Portainer OAuth login not working with Authentik

[Videothek]

Hello, i tried to enroll OAuth for Portainer.
I created the entries in my SSO Service as described in the documentation.
I am using Authentik, thats why i were following this link.

I also read through the portainer guide but couldnt get it to work by now.

When i am trying to login to Portainer with OAuth, i am getting the following error:

Portainer returns an 500 error code:

My configuration looks like this:

I have also read through many posts about this error but nothing helped in my case.

Would be great if someone could assist me with fixing this error.

Thank you in adnvace 😄.

[iAmSaugata]

I am not sure if it is related, my authentication configured with github, it was working till yesterday, now while I am trying to authenticate, getting same error. I have tried replacing new client secret, but still same issue.

Not sure what happened.

[Videothek]

I am not sure if it is related, my authentication configured with github, it was working till yesterday, now while I am trying to authenticate, getting same error. I have tried replacing new client secret, but still same issue.

Not sure what happened.

Ok weird, have you upgraded authentik or portainer to a new version before that happend?

[iAmSaugata]

I am not sure if it is related, my authentication configured with github, it was working till yesterday, now while I am trying to authenticate, getting same error. I have tried replacing new client secret, but still same issue.
Not sure what happened.

Ok weird, have you upgraded authentik or portainer to a new version before that happend?

This was related to DNS resolution issue from my docker container, after fixing DNS issue, I am able to logon using GitHub.

[Videothek]

I am not sure if it is related, my authentication configured with github, it was working till yesterday, now while I am trying to authenticate, getting same error. I have tried replacing new client secret, but still same issue.
Not sure what happened.

Ok weird, have you upgraded authentik or portainer to a new version before that happend?

This was related to DNS resolution issue from my docker container, after fixing DNS issue, I am able to logon using GitHub.

Ok great, at least one does work 😄.

[Videothek]

Does anyone have the same issue?

[TMUniversal]

I use authentik OAuth in portainer and have had no issues with it.

[tamarahenson]

@TMUniversal
Can you share your Scopes configuration?

@Videothek
Can you remove profile from your Scopes and see if that works?

Thanks!

[TMUniversal]

I've simply followed the steps layed out in the authentik documentation (https://goauthentik.io/integrations/services/portainer/#step-2---portainer):

• User Identifier: email
• Scopes: email openid profile

[TMUniversal]

Also, @Videothek, I've noticed that your logout URL differs from what I use (and what it says in the documentation).
It should be https://<sso-server>/application/o/<application-slug>/end-session/

See https://goauthentik.io/integrations/services/portainer/#:~:text=https%3A%2F%2Fauthentik.company%2Fapplication%2Fo%2Fportainer%2Fend-session%2F

[Videothek]

Also, @Videothek, I've noticed that your logout URL differs from what I use (and what it says in the documentation). It should be https://<sso-server>/application/o/<application-slug>/end-session/

See https://goauthentik.io/integrations/services/portainer/#:~:text=https%3A%2F%2Fauthentik.company%2Fapplication%2Fo%2Fportainer%2Fend-session%2F

Thanks for your reply.

I have put the scopes as described in the documentation.

I also have copied the link form my Authentik instace, so this should be fine i guess.

So i guess you implemented the SSO without issues?

[TMUniversal]

Also, @Videothek, I've noticed that your logout URL differs from what I use (and what it says in the documentation). It should be https://<sso-server>/application/o/<application-slug>/end-session/
See goauthentik.io/integrations/services/portainer/#:~:text=https%3A%2F%2Fauthentik.company%2Fapplication%2Fo%2Fportainer%2Fend-session%2F

Thanks for your reply.

I have put the scopes as described in the documentation.

I also have copied the link form my Authentik instace, so this should be fine i guess.

So i guess you implemented the SSO without issues?

Yes, it has been working well for me, through several version upgrades of both portainer and authentik.

[Videothek]

Ok, i guess i have to look into my config or its maybe just a bug.

[Videothek]

I checked my configuration and confirmed that i have set it up just like it shows in the documentation on the authentik website.

So if someone have any idea left what this issue could be, i would be very happy 😄.

[Paulpatou]

Hi there,
Same problem here, this is my mistake "Failure unauthorized" ,my configuration in portainer:

@TMUniversal Can you show us how you set up the "Automatic user provisioning" and "Team membership" sections, thanks.

