Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reloading loop after update to 2023.10.1 #7342

Closed
Dual-0 opened this issue Oct 27, 2023 · 14 comments · Fixed by #7385
Closed

Reloading loop after update to 2023.10.1 #7342

Dual-0 opened this issue Oct 27, 2023 · 14 comments · Fixed by #7385
Labels
bug Something isn't working

Comments

@Dual-0
Copy link

Dual-0 commented Oct 27, 2023

Hello,

after the update to 2023.10.1 I notice a reloading loop after the authentication to my Prometheus site.
I use Proxy Provider with default-source-authentication (Welcome to authentik!) and default-provider-authorization-implicit-consent (Authorize Application) flow but I also try the default-authentication-flow (Welcome to authentik!) flow.

To Reproduce
Steps to reproduce the behavior:

  1. go to https://prometheus.mydomain.tld
  2. login with username + password
  3. type totp or use webauth

Expected behavior
Just login

Screenshots
image

Logs

docker-compose server log 
{"auth_via": "session", "event": "/application/o/authorize/?client_id=UNLD8W5HQ0EF8bGKDJjeibPpBYjaGtynRjgJU6zR&redirect_uri=https%3A%2F%2Fprometheus.mydomain.tld%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+ak_proxy+profile+openid&state=WS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "1.2.3.4", "request_id": "a7b9fdd8db374879a392d09307b38221", "runtime": 89, "scheme": "https", "status": 302, "timestamp": "2023-10-27T10:51:44.044205", "user": "myuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"auth_via": "session", "event": "/if/flow/default-provider-authorization-implicit-consent/?client_id=UNLD8W5HQ0EF8bGKDJjeibPpBYjaGtynRjgJU6zR&redirect_uri=https%3A%2F%2Fprometheus.mydomain.tld%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+ak_proxy+profile+openid&state=WS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "1.2.3.4", "request_id": "0dd8162c2d3845b6975bbeca170ce7af", "runtime": 65, "scheme": "https", "status": 200, "timestamp": "2023-10-27T10:51:44.135165", "user": "myuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 204645, "remote": "1.2.3.4", "scheme": "ws", "timestamp": "2023-10-27T10:51:44.250939", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"action": "authorize_application", "auth_via": "session", "client_ip": "1.2.3.4", "context": {"authorized_application": {"app": "authentik_core", "model_name": "application", "name": "Prometheus", "pk": "760e94c87e2348f4be08fa7fd0dda582"}, "flow": "736a469f79d045de9a03745a4791cd12", "geo": {"city": "Michelstadt", "continent": "EU", "country": "DE", "lat": 49.677, "long": 8.9925}, "http_request": {"args": {"client_id": "UNLD8W5HQ0EF8bGKDJjeibPpBYjaGtynRjgJU6zR", "redirect_uri": "https://prometheus.mydomain.tld/outpost.goauthentik.io/callback?X-authentik-auth-callback=true", "response_type": "code", "scope": "email ak_proxy profile openid", "state": "WS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A"}, "method": "GET", "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/"}, "scopes": "email ak_proxy profile openid"}, "event": "Created Event", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.events.models", "pid": 204645, "request_id": "70e4784e4b3b46dbabc0d0a70bbcc74b", "timestamp": "2023-10-27T10:51:44.285462", "user": {"email": "myuserver@myseconddomain.tld", "pk": 4, "username": "myuser"}}
{"auth_via": "session", "event": "Task published", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.root.celery", "pid": 204645, "request_id": "70e4784e4b3b46dbabc0d0a70bbcc74b", "task_id": "59debf88d6b84b45b1c05069f99e1177", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2023-10-27T10:51:44.309565"}
{"auth_via": "session", "event": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/?query=client_id%3DUNLD8W5HQ0EF8bGKDJjeibPpBYjaGtynRjgJU6zR%26redirect_uri%3Dhttps%253A%252F%252Fprometheus.mydomain.tld%252Foutpost.goauthentik.io%252Fcallback%253FX-authentik-auth-callback%253Dtrue%26response_type%3Dcode%26scope%3Demail%2Bak_proxy%2Bprofile%2Bopenid%26state%3DWS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "1.2.3.4", "request_id": "70e4784e4b3b46dbabc0d0a70bbcc74b", "runtime": 94, "scheme": "https", "status": 200, "timestamp": "2023-10-27T10:51:44.322200", "user": "myuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "event": "/application/o/token/", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 204645, "remote": "127.0.0.1", "request_id": "78718fb199044b8db780119ee071fc17", "runtime": 96, "scheme": "https", "status": 200, "timestamp": "2023-10-27T10:51:44.557762", "user": "", "user_agent": "goauthentik.io/outpost/2023.10.1 (provider=Prometheus)"}
