Proxy outpost in authentik 2025.10 fails with spaces in Postgres password #18175

@JohnTheNerd

Describe the bug

Since authentik 2025.10, I believe #16628, the proxy outpost stopped working if there are any spaces in the Postgres password. I think the exact function that causes this failure is https://github.com/dominic-r/authentik/blob/631a05183573720766d0abd9fb81b2e49e138a4a/internal/outpost/proxyv2/postgresstore/postgresstore.go#L53-L108 - where spaces are used to concatenate parts of the connection string.

How to reproduce

  1. Change the authentik role's Postgres password to a "passphrase" - one that includes spaces
  2. Set AUTHENTIK_POSTGRESQL__PASSWORD accordingly
  3. Restart authentik
  4. Proxy outpost should be completely broken now

Expected behavior

The behavior I expect to see is authentik handling spaces in passwords like other special characters.

Screenshots

No response

Additional context

The server also reports an incorrect password - one can add the below to postgresql.conf and look at the logs to observe the failure:

log_connections = on          # logs each connection attempt
log_line_prefix = '%t [%p]: [%l-1] user=%u,db=%d,addr=%h '
log_error_verbosity = default

The respective logs from my Postgres server:

2025-11-15 18:18:25 NST [15168]: [1-1] user=[unknown],db=[unknown],addr=10.1.1.11 LOG:  connection received: host=10.1.1.11 port=43972

2025-11-15 18:18:25 NST [15168]: [2-1] user=authentik,db=authentik,addr=10.1.1.11 FATAL:  password authentication failed for user "authentik"

2025-11-15 18:18:25 NST [15168]: [3-1] user=authentik,db=authentik,addr=10.1.1.11 DETAIL:  Connection matched file "/etc/postgresql/17/main/pg_hba.conf" line 93: "  host      all                      all                      10.0.0.0/8               scram-sha-256"

Since all other parts of authentik connect to the database just fine, you will still observe successful connections/transactions on the Postgres side of things.

Deployment Method

Docker

Version

2025.10.1

Relevant log output

authentik_server.1.i66w2knha8yn@docker3    | {"error":"failed to setup database: failed to connect to PostgreSQL: failed to connect to `user=authentik database=authentik`: 10.1.3.30:5432 (postgres.johnthenerd.com): failed SASL auth: FATAL: password authentication failed for user \"authentik\" (SQLSTATE 28P01)","event":"failed to setup application","level":"warning","logger":"authentik.outpost.proxyv2","timestamp":"2025-11-15T21:28:06Z"}
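
The quoting rule behind this report, as an added example that is not authentik's code or part of the original issue: in a space-separated libpq keyword/value connection string, a value containing spaces has to be single-quoted, with `\` and `'` backslash-escaped. `parseDSN` is a simplified reader written for this illustration, and the user, dbname and passphrase are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteValue: libpq rule, backslash-escape \ and ', then wrap in single quotes.
func quoteValue(v string) string {
	return "'" + strings.NewReplacer(`\`, `\\`, `'`, `\'`).Replace(v) + "'"
}

// parseDSN is a simplified keyword/value reader written for this example.
func parseDSN(dsn string) (map[string]string, error) {
	out := map[string]string{}
	for s := strings.TrimLeft(dsn, " "); s != ""; s = strings.TrimLeft(s, " ") {
		eq := strings.IndexByte(s, '=')
		if eq < 1 || strings.Contains(s[:eq], " ") {
			return nil, fmt.Errorf("missing \"=\" near %q", s)
		}
		end, rest := byte(' '), s[eq+1:]
		if strings.HasPrefix(rest, "'") {
			end, rest = '\'', rest[1:]
		}
		val, i := []byte{}, 0
		for ; i < len(rest) && rest[i] != end; i++ {
			if rest[i] == '\\' && i+1 < len(rest) {
				i++ // a backslash makes the next byte literal
			}
			val = append(val, rest[i])
		}
		if end == '\'' && i == len(rest) {
			return nil, fmt.Errorf("unterminated quote in %q", s)
		}
		out[s[:eq]] = string(val)
		s = strings.TrimPrefix(rest[i:], string(end))
	}
	return out, nil
}

// survives: do the password and the setting after it come back intact?
func survives(pw, encoded string) bool {
	kv, err := parseDSN("user=authentik password=" + encoded + " dbname=authentik")
	return err == nil && kv["password"] == pw && kv["dbname"] == "authentik"
}

func main() {
	pw := "correct horse battery" // constructed sample passphrase
	fmt.Println("raw:", survives(pw, pw), "quoted:", survives(pw, quoteValue(pw)))
}
```

A URL-form connection string with the password percent-encoded avoids the same ambiguity.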