[TMUniversal]

Hi there, Same problem here, this is my mistake "Failure unauthorized" ,my configuration in portainer: @TMUniversal Can you show us how you set up the "Automatic user provisioning" and "Team membership" sections, thanks.

I have not. Although I've confirmed that these also work.

Here are my settings, just don't turn on Hide Internal authentication prompt before everything is working as intended.

[Videothek]

Hi there, Same problem here, this is my mistake "Failure unauthorized" ,my configuration in portainer: @TMUniversal Can you show us how you set up the "Automatic user provisioning" and "Team membership" sections, thanks.

I have not. Although I've confirmed that these also work.

Here are my settings, just don't turn on Hide Internal authentication prompt before everything is working as intended.

Yes sure, my config looks like this:

So it seems pretty similar.

[TechWolfNZ]

Hi Everyone, I seem to be having this issue as well.

It seems from what I can see, that Portainer never calls the Access token URL. Is it possible Authentik isn't formatting the Redirect URL quite right?

This is how Portainer receives the auth code for my config: https://docker.-removed-/?code=[-CODE-]&state=e1f8b3cc-fc3c-4491-b44b-514585c115a3#!/auth

See my config below:

[TMUniversal]

Hi Everyone, I seem to be having this issue as well.

It seems from what I can see, that Portainer never calls the Access token URL. Is it possible Authentik isn't formatting the Redirect URL quite right?

This is how Portainer receives the auth code for my config: https://docker.-removed-/?code=[-CODE-]&state=e1f8b3cc-fc3c-4491-b44b-514585c115a3#!/auth

See my config below:

Seems unlikely, since it works for me. Could you provide your authentik and portainer versions, please?

Also have a look at my above comment: #8187 (comment) , you may want to add the logout URL. This probably won't fix your problem, but it allows you to log out of both portainer and authentik, or log back in when portainer times out your session.

[TechWolfNZ]

Hi Everyone, I seem to be having this issue as well.
It seems from what I can see, that Portainer never calls the Access token URL. Is it possible Authentik isn't formatting the Redirect URL quite right?
This is how Portainer receives the auth code for my config: https://docker.-removed-/?code=[-CODE-]&state=e1f8b3cc-fc3c-4491-b44b-514585c115a3#!/auth
See my config below:

Seems unlikely, since it works for me. Could you provide your authentik and portainer versions, please?

Also have a look at my above comment: #8187 (comment) , you may want to add the logout URL. This probably won't fix your problem, but it allows you to log out of both portainer and authentik, or log back in when portainer times out your session.

Authentik: 2022.12.1
Portainer: 2.16.2

I'll review my Authentic flows maybe, as I have tested Google Auth without issue. I have tested the api using postman and could retrieve the profile that way from Authentik.

Edit: On some poking around, I see this 500 error from Portainer, does this suggest anything I need the amend?

[tldev-de]

I had the same problem and spend way too much time debugging it.

My problem (maybe you have the same issue) is the traefik default certificate, which I use for authentik.

portainer/api/cli/cli.go

Line 64 in 3625ab6

LogLevel: kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),

Starting portainer with the cli param "--log-level DEBUG" (yes, this isn't documented!) shows the following entries in the log:

2023/01/07 11:15PM DBG github.com/portainer/portainer-ee/api/oauth/oauth.go:35 > failed retrieving OAuth token | error="Post \"https://my.authentik.domain/application/o/token/\": x509: certificate is valid for YYY.XXX.traefik.default, not my.authentik.domain"
2023/01/07 11:15PM DBG github.com/portainer/portainer-ee/api/http/handler/auth/authenticate_oauth.go:82 > OAuth authentication error | error="Post \"https://my.authentik.domain/application/o/token/\": x509: certificate is valid for YYY.XXX.traefik.default, not my.authentik.domain"
2023/01/07 11:15PM DBG github.com/portainer/libhttp@v0.0.0-20220916153711-5d61e12f4b0a/error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500

I'm going to replace the certificate with one from lets encrypt and hope, that it will work :)

[TechWolfNZ]

I'm not sure how to set the flags within the docker container to troubleshoot further. I have now installed a Let's Encrypt cert and it didn't change anything on my side. Let us know how you get on.

[fredmorais]

I'm also having this issue. Would be nice if you can help us add the --log-level flags since there's no documentation on how to do it with docker containers.

