GitHub Social Login: `Cannot pickle ResolverMatch` error

[johnnyhuy]

Describe the bug

Followed this guide to set up social login for Authentik. However, we've encountered an error when going through the GitHub login.

Tried to test it with users not in the org and it works as expected. It's just been authentication broken with a "Permission Denied" error.

This only occurs in the latest 2022.11 version. Previous versions < 2022.11 work as expected.

To Reproduce
Steps to reproduce the behavior:

1. Follow the GitHub integration guide
2. Login with a user in the GitHub org
3. Encounter error

Expected behavior

Pass authentication with GitHub

Screenshots

Logs

{"auth_via": "unauthenticated", "event": "Policy failed to run", "exc": "PicklingError('Cannot pickle ResolverMatch.')", "host": "auth.ggs.sx", "level": "warning", "logger": "authentik.policies.process", "pid": 20, "request_id": "a5c4a6274cfd494c8f94d9f6465cce62", "timestamp": "2022-12-06T10:31:30.768589"}

Version and Deployment (please complete the following information):

• authentik version: 2022.11
• Deployment: Kubernetes

Additional context

Add any other context about the problem here.

[Aniwan-jin]

Hi, Yes I have the same issue about authentication with Plex enrollment SSO

[inmanturbo]

This ResolverMatch error also occurs when attempting to access the request within an expression policy

if "admin" in request.path:
  return ak_call_policy("is-admin")

return True

which doesn't work
This works (without execution logging):

return True

This does not:

if "admin" in request.path:
  return True

return True

[inmanturbo]

https://docs.python.org/3/library/pickle.html#pickle-picklable
https://docs.python.org/3/library/re.html#match-objects

[inmanturbo]

3251bdc

[inmanturbo]

turns out that what I actually wanted was request.http_request.path
And looks like this is my issue anyway:
#3581

[BeryJu]

this error is fixed in 2022.12

[LM1LC3N7]

Hi @BeryJu,

I might have a similar error using ghcr.io/goauthentik/dev-server:2024.4. It is not ResolverMath but cannot pickle 'RestrictedElement' object".

Traceback (most recent call last):
  File \"/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py\", line 518, in thread_handler
    raise exc_info[1]
  File \"/ak-root/venv/lib/python3.12/site-packages/django/core/handlers/base.py\", line 253, in _get_response_async
    response = await wrapped_callback(
               ^^^^^^^^^^^^^^^^^^^^^^^
  File \"/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py\", line 468, in __call__
    ret = await asyncio.shield(exec_coro)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/ak-root/venv/lib/python3.12/site-packages/asgiref/current_thread_executor.py\", line 40, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py\", line 522, in thread_handler
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File \"/ak-root/venv/lib/python3.12/site-packages/django/views/generic/base.py\", line 104, in view
    return self.dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File
\"/ak-root/venv/lib/python3.12/site-packages/django/utils/decorators.py\", line 48, in _wrapper
    return bound_method(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/ak-root/venv/lib/python3.12/site-packages/django/views/decorators/csrf.py\", line 65, in _view_wrapper
    return view_func(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/ak-root/venv/lib/python3.12/site-packages/django/views/generic/base.py\", line 143, in dispatch
    return handler(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/authentik/sources/saml/views.py\", line 165, in post
    return processor.prepare_flow_manager().get_flow()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/authentik/core/sources/flow_manager.py\", line 183, in get_flow
    return self.handle_enroll(connection)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/authentik/core/sources/flow_manager.py\", line 342, in handle_enroll
    return self._prepare_flow(
           ^^^^^^^^^^^^^^^^^^^
  File \"/authentik/core/sources/flow_manager.py\", line 269, in _prepare_flow
    plan = planner.plan(self.request, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/authentik/flows/planner.py\", line 206, in plan
    cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
  File \"/ak-root/venv/lib/python3.12/site-packages/django_redis/cache.py\", line 29, in _decorator
    return method(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/ak-root/venv/lib/python3.12/site-packages/django_redis/cache.py\", line 81, in set
    return self.client.set(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/ak-root/venv/lib/python3.12/site-packages/django_redis/client/default.py\", line 143, in set
    nvalue = self.encode(value)
             ^^^^^^^^^^^^^^^^^^
  File \"/ak-root/venv/lib/python3.12/site-packages/django_redis/client/default.py\", line 461, in encode
    value = self._serializer.dumps(value)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/ak-root/venv/lib/python3.12/site-packages/django_redis/serializers/pickle.py\", line 29, in dumps
    return pickle.dumps(value, self._pickle_version)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
builtins.TypeError: cannot pickle 'RestrictedElement' object"

• Context: using default-source-authentication with an external source (federation SAML).

Don't hesitate if you need more tests or logs. I tried to add a Policy (Expression Policy) with a simple ak_message() and print(). This is never triggered, so the problem is inside the authentication default-source-authentication.