OIDC Provider Fails Across VLANs/Subnets #9722

Open
julianq opened this issue May 14, 2024 · 1 comment
Labels
bug Something isn't working

Comments


julianq commented May 14, 2024

Describe the bug
When the service is on a separate VLAN or subnet from Authentik, OIDC fails to authenticate. This does not seem to be a problem with VLAN traversal / firewall configuration, as authentication via OIDC was possible until a few days ago, when it suddenly stopped working. Similarly, running access wide open between the VLANs does not allow authentication.

This comes in two flavors:

(1) Either the service fails to connect to Authentik entirely, and the event is entirely invisible from the Authentik side; or

(2) The service manages to connect to Authentik and authenticates successfully, but fails to log in, and the event shows as a successful authentication from the Authentik side (but with no indication of the failure to log in).

Moving the service in question to the same VLAN as Authentik allows normal login and is a workaround for now.

Note that this is only for OIDC; the proxy provider works as expected when crossing VLANs/Subnets. (I have not tested the other provider options.)

To Reproduce
Steps to reproduce the behavior:

  1. Go to service login
  2. Click on "Login with Authentik"
  3. Error occurs (either failure to connect to Authentik, or successful authentication but failure to login).

Expected behavior
Successful connection to Authentik, authentication, and login.

Logs
All of the logs on the service / application side are some form of the following:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='auth.mydomain.com', port=443): Max retries exceeded with url: /application/o/token/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x77d7cfe6f5e0>: Failed to establish a new connection: [Errno 111] Connection refused'))

The connection refused is standard across all application logfiles.

The Authentik side shows nothing or successful authentication as per my description above.

Version and Deployment (please complete the following information):

  • authentik version: 2024.4.2
  • Deployment: docker-compose

Additional context
I am also seeing that the local docker outpost is unhealthy, but that seems to be related to #7279

@julianq julianq added the bug Something isn't working label May 14, 2024

ksaadDE commented May 15, 2024

Maybe the connections between authentik and the user work, but not between the service and authentik?

Interestingly:

Max retries exceeded

is the occurrence.

Note that this is only for OIDC, the proxy provider works as expected when crossing VLANs/Subnets. (I have not tested the other provider options.)

Weird tho. But hard to debug from outside.
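A way to check the split the comment above suggests, added here as an example and not code from the report or from authentik: OIDC has a browser-driven leg (the authorize redirect, which is what authentik records as a successful authentication) and a server-to-server leg (the service's own call to the token endpoint, which is where the report's "Connection refused" comes from), and this script, run from the service's host, walks that back channel stage by stage so a TCP-level refusal is told apart from a TLS or issuer-path problem. The issuer URL and app slug are hypothetical placeholders; `connect` and `opener` are injectable only so the logic can be exercised without a network.

```python
import json
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

def probe_tcp(host, port=443, timeout=3.0, connect=socket.create_connection):
    """Raw TCP reachability of the issuer from *this* host (no TLS, no HTTP)."""
    try:
        connect((host, port), timeout=timeout).close()
        return "open"
    except ConnectionRefusedError:
        return "refused"        # the [Errno 111] seen in the service logs
    except (socket.timeout, TimeoutError):
        return "timeout"        # typical of a firewall that silently drops
    except socket.gaierror:
        return "dns-failure"    # the name does not resolve on this network
    except OSError as exc:
        return "error:" + exc.__class__.__name__   # e.g. no route to host

def fetch_discovery(issuer, opener=urllib.request.urlopen, timeout=5.0):
    """Fetch the discovery document the way the service's backend would."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    try:
        with opener(url, timeout=timeout) as resp:
            return "ok", json.load(resp)
    except urllib.error.HTTPError as exc:
        return "http-%d" % exc.code, None   # reachable; issuer path/slug wrong
    except urllib.error.URLError as exc:    # also wraps TLS handshake errors
        return "unreachable:" + exc.reason.__class__.__name__, None

def diagnose(issuer, connect=socket.create_connection,
             opener=urllib.request.urlopen):
    """Walk the back channel and report the first stage that fails."""
    host = urlparse(issuer).hostname
    tcp = probe_tcp(host, connect=connect)
    if tcp != "open":
        return {"stage": "tcp", "result": tcp, "host": host,
                "hint": "service host cannot reach the issuer; check routing, hairpin NAT, and what the name resolves to here"}
    status, doc = fetch_discovery(issuer, opener=opener)
    if status != "ok":
        return {"stage": "https", "result": status, "host": host,
                "hint": "TCP works but HTTPS to the issuer failed; check TLS trust and the issuer path"}
    return {"stage": "discovery", "result": "ok", "host": host,
            "token_endpoint": doc.get("token_endpoint")}

if __name__ == "__main__":
    # Hypothetical issuer; authentik issuers look like https://<host>/application/o/<slug>/
    print(json.dumps(diagnose("https://auth.mydomain.com/application/o/myapp/"), indent=2))
```

Run it on the service's host, then on a host in authentik's own VLAN; if the first stops at "tcp" while the second reaches "discovery", the problem is the service-to-issuer path rather than the user's browser path.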