[TMUniversal]

I had the same problem and spend way too much time debugging it.

My problem (maybe you have the same issue) is the traefik default certificate, which I use for authentik.

portainer/api/cli/cli.go

Line 64 in 3625ab6

LogLevel: kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),

Starting portainer with the cli param "--log-level DEBUG" (yes, this isn't documented!) shows the following entries in the log:

2023/01/07 11:15PM DBG github.com/portainer/portainer-ee/api/oauth/oauth.go:35 > failed retrieving OAuth token | error="Post \"https://my.authentik.domain/application/o/token/\": x509: certificate is valid for YYY.XXX.traefik.default, not my.authentik.domain"
2023/01/07 11:15PM DBG github.com/portainer/portainer-ee/api/http/handler/auth/authenticate_oauth.go:82 > OAuth authentication error | error="Post \"https://my.authentik.domain/application/o/token/\": x509: certificate is valid for YYY.XXX.traefik.default, not my.authentik.domain"
2023/01/07 11:15PM DBG github.com/portainer/libhttp@v0.0.0-20220916153711-5d61e12f4b0a/error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500

I'm going to replace the certificate with one from lets encrypt and hope, that it will work :)

Yes, please do. I hadn't caught this possibility, but it's not surprising that Portainer would refuse to connect to authentik when the certificate is not valid.

Either try an unencrypted connection (just don't use in production), or use a valid certificate.
Since I see you are using traefik, you can have traefik acquire a LetsEncrypt certificate automatically.

Let me know if you need more details on this, I have traefik set up to do this.

Looking forward to hearing about your results!

@fredmorais, are you using a valid SSL certificate on your authentik server?

[TMUniversal]

I'm not sure how to set the flags within the docker container to troubleshoot further. I have now installed a Let's Encrypt cert and it didn't change anything on my side. Let us know how you get on.

That's unfortunate, I'd hoped this would work.
Assuming you are using a compose file to start portainer, you can add the command property to the service definition.

services:
  portainer:
    image: portainer/portainer-ee:2.16.2
    # Portainer does not require an executable name here, other images might.
    command: --log-level DEBUG # ... other cli args

[fredmorais]

I had the same problem and spend way too much time debugging it.
My problem (maybe you have the same issue) is the traefik default certificate, which I use for authentik.

portainer/api/cli/cli.go

Line 64 in 3625ab6

LogLevel: kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),

Starting portainer with the cli param "--log-level DEBUG" (yes, this isn't documented!) shows the following entries in the log:

2023/01/07 11:15PM DBG github.com/portainer/portainer-ee/api/oauth/oauth.go:35 > failed retrieving OAuth token | error="Post \"https://my.authentik.domain/application/o/token/\": x509: certificate is valid for YYY.XXX.traefik.default, not my.authentik.domain"
2023/01/07 11:15PM DBG github.com/portainer/portainer-ee/api/http/handler/auth/authenticate_oauth.go:82 > OAuth authentication error | error="Post \"https://my.authentik.domain/application/o/token/\": x509: certificate is valid for YYY.XXX.traefik.default, not my.authentik.domain"
2023/01/07 11:15PM DBG github.com/portainer/libhttp@v0.0.0-20220916153711-5d61e12f4b0a/error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500

I'm going to replace the certificate with one from lets encrypt and hope, that it will work :)

Yes, please do. I hadn't caught this possibility, but it's not surprising that Portainer would refuse to connect to authentik when the certificate is not valid.

Either try an unencrypted connection (just don't use in production), or use a valid certificate. Since I see you are using traefik, you can have traefik acquire a LetsEncrypt certificate automatically.

Let me know if you need more details on this, I have traefik set up to do this.

Looking forward to hearing about your results!

@fredmorais, are you using a valid SSL certificate on your authentik server?

I'm actually using Authelia and only realized this is about Authentik now, but I'm pretty sure the problem is with Portainer because I was able to set up OAuth with Nextcloud. I am using a valid SSL from Let's Encrypt with Traefik. Will try to change the log level to see the results.

[tldev-de]

services:
  portainer:
    image: portainer/portainer-ee:2.16.2
    # Portainer does not require an executable name here, other images might.
    command: --log-level DEBUG # ... other cli args

Yes, thats the way to go!

