New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proxy provider random incorrect redirects #6886
Comments
I was just thinking... I'm pretty sure back in the day when I used authelia I didn't notice this problem with forward auth. I don't suppose there is something that can be referenced in their code? EDIT: People, no need to comment on this thread and needlessly spam people. To vote on this, just click the thumbs up (👍🏻 ) on the first post! |
Not sure if this information is of any use, but I find this behavior occurs fairly consistently with the docker container for Semaphore (Ansible). Maybe it's of some use for debugging, I don't know. It seems to forward fine the first time, but if the tab is left for a while, and it re-auths on refreshing the page then it fairly consistently ends up at /api/ws instead of whatever page it was previously on. |
I have this problem a LOT on the 'arr stack of software. It's usually API requests that end up getting stuck and it's mighty frustrating. For reference I use NPM as my Proxy Provider and Authentik as a Forward Auth provider. |
I've also been having this issue for quite some time. I figured that I had misconfigured something but maybe not. I'm using Traefik with the standard k8s ingress resource plus Traefik's annotations to set the normal outpost-created middleware, e.g.:
Only maybe-workaround I've noticed: the issue appears when you re-authenticate, so if you increase the length of token validity it becomes progressively less annoying. I find that minutes=60 isn't too bad. Try it at your own risk I guess. |
Having the same issues with Authentik forward auth and Traefik. |
Having the same issues with Authentik forward auth and traefik proxy. |
I've had this issue for a while, and thought it might have been related to or caused by #7464, but after (hopefully) finding the root of that problem, the redirects to CSS and other assets for Actual and Nginx Proxy Manager have continued. I'm using Authentik for forward auth for a few of my services, and using Nginx Proxy Manager for reverse proxy. |
same issue, very frustrating |
I also have this issue for a long time its just really bothering me now because i use a new home dashboard thats app style and wont let you change the url path quickly on mobile. It happens mostly after revisiting an app like the arrs or home assistant with in a certain short time frame only with proxy provider in both proxy mode and forward auth in combination with npm. With authelia back in the days I didn't have this issue but with authentik i always had this from the start mostly redirecting to /api and getting stuck removing everything after / fixes the issue until the next time it happens. A fix would be highly appreciated. |
I don't suppose the proxy outpost could be modified to use unique state values for every request and associate the redirect URL with that state value? |
I am running into this as well with https://github.com/janeczku/calibre-web with static assets not loading correctly. I can reproduce it within a few page loads. Surprisingly, I've only been able to reproduce in Safari - Firefox is working fine.
I converted my app to be a regular proxy provider and I had exactly the same issues. Anything I can offer to help debug this? |
I have the same issue with Authentik and Traefik. Assuming I am running Homer, or any other web app, here it is what I noticed:
So my conclusion is that the bad redirect happends upon the token creation. If the token is valid, the redirect is good. Maybe it is related to #8137 and the issue will be fixed with the next release? |
I closed #8137 shortly after creating it because I realized it's the same thing that's already discussed in a comment above. I don't think it's going to be fixed until someone basically rewrites how the proxy outpost handles it's redirect state. I tried to take a stab at it, but found out that trying to build authentik to test locally to be complicated enough that I can't spare the time for it personally. |
any chance this can be fixed? |
I actually discovered that I was accidentally running a version of Authentik from the spring. I've upgraded, and everything seems to be working fine for me. I'm pulling my back my offer to help debug this 😄 . |
Quite likely not the issue for others, but I believe one of the things I did prior to this issue disappearing was resetting the container names in my Portainer stack. I'd customized them to be less verbose (authentik instead of authentik-server-1 or whatever), and I think leaving the containers to name themselves as they see fit might have fixed it for me. Then again, I tried a number of things back then, and I'm not positive which one actually resolved the issue as a result. |
I am running 2023.10.7… I will upgrade to 2024.2 and test again |
Actually I was on the newest version, 2024.2 was not released yet but I also tried 2024.2 and am facing the same issue |
I've got the same issue. When a load home assistant, the browser loads static content assets, hosted by ha, and randomly the redirect URI in the authentik callback is the url of static content. Is the brower cache try to call authentik in the wrong order (loading first an assets and then having a wrong redirect uri? The solution could be to not filter static assets but only apis endpoints, I'll try. |
Do you have this issue on every site? |
I found out that if you use the internal proxy instead of npm or nginx or whatever that you dont have this issue. I change all my *arrs sonarr etc to internal and now this works fine. Also something got better with the update couple of months back because for example home assistant redirects works 9 of the 10 times some times i still have black page after login but simple refresh fixes that. Wrong api redirect still happens in HA but only very occasionally. Thats my experience at least. |
I have multi websites in others subdomains, also in other vms, for instance a piwigo instance (photo php/nginx/mariadb app), and i've the same wrong random behaviour. |
The proposed fix #8594 is not merged into any of the release yet. Can we have this bumped to priority? |
I have the same issue with traefik forward auth and homer dashboard. After the session timeout and loggin in again in authentik it downloads static assets from homer (config.yml) |
This is a summarising issue for #4732, #5603, #4166, #6253 and a bunch of other ones
The gist of the issue is that the proxy provider will occasionally (depending on application it happens more or less often) redirect to the incorrect URL. As far as I know this only happens with the forward_auth and forward_auth domain mode
This is caused by the provider saving the final redirect URL in the session whenever accessing the forward_auth url without a session, so that the final redirect can be done correctly. When using a website/PWA that loads many things at once, requests for resources can be sent at the same time and overwrite that session value, causing the final redirect to point to a JS/CSS file, or with the forward_auth domain mode even to point to a different domain.
The text was updated successfully, but these errors were encountered: