
Portainer OAuth login not working with Authentik #8187

Closed
Videothek opened this issue Dec 12, 2022 · 55 comments

Comments

@Videothek

Hello, I tried to enroll OAuth for Portainer.
I created the entries in my SSO service as described in the documentation.
I am using Authentik, that's why I was following this link.

I also read through the Portainer guide but couldn't get it to work so far.

When I am trying to log in to Portainer with OAuth, I am getting the following error:

[screenshot]

Portainer returns a 500 error code:

[screenshot]

My configuration looks like this:

[screenshot]

I have also read through many posts about this error but nothing helped in my case.

It would be great if someone could assist me with fixing this error.

Thank you in advance 😄.

@iAmSaugata

I am not sure if it is related; my authentication is configured with GitHub. It was working till yesterday, now while I am trying to authenticate I am getting the same error. I have tried replacing it with a new client secret, but still the same issue.

Not sure what happened.

@Videothek
Author

> I am not sure if it is related; my authentication is configured with GitHub. It was working till yesterday, now while I am trying to authenticate I am getting the same error. I have tried replacing it with a new client secret, but still the same issue.
>
> Not sure what happened.

Ok weird, have you upgraded authentik or portainer to a new version before that happened?

@iAmSaugata

> I am not sure if it is related; my authentication is configured with GitHub. It was working till yesterday, now while I am trying to authenticate I am getting the same error. I have tried replacing it with a new client secret, but still the same issue.
> Not sure what happened.

> Ok weird, have you upgraded authentik or portainer to a new version before that happened?

This was related to a DNS resolution issue from my docker container; after fixing the DNS issue, I am able to log on using GitHub.

@Videothek
Author

> I am not sure if it is related; my authentication is configured with GitHub. It was working till yesterday, now while I am trying to authenticate I am getting the same error. I have tried replacing it with a new client secret, but still the same issue.
> Not sure what happened.

> Ok weird, have you upgraded authentik or portainer to a new version before that happened?

> This was related to a DNS resolution issue from my docker container; after fixing the DNS issue, I am able to log on using GitHub.

Ok great, at least one does work 😄.

@Videothek
Author

Does anyone have the same issue?

@TMUniversal

I use authentik OAuth in portainer and have had no issues with it.

@tamarahenson

@TMUniversal
Can you share your Scopes configuration?

@Videothek
Can you remove profile from your Scopes and see if that works?

Thanks!

@TMUniversal

I've simply followed the steps laid out in the authentik documentation (https://goauthentik.io/integrations/services/portainer/#step-2---portainer):

  • User Identifier: email
  • Scopes: email openid profile

@TMUniversal

Also, @Videothek, I've noticed that your logout URL differs from what I use (and what it says in the documentation).
It should be https://<sso-server>/application/o/<application-slug>/end-session/

See https://goauthentik.io/integrations/services/portainer/#:~:text=https%3A%2F%2Fauthentik.company%2Fapplication%2Fo%2Fportainer%2Fend-session%2F

@Videothek
Author

> Also, @Videothek, I've noticed that your logout URL differs from what I use (and what it says in the documentation). It should be https://<sso-server>/application/o/<application-slug>/end-session/
>
> See https://goauthentik.io/integrations/services/portainer/#:~:text=https%3A%2F%2Fauthentik.company%2Fapplication%2Fo%2Fportainer%2Fend-session%2F

Thanks for your reply.

I have put the scopes as described in the documentation.

I also have copied the link from my Authentik instance, so this should be fine I guess.

[screenshot]

So I guess you implemented the SSO without issues?

@TMUniversal

> Also, @Videothek, I've noticed that your logout URL differs from what I use (and what it says in the documentation). It should be https://<sso-server>/application/o/<application-slug>/end-session/
> See goauthentik.io/integrations/services/portainer/#:~:text=https%3A%2F%2Fauthentik.company%2Fapplication%2Fo%2Fportainer%2Fend-session%2F

> Thanks for your reply.
>
> I have put the scopes as described in the documentation.
>
> I also have copied the link from my Authentik instance, so this should be fine I guess.
>
> [screenshot]
>
> So I guess you implemented the SSO without issues?

Yes, it has been working well for me, through several version upgrades of both portainer and authentik.

@Videothek
Author

Ok, I guess I have to look into my config, or it's maybe just a bug.

@Videothek
Author

I checked my configuration and confirmed that I have set it up just like it shows in the documentation on the authentik website.

So if someone has any idea left what this issue could be, I would be very happy 😄.

@Paulpatou

Paulpatou commented Dec 28, 2022

Hi there,
Same problem here, this is my mistake: "Failure unauthorized". My configuration in Portainer:
[screenshot]
@TMUniversal Can you show us how you set up the "Automatic user provisioning" and "Team membership" sections, thanks.

@TMUniversal

TMUniversal commented Dec 28, 2022

> Hi there, Same problem here, this is my mistake: "Failure unauthorized". My configuration in Portainer: [screenshot] @TMUniversal Can you show us how you set up the "Automatic user provisioning" and "Team membership" sections, thanks.

I have not. Although I've confirmed that these also work.

Here are my settings, just don't turn on Hide Internal authentication prompt before everything is working as intended.

[screenshot]

@Videothek
Author

> Hi there, Same problem here, this is my mistake: "Failure unauthorized". My configuration in Portainer: [screenshot] @TMUniversal Can you show us how you set up the "Automatic user provisioning" and "Team membership" sections, thanks.

> I have not. Although I've confirmed that these also work.
>
> Here are my settings, just don't turn on Hide Internal authentication prompt before everything is working as intended.
>
> [screenshot]

Yes sure, my config looks like this:
[screenshot]

So it seems pretty similar.

@TechWolfNZ

Hi Everyone, I seem to be having this issue as well.

It seems from what I can see, that Portainer never calls the Access token URL. Is it possible Authentik isn't formatting the Redirect URL quite right?

This is how Portainer receives the auth code for my config: https://docker.-removed-/?code=[-CODE-]&state=e1f8b3cc-fc3c-4491-b44b-514585c115a3#!/auth

See my config below:
[screenshot]

@TMUniversal

> Hi Everyone, I seem to be having this issue as well.
>
> It seems from what I can see, that Portainer never calls the Access token URL. Is it possible Authentik isn't formatting the Redirect URL quite right?
>
> This is how Portainer receives the auth code for my config: https://docker.-removed-/?code=[-CODE-]&state=e1f8b3cc-fc3c-4491-b44b-514585c115a3#!/auth
>
> See my config below: [screenshot]

Seems unlikely, since it works for me. Could you provide your authentik and portainer versions, please?

Also have a look at my above comment: #8187 (comment) , you may want to add the logout URL. This probably won't fix your problem, but it allows you to log out of both portainer and authentik, or log back in when portainer times out your session.

@TechWolfNZ

TechWolfNZ commented Jan 5, 2023

> Hi Everyone, I seem to be having this issue as well.
> It seems from what I can see, that Portainer never calls the Access token URL. Is it possible Authentik isn't formatting the Redirect URL quite right?
> This is how Portainer receives the auth code for my config: https://docker.-removed-/?code=[-CODE-]&state=e1f8b3cc-fc3c-4491-b44b-514585c115a3#!/auth
> See my config below: [screenshot]

> Seems unlikely, since it works for me. Could you provide your authentik and portainer versions, please?
>
> Also have a look at my above comment: #8187 (comment) , you may want to add the logout URL. This probably won't fix your problem, but it allows you to log out of both portainer and authentik, or log back in when portainer times out your session.

Authentik: 2022.12.1
Portainer: 2.16.2

I'll review my Authentik flows maybe, as I have tested Google Auth without issue. I have tested the API using Postman and could retrieve the profile that way from Authentik.

Edit: On some poking around, I see this 500 error from Portainer, does this suggest anything I need to amend?
[screenshot]

@tldev-de

tldev-de commented Jan 7, 2023

I had the same problem and spent way too much time debugging it.

My problem (maybe you have the same issue) is the traefik default certificate, which I use for authentik.

LogLevel: kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),

Starting portainer with the cli param "--log-level DEBUG" (yes, this isn't documented!) shows the following entries in the log:

2023/01/07 11:15PM DBG github.com/portainer/portainer-ee/api/oauth/oauth.go:35 > failed retrieving OAuth token | error="Post \"https://my.authentik.domain/application/o/token/\": x509: certificate is valid for YYY.XXX.traefik.default, not my.authentik.domain"
2023/01/07 11:15PM DBG github.com/portainer/portainer-ee/api/http/handler/auth/authenticate_oauth.go:82 > OAuth authentication error | error="Post \"https://my.authentik.domain/application/o/token/\": x509: certificate is valid for YYY.XXX.traefik.default, not my.authentik.domain"
2023/01/07 11:15PM DBG github.com/portainer/libhttp@v0.0.0-20220916153711-5d61e12f4b0a/error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500

I'm going to replace the certificate with one from Let's Encrypt and hope that it will work :)

@TechWolfNZ

I'm not sure how to set the flags within the docker container to troubleshoot further. I have now installed a Let's Encrypt cert and it didn't change anything on my side. Let us know how you get on.

@TMUniversal

TMUniversal commented Jan 9, 2023

> I had the same problem and spent way too much time debugging it.
>
> My problem (maybe you have the same issue) is the traefik default certificate, which I use for authentik.
>
> LogLevel: kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
>
> Starting portainer with the cli param "--log-level DEBUG" (yes, this isn't documented!) shows the following entries in the log:
>
> 2023/01/07 11:15PM DBG github.com/portainer/portainer-ee/api/oauth/oauth.go:35 > failed retrieving OAuth token | error="Post \"https://my.authentik.domain/application/o/token/\": x509: certificate is valid for YYY.XXX.traefik.default, not my.authentik.domain"
> 2023/01/07 11:15PM DBG github.com/portainer/portainer-ee/api/http/handler/auth/authenticate_oauth.go:82 > OAuth authentication error | error="Post \"https://my.authentik.domain/application/o/token/\": x509: certificate is valid for YYY.XXX.traefik.default, not my.authentik.domain"
> 2023/01/07 11:15PM DBG github.com/portainer/libhttp@v0.0.0-20220916153711-5d61e12f4b0a/error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
>
> I'm going to replace the certificate with one from Let's Encrypt and hope that it will work :)

Yes, please do. I hadn't caught this possibility, but it's not surprising that Portainer would refuse to connect to authentik when the certificate is not valid.

Either try an unencrypted connection (just don't use in production), or use a valid certificate.
Since I see you are using traefik, you can have traefik acquire a LetsEncrypt certificate automatically.

Let me know if you need more details on this, I have traefik set up to do this.

Looking forward to hearing about your results!

@fredmorais, are you using a valid SSL certificate on your authentik server?

@TMUniversal

> I'm not sure how to set the flags within the docker container to troubleshoot further. I have now installed a Let's Encrypt cert and it didn't change anything on my side. Let us know how you get on.

That's unfortunate, I'd hoped this would work.
Assuming you are using a compose file to start portainer, you can add the command property to the service definition.

services:
  portainer:
    image: portainer/portainer-ee:2.16.2
    # Portainer does not require an executable name here, other images might.
    command: --log-level DEBUG # ... other cli args

@tldev-de

tldev-de commented Jan 9, 2023

> services:
>   portainer:
>     image: portainer/portainer-ee:2.16.2
>     # Portainer does not require an executable name here, other images might.
>     command: --log-level DEBUG # ... other cli args

Yes, that's the way to go!

After I changed the default certificate to a Let's Encrypt certificate it works! Hope this helps some of you! If not, you can try to debug it further using the "--log-level" setting :)

@TechWolfNZ

Update from me:
Once I set the debug flag I was able to establish I had two issues. I had a similar cert issue to @tldev-de and an incorrect configuration in CloudFlare. I hadn't realised this as my testing should have been all resolved by my local DNS... but live and learn.
I've only just started using Cloudflare's service, so I don't fully understand the issue yet, perhaps not forwarding all the headers required or something, disabling the proxy setting corrected this.

@Videothek
Author

So I finally got around to look at this issue again.
My Portainer instance also throws the certificate error. My biggest problem with this is that I am using my Portainer login locally and therefore I only have a local FQDN with a .home at the end.

So in my opinion it should be possible to trust self-signed certs for local use, because not everybody wants to publish their Portainer login or use "real" FQDNs for their local services.

Maybe some dev from Portainer could look into this?

Or just answer this thread why this isn't or shouldn't be possible.

Thank you in advance 😄.

@TMUniversal

> So I finally got around to look at this issue again. My Portainer instance also throws the certificate error. My biggest problem with this is that I am using my Portainer login locally and therefore I only have a local FQDN with a .home at the end.
>
> So in my opinion it should be possible to trust self-signed certs for local use, because not everybody wants to publish their Portainer login or use "real" FQDNs for their local services.
>
> Maybe some dev from Portainer could look into this?
>
> Or just answer this thread why this isn't or shouldn't be possible.
>
> Thank you in advance 😄.

Unfortunately, the URL for Portainer does not matter. I've had it set up so that authentik is reachable on an FQDN, while Portainer was accessible locally via its IP address, although still using https (portainer self-signed).

So authentik would be on https://authentik.example.com,
and Portainer on https://1.2.3.4:9443.

This configuration worked for me, but I've since put Portainer on a locally accessible fqdn, via a local dns entry.

Does this resemble your setup?

@marouamghar

Same issue here, just using caddy, which generates its own self cert.

@TMUniversal

Seems like we've got this issue figured out.

Portainer rejects self-signed certificates by default, but has no mechanism to trust any / the specific certificate.

My solution to this has been to use a LetsEncrypt certificate for my authentik instance, which you can achieve without making your instance public.

To do this, you will have to own a domain, and use a dns challenge to get the certificate (certbot/traefik will create a txt entry through your dns provider), since LetsEncrypt won't be able to access your instance.
Secondly, you would create a local only dns entry for your authentik instance on your domain. You can do this in your hosts file, or a network dns server like bind9 or Pi-Hole.

@Forsskieken

Forsskieken commented Apr 10, 2023

So I'm using Authentik, Traefik, PiHole and Portainer on a Proxmox host.
I seem to have the same issue... the login to Authentik goes through and I'm redirected to the Portainer page where I have the choice of OAuth / internal authentication...
Every site has a padlock in the browser but still I can't get Authentik to log me into Portainer.
This is the error I see when I log in and search its own logs:
ERR endpointutils/endpointutils.go:166 > 2023/04/10 02:49PM 2023/04/10 02:49PM ERR 2023/04/10 02:49PM 2023/04/10 02:49PM ERR endpointutils/endpointutils.go:166 > error while detecting storage classes
How can I investigate further?

@tldev-de

> How can I investigate further?

services:
  portainer:
    image: portainer/portainer[...]
    command: --log-level DEBUG # ... other cli args

@Forsskieken try to add the command line to your docker-compose or add it to your startup script / docker run command. This should give you more details in the logs :)

@Forsskieken

Thanks, I did and indeed I see some errors...
2023/04/11 09:50AM INF portainer/main.go:789 > starting Portainer | build_number=24941 go_version=1.19.3 image_tag=linux-amd64-2.16.1 nodejs_version=18.12.1 version=2.16.1 webpack_version=5.68.0 yarn_version=1.22.19
2023/04/11 09:50AM DBG adminmonitor/admin_monitor.go:51 > start initialization monitor
2023/04/11 09:50AM INF http/server.go:337 > starting HTTPS server | bind_address=:9443
2023/04/11 09:50AM INF http/server.go:322 > starting HTTP server | bind_address=:9000
2023/04/11 09:54AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "https://authentik.exampleNOTreal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
2023/04/11 09:54AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "https://authentik.exampleNOTReal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
2023/04/11 09:54AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
2023/04/11 09:55AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "https://authentik.exampleNOTReal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
2023/04/11 09:55AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "https://authentik.exampleNOTReal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
2023/04/11 09:55AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
2023/04/11 10:04AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="A valid authorisation token is missing" status_code=401

Where is this authorisation token generated or placed?

@Keyinator

Keyinator commented May 26, 2023

> Seems like we've got this issue figured out.
>
> Portainer rejects self-signed certificates by default, but has no mechanism to trust any / the specific certificate.
>
> My solution to this has been to use a LetsEncrypt certificate for my authentik instance, which you can achieve without making your instance public.
>
> To do this, you will have to own a domain, and use a dns challenge to get the certificate (certbot/traefik will create a txt entry through your dns provider), since LetsEncrypt won't be able to access your instance. Secondly, you would create a local only dns entry for your authentik instance on your domain. You can do this in your hosts file, or a network dns server like bind9 or Pi-Hole.

I've installed a letsencrypt wildcard certificate to authentik but still oauth did not work. Only fix was removing the s in https from the oauth configuration urls pointing to the authentik server.

@TMUniversal

> Seems like we've got this issue figured out.
> Portainer rejects self-signed certificates by default, but has no mechanism to trust any / the specific certificate.
> My solution to this has been to use a LetsEncrypt certificate for my authentik instance, which you can achieve without making your instance public.
> To do this, you will have to own a domain, and use a dns challenge to get the certificate (certbot/traefik will create a txt entry through your dns provider), since LetsEncrypt won't be able to access your instance. Secondly, you would create a local only dns entry for your authentik instance on your domain. You can do this in your hosts file, or a network dns server like bind9 or Pi-Hole.

> I've installed a letsencrypt wildcard certificate to authentik but still oauth did not work. Only fix was removing the s in https from the oauth configuration urls pointing to the authentik server.

That doesn't sound like what you would want.
Have you entered the full domain used in the certificate (i.e. https://authentik.example.com/...), and do you have a DNS record in place that allows you (your browser, and portainer) to access the instance under the certificate's domain?

@RotusMaximus

> So I finally got around to look at this issue again. My Portainer instance also throws the certificate error. My biggest problem with this is that I am using my Portainer login locally and therefore I only have a local FQDN with a .home at the end.
>
> So in my opinion it should be possible to trust self-signed certs for local use, because not everybody wants to publish their Portainer login or use "real" FQDNs for their local services.
>
> Maybe some dev from Portainer could look into this?
>
> Or just answer this thread why this isn't or shouldn't be possible.
>
> Thank you in advance 😄.

> Unfortunately, the URL for Portainer does not matter. I've had it set up so that authentik is reachable on an FQDN, while Portainer was accessible locally via its IP address, although still using https (portainer self-signed).
> So authentik would be on https://authentik.example.com,
> and Portainer on https://1.2.3.4:9443.
> This configuration worked for me, but I've since put Portainer on a locally accessible fqdn, via a local dns entry.
> Does this resemble your setup?

> Sorry I wasn't clear about my setup.
>
> I have authentik and portainer both on my local network and for both a self-signed cert.
>
> It is not an option for me right now to make my authentik instance public since I want authentik for my local services.
>
> I hope my setup is clearer now.
>
> Anyway thank you for your contribution, this would be the idea when hosting it publicly but like I said it's something I wouldn't like to do as of now.
>
> So maybe we could get a button to trust our self-signed certs or upload the public self-signed cert to portainer so that portainer accepts them?

I've managed to make it work with a self-signed certificate (and a .home TLD) by trusting the CA that created the certificate (in this case my own CA) inside the container. The host machine that is running my containers already trusts my CA so I managed to solve the problem by mounting the existing ca-certificates.crt file of my host machine into the container.

You can simply do this by adding this line to the volumes part of the docker-compose file of the Portainer setup: - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt.

Please note that this does require your host machine to already trust the CA that created the certificate.
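
The two fixes this thread converged on for the certificate error (a certificate issued for the real authentik hostname, or mounting the host's CA bundle into the container) both come down to what Go's TLS client accepts, since Portainer is written in Go. The following is an added example, not Portainer or authentik code: it builds a throwaway private CA and a leaf certificate for my.authentik.domain (constructed names) and shows the three outcomes a Portainer operator meets: CA not trusted, CA trusted, and hostname mismatch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustCert signs tmpl with parentKey under parent, or self-signs it when
// parent is nil. Keys are throwaway P-256 keys generated on the spot.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil { // self-signed: the template signs itself
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildTestPKI constructs a private CA and a leaf for leafHost, mirroring a
// homelab where authentik sits behind a proxy with a cert from a home-made CA.
// All of this is constructed test data, not material from the thread.
func BuildTestPKI(leafHost string) (ca, leaf *x509.Certificate) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "homelab-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey := mustCert(caTmpl, nil, nil)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: leafHost},
		DNSNames:     []string{leafHost}, // the SAN a TLS client actually checks
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ = mustCert(leafTmpl, ca, caKey)
	return ca, leaf
}

// PoolWith returns a trust store containing only ca, the equivalent of a
// container whose CA bundle has the private CA mounted in.
func PoolWith(ca *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool
}

// VerifyOutcome classifies how a Go TLS client (and so Portainer) would judge
// leaf when connecting to host. roots == nil stands for "nothing trusted",
// i.e. a container whose bundle lacks the private CA.
func VerifyOutcome(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	if roots == nil {
		roots = x509.NewCertPool() // empty pool, so no issuer can be found
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var hostErr x509.HostnameError
	var unknownCA x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "hostname-mismatch" // "x509: certificate is valid for X, not Y"
	case errors.As(err, &unknownCA):
		return "unknown-authority" // "x509: certificate signed by unknown authority"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	ca, leaf := BuildTestPKI("my.authentik.domain")
	fmt.Println("no CA mounted:    ", VerifyOutcome(leaf, nil, "my.authentik.domain"))
	fmt.Println("CA mounted:       ", VerifyOutcome(leaf, PoolWith(ca), "my.authentik.domain"))
	fmt.Println("wrong name, CA ok:", VerifyOutcome(leaf, PoolWith(ca), "authentik.home"))
}
```

The third case is the traefik default-certificate failure quoted above: a trusted issuer does not help when the name in the access token URL is not in the certificate.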

@github-actions

github-actions bot commented Aug 5, 2023

This issue has been marked as stale as it has not had recent activity, it will be closed if no further activity occurs in the next 7 days. If you believe that it has been incorrectly labelled as stale, leave a comment and the label will be removed.

@github-actions

Since no further activity has appeared on this issue it will be closed. If you believe that it has been incorrectly closed, leave a comment mentioning portainer/support and one of our staff will then review the issue. Note - If it is an old bug report, make sure that it is reproduceable in the latest version of Portainer as it may have already been fixed.

github-actions bot closed this as not planned (Won't fix, can't repro, duplicate, stale) on Aug 13, 2023
@ElectricityMachine

> Thanks, I did and indeed I see some errors...
> 2023/04/11 09:50AM INF portainer/main.go:789 > starting Portainer | build_number=24941 go_version=1.19.3 image_tag=linux-amd64-2.16.1 nodejs_version=18.12.1 version=2.16.1 webpack_version=5.68.0 yarn_version=1.22.19
> 2023/04/11 09:50AM DBG adminmonitor/admin_monitor.go:51 > start initialization monitor
> 2023/04/11 09:50AM INF http/server.go:337 > starting HTTPS server | bind_address=:9443
> 2023/04/11 09:50AM INF http/server.go:322 > starting HTTP server | bind_address=:9000
> 2023/04/11 09:54AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "https://authentik.exampleNOTreal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
> 2023/04/11 09:54AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "https://authentik.exampleNOTReal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
> 2023/04/11 09:54AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
> 2023/04/11 09:55AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "https://authentik.exampleNOTReal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
> 2023/04/11 09:55AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "https://authentik.exampleNOTReal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
> 2023/04/11 09:55AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
> 2023/04/11 10:04AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="A valid authorisation token is missing" status_code=401
>
> Where is this authorisation token generated or placed?

Did you resolve this? I am having the exact same issue. It seems that there isn't a route between Portainer and the host machine, but I'm not sure, and the only solution I'm able to find is to use the Authentik server's name instead of the FQDN, which didn't even work for me.

@paulcsiki

I've had a similar issue where there was a NAT loopback issue and log level debug has helped as I have recognized the SSL CN from my router rather than the one traefik uses.

@samumatic

Quick update on my part for anyone needing it: I was getting an "Account not created beforehand in Portainer and automatic user provisioning not enabled". Turning it on solved my problem! Thanks for the help!

I was getting an "Error: Unauthorized" but after turning "automatic user provisioning" on, I could log in.

@Chrispikaan

Hi, I'm trying to use the username in Portainer instead of the email address.
Example: the username is John and the email is John.Baker@example.com.
Email works with user identifier: email
and Scopes: email openid profile

But how can I use the username as user identifier? I tried user and username but it doesn't work.
What am I doing wrong?

[screenshot]

@mooglestiltzkin

mooglestiltzkin commented Nov 15, 2023

> So in my opinion it should be possible to trust self-signed certs for local use, because not everybody wants to publish their Portainer login or use "real" FQDNs for their local services.

Wolfgang posted a Let's Encrypt for local homelab setup. The downside is he uses Nginx Proxy Manager, whereas I am using Traefik.
https://www.youtube.com/watch?v=qlcVx-k-02E

I tested it and it does work. You also get valid certs and are no longer told it's insecure.

But I wanted to get this to work for Traefik, unfortunately.

I can however verify for you that the certificate issue is resolved when trying to log in to Portainer using OAuth with authentik (I tested and confirmed this myself), if you want to try that instead.

But I also second an option to allow makecert certificates for a local LAN homelab environment, please.

@amour86

amour86 commented Nov 26, 2023

> Thanks, I did and indeed I see some errors...
> 2023/04/11 09:50AM INF portainer/main.go:789 > starting Portainer | build_number=24941 go_version=1.19.3 image_tag=linux-amd64-2.16.1 nodejs_version=18.12.1 version=2.16.1 webpack_version=5.68.0 yarn_version=1.22.19
> 2023/04/11 09:50AM DBG adminmonitor/admin_monitor.go:51 > start initialization monitor
> 2023/04/11 09:50AM INF http/server.go:337 > starting HTTPS server | bind_address=:9443
> 2023/04/11 09:50AM INF http/server.go:322 > starting HTTP server | bind_address=:9000
> 2023/04/11 09:54AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "https://authentik.exampleNOTreal.net/application/o/token/": dial tcp 192.168.1.181:443: i/o timeout"
> 2023/04/11 09:54AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "https://authentik.exampleNOTReal.net/application/o/token/": dial tcp 192.168.1.181:443: i/o timeout"
> 2023/04/11 09:54AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
> 2023/04/11 09:55AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "https://authentik.exampleNOTReal.net/application/o/token/": dial tcp 192.168.1.181:443: i/o timeout"
> 2023/04/11 09:55AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "https://authentik.exampleNOTReal.net/application/o/token/": dial tcp 192.168.1.181:443: i/o timeout"
> 2023/04/11 09:55AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
> 2023/04/11 10:04AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="A valid authorisation token is missing" status_code=401
> Where is this authorisation token generated or placed?

> Did you resolve this? I am having the exact same issue. It seems that there isn't a route between Portainer and the host machine, but I'm not sure, and the only solution I'm able to find is to use the Authentik server's name instead of the FQDN, which didn't even work for me.

Did you find a way to fix this? I'm having exactly the same issue.

@fertkir

fertkir commented Apr 7, 2024

@Forsskieken, @ElectricityMachine, @amour86
I had the same timeout issue. I then logged into one of my docker containers and figured out that my docker host isn't accessible from inside docker containers.
This was due to:

/etc/docker/daemon.json
{
  ...
  "userland-proxy": false,
  ...
}

I removed the field, restarted the Docker daemon and could authenticate to Portainer.

@icvdok

icvdok commented May 10, 2024

Hello, does this issue have a final solution? I have exactly the same issue explained in the first post after two years. I've followed the documentation step by step and everything looks good.

Authentik and Portainer can be accessed from the internet via Nginx Proxy Manager; both instances are published with valid Let's Encrypt certificates.

I'm not an expert, but Authentik confirms the application is authorized, yet Portainer doesn't allow the login.

[screenshot]

Thanks for the help.

@quincarter

I had to do some finagling with this too. I had to set up the internal container network connections for the resource URL and the access token URL. In my case the container name for my Authentik server is authentik-server and it runs on port 8000 (Portainer runs on 9000 by default and conflicts).

I also had to adjust the scopes a little, but this did the trick and I am in.


@icvdok

icvdok commented May 12, 2024

Hello quincarter, thanks for the hint. Just a question: as far as I've understood, on your setup both Docker containers, Authentik and Portainer, are on the same Docker virtual network?

@icvdok

icvdok commented May 12, 2024

Update: solved by installing a valid public certificate.

@quincarter

Hello quincarter, thanks for the hint. Just a question: as far as I've understood, on your setup both Docker containers, Authentik and Portainer, are on the same Docker virtual network?

Yes, this is correct.

@rmarijn

rmarijn commented May 12, 2024

I had to do some finagling with this too. I had to set up the internal container network connections for the resource URL and the access token URL. In my case the container name for my Authentik server is authentik-server and it runs on port 8000 (Portainer runs on 9000 by default and conflicts).

I also had to adjust the scopes a little, but this did the trick and I am in.


I am also struggling for more than a week now to get it running.
Can you show me how you run Authentik on port 8000?

Thanks in advance!

@sik231

sik231 commented Jun 21, 2024

It appears there are many things that can cause this behavior. Using the debug command and checking Portainer's logs can help narrow it down (I added the command --log-level=DEBUG to my docker compose). In my case, Portainer couldn't resolve the access and resource URLs (the logs had "127.0.0.11:53 server is misbehaving" entries). If that's the case for you, please see below.

I resolved it by only changing the beginning of Portainer's access token and resource URLs (similar to quincarter). I made both entries start with "http://authentik-server:9000/". "authentik-server" is my container's name and it runs on port 9000 by default. I use Traefik, so I don't have any conflicts between Authentik and Portainer; you would need to use your own container name in that place. I guess Portainer couldn't resolve the https entries from Authentik, but it can when using the container's name and port via http. Hope this helps anyone still having this issue.

@DaveTSG

DaveTSG commented Jul 22, 2024

Hi everyone. I've been having the same issues as noted throughout this thread, and found a solution. Having read every single comment above mine, I realise this might not be the answer for everyone, but it is something other people can consider trying.

At the end of this guide for setting up Authentik with Portainer, the last line of step 3 includes the Launch URL. I foolishly glossed over this when I was creating the application in Authentik (because the Authentik interface says "If left empty, authentik will try to extract the launch URL based on the selected provider.", so I incorrectly assumed it'd just work if left empty).

To be clear, I am using Authentik with Traefik with a Let's Encrypt certificate already. I also have an FQDN defined for Portainer and Authentik in my Pi-hole instance, which is also running on the same Docker host.

I realise this is just "RTFM", but hopefully it helps someone else in future...

@lfnt3

lfnt3 commented Sep 16, 2024

access token and resource urls

It appears there are many things that can cause this behavior. Using the debug command and checking Portainer's logs can help narrow it down (I added the command --log-level=DEBUG to my docker compose). In my case, Portainer couldn't resolve the access and resource URLs (the logs had "127.0.0.11:53 server is misbehaving" entries). If that's the case for you, please see below.

I resolved it by only changing the beginning of Portainer's access token and resource URLs (similar to quincarter). I made both entries start with "http://authentik-server:9000/". "authentik-server" is my container's name and it runs on port 9000 by default. I use Traefik, so I don't have any conflicts between Authentik and Portainer; you would need to use your own container name in that place. I guess Portainer couldn't resolve the https entries from Authentik, but it can when using the container's name and port via http. Hope this helps anyone still having this issue.

After frustrating days of fruitless research I finally found this comment and it worked for me, too! 👍

I checked the logs of Portainer (--log-level=DEBUG) and found this:

DBG github.com/portainer/portainer/api/http/handler/auth/authenticate_oauth.go:76 > OAuth authentication error | error="Post "https://authentik.mydomain.com/application/o/token/\": dial tcp: lookup authentik.mydomain.com on 127.0.0.11:53: no such host"
2024/09/16 02:20PM DBG github.com/portainer/portainer/api/http/security/bouncer.go:514 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
2024/09/16 02:20PM DBG github.com/portainer/portainer/api/http/middlewares/slow_request_logger.go:33 > slow request | elapsed_ms=16070.429156 method=POST url=/api/auth/oauth/validate

So I modified the following access token and resource URLs in the Portainer authentication settings to use http and the Docker container names:
http://authentik-server:9000/application/o/token/
http://authentik-server:9000/application/o/userinfo/

Now the authentication works and the Portainer web interface opens.

However, this feels like a workaround, and I still don't quite understand the root cause of the problem. Why can Portainer/Authentik not handle https and the FQDN for the token and resource URLs? Is there an issue with the Traefik or Pi-hole configs?

By the way, I still get this error=Unauthorized in the Portainer logs:
DBG github.com/portainer/portainer/api/http/security/bouncer.go:309 > HTTP error | error=Unauthorized msg="A valid authorization token is missing" status_code=401

Any ideas how to solve this for good?
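The posts above all end up reading the same debug line ("failed retrieving oauth token" / "OAuth authentication error") and then guessing at the cause. As an added example that is not part of this thread or of Portainer's code, the script below parses that line and sorts each failure into the network causes the thread has reported (connect timeout, name not found on Docker's embedded resolver, upstream resolver failing, or an untrusted certificate as in icvdok's fix), so you can pick the matching remedy before changing any URLs. The log lines are constructed from the shapes quoted in this thread; the hostnames, the `.../` path prefix and the x509 line are assumptions, not output from anyone's actual deployment.

```python
"""Classify Portainer OAuth token-exchange failures from debug logs.

Added example (not Portainer's or Authentik's code). It reads the
'failed retrieving oauth token' / 'OAuth authentication error' lines
written at --log-level=DEBUG and maps each to a likely network cause.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample: shapes of the lines quoted in this issue. Hostnames,
# the ".../" path prefix and the x509 line are placeholders/assumptions.
SAMPLE_LOG = """\
2023/04/11 09:54AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "https://authentik.example.net/application/o/token/": dial tcp 192.168.1.181:443: i/o timeout"
2023/04/11 09:54AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
2024/09/16 02:20PM DBG .../auth/authenticate_oauth.go:76 > OAuth authentication error | error="Post "https://authentik.example.com/application/o/token/": dial tcp: lookup authentik.example.com on 127.0.0.11:53: no such host"
2024/09/16 02:20PM DBG .../auth/authenticate_oauth.go:76 > OAuth authentication error | error="Post "https://authentik.example.com/application/o/token/": dial tcp: lookup authentik.example.com on 127.0.0.11:53: server misbehaving"
2024/09/16 02:21PM DBG .../auth/authenticate_oauth.go:76 > OAuth authentication error | error="Post "https://authentik.example.com/application/o/token/": tls: failed to verify certificate: x509: certificate signed by unknown authority"
2024/09/16 02:22PM DBG .../security/bouncer.go:309 > HTTP error | error=Unauthorized msg="A valid authorization token is missing" status_code=401
"""

# Only the token-exchange failure lines carry the underlying Go net error.
TOKEN_ERR = re.compile(
    r'(failed retrieving oauth token|OAuth authentication error) \| error="(?P<err>.*)"\s*$'
)
URL_RE = re.compile(r'Post "(?P<url>https?://[^"]+)"')
RESOLVER_RE = re.compile(r" on (?P<res>[\d.]+:\d+):")

# Ordered (label, substring) checks; first match wins.
CAUSES = [
    ("timeout", "i/o timeout"),          # host not reachable from the container
    ("dns_nxdomain", "no such host"),    # embedded DNS (127.0.0.11) has no answer
    ("dns_upstream", "server misbehaving"),  # upstream resolver configured for Docker is failing
    ("tls", "x509"),                     # IdP certificate not trusted by Portainer
]

# The remedy each cause maps to, as reported by posters in this thread.
ADVICE = {
    "timeout": "Check container-to-host routing (e.g. the userland-proxy setting) or firewall.",
    "dns_nxdomain": "Name unknown to Docker DNS: fix host DNS/split-horizon or use the container name.",
    "dns_upstream": "Upstream DNS failing: set a working 'dns' list in /etc/docker/daemon.json.",
    "tls": "Install a certificate Portainer trusts (valid public CA or add the CA to its trust store).",
    "other": "Unclassified; inspect the raw error text.",
}


def classify_error(err: str) -> str:
    """Return the cause label for one Go net/http error string."""
    for label, needle in CAUSES:
        if needle in err:
            return label
    return "other"


def parse_log(text: str) -> list[dict]:
    """Extract cause, target URL and resolver (if any) for each token failure."""
    findings = []
    for line in text.splitlines():
        m = TOKEN_ERR.search(line)
        if not m:
            continue  # 401/500 summary lines carry no network detail
        err = m.group("err")
        url = URL_RE.search(err)
        resolver = RESOLVER_RE.search(err)
        findings.append({
            "cause": classify_error(err),
            "url": url.group("url") if url else None,
            "resolver": resolver.group("res") if resolver else None,
        })
    return findings


def summarize(text: str) -> dict[str, int]:
    """Count failures per cause, e.g. {'timeout': 1, 'dns_nxdomain': 1, ...}."""
    return dict(Counter(f["cause"] for f in parse_log(text)))


if __name__ == "__main__":
    for cause, n in summarize(SAMPLE_LOG).items():
        print(f"{cause:13s} x{n}: {ADVICE[cause]}")
```

Run it against `docker logs portainer 2>&1` piped into a file instead of `SAMPLE_LOG` to see which bucket your deployment falls in; a `dns_nxdomain` or `dns_upstream` result explains why switching to `http://<container-name>:<port>/` works (the embedded resolver knows container names even when it cannot reach your public DNS), and a `tls` result points at the certificate rather than at DNS.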

@Kartel1

Kartel1 commented Nov 2, 2024

Hello

For those who still have this issue with the missing token and the 401 error: I found out it was a DNS issue, as mentioned by @iAmSaugata.

These two links helped me:
DNS issue with docker container
Docker should use the host network DNS server

Here is how I was able to fix this.
First, I had to allocate a static private IPv4 address to the Portainer container inside the docker compose file:

networks:
  <yourNetwork>:
    ipv4_address: <yourIpAddress>

Some people might say it's not good practice to associate a static IP address with a container, but I didn't find a better trade-off for now.

Then I added a file at the following path: /etc/NetworkManager/dnsmasq.d/docker-bridge.conf
(it's a comma-separated file)
Put the following line in it: listen-address=<yourIpAddress>
If you have the dnsmasq service activated (which was not my case, but I'm using Pi-hole, which reads this config file), you have to run this command:
systemctl restart dnsmasq.service

Lastly, edit /etc/docker/daemon.json and append the dns config (create the file if it doesn't exist):

{
  "dns": [
    "<yourIpAddress>",
    "<serverIpAddress>",
    "8.8.8.8",
    "8.8.4.4"
  ]
}

The 8.8.8.8 and 8.8.4.4 entries are for Google DNS resolution.
Then you need to restart Docker:
sudo service docker restart

And the SSO with Authentik for Portainer should work fine (it worked for me 😄).
I hope it can help many people who are facing this issue.