After I changed the default certificate to an lets encrypt certificate it works! Hope this helps some of you! If not you can try to debug it further using the "--log-level" settings :)

[fredmorais]

Quick update on my part for anyone needing it: I was getting a "Account not created beforehand in Portainer and automatic user provisioning not enabled". Turning it on solved my problem! Thanks for the help!

[TechWolfNZ]

Update from me:
Once I set the debug flag I was able to establish I had two issues. I had a similar cert issues to @tldev-de and an incorrect configuration in CloudFlare. I hadn't realised this as my testing should have been all resolved by my local dns... but live and learn.
I've only just started using Cloudflare's service, so I don't fully understand the issue yet, perhaps not forwarding all the headers required or something, disabling the proxy setting corrected this.

[Videothek]

So i finally got around to look at this issue again.
My Portainer instance also throws the certificate error. My biggest problem with this is that i am using my portainer login locally and therefor i only have an local fqdn with a .home at the end.

So in my opinion it should be possible to trust self signed certs for local use. Because not everybody wants to publish their portainer login or use "real" fqdns for their local services.

Maybe some dev from portainer could look into this?

Or just answer this thread why this isnt or shouldnt be possible.

Thank you in adnvance 😄.

[TMUniversal]

So i finally got around to look at this issue again. My Portainer instance also throws the certificate error. My biggest problem with this is that i am using my portainer login locally and therefor i only have an local fqdn with a .home at the end.

So in my opinion it should be possible to trust self signed certs for local use. Because not everybody wants to publish their portainer login or use "real" fqdns for their local services.

Maybe some dev from portainer could look into this?

Or just answer this thread why this isnt or shouldnt be possible.

Thank you in adnvance 😄.

Unfortunately, the URL for Portainer does not matter. I've had it set up so that authentik is reachable on a FQDN, while Portainer was accessible locally via its IP Address, although still using https (portainer self-signed).

So authentik would be on https://authentik.example.com,
and Portainer on https://1.2.3.4:9443.

This configuration worked for me, but I've since put Portainer on a locally accessible fqdn, via a local dns entry.

Does this resemble your setup?

[Videothek]

So i finally got around to look at this issue again. My Portainer instance also throws the certificate error. My biggest problem with this is that i am using my portainer login locally and therefor i only have an local fqdn with a .home at the end.

So in my opinion it should be possible to trust self signed certs for local use. Because not everybody wants to publish their portainer login or use "real" fqdns for their local services.

Maybe some dev from portainer could look into this?

Or just answer this thread why this isnt or shouldnt be possible.

Thank you in adnvance 😄.

Unfortunately, the URL for Portainer does not matter. I've had it set up so that authentik is reachable on a FQDN, while Portainer was accessible locally via its IP Address, although still using https (portainer self-signed).

So authentik would be on https://authentik.example.com,

and Portainer on https://1.2.3.4:9443.

This configuration worked for me, but I've since put Portainer on a locally accessible fqdn, via a local dns entry.

Does this resemble your setup?

Sorry i wasnt clear about my setup.

I have authentik and portainer both on my local network and for both a self signed cert.

It is not an option for me right now to make my authentik instance public since i want authentik for my local services.

I hope my setup i clearer now.

Anyway thank you for your contribution, this would be the idea when hosting it publicly but like i said its something i wouldn't like to do as of now.

So maybe we could get a button to trust our self signed certs or upload the public self signed cert to portainer so that portainer accepts them?

[marouamghar]

Same issue here, just using caddy, which generates its own self cert.

[TMUniversal]

Seems like we've got this issue figured out.

Portainer rejects self-signed certificates by default, but has no mechanism to trust any / the specific certificate.

My solution to this has been to use a LetsEncrypt certificate for my authentik instance, which you can achieve without making your instance public.

To do this, you will have to own a domain, and use a dns challenge to get the certificate (certbot/traefik will create a txt entry through your dns provider), since LetsEncrypt won't be able to access your instance.
Secondly, you would create a local only dns entry for your authentik instance on your domain. You can do this in your hosts file, or a network dns server like bind9 or Pi-Hole.

[Forsskieken]

So I'm using Authentik,Traefik,PiHole and Portainer on a Proxmox host.
I seem to have the same issue...the login to Authentik goes through and I'm redirected to the Portainer page where I have the choice of OAuth / internal authentication...
Every site has a padlock in the browser but stil I can't get Authentik to login me into portainer
This is the error I see when I login and search it's own logs
ERR endpointutils/endpointutils.go:166 > 2023/04/10 02:49PM 2023/04/10 02:49PM ERR 2023/04/10 02:49PM 2023/04/10 02:49PM ERR endpointutils/endpointutils.go:166 > error while detecting storage classes
How can I investigate further?

