[Bug] OIDC not working with Authentik > 2024.2? #1916
Comments
Same problem here!
Are you sure? So it has something to do with the offline_access scope. go-oidc also supports the scope (https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc, search for "offline_access"). I have added the scope in the headscale config and in authentik, but it does not bring any noticeable change.
Could you share your config and explain in more detail what you've done? I think I've also added that, and no authentik login screen appears anyway.
Had this exact same problem. For authentik, you'd need an additional You would also need to set a Signing Key (you can use the self-signed one) for the OAuth2 provider of authentik to use RS256 for signing, which I think is required for Headscale. Here's a sample portion of the headscale config for the oidc:
@sonroyaalmerol @badsmoke I'm now having this exact issue. My headscale config includes:
The OIDC provider on the Authentik side is using the self-signed certificate, not expired, and also has offline_access included in scope. Keep getting: Any ideas?
In
The address is accessible through the URL with valid LE cert. Here is my config.yaml:
In the authentik provider config I have set the signing key and the same scopes as in the config file.
@Ziomal12 I think you and I are having the exact same problem. I cannot figure out why it's not connecting.
I have no extra params
@badsmoke
Removing
@Ziomal12 exactly what I have
@julianq What versions are you using?
@Ziomal12 2024.4.2 on authentik; on headscale it's whatever the latest release (i.e. non-alpha) is. I forget the build number, I'll go look it up. ETA: 0.22.3
I have the same config except for the redirect URL, which is still very open with
@Ziomal12 Okay, so I seem to have fixed it by putting Headscale and Authentik on the same VLAN (they were on separate VLANs before). I have no idea how this got borked, since there were no config changes before it stopped working. I also explicitly allowed all traffic between the VLANs and it still didn't work, only when they were put on the same VLAN. I'll have to do some more digging as to why this happened, but for now I'm just happy it's working.
@julianq Glad to hear that! Unfortunately I'm unable to do that as both services run on different machines. Hopefully there's a fix soon, not a workaround.
@Ziomal12 Agreed.
For what it's worth, I removed
@Ziomal12 This is an Authentik issue. Second service having authentication issues, which were fixed by moving the service on to the same VLAN as Authentik. I'll file a bug report there.
Just made headscale work with Authentik. Comparing to what Ziomal12 wrote:
I don't have the "offline_access" scope, expiry is set to 180d, and my "allowed_groups:" is set to "headscale". I guess the only bug on the headscale side I see here is the invalid callback URL, which Authentik complains about if I don't set ".".
Is this a support request?
Is there an existing issue for this?
Current Behavior
After updating to authentik 2024.4.1, the connection to headscale no longer works properly.
After a headscale restart, for example, the exit node no longer works.
I assume that this is the problem?
Starting with authentik 2024.2, applications only receive an access token. To receive a refresh token, both applications and authentik must be configured to request the offline_access scope. In authentik this can be done by selecting the offline_access Scope mapping in the provider settings.
I previously had an authentik version older than 2024, which ran without any problems.
Expected Behavior
It should just work, like before :-D
Unfortunately I can no longer easily downgrade to test it further.
Steps To Reproduce
headscale set up so that OIDC runs via authentik (< 2024)
authentik update, which needs offline_access
connect to headscale: works, but the exit node does not work (no internet)
exit node reauth: internet works again -> until the next headscale restart, or after some time?
Environment
Runtime environment
Anything else?
That's just a guess, but I updated authentik at the weekend and it hasn't worked since then.
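The behaviour quoted above from the authentik release note (an access token only, unless the client asked for offline_access) can be reproduced in isolation with the following Go program. This is an added example written for this page; it is neither headscale's nor Authentik's code. It stands up a constructed mock provider on net/http/httptest that issues a refresh token only when the authorization request's scope included offline_access, and runs a minimal authorization-code client against it twice, once without and once with that scope. The client_id "headscale", the callback https://headscale.example.com/oidc/callback and the endpoint paths /authorize and /token are assumptions for the example; headscale's real flow goes through go-oidc and the provider's discovery document, and the mock skips PKCE, ID tokens and RS256 signing entirely.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed client identity and callback; headscale's real values come from its config.
const clientID, redirectURI = "headscale", "https://headscale.example.com/oidc/callback"

// TokenResponse is the subset of an OAuth2 token response that matters here.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

func randomToken() string {
	b := make([]byte, 16)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// NewMockProvider starts a constructed stand-in for a provider that, like Authentik
// from 2024.2 on, issues a refresh token only if offline_access was requested. It is
// not Authentik's code, omits PKCE, ID tokens and signing, and serves one client at a time.
func NewMockProvider() *httptest.Server {
	codes := map[string][]string{} // single-use authorization code -> granted scopes
	mux := http.NewServeMux()
	mux.HandleFunc("/authorize", func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		back, err := url.Parse(q.Get("redirect_uri"))
		if err != nil || back.Host == "" || q.Get("response_type") != "code" {
			http.Error(w, "invalid_request", http.StatusBadRequest)
			return
		}
		code := randomToken()
		codes[code] = strings.Fields(q.Get("scope")) // remember what was granted
		back.RawQuery = url.Values{"code": {code}, "state": {q.Get("state")}}.Encode()
		http.Redirect(w, r, back.String(), http.StatusFound)
	})
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		scopes, ok := codes[r.FormValue("code")]
		delete(codes, r.FormValue("code"))
		if r.Method != http.MethodPost || r.FormValue("grant_type") != "authorization_code" || !ok {
			http.Error(w, "invalid_grant", http.StatusBadRequest)
			return
		}
		resp := TokenResponse{AccessToken: randomToken()}
		for _, s := range scopes {
			if s == "offline_access" { // the only scope that earns a refresh token
				resp.RefreshToken = randomToken()
			}
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(resp)
	})
	return httptest.NewServer(mux)
}

// Exchange runs the relying-party side of the code flow with the given scopes. The
// 302 from /authorize is captured, not followed, which is what a callback handler sees.
func Exchange(providerURL string, scopes []string) (TokenResponse, error) {
	var tr TokenResponse
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	state := randomToken()
	q := url.Values{"response_type": {"code"}, "client_id": {clientID}, "state": {state}, "redirect_uri": {redirectURI}, "scope": {strings.Join(scopes, " ")}}
	resp, err := client.Get(providerURL + "/authorize?" + q.Encode())
	if err != nil {
		return tr, err
	}
	resp.Body.Close()
	loc, err := resp.Location()
	if err != nil || loc.Query().Get("state") != state {
		return tr, fmt.Errorf("authorize: no redirect or state mismatch")
	}
	form := url.Values{"grant_type": {"authorization_code"}, "code": {loc.Query().Get("code")}, "redirect_uri": {redirectURI}}
	tokResp, err := client.PostForm(providerURL+"/token", form)
	if err != nil {
		return tr, err
	}
	defer tokResp.Body.Close()
	if tokResp.StatusCode != http.StatusOK {
		return tr, fmt.Errorf("token endpoint: %s", tokResp.Status)
	}
	return tr, json.NewDecoder(tokResp.Body).Decode(&tr)
}

func main() {
	srv := NewMockProvider()
	defer srv.Close()
	for _, scope := range []string{"openid profile email", "openid profile email offline_access"} {
		tr, err := Exchange(srv.URL, strings.Fields(scope))
		fmt.Printf("scope=%q refresh_token_issued=%v err=%v\n", scope, tr.RefreshToken != "", err)
	}
}
```

The first run prints refresh_token_issued=false, the second true: the provider's answer depends only on what the client put in scope at the authorization request, so the scope must be requested on the relying-party side (headscale's oidc.scope list) as well as permitted on the provider side. A client that keeps only the short-lived access token will work until that token expires or the relying party restarts and has nothing to renew with, which matches the "works until the next headscale restart" symptom described above.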