10.1

Mentioning @daniel31x13 for visibility just in case this issue has fallen off the radar.

[0] prisma:query SELECT "public"."Account"."id", "public"."Account"."userId" FROM "public"."Account" WHERE (("public"."Account"."provider" = $1 AND "public"."Account"."providerAccountId" = $2) AND 1=1) LIMIT $3 OFFSET $4

[0] prisma:query SELECT "public"."Account"."id", "public"."Account"."userId", "public"."Account"."type", "public"."Account"."provider", "public"."Account"."providerAccountId", "public"."Account"."refresh_token", "public"."Account"."access_token", "public"."Account"."expires_at", "public"."Account"."token_type", "public"."Account"."scope", "public"."Account"."id_token", "public"."Account"."session_state" FROM "public"."Account" WHERE "public"."Account"."providerAccountId" = $1 LIMIT $2 OFFSET $3

[0] prisma:query SELECT "public"."Account"."id", "public"."Account"."userId" FROM "public"."Account" WHERE (("public"."Account"."provider" = $1 AND "public"."Account"."providerAccountId" = $2) AND 1=1) LIMIT $3 OFFSET $4

[0] prisma:query SELECT "public"."User"."id", "public"."User"."name", "public"."User"."username", "public"."User"."email", "public"."User"."emailVerified", "public"."User"."unverifiedNewEmail", "public"."User"."image", "public"."User"."password", "public"."User"."locale", "public"."User"."collectionOrder", "public"."User"."linksRouteTo", "public"."User"."preventDuplicateLinks", "public"."User"."archiveAsScreenshot", "public"."User"."archiveAsMonolith", "public"."User"."archiveAsPDF", "public"."User"."archiveAsWaybackMachine", "public"."User"."isPrivate", "public"."User"."createdAt", "public"."User"."updatedAt" FROM "public"."User" WHERE ("public"."User"."email" = $1 AND 1=1) LIMIT $2 OFFSET $3

If I do a preview on Authentik, it gives me the following values:

{
    "iss": "https://myurl/application/o/linkwarden/",
    "sub": "obfuscated",
    "aud": "obfuscated",
    "exp": obfuscated,
    "iat": obfuscated,
    "auth_time": obfuscated,
    "acr": "goauthentik.io/providers/oauth2/default",
    "email": "obfuscated",
    "email_verified": true,
    "name": "obfuscated",
    "given_name": "obfuscated",
    "preferred_username": "obfuscated",
    "nickname": "obfuscated",
    "groups": [
        "authentik-admins",
        "authentik-users"
    ]
}
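The two lookups in the prisma:query lines above (Account by provider + providerAccountId, then User by email) and the `sub` claim in the token preview are the inputs to the linking decision that yields OAuthAccountNotLinked. The following is an added model of that decision, not Linkwarden's or NextAuth's own code; the database contents, the "authentik" provider name and the changed-`sub` scenario are constructed assumptions, and the `allowEmailLinking` flag stands in for NextAuth's per-provider `allowDangerousEmailAccountLinking` option.

```typescript
// Added example, not Linkwarden's or NextAuth's own code: a model of the
// account-linking decision an OAuth callback makes, using the token's `sub`
// claim as providerAccountId and the two lookups seen in the prisma:query log.
type Account = { provider: string; providerAccountId: string; userId: string };
type User = { id: string; email: string };
type Profile = { sub: string; email: string; email_verified: boolean };
type Db = { accounts: Account[]; users: User[] };
type Outcome =
  | { action: "signIn"; userId: string }
  | { action: "createUser"; email: string }
  | { action: "error"; code: "OAuthAccountNotLinked" };
// Constructed sample state: one user, created by an earlier IdP login whose
// token carried sub = "sub-before-upgrade".
function sampleDb(): Db {
  return {
    accounts: [{ provider: "authentik", providerAccountId: "sub-before-upgrade", userId: "u1" }],
    users: [{ id: "u1", email: "alice@example.com" }],
  };
}
function resolveOAuthSignIn(db: Db, provider: string, profile: Profile, allowEmailLinking = false): Outcome {
  // 1. A hit on (provider, sub) means this identity is already linked: sign in.
  const linked = db.accounts.find(a => a.provider === provider && a.providerAccountId === profile.sub);
  if (linked) return { action: "signIn", userId: linked.userId };
  // 2. No linked account, but a user with the same email already exists.
  const byEmail = db.users.find(u => u.email === profile.email);
  if (byEmail) {
    // Default: refuse to link on email alone. Any provider asserting a matching
    // email could otherwise take over the account, so the callback reports
    // OAuthAccountNotLinked, the error appended to the URL in this issue.
    if (!allowEmailLinking) return { action: "error", code: "OAuthAccountNotLinked" };
    db.accounts.push({ provider, providerAccountId: profile.sub, userId: byEmail.id });
    return { action: "signIn", userId: byEmail.id };
  }
  // 3. Unknown identity and unknown email: a fresh user would be created and linked.
  return { action: "createUser", email: profile.email };
}
// Operator-side repair after confirming out of band that the new subject is the
// same person: link it to the existing user explicitly, leaving the email rule strict.
function linkAccount(db: Db, userId: string, provider: string, sub: string): void {
  db.accounts.push({ provider, providerAccountId: sub, userId });
}
// Assumed scenario (not established in the issue): the IdP now returns a different `sub`.
const afterUpgrade: Profile = { sub: "sub-after-upgrade", email: "alice@example.com", email_verified: true };
const demoDb = sampleDb();
console.log(resolveOAuthSignIn(demoDb, "authentik", afterUpgrade)); // { action: "error", code: "OAuthAccountNotLinked" }
linkAccount(demoDb, "u1", "authentik", afterUpgrade.sub);
console.log(resolveOAuthSignIn(demoDb, "authentik", afterUpgrade)); // { action: "signIn", userId: "u1" }
```

Comparing the stored providerAccountId with the `sub` the IdP returns now is the first check worth making when this error appears after an IdP upgrade.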