You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
Hello dear team, i'm here to report a bug (maybe), but first let me explain my setup.
I do have a central authentik server running inside my home homelab using almost the standard docker compose file to bring it up.
In order to expose some of my internal services on the internet i use a VPS running in the cloud (outsitde my homelab) connected via ZeroTier to my homelab. As reverse proxy i use Nginix Proxy Manager.
So i deployed a Proxy outpost on the VPS referring to the Manual Outpost deployment in docker-compose documentation, modifing a bit the compose file to fit my setup. This was made to have a local outpost and avoid unecessary traffic from and to the VPS server.
Here the compose file of the outpost proxy:
version: "3.5"
services:
authentik_proxy:
image: ghcr.io/goauthentik/proxy
environment:
AUTHENTIK_HOST: https://x.x.x.x:9443 <---- Internal IP of the Authentik Server hosted in my homelab
AUTHENTIK_INSECURE: "true"
AUTHENTIK_TOKEN: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AUTHENTIK_HOST_BROWSER: https://authentik.mydomain.xxx <---- as suggested on the docs i put here the external host of my authentik server
networks:
dmz-vps:
ipv4_address: 'x.x.x.x'
networks:
dmz-vps:
external:
name: dmz-vps
I can see the Proxy Outpost on the Authentik admin page and i'm able to assign providers to it.
Screenshots
So i configured Nginix Proxy manager using the template (as always done in my local nginix proxy manager inside my homelab) but instead to point to the authentik server i pointed to the Proxy outpost IP/port.
When i try to access the esposed resoruce and i got this log message in the outpost proxy container: warning warning error=oidc: id token issued by a different provider, expected "https://x.x.x.x:9443/application/o/my-app/" got "https://authentik.mydomain.xxx/application/o/my-app/" event=failed to redeem code logger=authentik.outpost.proxyv2.application name=Emby_VPS-proxy timestamp=2024-05-07T08:49:47Z
And this in the browser happens:
Looks like something is not working here...
The only thing that worked for me is to modify the compose file and put hostname (https://authentik.mydomain.xxx) on the AUTHENTIK_HOST instead of the internal IP address. This to me is not an elegant solution because in this way the container reaches the main authentik server using the public internet (cloudflare tunnel ecc..) instead of using the private ip over the ZeroTier tunnel.
Another route i tested was to create a static entry in my host file and attach that on the container so to force the use of the hostname, but pointing to the private IP.
Expected behavior
The expected behavior is to use the private IP to communicate to the main authentik server while being able to use the AUTHENTIK_HOST_BROWSER env to inform the proxy and not have the error 400.
Version and Deployment (please complete the following information):
authentik version: 2024.4.1
Deployment: Docker Compose
The text was updated successfully, but these errors were encountered:
I'm facing a similar issue. In my case, I used AUTHENTIK_HOST: http://authentik-server:9000 and AUTHENTIK_HOST_BROWSER: https://auth.my-domain.xyz.
The connection between the proxy and server seems to work fine according to the logs and web interface, but using the proxy fails with the error message described in the original post.
Describe the bug
Hello dear team, i'm here to report a bug (maybe), but first let me explain my setup.
I do have a central authentik server running inside my home homelab using almost the standard docker compose file to bring it up.
In order to expose some of my internal services on the internet i use a VPS running in the cloud (outsitde my homelab) connected via ZeroTier to my homelab. As reverse proxy i use Nginix Proxy Manager.
So i deployed a Proxy outpost on the VPS referring to the Manual Outpost deployment in docker-compose documentation, modifing a bit the compose file to fit my setup. This was made to have a local outpost and avoid unecessary traffic from and to the VPS server.
Here the compose file of the outpost proxy:
I can see the Proxy Outpost on the Authentik admin page and i'm able to assign providers to it.
Screenshots
So i configured Nginix Proxy manager using the template (as always done in my local nginix proxy manager inside my homelab) but instead to point to the authentik server i pointed to the Proxy outpost IP/port.
When i try to access the esposed resoruce and i got this log message in the outpost proxy container:
warning warning error=oidc: id token issued by a different provider, expected "https://x.x.x.x:9443/application/o/my-app/" got "https://authentik.mydomain.xxx/application/o/my-app/" event=failed to redeem code logger=authentik.outpost.proxyv2.application name=Emby_VPS-proxy timestamp=2024-05-07T08:49:47Z
And this in the browser happens:
Looks like something is not working here...
The only thing that worked for me is to modify the compose file and put hostname (https://authentik.mydomain.xxx) on the AUTHENTIK_HOST instead of the internal IP address. This to me is not an elegant solution because in this way the container reaches the main authentik server using the public internet (cloudflare tunnel ecc..) instead of using the private ip over the ZeroTier tunnel.
Another route i tested was to create a static entry in my host file and attach that on the container so to force the use of the hostname, but pointing to the private IP.
Expected behavior
The expected behavior is to use the private IP to communicate to the main authentik server while being able to use the AUTHENTIK_HOST_BROWSER env to inform the proxy and not have the error 400.
Version and Deployment (please complete the following information):
The text was updated successfully, but these errors were encountered: