ID token issued by a different provider - Error 404 #9622
Labels: bug
Comments
Yeah, can confirm the behavior which I also would consider being a bug. Especially as there is an older bug (#4715)
I confirm. I have exactly the same problem with the second outpost I created. A remote address solves this problem but looks ugly.
Describe the bug
Hello dear team, I'm here to report a bug (maybe), but first let me explain my setup.
I do have a central authentik server running inside my home homelab using almost the standard docker compose file to bring it up.
In order to expose some of my internal services on the internet, I use a VPS running in the cloud (outside my homelab) connected via ZeroTier to my homelab. As a reverse proxy I use Nginx Proxy Manager.
So I deployed a Proxy outpost on the VPS, referring to the Manual Outpost deployment in docker-compose documentation and modifying the compose file a bit to fit my setup. This was done to have a local outpost and avoid unnecessary traffic from and to the VPS server.
Here is the compose file of the outpost proxy:
I can see the Proxy Outpost on the Authentik admin page and I'm able to assign providers to it.
Screenshots
So I configured Nginx Proxy Manager using the template (as I have always done in my local Nginx Proxy Manager inside my homelab), but instead of pointing to the authentik server I pointed to the Proxy outpost IP/port.
When I try to access the exposed resource, I get this log message in the outpost proxy container:
warning warning error=oidc: id token issued by a different provider, expected "https://x.x.x.x:9443/application/o/my-app/" got "https://authentik.mydomain.xxx/application/o/my-app/" event=failed to redeem code logger=authentik.outpost.proxyv2.application name=Emby_VPS-proxy timestamp=2024-05-07T08:49:47Z
And this happens in the browser:
Looks like something is not working here...
The only thing that worked for me is to modify the compose file and put the hostname (https://authentik.mydomain.xxx) in AUTHENTIK_HOST instead of the internal IP address. To me this is not an elegant solution, because this way the container reaches the main authentik server over the public internet (Cloudflare tunnel etc.) instead of using the private IP over the ZeroTier tunnel.
Another route I tested was to create a static entry in my hosts file and attach it to the container, so as to force the use of the hostname while pointing to the private IP.
Expected behavior
The expected behavior is to use the private IP to communicate with the main authentik server while being able to use the AUTHENTIK_HOST_BROWSER env to inform the proxy and not have the error 400.
Version and Deployment (please complete the following information):
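
The log line in the report shows an issuer mismatch: the outpost expected an issuer built on the internal address, while the ID token's `iss` claim carries the public hostname. The Go sketch below is an added example, not authentik's or the reporter's code; it reproduces that comparison on a constructed token so the check can be run against a captured ID token when diagnosing this error. The function names, host names and sample token are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// tokenIssuer reads "iss" from a compact JWT WITHOUT verifying it (diagnostic only).
func tokenIssuer(idToken string) (string, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT: %d segments", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var claims struct{ Issuer string `json:"iss"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parse claims: %w", err)
	}
	return claims.Issuer, nil
}

// checkIssuer (hypothetical helper) does the exact string comparison seen in the log.
func checkIssuer(expected, idToken string) error {
	got, err := tokenIssuer(idToken)
	if err != nil {
		return err
	}
	if got != expected {
		return fmt.Errorf("oidc: id token issued by a different provider, expected %q got %q", expected, got)
	}
	return nil
}

// sampleToken builds a constructed token with a placeholder signature for the demo.
func sampleToken(iss string) string {
	enc := base64.RawURLEncoding.EncodeToString
	body, _ := json.Marshal(map[string]string{"iss": iss})
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc(body) + ".placeholder"
}

func main() {
	tok := sampleToken("https://authentik.example.test/application/o/my-app/") // constructed host
	fmt.Println(checkIssuer("https://10.0.0.5:9443/application/o/my-app/", tok)) // mismatch error
	fmt.Println(checkIssuer("https://authentik.example.test/application/o/my-app/", tok)) // <nil>
}
```

Because the comparison is an exact string match, a different scheme, port or trailing slash fails in the same way as a different host.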