What is the TLS version of the OIDC provider of Authentik?

[victormorenodev]

Describe your question/
I'm trying to set up Authentik as an OIDC provider for Incus (linux containers), but Incus is complaining about the TLS version (Incus only supports TLS 1.3). I have created my own self-signed 1.3 certificate, assigned it to the Authentik default, and made the needed configurations in Incus.

Relevant info
Authentik running inside an Incus container called "authentik-tests" and Incus Server is running inside another Incus container called "authentik-incus-server2". I am not using a reverse proxy.

Screenshots

Logs
{"auth_via": "unauthenticated", "domain_url": "0.0.0.0", "event": "/-/health/live/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "HEAD", "pid": 47, "remote": "127.0.0.1", "request_id": "f6e09905bb754892b969cbddf52f52a0", "runtime": 5, "schema_name": "public", "scheme": "http", "status": 204, "timestamp": "2024-07-16T15:07:46.607917", "user": "", "user_agent": "goauthentik.io/healthcheck"}
2024/07/16 15:07:53 http: TLS handshake error from 10.11.21.222:44298: remote error: tls: bad certificate
{"auth_via": "secret_key", "domain_url": "0.0.0.0", "event": "/api/v3/crypto/certificatekeypairs/b9a1244f-fb76-4d93-9ffa-a3237a187851/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 46, "remote": "127.0.0.1", "request_id": "2c591fcc351840ceaa8efb58638b2a53", "runtime": 72, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-07-16T15:08:13.860103", "user": "ak-outpost-2b96316806964d60a837faf2247876b5", "user_agent": "goauthentik.io/outpost/2024.6.0"}
2024/07/16 15:08:13 http: TLS handshake error from 10.11.16.51:40836: remote error: tls: unknown certificate
{"auth_via": "secret_key", "domain_url": "0.0.0.0", "event": "/api/v3/crypto/certificatekeypairs/b9a1244f-fb76-4d93-9ffa-a3237a187851/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 46, "remote": "127.0.0.1", "request_id": "c2cda6caa2514e609610cf6e2b49a920", "runtime": 44, "schema_name": "public", "scheme": "http", "status": 200, "timestamp": "2024-07-16T15:08:14.025804", "user": "ak-outpost-2b96316806964d60a837faf2247876b5", "user_agent": "goauthentik.io/outpost/2024.6.0"}
2024/07/16 15:08:14 http: TLS handshake error from 10.11.16.51:42484: remote error: tls: unknown certificate

Version and Deployment (please complete the following information):

• authentik version: 2024.6.0
• Deployment: docker-compose

Additional context
Add any other context about the problem here.

[BeryJu]

We currently only support TLS 1.2 on the HTTPS port of authentik. (see

authentik/internal/utils/tls.go

Lines 6 to 9 in 795e0ff

	tlsConfig := &tls.Config{
	MinVersion: tls.VersionTLS12,
	MaxVersion: tls.VersionTLS12,
	}

)

You can nginx as a reverse proxy for authentik to configure this yourself: https://docs.goauthentik.io/docs/install-config/reverse-proxy

cc @authentik-db-cooper maybe we can add TLS 1.3 to our config? we'll need to test if this causes any issues with FIPS

[stignarnia]

Why is this still an issue? This outright breaks many clients like erlang or gio, curl and browsers are smart enough but they try 1.3, get error 70, and create a brand new 1.2 connection instead of doing a proper handshake. If you want to pin 1.2 do it properly and support handshakes