No API access with OAuth Client #8666
Comments
Did it work with version 2023.10.7? Maybe this is related to 2024.2.1 #8834
Same issue after upgrading from
I've had this issue too and #9910 seems to solve it for me. I think what's going on is that although the API auth process requires the 'goauthentik.io/api' scope, by default the OAuth2 provider can't be configured to grant it. (I get the sense from #9910 this wasn't necessary in the past?) So even if the client requests the scope, the token it receives doesn't have it and this query for a valid access token returns no results. I updated to 2024.6.0-rc2, reapplied the System - OAuth2 Provider - Scopes blueprint, and then was able to add the 'goauthentik.io/api' scope to my provider. Works as expected now, for me at least.
Thanks for the update @mhampson31! I'll find time to try your approach.
I currently have Gitea set up with OpenID Connect to Authentik, and now recently have been getting "JWT token is expired" errors from Gitea. I found this GitHub issue, and what is referenced in this issue seems like the most plausible explanation for this problem. Your last step mentioning adding the "goauthentik.io/api" scope to the provider, can you clarify how this step is done? Thanks!
Updating this, turns out it was due to one of the cluster servers having an unsynced clock. All is good now!
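The two causes raised in the comments above (a requested scope that the provider never granted, and clock skew between hosts) can be told apart on the client before calling the API. This is an added example, not code from the thread or from authentik: the function names are hypothetical, the token is constructed for the demo, and it assumes the token endpoint reports the granted `scope` as RFC 6749 section 5.1 specifies.

```python
import base64
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(iat: int, exp: int) -> str:
    """Constructed JWT for the demo; the signature segment is a dummy value."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iat": iat, "exp": exp}).encode())
    return f"{header}.{payload}.{_b64url(b'constructed-signature')}"


def jwt_claims(token: str) -> dict:
    """Decode the payload segment only; no signature check (diagnostics, not auth)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def diagnose(requested_scope: str, token_response: dict, now: int, leeway: int = 30) -> list:
    """Return human-readable findings for a token response (hypothetical helper)."""
    findings = []
    # RFC 6749 section 5.1: "scope" is omitted only when it equals the request.
    granted = set(token_response.get("scope", requested_scope).split())
    for scope in sorted(set(requested_scope.split()) - granted):
        findings.append(f"scope not granted: {scope}")
    claims = jwt_claims(token_response["access_token"])
    if claims["iat"] > now + leeway:
        findings.append("iat in the future: clock skew between hosts")
    if claims["exp"] <= now - leeway:
        findings.append("token expired")
    return findings


if __name__ == "__main__":
    # Constructed response: the API scope was requested but not granted.
    requested = "openid email goauthentik.io/api"
    response = {"access_token": make_sample_token(1000, 4000), "scope": "openid email"}
    print(diagnose(requested, response, now=2000))
```

Pass the current Unix time as `now`; an empty list means neither condition explains the rejected token.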
Describe your question/
I was trying to fetch all users from the Authentik API through the JWT method as described in the docs.
https://goauthentik.io/developer-docs/api/#jwt-token
However, when I try to access the API with the access token generated, I always get a 401.
What am I missing?
Relevant infos
Authentik Version 2024.2.1
I added the scope goauthentik.io/api to the OAuth request, but it always returns a 403 with the details 'Token invalid/expired'.
In the OAuth Application/Provider configuration I haven't found the scope goauthentik.io/api, so I did not add it. (Maybe the issue is here?)
Logs
server-1 | {"cidr":"172.16.0.0/12","event":"Setting proxy headers","level":"trace","remoteAddr":"172.19.0.1","timestamp":"2024-02-23T07:38:00Z"}
server-1 | {"event":"tracing request to backend","headers":{"Accept":["/"],"Authorization":["Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImJjMmQyNjYwZTMyNDg4NzBlYmMwYjczOWUwYTM0YmFlIiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjkwMDAvYXBwbGljYXRpb24vby9wb3N0bWFuLyIsInN1YiI6ImI0YzdhN2M1ZDAyOTE5OTNjZjk2MDA1ZmM0YzU4ZjhkMDUwN2MxZTNmZWI2ZjE4Mjk2OWQ2MzE5YzI5MTA3ZGUiLCJhdWQiOiJ1bDZ6WVlFRkpSUUx1MlM2dHAySzFDSGN3am9aNURHZlRFSTdtQ0cyIiwiZXhwIjoxNzA4Njc2Mzc0LCJpYXQiOjE3MDg2NzM2NzQsImF1dGhfdGltZSI6MTcwODY3MjA1NSwiYWNyIjoiZ29hdXRoZW50aWsuaW8vcHJvdmlkZXJzL29hdXRoMi9kZWZhdWx0IiwiZW1haWwiOiJhZG1pbkBsb2NhbGhvc3QiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXpwIjoidWw2ellZRUZKUlFMdTJTNnRwMksxQ0hjd2pvWjVER2ZURUk3bUNHMiIsInVpZCI6Im5KYVBMdTh6a1pKdFBCU3ozbXI4d1d4VFRxNE9iRGp4d2hNYXIxTEgifQ.cIzlxZCsJZv2mTaUS5txVpf7ocBoc7BuwnJVuaaZixa8QKk5R4zpflm81WCTHuUaumiKKoJ8Gu58ueUROfNidHShPIUHZ9WAug7BoBSdxjMS-N4aB9rcsC2qvvM8JkuV3xEGrGFG2r5LCbhvGdxcPpgPVa0-x9qg6xkSvwuWebX7UBtY_g0qmpB9bSDQj1eKE5nvkrpM3DgonabRygL-GB4sB847j2CBZu9jvDOKitRqXgj-gJhHUhBu5gtuQiG2i1IOKqohqwoD5vTJbXuaIGoSV5Yo1PAwlxbY8bZ623TXWOH9jNWj32PJtG_pbtRLRnPCbv6ZVLvK_JMYoZhxKjRcqFBcVMQZD5xAy9hWIBEP4nJP-VRPRhfWUDkX68TWGpnMKEwfHg3WMfFhzISqc_pfY1hq8YX0mQWlQMFVDT25YhGTm-fh8qmtjHnhQbubHaCx1omfqE5cA8QTZeJX5N-6objjNN4bhl5P2Y11oHZkZWKhq66mL9vWtZoiPWaI5bx_Wb6VVQpNUH-yd5k2sF-0ORe4GLp0HY3uqz5AQLTQnQPDHiRWMo6uDeDn_e_hILTagKptrYlWDoqtRZk3w-q2w9ifvuvkZXkNz0quo80MxtRX0Do8vnkNnNXrNYu-KqYtqPcjQv-GCd3zfqipooZVVUQbnm-zqnHg26bqylA"],"Connection":["keep-alive"],"Postman-Token":["d019704d-5c70-4670-8299-9003ae741487"],"User-Agent":["PostmanRuntime/7.36.3"]},"level":"trace","logger":"authentik.router","timestamp":"2024-02-23T07:38:00Z","url":"http://localhost:8000/api/v3/core/users/"}
server-1 | {"auth_via": "unauthenticated", "domain_url": "localhost", "event": "/api/v3/core/users/", "host": "localhost:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 50, "remote": "172.19.0.1", "request_id": "ae6e9c8fb4ab42309b15f2cb2dc0f40f", "runtime": 12, "schema_name": "public", "scheme": "http", "status": 403, "timestamp": "2024-02-23T07:38:00.499548", "user": "", "user_agent": "PostmanRuntime/7.36.3"}
Version and Deployment (please complete the following information):