OIDC Provider Fails Across VLANs/Subnets #9722
Labels
bug
Something isn't working
Comments
Maybe the connections between authentik and the user work, but not between the service and authentik? Interestingly:
is the occurrence.
Weird tho. But hard to debug from outside.
Describe the bug
When a service is on a separate VLAN or subnet from Authentik, OIDC fails to authenticate. This does not seem to be a problem with VLAN traversal / firewall configuration, as authentication via OIDC was possible until a few days ago, when it suddenly stopped working. Similarly, opening access wide between the VLANs does not allow authentication.
This comes in two flavors:
(1) Either the service fails to connect to Authentik entirely, and the event is entirely invisible from the Authentik side; or
(2) The service manages to connect to Authentik and authenticate successfully, but fails to log in, and the event shows as a successful authentication from the Authentik side (with no indication of the failure to log in).
Moving the service in question to the same VLAN as Authentik allows normal login and is a workaround for now.
Note that this is only for OIDC, the proxy provider works as expected when crossing VLANs/Subnets. (I have not tested the other provider options.)
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Successful connection to Authentik, authentication, and login.
Logs
All of the logs on the service / application side are some form of the following:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='auth.mydomain.com', port=443): Max retries exceeded with url: /application/o/token/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x77d7cfe6f5e0>: Failed to establish a new connection: [Errno 111] Connection refused'))
The "connection refused" is standard across all application log files. The Authentik side shows nothing or a successful authentication, as per my description above.
Version and Deployment (please complete the following information):
Additional context
I am also seeing that the local docker outpost is unhealthy, but that seems to be related to #7279
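An added diagnostic (not from this issue or from authentik) that, run from the service's network, separates the "Connection refused" in the log above (a host answered, but nothing listens on the port, typical of split DNS or hairpin NAT pointing at the wrong address) from a firewall drop (timeout) or a resolution failure. The issuer host auth.mydomain.com is taken from the log line; the local listener is a constructed self-check.

```python
"""Classify why a TCP connection to the OIDC issuer fails, from the client's vantage point."""
import errno
import socket

ISSUER_HOST = "auth.mydomain.com"  # from the log line in the issue


def resolve(host):
    """Addresses the local resolver returns for host, or None if the name does not resolve here."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def classify_connect(host, port=443, timeout=3.0):
    """One TCP connect, mapped to a diagnosis:
    'dns'         name does not resolve from this network
    'refused'     RST came back: reached a host with no listener on that port
    'timeout'     no answer at all, the usual signature of a firewall drop
    'unreachable' no route from this subnet
    'ok'          TCP handshake completed
    """
    if resolve(host) is None:
        return "dns"
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def local_demo():
    """Constructed self-check: a throwaway loopback listener yields 'ok' while open and
    'refused' once closed, the same outcome the service saw against the issuer."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = classify_connect("127.0.0.1", port)
    listener.close()
    return while_open, classify_connect("127.0.0.1", port)


if __name__ == "__main__":
    print(ISSUER_HOST, "->", resolve(ISSUER_HOST), classify_connect(ISSUER_HOST))
```

Compare the resolved addresses with what a host on Authentik's own VLAN gets; a 'refused' against an address that is not the Authentik host points at the resolver or NAT rather than at the provider.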