OIDC Source causes server error and complains about empty scheme

[svenakela]

Hi champs,
I have an external OIDC authentication service that is today in use with Entra, integrated as an OpenID connect identity provider. I am trying to get the service running with Authentik. It is added as a Source in a local Authentik installation (the .well-known/openid-configuration URL has been used to populate all the fields) and I have added the source in the default-authentication-identification stage. So far so good, a user will be redirected to the service as expected.

When a user is authenticated and the redirect to Authentik occurs, I will only get a "Server Error" and a trace in the logs. I am at least expecting a "User not authenticated" or coming back to the login screen, not an error dialog.

I don't really understand what the error means and need your help to proceed. Something is missing and I am too much of a Authentik noob to see the issue.

Also, I know that the auth service is providing the user ID in a claim named sub. Where do I define a new claim for the source?

Help me here, pretty please.

server-1  | {"event":"tracing request to backend","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Connection":["keep-alive"],"Cookie":["authentik_csrf=MFudADgUV2p2xYe0QFxgIrUCaR8obF5R; authentik_session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzaWQiOiJwZXozdmcyZGhvYWtkZzU3dHR5bjQwb2cxajc5dWNoMyIsImlzcyI6ImF1dGhlbnRpayIsInN1YiI6ImFub255bW91cyIsImF1dGhlbnRpY2F0ZWQiOmZhbHNlLCJhY3IiOiJnb2F1dGhlbnRpay5pby9jb3JlL2RlZmF1bHQifQ.c5VilBTmQyXyY7RqebI9eX2CsGUe0Tt6O06QzZhsfXg"],"Dnt":["1"],"Priority":["u=0, i"],"Referer":["https://ide**************/"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["cross-site"],"Sec-Gpc":["1"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Forwarded-Proto":["https"]},"level":"trace","logger":"authentik.router","timestamp":"2024-12-19T11:52:05Z","url":"http://localhost:8000/source/oauth/callback/bankid/?response_type=code&state=Rgpt6ptUuvuJ9jIF4DonsFI0ak7ecJ7c&code=99a108ec-39df-437b-a4f0-84f4f407124b"}

server-1  | {"auth_via": "unauthenticated", "domain_url": "localhost", "event": "dispatching OAuth2 request to", "host": "localhost:9443", "kind": "<RequestKind.CALLBACK: 'callback'>", "level": "debug", "logger": "authentik.sources.oauth.views.dispatcher", "pid": 47, "request_id": "edb6c93b898447c899470504261f257e", "schema_name": "public", "timestamp": "2024-12-19T11:52:05.616601", "view": "<class 'authentik.sources.oauth.types.oidc.OpenIDConnectOAuth2Callback'>"}

server-1  | {"auth_via": "unauthenticated", "domain_url": "localhost", "event": "dropping exception", "exc": "MissingSchema(\"Invalid URL '': No scheme supplied. Perhaps you meant https://?\")", "host": "localhost:9443", "level": "debug", "logger": "authentik.lib.sentry", "pid": 47, "request_id": "edb6c93b898447c899470504261f257e", "schema_name": "public", "timestamp": "2024-12-19T11:52:05.696474"}

server-1  | {"auth_via": "unauthenticated", "domain_url": null, "event": "dropping exception", "exc": "MissingSchema(\"Invalid URL '': No scheme supplied. Perhaps you meant https://?\")", "host": "localhost:9443", "level": "debug", "logger": "authentik.lib.sentry", "pid": 47, "request_id": "edb6c93b898447c899470504261f257e", "schema_name": "public", "timestamp": "2024-12-19T11:52:05.712405"}