[tldev-de]

How can I investigate further?

services:
  portainer:
    image: portainer/portainer[...]
    command: --log-level DEBUG # ... other cli args

@Forsskieken try to add the command line to your docker-compose or add it to your startup script / docker run command. this should give you more details in the logs :)

[Forsskieken]

Thanks I did and indeed I see some errors...
2023/04/11 09:50AM INF portainer/main.go:789 > starting Portainer | build_number=24941 go_version=1.19.3 image_tag=linux-amd64-2.16.1 nodejs_version=18.12.1 version=2.16.1 webpack_version=5.68.0 yarn_version=1.22.19
2023/04/11 09:50AM DBG adminmonitor/admin_monitor.go:51 > start initialization monitor
2023/04/11 09:50AM INF http/server.go:337 > starting HTTPS server | bind_address=:9443
2023/04/11 09:50AM INF http/server.go:322 > starting HTTP server | bind_address=:9000
2023/04/11 09:54AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "https://authentik.exampleNOTreal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
2023/04/11 09:54AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "https://authentik.exampleNOTReal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
2023/04/11 09:54AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
2023/04/11 09:55AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "https://authentik.exampleNOTReal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
2023/04/11 09:55AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "https://authentik.exampleNOTReal.net/application/o/token/\": dial tcp 192.168.1.181:443: i/o timeout"
2023/04/11 09:55AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500
2023/04/11 10:04AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="A valid authorisation token is missing" status_code=401

Where is this authorisation token generated or placed?

[Keyinator]

Seems like we've got this issue figured out.

Portainer rejects self-signed certificates by default, but has no mechanism to trust any / the specific certificate.

My solution to this has been to use a LetsEncrypt certificate for my authentik instance, which you can achieve without making your instance public.

To do this, you will have to own a domain, and use a dns challenge to get the certificate (certbot/traefik will create a txt entry through your dns provider), since LetsEncrypt won't be able to access your instance. Secondly, you would create a local only dns entry for your authentik instance on your domain. You can do this in your hosts file, or a network dns server like bind9 or Pi-Hole.

I've installed a letsencrypt wildcard certificate to authentik but still oauth did not work. Only fix was removing the s in https from the oauth configuration urls pointing to the authentik server.

[TMUniversal]

Seems like we've got this issue figured out.
Portainer rejects self-signed certificates by default, but has no mechanism to trust any / the specific certificate.
My solution to this has been to use a LetsEncrypt certificate for my authentik instance, which you can achieve without making your instance public.
To do this, you will have to own a domain, and use a dns challenge to get the certificate (certbot/traefik will create a txt entry through your dns provider), since LetsEncrypt won't be able to access your instance. Secondly, you would create a local only dns entry for your authentik instance on your domain. You can do this in your hosts file, or a network dns server like bind9 or Pi-Hole.

I've installed a letsencrypt wildcard certificate to authentik but still oauth did not work. Only fix was removing the s in https from the oauth configuration urls pointint to the authentik server.

That doesn't sound like what you would want.
Have you entered the full domain used in the certificate (i.e. https://authentik.example.com/...), and have a DNS record in place that allows you (your browser, and portainer) to access the instance under the certificates domain?

[RotusMaximus]

So i finally got around to look at this issue again. My Portainer instance also throws the certificate error. My biggest problem with this is that i am using my portainer login locally and therefor i only have an local fqdn with a .home at the end.

So in my opinion it should be possible to trust self signed certs for local use. Because not everybody wants to publish their portainer login or use "real" fqdns for their local services.

Maybe some dev from portainer could look into this?

Or just answer this thread why this isnt or shouldnt be possible.

Thank you in adnvance 😄.

Unfortunately, the URL for Portainer does not matter. I've had it set up so that authentik is reachable on a FQDN, while Portainer was accessible locally via its IP Address, although still using https (portainer self-signed).
So authentik would be on https://authentik.example.com,
and Portainer on https://1.2.3.4:9443.
This configuration worked for me, but I've since put Portainer on a locally accessible fqdn, via a local dns entry.
Does this resemble your setup?