{"event":"/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=9cb4d2b1e9074737a5a97c33d85761d0&state=WS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A","host":"prometheus.mydomain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Prometheus","remote":"10.0.0.2:53698","runtime":"101.622","scheme":"http","size":49,"status":302,"timestamp":"2023-10-27T10:51:44Z","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"event":"/outpost.goauthentik.io/auth/nginx","host":"prometheus.mydomain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Prometheus","remote":"10.0.0.2:53714","runtime":"0.526","scheme":"http","size":21,"status":401,"timestamp":"2023-10-27T10:51:44Z","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"event":"/outpost.goauthentik.io/start?rd=https://prometheus.mydomain.tld/","host":"prometheus.mydomain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Prometheus","remote":"10.0.0.2:53720","runtime":"0.554","scheme":"http","size":355,"status":302,"timestamp":"2023-10-27T10:51:44Z","user":"myuser","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"auth_via": "session", "event": "/application/o/authorize/?client_id=UNLD8W5HQ0EF8bGKDJjeibPpBYjaGtynRjgJU6zR&redirect_uri=https%3A%2F%2Fprometheus.mydomain.tld%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+ak_proxy+profile+openid&state=WS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "1.2.3.4", "request_id": "050e2ef5826247e4b68bf01d1ba0aa98", "runtime": 85, "scheme": "https", "status": 302, "timestamp": "2023-10-27T10:51:44.719550", "user": "myuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"auth_via": "session", "event": "/if/flow/default-provider-authorization-implicit-consent/?client_id=UNLD8W5HQ0EF8bGKDJjeibPpBYjaGtynRjgJU6zR&redirect_uri=https%3A%2F%2Fprometheus.mydomain.tld%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+ak_proxy+profile+openid&state=WS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "1.2.3.4", "request_id": "a879c0ce104f4b139a72ec614d132910", "runtime": 68, "scheme": "https", "status": 200, "timestamp": "2023-10-27T10:51:44.814714", "user": "myuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 204412, "remote": "1.2.3.4", "scheme": "ws", "timestamp": "2023-10-27T10:51:44.944475", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"action": "authorize_application", "auth_via": "session", "client_ip": "1.2.3.4", "context": {"authorized_application": {"app": "authentik_core", "model_name": "application", "name": "Prometheus", "pk": "760e94c87e2348f4be08fa7fd0dda582"}, "flow": "736a469f79d045de9a03745a4791cd12", "geo": {"city": "Michelstadt", "continent": "EU", "country": "DE", "lat": 49.677, "long": 8.9925}, "http_request": {"args": {"client_id": "UNLD8W5HQ0EF8bGKDJjeibPpBYjaGtynRjgJU6zR", "redirect_uri": "https://prometheus.mydomain.tld/outpost.goauthentik.io/callback?X-authentik-auth-callback=true", "response_type": "code", "scope": "email ak_proxy profile openid", "state": "WS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A"}, "method": "GET", "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/"}, "scopes": "email ak_proxy profile openid"}, "event": "Created Event", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.events.models", "pid": 204645, "request_id": "c580234d25904137a76cae31909bb237", "timestamp": "2023-10-27T10:51:44.969950", "user": {"email": "myuserver@myseconddomain.tld", "pk": 4, "username": "myuser"}}
{"auth_via": "session", "event": "Task published", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.root.celery", "pid": 204645, "request_id": "c580234d25904137a76cae31909bb237", "task_id": "da8a3fea2a704137bb293b5cfc708fe6", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2023-10-27T10:51:44.983304"}
{"auth_via": "session", "event": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/?query=client_id%3DUNLD8W5HQ0EF8bGKDJjeibPpBYjaGtynRjgJU6zR%26redirect_uri%3Dhttps%253A%252F%252Fprometheus.mydomain.tld%252Foutpost.goauthentik.io%252Fcallback%253FX-authentik-auth-callback%253Dtrue%26response_type%3Dcode%26scope%3Demail%2Bak_proxy%2Bprofile%2Bopenid%26state%3DWS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "1.2.3.4", "request_id": "c580234d25904137a76cae31909bb237", "runtime": 76, "scheme": "https", "status": 200, "timestamp": "2023-10-27T10:51:44.992212", "user": "myuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "event": "/application/o/token/", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 204645, "remote": "127.0.0.1", "request_id": "87f3d28d682d483388727e6e6e9522cc", "runtime": 105, "scheme": "https", "status": 200, "timestamp": "2023-10-27T10:51:45.207773", "user": "", "user_agent": "goauthentik.io/outpost/2023.10.1 (provider=Prometheus)"}