server-1  | {"event": "Internal Server Error: /source/oauth/callback/bankid/", "exception": [{"exc_type": "MissingSchema", "exc_value": "Invalid URL '': No scheme supplied. Perhaps you meant https://?", "frames": [{"filename": "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", "lineno": 518, "locals": {"args": "'(functools.partial(<function response_for_exception at 0x71b6d35d0680>, <ASGIReq'+228", "exc_info": "'(<class \\'requests.exceptions.MissingSchema\\'>, MissingSchema(\"Invalid URL \\'\\': No '+85", "func": "<built-in method run of _contextvars.Context object at 0x71b6c83c97c0>", "kwargs": "{}", "loop": "<uvloop.Loop running=True closed=False debug=False>", "self": "<asgiref.sync.SyncToAsync object at 0x71b6c8136f30>", "task_context": "[]"}, "name": "thread_handler"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/django/core/handlers/exception.py", "lineno": 42, "locals": {"exc": "MissingSchema(\"Invalid URL '': No scheme supplied. Perhaps you meant https://?\")", "get_response": "'<bound method BaseHandler._get_response_async of <django.core.handlers.asgi.ASGI'+34", "request": "\"<ASGIRequest: GET '/source/oauth/callback/bankid/?response_type=code&state=Rgpt6\"+71"}, "name": "inner"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", "lineno": 518, "locals": {"args": "'(functools.partial(<bound method BaseHandler.process_exception_by_middleware of '+303", "exc_info": "'(<class \\'requests.exceptions.MissingSchema\\'>, MissingSchema(\"Invalid URL \\'\\': No '+85", "func": "<built-in method run of _contextvars.Context object at 0x71b6c83a29c0>", "kwargs": "{}", "loop": "<uvloop.Loop running=True closed=False debug=False>", "self": "<asgiref.sync.SyncToAsync object at 0x71b6c81355b0>", "task_context": "[]"}, "name": "thread_handler"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/django/core/handlers/base.py", "lineno": 253, "locals": {"callback": "<function View.as_view.<locals>.view at 0x71b6cb80ed40>", "callback_args": "()", "callback_kwargs": "{'source_slug': 'bankid'}", "middleware_method": "<asgiref.sync.SyncToAsync object at 0x71b6c94d1fd0>", "request": "\"<ASGIRequest: GET '/source/oauth/callback/bankid/?response_type=code&state=Rgpt6\"+71", "response": "None", "self": "<django.core.handlers.asgi.ASGIHandler object at 0x71b6c936faa0>", "wrapped_callback": "<asgiref.sync.SyncToAsync object at 0x71b6c8137e30>"}, "name": "_get_response_async"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", "lineno": 468, "locals": {"args": "\"(<ASGIRequest: GET '/source/oauth/callback/bankid/?response_type=code&state=Rgpt\"+74", "child": "'functools.partial(<function View.as_view.<locals>.view at 0x71b6c8242200>, <ASGI'+169", "context": "<_contextvars.Context object at 0x71b6c83c0240>", "current_thread_executor": "<asgiref.current_thread_executor.CurrentThreadExecutor object at 0x71b6c81353a0>", "exec_coro": "'<Future finished exception=MissingSchema(\"Invalid URL \\'\\': No scheme supplied. Pe'+28", "executor": "<asgiref.current_thread_executor.CurrentThreadExecutor object at 0x71b6c81353a0>", "func": "<built-in method run of _contextvars.Context object at 0x71b6c83c0240>", "kwargs": "{'source_slug': 'bankid'}", "loop": "<uvloop.Loop running=True closed=False debug=False>", "self": "<asgiref.sync.SyncToAsync object at 0x71b6c8137e30>", "task_context": "[]"}, "name": "__call__"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/asgiref/current_thread_executor.py", "lineno": 40, "locals": {"self": "None"}, "name": "run"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", "lineno": 522, "locals": {"args": "'(functools.partial(<function View.as_view.<locals>.view at 0x71b6c8242200>, <ASG'+172", "exc_info": "(None, None, None)", "func": "<built-in method run of _contextvars.Context object at 0x71b6c83c0240>", "kwargs": "{}", "loop": "<uvloop.Loop running=True closed=False debug=False>", "self": "<asgiref.sync.SyncToAsync object at 0x71b6c8137e30>", "task_context": "[]"}, "name": "thread_handler"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/sentry_sdk/integrations/django/views.py", "lineno": 90, "locals": {"DjangoIntegration": "<class 'sentry_sdk.integrations.django.DjangoIntegration'>", "args": "()", "callback": "<function View.as_view.<locals>.view at 0x71b6cb80ed40>", "kwargs": "{'source_slug': 'bankid'}", "request": "\"<ASGIRequest: GET '/source/oauth/callback/bankid/?response_type=code&state=Rgpt6\"+71", "sentry_scope": "<Scope id=0x71b6c82d7e00 name=asgi type=ScopeType.ISOLATION>"}, "name": "sentry_wrapped_callback"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/django/views/generic/base.py", "lineno": 104, "locals": {"args": "()", "cls": "<class 'authentik.sources.oauth.views.dispatcher.DispatcherView'>", "initkwargs": "{'kind': <RequestKind.CALLBACK: 'callback'>}", "kwargs": "{'source_slug': 'bankid'}", "request": "\"<ASGIRequest: GET '/source/oauth/callback/bankid/?response_type=code&state=Rgpt6\"+71", "self": "'<authentik.sources.oauth.views.dispatcher.DispatcherView object at 0x71b6c8136e4'+2"}, "name": "view"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/django/utils/decorators.py", "lineno": 