Sorry i wasnt clear about my setup.

I have authentik and portainer both on my local network and for both a self signed cert.

It is not an option for me right now to make my authentik instance public since i want authentik for my local services.

I hope my setup i clearer now.

Anyway thank you for your contribution, this would be the idea when hosting it publicly but like i said its something i wouldn't like to do as of now.

So maybe we could get a button to trust our self signed certs or upload the public self signed cert to portainer so that portainer accepts them?

I've managed to make it work with a self-signed certificate (and a .home TLD) by trusting the CA that created the certificate (in this case my own CA) inside the container. The host machine that is running my containers already trusts my CA so I managed to solve the problem by mounting the existing ca-certificate.crt file of my host machine into the container.

You can simply do this by adding this line to the volumes part of the docker-compose file of the Portainer setup: - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt.

Please note that this does require your host machine to already trust the CA that created the certificate.

[github-actions]

This issue has been marked as stale as it has not had recent activity, it will be closed if no further activity occurs in the next 7 days. If you believe that it has been incorrectly labelled as stale, leave a comment and the label will be removed.

[github-actions]

Since no further activity has appeared on this issue it will be closed. If you believe that it has been incorrectly closed, leave a comment mentioning portainer/support and one of our staff will then review the issue. Note - If it is an old bug report, make sure that it is reproduceable in the latest version of Portainer as it may have already been fixed.

[ElectricityMachine]

Thanks I did and indeed I see some errors... 2023/04/11 09:50AM INF portainer/main.go:789 > starting Portainer | build_number=24941 go_version=1.19.3 image_tag=linux-amd64-2.16.1 nodejs_version=18.12.1 version=2.16.1 webpack_version=5.68.0 yarn_version=1.22.19 2023/04/11 09:50AM DBG adminmonitor/admin_monitor.go:51 > start initialization monitor 2023/04/11 09:50AM INF http/server.go:337 > starting HTTPS server | bind_address=:9443 2023/04/11 09:50AM INF http/server.go:322 > starting HTTP server | bind_address=:9000 2023/04/11 09:54AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "[https://authentik.exampleNOTreal.net/application/o/token/](https://authentik.exampleNOTreal.net/application/o/token/%5C)": dial tcp 192.168.1.181:443: i/o timeout" 2023/04/11 09:54AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "[https://authentik.exampleNOTReal.net/application/o/token/](https://authentik.exampleNOTReal.net/application/o/token/%5C)": dial tcp 192.168.1.181:443: i/o timeout" 2023/04/11 09:54AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500 2023/04/11 09:55AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "[https://authentik.exampleNOTReal.net/application/o/token/](https://authentik.exampleNOTReal.net/application/o/token/%5C)": dial tcp 192.168.1.181:443: i/o timeout" 2023/04/11 09:55AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "[https://authentik.exampleNOTReal.net/application/o/token/](https://authentik.exampleNOTReal.net/application/o/token/%5C)": dial tcp 192.168.1.181:443: i/o timeout" 2023/04/11 09:55AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500 2023/04/11 10:04AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="A valid authorisation token is missing" status_code=401

Where is this authorisation token generated or placed?

Did you resolve this? I am having the exact same issue. It seems that there isn't a route between Portainer and the host machine, but I'm not sure, and the only solution I'm able to find is to use the Authentik server's name instead of the FQDN, which didn't even work for me.

[paulcsiki]

I've had a similar issue where there was a NAT loopback issue and log level debug has helped as I have recognized the SSL CN from my router rather than the one traefik uses.

[samumatic]

Quick update on my part for anyone needing it: I was getting a "Account not created beforehand in Portainer and automatic user provisioning not enabled". Turning it on solved my problem! Thanks for the help!

I was getting a "Error: Unauthorized" but after turning "automatic user provisioning" on, I could log in.

[Chrispikaan]

Hi, i'm trying to use the username in Portainer instead of the email address.
Example. Username is John and the email is John.Baker@example.com.
Email works with user identifier: email
and Scopes: email openid profile

But how can I use the username as user identifier? I tried user and username but it doesn't work.
What am I doing wrong?

