Infinite redirect loop on proxy providers since 2024.10 #11883

Closed
Buco7854 opened this issue Nov 1, 2024 · 29 comments · Fixed by #11968
Labels
bug Something isn't working

Comments

@Buco7854 commented Nov 1, 2024

Describe the bug
Every proxy provider I have is now stuck in an infinite loop. Even new ones I create are affected.

To Reproduce
Go to an application that uses a proxy provider

Expected behavior
The authorization process should be passed and the website displayed

Logs
REDACTED

Version and Deployment(please complete the following information):

authentik version: 2024.10.0
Deployment: docker-compose

Additional context
Anything else works fine.
Changing the docker image version back to 2024.8 doesn't work though; it seems the schemas are incompatible.
I was forced to restore a backup to go back to 2024.8.

@Buco7854 Buco7854 added the bug Something isn't working label Nov 1, 2024
@Buco7854 Buco7854 changed the title Infinite Redirect loop on proxy providers since 2024.10 Infinite redirect loop on proxy providers since 2024.10 Nov 1, 2024
@devzwf commented Nov 1, 2024

I have the same issue.
The worker is also in an infinite loop.

@dmfrey commented Nov 1, 2024

+1 to this issue

@MineTech13

+1 here too

@vish9812 commented Nov 1, 2024

I'm getting the following errors:

Error 1

authentik_worker  | Running migrations:
authentik_worker  |   Applying authentik_core.0040_provider_invalidation_flow...
authentik_db      | 2024-11-01 18:37:38.953 UTC [44] ERROR:  duplicate key value violates unique constraint "django_migrations_pkey"
authentik_db      | 2024-11-01 18:37:38.953 UTC [44] DETAIL:  Key (id)=(497) already exists.

Error 2
column "invalidation_flow_id" of relation "authentik_core_provider" already exists

authentik_worker  | Running migrations:
authentik_worker  |   Applying authentik_core.0040_provider_invalidation_flow...
authentik_db      | 2024-11-01 18:16:28.043 UTC [87] ERROR:  column "invalidation_flow_id" of relation "authentik_core_provider" already exists
authentik_db      | 2024-11-01 18:16:28.043 UTC [87] STATEMENT:  ALTER TABLE "authentik_core_provider" ADD COLUMN "invalidation_flow_id" uuid NULL CONSTRAINT "authentik_core_provi_invalidation_flow_id_69c4fd1b_fk_authentik" REFERENCES "authentik_flows_flow"("flow_uuid") DEFERRABLE INITIALLY DEFERRED; SET CONSTRAINTS "authentik_core_provi_invalidation_flow_id_69c4fd1b_fk_authentik" IMMEDIATE
authentik_worker  | {"domain_url": null, "event": "releasing database lock", "level": "info", "logger": "lifecycle.migrate", "pid": 7, "schema_name": "public", "timestamp": "2024-11-01T18:16:28.043831"}
authentik_server  | 2024-11-01 18:16:28 [info     ] applying django migrations
authentik_worker  | Traceback (most recent call last):
authentik_worker  |   File "/ak-root/venv/lib/python3.12/site-packages/django/db/backends/utils.py", line 103, in _execute
authentik_worker  |     return self.cursor.execute(sql)
authentik_worker  |            ^^^^^^^^^^^^^^^^^^^^^^^^
authentik_worker  |   File "/ak-root/venv/lib/python3.12/site-packages/django_prometheus/db/common.py", line 69, in execute
authentik_worker  |     return super().execute(*args, **kwargs)
authentik_worker  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
authentik_worker  |   File "/ak-root/venv/lib/python3.12/site-packages/psycopg/cursor.py", line 97, in execute
authentik_worker  |     raise ex.with_traceback(None)
authentik_worker  | psycopg.errors.DuplicateColumn: column "invalidation_flow_id" of relation "authentik_core_provider" already exists

@miccico commented Nov 1, 2024

+1

@TiiFuchs commented Nov 2, 2024

+1

@MichaelSp commented Nov 2, 2024

I also have the error column "invalidation_flow_id" of relation "authentik_core_provider" already exists in my k8s helm-based deployment.

edit: this is now captured in #11895

@HumnResources

Confirm same issue. Interestingly, when I initially set up 2024.10 my proxies were working fine. But by the time I finished getting all my config set up (branding/flows/etc.) they were looping and unrecoverable.

@gergosimonyi gergosimonyi added this to the Release 2024.10.1 milestone Nov 4, 2024
@gergosimonyi (Collaborator)

Based on the error in the logs, this should be fixed by #11879

Aside: the INSERT INTO statements in your pasted logs contain a JWT which contains credentials. They are now leaked, you should rotate all of them. We can't really filter docker-compose output so if you post any logs as part of a ticket in the future, please look through them and remove sensitive data by hand.

@Buco7854 (Author) commented Nov 4, 2024

> Based on the error in the logs, this should be fixed by #11879
>
> Aside: the INSERT INTO statements in your pasted logs contain a JWT which contains credentials. They are now leaked, you should rotate all of them. We can't really filter docker-compose output so if you post any logs as part of a ticket in the future, please look through them and remove sensitive data by hand.

Thank you, I'll try when a new image is available. How do I actually rotate the JWTs? Are those specific to a user or to the authentik app itself?

@gergosimonyi (Collaborator)

Oh, I didn't mean rotate the JWT. Rotate the credentials encoded in the JWT. You can see what was exposed if you plug the JWT into a service like https://jwt.io/#debugger-io
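An added example, not authentik's code and not from any commenter in this thread: decoding a token offline with the Python standard library instead of pasting it into a third-party debugger, listing the claims that count as disclosed, and scrubbing JWT-shaped strings from a log blob before it goes into a ticket. The token, the claim names flagged as sensitive, the issuer URL and the log lines are all constructed for the example; nothing here verifies a signature, so it is triage tooling only.

```python
"""Offline JWT triage for pasted logs (added example, not authentik code)."""
from __future__ import annotations

import base64
import json
import re
from typing import Any

# Standard OIDC claims that usually carry personal data or group membership.
# Any of these present in a token pasted into a public ticket should be
# treated as disclosed. Assumption: this list is illustrative, not exhaustive.
SENSITIVE_CLAIMS = {
    "sub", "email", "name", "given_name", "family_name", "nickname",
    "preferred_username", "phone_number", "groups",
}

# Compact JWS: three base64url segments separated by dots. "eyJ" is the
# base64url prefix of '{"', which every JSON header and payload starts with.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> dict[str, Any]:
    """Split a compact JWT into header, payload and signature WITHOUT checking
    the signature. Fine for triage of a leaked token; never use for authz."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
        "signature": _b64url_decode(parts[2]),
    }


def triage_leaked_token(token: str) -> dict[str, Any]:
    """Summarise what a leaked token exposes and which claims need action."""
    decoded = decode_jwt_unverified(token)
    payload = decoded["payload"]
    return {
        "alg": decoded["header"].get("alg"),
        # "iss" is the value an OIDC client compares against its configured issuer.
        "issuer": payload.get("iss"),
        "audience": payload.get("aud"),
        "expires_at": payload.get("exp"),
        "exposed_claims": {k: v for k, v in payload.items() if k in SENSITIVE_CLAIMS},
    }


def redact_jwts(text: str) -> tuple[str, int]:
    """Replace every JWT-shaped string in a log blob; returns (text, count)."""
    return JWT_RE.subn("<JWT REDACTED>", text)


def build_sample_token() -> str:
    """Constructed sample token: made-up claims and a junk all-zero signature,
    only so the functions above have something to run on offline."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-key"}
    payload = {
        "iss": "https://sso.example.com/application/o/example-app/",  # constructed
        "sub": "constructed-user-id",
        "aud": "example-client-id",
        "exp": 1730500000,
        "email": "alice@example.com",
        "name": "Alice Example",
        "groups": ["admins"],
    }
    segments = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                for p in (header, payload)]
    return ".".join(segments + [_b64url_encode(b"\x00" * 32)])


# Constructed log excerpt: an INSERT statement with the sample token inside it.
SAMPLE_LOG = (
    'authentik_db | STATEMENT: INSERT INTO "example_table" (token) VALUES '
    "('" + build_sample_token() + "')\n"
    "authentik_server | [info] request finished\n"
)

if __name__ == "__main__":
    print(json.dumps(triage_leaked_token(build_sample_token()), indent=2))
    scrubbed, count = redact_jwts(SAMPLE_LOG)
    print(f"redacted {count} token(s):\n{scrubbed}")
```

Run redact_jwts over the whole docker-compose capture before attaching it; the triage output tells you which identities and group memberships to treat as exposed, which is what drives the "rotate the credentials encoded in the JWT" advice above.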

@Buco7854 (Author) commented Nov 5, 2024

> Oh, I didn't mean rotate the JWT. Rotate the credentials encoded in the JWT. You can see what was exposed if you plug the JWT into a service like https://jwt.io/#debugger-io

Well, I deleted the logs. The JWT contained the application URL and some temporary tokens I guess, so it's fine, but while looking at the logs I realised my email wasn't properly replaced everywhere 😅. Thanks.

@BeryJu (Member) commented Nov 5, 2024

@Buco7854 FYI the edit history of your issue is still public so the logs are still visible, and so are the credentials. We recommend you rotate the passwords in calibre and another application that is not named. We can also delete the issue.

@Buco7854 (Author) commented Nov 5, 2024

> @Buco7854 FYI the edit history of your issue is still public so the logs are still visible, and so are the credentials. We recommend you rotate the passwords in calibre and another application that is not named. We can also delete the issue.

Well, I can rotate the calibre password easily enough; the only other thing was my email, but I'm already receiving tons of spam so I guess it doesn't matter.
I reviewed yesterday late at night, but based on the services accessed in the logs there's only calibre, user attributes, my email and the unnamed service.

If it's fine with you I guess deleting the issue would be best, but I can just rotate all of them otherwise (edit: done).

Thanks for the warning 😀.

@bryceprutsos

I just updated to 2024.10.1 and the problem is still there so 🤷

@MrBE4R commented Nov 6, 2024

Hi,

The image for 2024.10.1 (sha256:b6b2fc02ea1c77943b8aa519af7f392bc1fcc2fc6341279bf7b54a9bc7fbe4e7) did correct this bug on my deployments.

Cheers.

@bnctth commented Nov 6, 2024

For me it wouldn't work with an alternative server name (i.e. the outpost has AUTHENTIK_HOST: http://server:9000 and AUTHENTIK_HOST_BROWSER: https://[public domain]). The only solution was to use the public domain as AUTHENTIK_HOST, both for the deployment of the outpost and in its configuration in authentik.

@dandrade-wave (Contributor)

error: "oidc: id token issued by a different provider"

@mgrove36 commented Nov 6, 2024

Hiya, I'm getting this infinite redirect loop as well. The event logs in the admin dashboard show the application being authorised, and then a generic system exception that UUID objects aren't JSON serialisable. It appears it may be a slightly different issue with the same symptoms?

Traceback (most recent call last):
  File "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", line 518, in thread_handler
    raise exc_info[1]
  File "/ak-root/venv/lib/python3.12/site-packages/django/core/handlers/base.py", line 253, in _get_response_async
    response = await wrapped_callback(
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", line 468, in __call__
    ret = await asyncio.shield(exec_coro)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/asgiref/current_thread_executor.py", line 40, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", line 522, in thread_handler
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/views/generic/base.py", line 104, in view
    return self.dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/utils/decorators.py", line 48, in _wrapper
    return bound_method(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/views/decorators/csrf.py", line 65, in _view_wrapper
    return view_func(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/providers/oauth2/views/token.py", line 497, in dispatch
    response = super().dispatch(request, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/views/generic/base.py", line 143, in dispatch
    return handler(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/providers/oauth2/views/token.py", line 526, in post
    return TokenResponse(self.create_code_response())
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/providers/oauth2/views/token.py", line 561, in create_code_response
    access_token.id_token = access_id_token
    ^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/providers/oauth2/models.py", line 438, in id_token
    self.token = value.to_access_token(self.provider)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/providers/oauth2/id_token.py", line 174, in to_access_token
    return provider.encode(final)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/providers/oauth2/models.py", line 310, in encode
    encoded = encode(payload, key, algorithm=alg, headers=headers)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/jwt/api_jwt.py", line 68, in encode
    json_payload = self._encode_payload(
                   ^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/jwt/api_jwt.py", line 95, in _encode_payload
    return json.dumps(
           ^^^^^^^^^^^
  File "/usr/local/lib/python3.12/json/__init__.py", line 238, in dumps
    **kw).encode(obj)
          ^^^^^^^^^^^
  File "/usr/local/lib/python3.12/json/encoder.py", line 200, in encode
    chunks = self.iterencode(o, _one_shot=True)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/json/encoder.py", line 258, in iterencode
    return _iterencode(o, 0)
           ^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/json/encoder.py", line 180, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
builtins.TypeError: Object of type UUID is not JSON serializable
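An added example, not authentik's code and not its fix for the traceback above: a minimal HS256 signer that serialises the claims with json.dumps at the same point the trace shows (right before signing), once with the default encoder, which reproduces the TypeError, and once with a json.JSONEncoder subclass that renders uuid.UUID as its canonical string. PyJWT exposes the same hook as the json_encoder argument of jwt.encode. The claims, key and user id are constructed for the example; the verify helper is pinned to HS256 with a known key and deliberately does not read the alg header from the token.

```python
"""Reproduce and fix "Object of type UUID is not JSON serializable" while
minting a JWT (added example, not authentik's code or fix)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import uuid
from typing import Any


class UUIDSafeEncoder(json.JSONEncoder):
    """JSONEncoder that renders uuid.UUID as its canonical string.
    json.dumps only calls default() for objects it cannot serialise natively,
    so this is exactly the point where the stock encoder raised TypeError."""

    def default(self, o: Any) -> Any:
        if isinstance(o, uuid.UUID):
            return str(o)
        return super().default(o)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(payload: dict[str, Any], key: bytes,
                 json_encoder: type[json.JSONEncoder] | None = None) -> str:
    """Minimal HS256 JWS. The payload is serialised with json.dumps before
    signing, which is the step that fails when a claim holds a uuid.UUID."""
    header = {"alg": "HS256", "typ": "JWT"}

    def compact(obj: Any) -> str:
        return json.dumps(obj, separators=(",", ":"), cls=json_encoder)

    signing_input = (_b64url_encode(compact(header).encode()) + "."
                     + _b64url_encode(compact(payload).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> dict[str, Any] | None:
    """Return the payload if the HMAC over header.payload matches, else None.
    The algorithm is fixed here on purpose: never take it from the token."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


# Constructed claims: a provider-style payload whose subject is a uuid.UUID
# object rather than a string, the kind of value that trips json.dumps.
USER_ID = uuid.UUID("12345678-1234-5678-1234-567812345678")
CLAIMS = {"iss": "https://sso.example.com/", "sub": USER_ID, "exp": 1730500000}
KEY = b"constructed-demo-key-not-a-real-secret"


def mint_naively() -> str:
    """Serialise the claims with the default encoder: fails like the trace."""
    try:
        encode_hs256(CLAIMS, KEY)
    except TypeError as exc:
        return f"TypeError: {exc}"
    return "unexpectedly succeeded"


def mint_with_uuid_encoder() -> str:
    """Same claims, UUID-aware encoder: the token mints and verifies."""
    return encode_hs256(CLAIMS, KEY, json_encoder=UUIDSafeEncoder)


if __name__ == "__main__":
    print(mint_naively())
    token = mint_with_uuid_encoder()
    print(token)
    print(verify_hs256(token, KEY))
```

The point for anyone debugging this loop: the failure is in the token endpoint, so the browser gets an error instead of tokens, the outpost has no session, and it sends the user back to start the flow again. Checking the event log for the serialisation exception, as the comment above did, is the quickest way to tell this variant apart from the migration problem.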

@tomtom5152 (Contributor)

I'm also seeing the exact same error as @mgrove36 now.

For reference, this is the image:

ghcr.io/goauthentik/server:2024.10.1
ghcr.io/goauthentik/server@sha256:52611cf73ec6880b76a2e437f57ac3f2213b1000f7c82080edc6201b33718803

@martadams89 commented Nov 7, 2024

I am also getting the same as @mgrove36. I'm using the helm chart in k8s from https://artifacthub.io/packages/helm/goauthentik/authentik?modal=values with the outpost running locally.

I use traefik, and my middleware & ingressroute are the following, if that helps:

---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik
spec:
  forwardAuth:
    address: http://authentik-server.authentik/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: authentik-server
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: PathPrefix(`/outpost.goauthentik.io/`)
      priority: 15
      services:
        - kind: Service
          name: authentik-server
          port: 80

@mgrove36 commented Nov 8, 2024

Looks like this may be caused by/linked to #11949

@dmfrey commented Nov 14, 2024

This is still happening after I upgraded to 2024.10.2

@dmfrey commented Nov 14, 2024

Seems to have resolved itself.

@martadams89

I just updated to 2024.10.2 and I appeared to still have the same issue; I had to downgrade to get it working again.

@Silvan-M commented Nov 17, 2024

Same problem. Anyone able to resolve the issue? Still happens for me on 2024.10.2.

@mgrove36

Same for me. I'm getting the same error as I posted above still. @BeryJu do you have any insights?

@tomtom5152 (Contributor)

Also still getting this, with the same error about UUID serialisation

@Silvan-M commented Nov 18, 2024

The issue just resolved itself for me. Not sure what caused it to work. The only thing I changed was fixing an error I got in the authentik worker described here (e.g. I gave read/write permissions for /media/public). However, I'm not sure if that was the issue, since it didn't resolve the redirection loop until about one day later.