48, "locals": {"args": "\"(<ASGIRequest: GET '/source/oauth/callback/bankid/?response_type=code&state=Rgpt\"+74", "bound_method": "<function DispatcherView.dispatch at 0x71b6c835b560>", "dec": "<function csrf_exempt at 0x71b6d25ed440>", "decorators": "[<function csrf_exempt at 0x71b6d25ed440>]", "kwargs": "{'source_slug': 'bankid'}", "method": "<function DispatcherView.dispatch at 0x71b6cb8445e0>", "self": "'<authentik.sources.oauth.views.dispatcher.DispatcherView object at 0x71b6c8136e4'+2"}, "name": "_wrapper"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/django/views/decorators/csrf.py", "lineno": 65, "locals": {"args": "()", "kwargs": "{'source_slug': 'bankid'}", "request": "\"<ASGIRequest: GET '/source/oauth/callback/bankid/?response_type=code&state=Rgpt6\"+71", "view_func": "'functools.partial(<bound method DispatcherView.dispatch of <authentik.sources.oa'+63"}, "name": "_view_wrapper"}, {"filename": "/authentik/sources/oauth/views/dispatcher.py", "lineno": 26, "locals": {"args": "\"(<ASGIRequest: GET '/source/oauth/callback/bankid/?response_type=code&state=Rgpt\"+74", "kwargs": "{}", "self": "'<authentik.sources.oauth.views.dispatcher.DispatcherView object at 0x71b6c8136e4'+2", "source": "<OAuthSource: OAuth Source bankid>", "source_slug": "'bankid'", "view": "<class 'authentik.sources.oauth.types.oidc.OpenIDConnectOAuth2Callback'>"}, "name": "dispatch"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/django/views/generic/base.py", "lineno": 104, "locals": {"args": "()", "cls": "<class 'authentik.sources.oauth.types.oidc.OpenIDConnectOAuth2Callback'>", "initkwargs": "{}", "kwargs": "{'source_slug': 'bankid'}", "request": "\"<ASGIRequest: GET '/source/oauth/callback/bankid/?response_type=code&state=Rgpt6\"+71", "self": "'<authentik.sources.oauth.types.oidc.OpenIDConnectOAuth2Callback object at 0x71b6'+9"}, "name": "view"}, {"filename": "/authentik/sources/oauth/views/callback.py", "lineno": 51, "locals": {"_": "()", "client": "'<authentik.sources.oauth.clients.oauth2.UserprofileHeaderAuthClient object at 0x'+13", "kwargs": "{'source_slug': 'bankid'}", "request": "\"<ASGIRequest: GET '/source/oauth/callback/bankid/?response_type=code&state=Rgpt6\"+71", "self": "'<authentik.sources.oauth.types.oidc.OpenIDConnectOAuth2Callback object at 0x71b6'+9", "slug": "'bankid'"}, "name": "dispatch"}, {"filename": "/authentik/sources/oauth/clients/oauth2.py", "lineno": 147, "locals": {"profile_url": "''", "self": "'<authentik.sources.oauth.clients.oauth2.UserprofileHeaderAuthClient object at 0x'+13", "token": "\"{'token_type': 'Bearer', 'access_token': 'eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlY2JjNj\"+1771"}, "name": "get_profile_info"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/requests/sessions.py", "lineno": 575, "locals": {"allow_redirects": "True", "auth": "None", "cert": "None", "cookies": "None", "data": "None", "files": "None", "headers": "\"{'Authorization': 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlY2JjNjljLTgzYzctNDQ4ZC\"+794", "hooks": "None", "json": "None", "method": "'get'", "params": "None", "proxies": "None", "req": "<Request [GET]>", "self": "<requests.sessions.Session object at 0x71b6c81b88f0>", "stream": "None", "timeout": "None", "url": "''", "verify": "None"}, "name": "request"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/requests/sessions.py", "lineno": 484, "locals": {"auth": "None", "cookies": "<RequestsCookieJar[]>", "merged_cookies": "<RequestsCookieJar[]>", "p": "<PreparedRequest [GET]>", "request": "<Request [GET]>", "self": "<requests.sessions.Session object at 0x71b6c81b88f0>"}, "name": "prepare_request"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/requests/models.py", "lineno": 367, "locals": {"auth": "None", "cookies": "<RequestsCookieJar[]>", "data": "{}", "files": "[]", "headers": "\"{'User-Agent': 'authentik@2024.10.5', 'Accept-Encoding': 'gzip, deflate', 'Accep\"+912", "hooks": "{'response': []}", "json": "None", "method": "'GET'", "params": "OrderedDict()", "self": "<PreparedRequest [GET]>", "url": "''"}, "name": "prepare"}, {"filename": "/ak-root/venv/lib/python3.12/site-packages/requests/models.py", "lineno": 438, "locals": {"auth": "None", "fragment": "None", "host": "None", "params": "OrderedDict()", "path": "None", "port": "None", "query": "None", "scheme": "None", "self": "<PreparedRequest [GET]>", "url": "''"}, "name": "prepare_url"}], "is_cause": false, "syntax_error": null}], "level": "error", "logger": "django.request", "timestamp": 1734609125.7128522}

server-1  | {"auth_via": "unauthenticated", "domain_url": "localhost", "event": "/source/oauth/callback/bankid/?response_type=code&state=Rgpt6ptUuvuJ9jIF4DonsFI0ak7ecJ7c&code=99a108ec-39df-437b-a4f0-84f4f407124b", "host": "localhost:9443", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 47, "remote": "172.18.0.1", "request_id": "edb6c93b898447c899470504261f257e", "runtime": 115, "schema_name": "public", "scheme": "https", "status": 500, "timestamp": "2024-12-19T11:52:05.717469", "user": "", "user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"}