Portainer OAuth login not working with Authentik #8187
Comments
I am not sure if it is related; my authentication is configured with GitHub. It was working till yesterday, now while I am trying to authenticate I am getting the same error. I have tried replacing the client secret with a new one, but still the same issue. Not sure what happened.
Ok weird, have you upgraded authentik or portainer to a new version before that happened?
This was related to a DNS resolution issue from my docker container; after fixing the DNS issue, I am able to log on using GitHub.
Ok great, at least one does work 😄.
Does anyone have the same issue?
I use authentik OAuth in portainer and have had no issues with it.
@TMUniversal @Videothek Thanks!
I've simply followed the steps laid out in the authentik documentation (https://goauthentik.io/integrations/services/portainer/#step-2---portainer):
Also, @Videothek, I've noticed that your logout URL differs from what I use (and what it says in the documentation).
Thanks for your reply. I have put the scopes as described in the documentation. I also have copied the link from my Authentik instance, so this should be fine I guess. So I guess you implemented the SSO without issues?
Yes, it has been working well for me, through several version upgrades of both portainer and authentik.
Ok, I guess I have to look into my config or it's maybe just a bug.
I checked my configuration and confirmed that I have set it up just like it shows in the documentation on the authentik website. So if someone has any idea left what this issue could be, I would be very happy 😄.
Hi there,
I have not. Although I've confirmed that these also work. Here are my settings, just don't turn on
Yes sure, my config looks like this: So it seems pretty similar.
Hi Everyone, I seem to be having this issue as well. It seems from what I can see that Portainer never calls the Access token URL. Is it possible Authentik isn't formatting the Redirect URL quite right? This is how Portainer receives the auth code for my config: https://docker.-removed-/?code=[-CODE-]&state=e1f8b3cc-fc3c-4491-b44b-514585c115a3#!/auth
Seems unlikely, since it works for me. Could you provide your authentik and portainer versions, please? Also have a look at my above comment: #8187 (comment), you may want to add the logout URL. This probably won't fix your problem, but it allows you to log out of both portainer and authentik, or log back in when portainer times out your session.
Authentik: 2022.12.1. I'll review my Authentik flows maybe, as I have tested Google Auth without issue. I have tested the API using Postman and could retrieve the profile that way from Authentik. Edit: On some poking around, I see this 500 error from Portainer, does this suggest anything I need to amend?
I had the same problem and spent way too much time debugging it. My problem (maybe you have the same issue) is the traefik default certificate, which I use for authentik. Line 64 in 3625ab6
Starting portainer with the CLI param "--log-level DEBUG" (yes, this isn't documented!) shows the following entries in the log:
I'm going to replace the certificate with one from Let's Encrypt and hope that it will work :)
I'm not sure how to set the flags within the docker container to troubleshoot further. I have now installed a Let's Encrypt cert and it didn't change anything on my side. Let us know how you get on.
I'm also having this issue. Would be nice if you can help us add the --log-level flags since there's no documentation on how to do it with docker containers.
Yes, please do. I hadn't caught this possibility, but it's not surprising that Portainer would refuse to connect to authentik when the certificate is not valid. Either try an unencrypted connection (just don't use in production), or use a valid certificate. Let me know if you need more details on this, I have traefik set up to do this. Looking forward to hearing about your results! @fredmorais, are you using a valid SSL certificate on your authentik server?
That's unfortunate, I'd hoped this would work.
services:
  portainer:
    image: portainer/portainer-ee:2.16.2
    # Portainer does not require an executable name here, other images might.
    command: --log-level DEBUG # ... other cli args
I'm actually using Authelia and only realized this is about Authentik now, but I'm pretty sure the problem is with Portainer because I was able to set up OAuth with Nextcloud. I am using a valid SSL cert from Let's Encrypt with Traefik. Will try to change the log level to see the results.
Yes, that's the way to go! After I changed the default certificate to a Let's Encrypt certificate it works! Hope this helps some of you! If not you can try to debug it further using the "--log-level" settings :)
Quick update on my part for anyone needing it: I was getting "Account not created beforehand in Portainer and automatic user provisioning not enabled". Turning it on solved my problem! Thanks for the help!
Update from me:
So I finally got around to looking at this issue again. So in my opinion it should be possible to trust self-signed certs for local use, because not everybody wants to publish their portainer login or use "real" FQDNs for their local services. Maybe some dev from portainer could look into this? Or just answer in this thread why this isn't or shouldn't be possible. Thank you in advance 😄.
Unfortunately, the URL for Portainer does not matter. I've had it set up so that authentik is reachable on a FQDN, while Portainer was accessible locally via its IP address, although still using https (portainer self-signed). So authentik would be on This configuration worked for me, but I've since put Portainer on a locally accessible FQDN, via a local DNS entry. Does this resemble your setup?
Sorry I wasn't clear about my setup. I have authentik and portainer both on my local network and for both a self-signed cert. It is not an option for me right now to make my authentik instance public since I want authentik for my local services. I hope my setup is clearer now. Anyway thank you for your contribution, this would be the idea when hosting it publicly, but like I said it's something I wouldn't like to do as of now. So maybe we could get a button to trust our self-signed certs or upload the public self-signed cert to portainer so that portainer accepts them?
Same issue here, just using caddy, which generates its own self-signed cert.
Seems like we've got this issue figured out. Portainer rejects self-signed certificates by default, but has no mechanism to trust any / the specific certificate. My solution to this has been to use a Let's Encrypt certificate for my authentik instance, which you can achieve without making your instance public. To do this, you will have to own a domain and use a DNS challenge to get the certificate (certbot/traefik will create a TXT entry through your DNS provider), since Let's Encrypt won't be able to access your instance.
So I'm using Authentik, Traefik, PiHole and Portainer on a Proxmox host.
@Forsskieken try to add the
Thanks I did and indeed I see some errors... Where is this authorisation token generated or placed?
I've installed a letsencrypt wildcard certificate to authentik but still oauth did not work. Only fix was removing the
That doesn't sound like what you would want.
I've managed to make it work with a self-signed certificate (and a .home TLD) by trusting the CA that created the certificate (in this case my own CA) inside the container. The host machine that is running my containers already trusts my CA so I managed to solve the problem by mounting the existing You can simply do this by adding this line to the volumes part of the docker-compose file of the Portainer setup: Please note that this does require your host machine to already trust the CA that created the certificate.
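The trust-store failure this thread keeps circling back to (Portainer rejecting an authentik certificate issued by a private or reverse-proxy CA, and accepting it once that CA is in the CA bundle the container sees) and the NAT-loopback case further down (a trusted certificate that was issued for a different name), as an added Go example that is not Portainer's or authentik's code. It builds a constructed private CA and a server certificate for it in memory and verifies the certificate with Go's crypto/x509, the package a Go program such as Portainer validates HTTPS peers with, once against an empty trust store and once against a store containing the CA. The hostnames, the CA name and the function names are placeholders chosen for this example; the `Classify` strings are labels for the symptoms, not Portainer log text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Result holds the verification outcome under the two trust configurations
// discussed in the thread.
type Result struct {
	WithoutCA error // private CA absent from the trust store (default inside the container)
	WithCA    error // private CA present (the effect of mounting the host's CA bundle)
}

// issue generates a P-256 key and a certificate from tmpl; with parentKey == nil
// the certificate is self-signed, which is how a private root CA starts.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template is a one-day certificate skeleton; callers add the CA or server flags.
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// makePair builds a constructed private CA (standing in for a homelab CA or a
// reverse proxy's default CA) and a server certificate for host signed by it.
func makePair(host string) (ca, leaf *x509.Certificate, err error) {
	t := template(1, "Homelab Root CA (constructed)")
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, caKey, err := issue(t, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	t = template(2, host)
	t.DNSNames = []string{host}
	t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf, _, err = issue(t, ca, caKey)
	return ca, leaf, err
}

// verifyServerCert does what Go's TLS client does before the token request
// leaves the process: chain the leaf to a trusted root and match the hostname.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// Classify maps a verification error to the symptom a DEBUG log would show.
func Classify(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown authority" // chain builds, but its root is not trusted
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch" // root trusted, certificate names another host
	}
	return "other"
}

// Demo issues a certificate for certHost and verifies it as if connecting to
// connectHost, once with an empty trust store and once with the private CA added.
func Demo(certHost, connectHost string) (Result, error) {
	ca, leaf, err := makePair(certHost)
	if err != nil {
		return Result{}, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	return Result{
		WithoutCA: verifyServerCert(leaf, x509.NewCertPool(), connectHost),
		WithCA:    verifyServerCert(leaf, trusted, connectHost),
	}, nil
}

func main() {
	r, _ := Demo("authentik.home.example", "authentik.home.example") // placeholder names
	w, _ := Demo("router.lan.example", "authentik.home.example")    // proxy/router cert on the authentik name
	fmt.Println(Classify(r.WithoutCA), "/", Classify(r.WithCA), "/", Classify(w.WithCA))
}
```

The empty pool in `Demo` stands in for a container image whose CA bundle does not include the private CA; adding the CA to the pool is what a bind-mounted host bundle achieves, and the third case shows why a valid Let's Encrypt certificate does not help when the name Portainer connects to is answered by a different certificate.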
This issue has been marked as stale as it has not had recent activity, it will be closed if no further activity occurs in the next 7 days. If you believe that it has been incorrectly labelled as stale, leave a comment and the label will be removed.
Since no further activity has appeared on this issue it will be closed. If you believe that it has been incorrectly closed, leave a comment mentioning
Did you resolve this? I am having the exact same issue. It seems that there isn't a route between Portainer and the host machine, but I'm not sure, and the only solution I'm able to find is to use the Authentik server's name instead of the FQDN, which didn't even work for me.
I've had a similar issue where there was a NAT loopback issue and log level debug has helped, as I recognized the SSL CN from my router rather than the one traefik uses.
I was getting "Error: Unauthorized", but after turning "automatic user provisioning" on, I could log in.
Hi, I'm trying to use the username in Portainer instead of the email address. But how can I use the username as user identifier? I tried user and username but it doesn't work.
wolfgang posted a Let's Encrypt setup for a local homelab. The downside is he uses nginx proxy manager, whereas I am using traefik. I tested it and it does work. You also get valid certs and are no longer told it's insecure. But I wanted to get this to work for traefik, unfortunately. I can however verify for you that the certificate issue is resolved when trying to log in to portainer using OAuth authentik (I tested and confirmed this myself), if you want to try that instead. But I also second an option to allow makecert certificates for a local LAN homelab environment, please.
Did you find a way to fix this? I'm having exactly the same issue.
@Forsskieken, @ElectricityMachine, @amour86
I removed the field, restarted the docker daemon and could authenticate to portainer.
Hello, does this issue have a final solution? I have exactly the same issue explained in the first post after two years. I've followed the documentation step by step and everything looks good. Authentik and Portainer can be accessed from the internet via nginx proxy manager, both instances are published with valid Let's Encrypt certificates. I'm not an expert, but Authentik confirms the Application is authorized but Portainer doesn't allow the login. Thanks for the help.
Hello quincarter, thanks for the hint, just a question: as far as I've understood, on your setup both dockers, authentik and portainer, are on the same docker virtual network?
Update: solved by installing a valid public certificate...
Yes, this is correct.
Hello, I tried to enroll OAuth for Portainer.
I created the entries in my SSO service as described in the documentation.
I am using Authentik, that's why I was following this link.
I also read through the portainer guide but couldn't get it to work by now.
When I am trying to log in to Portainer with OAuth, I am getting the following error:
Portainer returns a 500 error code:
My configuration looks like this:
I have also read through many posts about this error but nothing helped in my case.
Would be great if someone could assist me with fixing this error.
Thank you in advance 😄.