{"event":"/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=44c773e6ef494fd7912d9265f89b63ec&state=WS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A","host":"prometheus.mydomain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Prometheus","remote":"10.0.0.2:53752","runtime":"111.063","scheme":"http","size":49,"status":302,"timestamp":"2023-10-27T10:51:45Z","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"event":"/outpost.goauthentik.io/auth/nginx","host":"prometheus.mydomain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Prometheus","remote":"10.0.0.2:53758","runtime":"1.121","scheme":"http","size":21,"status":401,"timestamp":"2023-10-27T10:51:45Z","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"event":"/outpost.goauthentik.io/start?rd=https://prometheus.mydomain.tld/","host":"prometheus.mydomain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"Prometheus","remote":"10.0.0.2:53764","runtime":"0.900","scheme":"http","size":355,"status":302,"timestamp":"2023-10-27T10:51:45Z","user":"myuser","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"auth_via": "session", "event": "/application/o/authorize/?client_id=UNLD8W5HQ0EF8bGKDJjeibPpBYjaGtynRjgJU6zR&redirect_uri=https%3A%2F%2Fprometheus.mydomain.tld%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+ak_proxy+profile+openid&state=WS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "1.2.3.4", "request_id": "85faeeff10b14081b86c1251cdf4239c", "runtime": 88, "scheme": "https", "status": 302, "timestamp": "2023-10-27T10:51:45.373149", "user": "myuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"auth_via": "session", "event": "/if/flow/default-provider-authorization-implicit-consent/?client_id=UNLD8W5HQ0EF8bGKDJjeibPpBYjaGtynRjgJU6zR&redirect_uri=https%3A%2F%2Fprometheus.mydomain.tld%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue&response_type=code&scope=email+ak_proxy+profile+openid&state=WS0YaYkNCzXGmK0HUiaOB5h6Crpja_qVXVcthdwEF7A", "host": "auth.mydomain.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "1.2.3.4", "request_id": "494493ad65f74cae8ac2cbe48f442b78", "runtime": 66, "scheme": "https", "status": 200, "timestamp": "2023-10-27T10:51:45.468381", "user": "myuser", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "event": "/-/health/live/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "255.255.255.255", "request_id": "844d441e095b458b8004f76cd76b41f6", "runtime": 41, "scheme": "http", "status": 204, "timestamp": "2023-10-27T10:51:46.292887", "user": "", "user_agent": "goauthentik.io/router/healthcheck"}
{"event":"updating tenant certificates","level":"info","logger":"authentik.router.tenant_tls","timestamp":"2023-10-27T10:51:48Z"}
{"auth_via": "secret_key", "event": "/api/v3/core/tenants/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204412, "remote": "127.0.0.1", "request_id": "859b18aa275d4283bd72bfdec87de00a", "runtime": 600, "scheme": "http", "status": 200, "timestamp": "2023-10-27T10:51:49.105568", "user": "ak-outpost-5d519aba45e24101b1edc324102bc38c", "user_agent": "goauthentik.io/outpost/2023.10.1"}
{"event":"/outpost.goauthentik.io/auth/nginx","host":"rss.mydomain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"RSS","remote":"10.0.0.2:48158","runtime":"0.877","scheme":"http","size":0,"status":200,"timestamp":"2023-10-27T10:52:10Z","user":"myuser","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"event":"/outpost.goauthentik.io/auth/nginx","host":"rss.mydomain.tld","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"RSS","remote":"10.0.0.2:48164","runtime":"0.312","scheme":"http","size":0,"status":200,"timestamp":"2023-10-27T10:52:10Z","user":"myuser","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "event": "/-/health/live/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "255.255.255.255", "request_id": "0898170afe3f4f57ab91b8085625b2aa", "runtime": 36, "scheme": "http", "status": 204, "timestamp": "2023-10-27T10:52:16.289025", "user": "", "user_agent": "goauthentik.io/router/healthcheck"}
{"event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 204645, "remote": "1.2.3.4", "scheme": "ws", "timestamp": "2023-10-27T10:52:23.510589", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "event": "/-/health/live/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "255.255.255.255", "request_id": "ae02d2159fd44b3bb68f599fc2d29813", "runtime": 45, "scheme": "http", "status": 204, "timestamp": "2023-10-27T10:52:46.298055", "user": "", "user_agent": "goauthentik.io/router/healthcheck"}
{"auth_via": "unauthenticated", "event": "/-/health/live/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "255.255.255.255", "request_id": "1c22c57426e4474e9b35fcf7886d6c08", "runtime": 53, "scheme": "http", "status": 204, "timestamp": "2023-10-27T10:53:16.306369", "user": "", "user_agent": "goauthentik.io/router/healthcheck"}
{"event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 204645, "remote": "1.2.3.4", "scheme": "ws", "timestamp": "2023-10-27T10:53:24.510672", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"}
{"auth_via": "unauthenticated", "event": "/-/health/live/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 204645, "remote": "255.255.255.255", "request_id": "e27746ff98944d509e81b6a984625268", "runtime": 46, "scheme": "http", "status": 204, "timestamp": "2023-10-27T10:53:46.307131", "user": "", "user_agent": "goauthentik.io/router/healthcheck"}

