ID token issued by a different provider - Error 404

[inventorematto]

Describe the bug
Hello dear team, i'm here to report a bug (maybe), but first let me explain my setup.

I do have a central authentik server running inside my home homelab using almost the standard docker compose file to bring it up.

In order to expose some of my internal services on the internet i use a VPS running in the cloud (outsitde my homelab) connected via ZeroTier to my homelab. As reverse proxy i use Nginix Proxy Manager.

So i deployed a Proxy outpost on the VPS referring to the Manual Outpost deployment in docker-compose documentation, modifing a bit the compose file to fit my setup. This was made to have a local outpost and avoid unecessary traffic from and to the VPS server.

Here the compose file of the outpost proxy:

version: "3.5"
services:
    authentik_proxy:
        image: ghcr.io/goauthentik/proxy
        environment:
            AUTHENTIK_HOST: https://x.x.x.x:9443          <---- Internal IP of the Authentik Server hosted in my homelab
            AUTHENTIK_INSECURE: "true"
            AUTHENTIK_TOKEN: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            AUTHENTIK_HOST_BROWSER: https://authentik.mydomain.xxx      <---- as suggested on the docs i put here the external host of my authentik server
        networks:
          dmz-vps:
            ipv4_address: 'x.x.x.x'
networks:
  dmz-vps:
    external:
      name: dmz-vps

I can see the Proxy Outpost on the Authentik admin page and i'm able to assign providers to it.

Screenshots

So i configured Nginix Proxy manager using the template (as always done in my local nginix proxy manager inside my homelab) but instead to point to the authentik server i pointed to the Proxy outpost IP/port.

When i try to access the esposed resoruce and i got this log message in the outpost proxy container:
warning warning error=oidc: id token issued by a different provider, expected "https://x.x.x.x:9443/application/o/my-app/" got "https://authentik.mydomain.xxx/application/o/my-app/" event=failed to redeem code logger=authentik.outpost.proxyv2.application name=Emby_VPS-proxy timestamp=2024-05-07T08:49:47Z

And this in the browser happens:

Looks like something is not working here...

The only thing that worked for me is to modify the compose file and put hostname (https://authentik.mydomain.xxx) on the AUTHENTIK_HOST instead of the internal IP address. This to me is not an elegant solution because in this way the container reaches the main authentik server using the public internet (cloudflare tunnel ecc..) instead of using the private ip over the ZeroTier tunnel.

Another route i tested was to create a static entry in my host file and attach that on the container so to force the use of the hostname, but pointing to the private IP.

Expected behavior
The expected behavior is to use the private IP to communicate to the main authentik server while being able to use the AUTHENTIK_HOST_BROWSER env to inform the proxy and not have the error 400.

Version and Deployment (please complete the following information):

• authentik version: 2024.4.1
• Deployment: Docker Compose

[tuxmainy]

Yeah, can confirm the behavior which I also would consider being a bug. Especially as there is an older bug (#4715)

[temperance447]

I confirm. I have exactly the same problem with the second outpost I created. A remote address solves this problem but looks ugly.