[mooglestiltzkin]

So in my opinion it should be possible to trust self signed certs for local use. Because not everybody wants to publish their portainer login or use "real" fqdns for their local services.

wolfgang posted a lets encrypt for local homelab setting. downside is he uses nginx proxy manager, whereas i am using traefik.
https://www.youtube.com/watch?v=qlcVx-k-02E

i tested it and it does work. u also get valid certs and no longer told its insecure.

but i wanted to get this to work for traefik unfortunately.

i can however verify for you that the certificate issue is resolved when trying to login to portainer using oauth authentik (i tested and confirmed this myself). If you want to try that instead.

but i also 2nd an option to allow makecert certificates for a local lan homelab environment please.

[amour86]

Thanks I did and indeed I see some errors... 2023/04/11 09:50AM INF portainer/main.go:789 > starting Portainer | build_number=24941 go_version=1.19.3 image_tag=linux-amd64-2.16.1 nodejs_version=18.12.1 version=2.16.1 webpack_version=5.68.0 yarn_version=1.22.19 2023/04/11 09:50AM DBG adminmonitor/admin_monitor.go:51 > start initialization monitor 2023/04/11 09:50AM INF http/server.go:337 > starting HTTPS server | bind_address=:9443 2023/04/11 09:50AM INF http/server.go:322 > starting HTTP server | bind_address=:9000 2023/04/11 09:54AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "https://authentik.exampleNOTreal.net/application/o/token/": dial tcp 192.168.1.181:443: i/o timeout" 2023/04/11 09:54AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "https://authentik.exampleNOTReal.net/application/o/token/": dial tcp 192.168.1.181:443: i/o timeout" 2023/04/11 09:54AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500 2023/04/11 09:55AM DBG oauth/oauth.go:34 > failed retrieving oauth token | error="Post "https://authentik.exampleNOTReal.net/application/o/token/": dial tcp 192.168.1.181:443: i/o timeout" 2023/04/11 09:55AM DBG auth/authenticate_oauth.go:75 > OAuth authentication error | error="Post "https://authentik.exampleNOTReal.net/application/o/token/": dial tcp 192.168.1.181:443: i/o timeout" 2023/04/11 09:55AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="Unable to authenticate through OAuth" status_code=500 2023/04/11 10:04AM DBG error/error.go:34 > HTTP error | error=Unauthorized msg="A valid authorisation token is missing" status_code=401
Where is this authorisation token generated or placed?

Did you resolve this? I am having the exact same issue. It seems that there isn't a route between Portainer and the host machine, but I'm not sure, and the only solution I'm able to find is to use the Authentik server's name instead of the FQDN, which didn't even work for me.

did you find a way to fix this, I'm having exactly the same issue

[fertkir]

@Forsskieken, @ElectricityMachine, @amour86
I had the same timeout issue. I then logged into one of my docker containers and figured out that my docker host isn't accessible from inside docker containers.
This was due to:

/etc/docker/daemon.json
{
  ...
  "userland-proxy": false,
  ...
}

I removed the field, restarted the docker daemon and could authenticate to portainer

[icvdok]

Hello, this issue has a final solution? I've exactly the same issue explained in the first post after two years. I've follow the documentation step by step and everything looks good.

Authentik and Portainer can be accessed from internet via nginx proxy manager, both instances are published with Let's Encrypt valid certificates.

I'm not an expert but Authentik confirm the Application authorized bit Portainer doesn't allow the login.

Thanks for the help.

[quincarter]

i had to do some finagling with this too. But i had to setup the internal container network connections for the resource URL and the access token url. In my case my container name for my authentik server is authentik-server and it runs on port 8000 (portainer runs on 9000 by default and conflicts)

i also had to adjust the scopes a little but this did the trick and i am in

[icvdok]

Hello quincarter, thanks for the hint, just a question, as far as I've untderstood, on your setup both dockers, authentik and portainer are on the same docker virtual network?

[icvdok]

update, solved installing a valid public certificate...

[quincarter]

Hello quincarter, thanks for the hint, just a question, as far as I've untderstood, on your setup both dockers, authentik and portainer are on the same docker virtual network?

Yes this is correct

[rmarijn]

i had to do some finagling with this too. But i had to setup the internal container network connections for the resource URL and the access token url. In my case my container name for my authentik server is authentik-server and it runs on port 8000 (portainer runs on 9000 by default and conflicts)

i also had to adjust the scopes a little but this did the trick and i am in

I 'am also struggling for more than a week now to get it running.
Can you show me how you run authentik on port 8000?

Thnx in advance!