Version and Deployment (please complete the following information):

  • authentik version: 2023.10.1
  • Deployment: docker-compose
@Dual-0 Dual-0 added the bug Something isn't working label Oct 27, 2023
@BeryJu
Copy link
Member

BeryJu commented Oct 27, 2023

should be fixed by #7324, you can test with the images linked in that PR

@BeryJu BeryJu closed this as completed Oct 27, 2023
@Kaaybi
Copy link

Kaaybi commented Oct 29, 2023

I can still reproduce after updating to 2023.10.2

@yaakovfeldman
Copy link

I can still reproduce after updating to 2023.10.2

So can I - I don't think that fix is in 2023.10.2

@yaakovfeldman yaakovfeldman mentioned this issue Oct 29, 2023
Closed
@aceat64
Copy link

aceat64 commented Oct 29, 2023

I had this issue under 2023.10.1 and can confirm that it still occurring in 2023.10.2. I also tested with default-provider-authorization-explicit-consent to no avail.

@lexxxel
Copy link

lexxxel commented Oct 29, 2023

@Kaaybi @yaakovfeldman @aceat64 Have you deleted the cookies for the URL? I had to delete the 2 cookies for the domain I tried to reach (after the update to 2023.10.2), then I could reach the site without a loop, again.

@aceat64
Copy link

aceat64 commented Oct 29, 2023

I did, which will let me through, but the issue returns once the cookie named authentik_proxy_<redacted> expires. I have the "Token validity" setting hours=24, which means clearing my cookies is only good for a day.

@nismanoku
Copy link

I have the exact same issue with redis and postgress when i updated to version 2023.10.1. After the "Token validity" setting expires i get the login screen and enter my credentials. After that i can see login successful top right of the screen and then it keeps looping the same screen with the loading logo spinning. This happens with the forward auth middleware build in to traefik and update to 2023.10.2)

Authentik is proxied withouth the forward auth middleware and i can access it as normal. Also have one service (docker) running local using the OAuth2/OpenID Provider and this also has no issues when repeatedly logging in and out.

Seeing the redis errors in noted by #7374 in my logs.

Set a new database on redis and postgres and let authentik build it completely new and restored the old database for the case any tables where missing > issues still happening.

The only thing working is removing the cookies from the browser (chrome) and then login with forward auth works until the "Token validity" setting expires.

Also getting the error when authentik starts up:
{"app_name": "authentik.stages.authenticator", "event": "Could not import app's URLs", "exc": "ModuleNotFoundError(\"No module named 'authentik.stages.authenticator.urls'\")", "level": "warning", "logger": "authentik.api.v3.urls", "pid": 28, "timestamp": "2023-10-30T15:50:09.943172"} {"app_name": "authentik.stages.authenticator", "event": "Could not import app's URLs", "exc": "ModuleNotFoundError(\"No module named 'authentik.stages.authenticator.urls'\")", "level": "warning", "logger": "authentik.api.v3.urls", "pid": 27, "timestamp": "2023-10-30T15:50:10.394534"} {"app_name": "authentik.stages.authenticator", "event": "Could not import app's URLs", "exc": "ModuleNotFoundError(\"No module named 'authentik.stages.authenticator.urls'\")", "level": "warning", "logger": "authentik.api.v3.urls", "pid": 29, "timestamp": "2023-10-30T15:50:10.725651"} {"app_name": "authentik.stages.authenticator", "event": "Could not import app's URLs", "exc": "ModuleNotFoundError(\"No module named 'authentik.stages.authenticator.urls'\")", "level": "warning", "logger": "authentik.api.v3.urls", "pid": 30, "timestamp": "2023-10-30T15:50:10.823260"}

If any information is needed for debugging let me know as i'm happy to help improving this great product.

@raldnor
Copy link

raldnor commented Oct 30, 2023

I am bitten by exactly the same bug. Running Authentik 2023.10.1 behind Nginx. Deletion of cookies works until the new cookie expires.

@BeryJu BeryJu reopened this Oct 30, 2023
@BeryJu BeryJu mentioned this issue Oct 30, 2023
Merged
7 tasks
@BeryJu
Copy link
Member

BeryJu commented Oct 30, 2023

@raldnor @nismanoku @aceat64 @lexxxel please test the images from here #7385 (comment)

@aceat64
Copy link

aceat64 commented Oct 31, 2023

I cleared all cookies for my domains and updated to those images for testing. Same results. I was able to access the proxied service but once the access token expired the issue came back. (I deleted the cookie to simulate expiration)

@nismanoku
Copy link

nismanoku commented Oct 31, 2023
edited
Loading

I haven't yet updated to the images from #7385. Because yesterday i removed some of the providers and applications that where created before the update and recreated them. Afterwards i added them back to the embedded outpost and when logging in i got a clientid error notification. After refreshing the page i got the login page again and entered my credentials again after which i was authorized and redirect (traefik) to the service i was trying to access.

Today i tried to login to those services again and i was successfully authorized and redirected to the services i was trying to reach. Well beyond the token validity setting duration of multiple services (single proxy authentication applications). Also haven't seen any of the errors with redis and/or authentik in the logs as prior to recreating the providers and applications. So i don't want to upgrade right away and give it some time for the token validity to expire again to test further if the loop comes back again or not without changing any other variables.

Will follow if the loop comes back again or not. Has anyone of the others already tried recreating the providers and applications and re-adding them to the outpost for their services?

Add-on:
Just tried again and had to enter my credentials again to login to authentik. After that any service i try to access get back in the loop again. Wanted to give te mentioned pr release a try but don't know how to enter the provided details below correctly
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-providers-proxy-fix-closed-redis-client-1698699753-596c16b
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Entered details as below in the repository field and started up. Entered the outpost setting as a environment variable but the outpost in authentik still gives 2023.10.2 (build 596c16b) as version while authentik gives the correct version [596c16b] Based on 2023.10.2. i'm running as a docker on unraid with the provided community setup through ibracorp.
Repository: beryju/authentik:latest > Repository: ghcr.io/goauthentik/dev-server:gh-providers-proxy-fix-closed-redis-client-1698699753-596c16b

@justSem
Copy link
Contributor

justSem commented Nov 1, 2023

@nismanoku I'm seeing the exact same issue with a Kubernetes deployment on 2023.10.2.
For me, the PR didn't make any difference. Tried in different browsers, made sure to re-create both the outpost and the applications/providers, didn't seem to make a difference.

@cbc02009
Copy link

cbc02009 commented Nov 2, 2023

@BeryJu The image you linked me to on discord (#7385) seemed to fix the issue, but after a couple days it has now come back.

@nismanoku
Copy link

@BeryJu Haven't had the loop again till this day with #7385 ,will follow up.

@brujoand brujoand mentioned this issue Nov 8, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

providers/proxy: fix closed redis client goauthentik/authentik
10 participants
@aceat64 @BeryJu @lexxxel @raldnor @Kaaybi @yaakovfeldman @Dual-0 @cbc02009 @nismanoku @justSem