Portianer OAuth is broken after update.

[Smallinger]

Describe the bug
Can't Login in my Portianer instance.
'https://domain.me&scope=email%20openid%20profile&state=2a1078bf-bcc2-4300-a6b2-8a41ad511f4b' the error lies in 'domain.me&scope.' i think.

Uncaught (in promise) TypeError: Failed to construct 'URL': Invalid URL
    at n.value (RedirectStage.ts:61:21)
    at n.value (RedirectStage.ts:78:25)
    at n.update (lit-element.js:6:304)
    at n.performUpdate (reactive-element.js:6:4849)
    at n.scheduleUpdate (reactive-element.js:6:4496)
    at n._$Ej (reactive-element.js:6:4404)

To Reproduce

Expected behavior
login normaly

Screenshots
My Portainer configuration

My Authentik configuration

Logs
INF action=login auth_via=unauthenticated client_ip=95.**.**.**.** context={"auth_method":"password","auth_method_args":{},"geo":{"city":"Mönch****","continent":"**","country":"**","lat":**.****,"long":*.*****},"http_request":{"args":{"next":"/application/o/authorize/?response_type=code&client_id=Bs4yO3vcPu21WZiwO4xnUZTaQh09bhjB1h0YXQt6&redirect_uri=https://domain.me&scope=email%20openid%20profile&state=2a1078bf-bcc2-4300-a6b2-8a41ad511f4b"},"method":"GET","path":"/api/v3/flows/executor/default-authentication-flow/"}} event=Created Event host=auth.domain.me logger=authentik.events.models pid=23 request_id=d8a8fc38478c403d8e4a4c21db2f0a6c timestamp=2023-05-24T03:34:26.192330 user={"email":"example@domain.me","pk":6,"username":"SmallPox"}
Version and Deployment (please complete the following information):

• authentik version: [2023.5.1]
• Deployment: Portainer BE 2.18.3

Additional context
Add any other context about the problem here.
I'm sorry, but I'm not sure exactly what's going on. Apparently, the URL is no longer correct. It's possible that Authentik is providing it incorrectly, even though everything is actually accurate.
The problem has only existed since I updated Authentik.
But in my opinion, something is missing after the domain extension. When I try to access the domain 'https://domain.me&scope=email%20openid%20profile&state=2a1078bf-bcc2-4300-a6b2-8a41ad511f4b' myself, I receive a 404 error. In my opinion, the error lies in 'domain.me&scope.'
I have also tried adding a forward slash in Authentik, so the request looked like this: 'domain.me/&scope,' but that didn't help either.
Maybe someone here can help me.

[Smallinger]

hmm if i already logged in in authentik over authentik it self and press then the login button on portainer i got the right "redirect_uri: https://domain.me".

[ZerkerEOD]

I second this and having the same issue. I notice that once I login and get stuck, I need to manually go back to my portainer instance, and click the OAuth login again which will then be redirected properly and I will be logged in.

[Saeverix]

Same issue here. The code in the getURL method is not good. I guess it should be a startsWith check instead of includes.

I see this code changed 3 weeks ago in this commit: 8ded118
Before that commit Authentik would always redirect to this.challenge.to. So I guess we found the issue here.

[Smallinger]

After I built my own Authentik image with the changes that @Saeverix made, I can confirm that all my OAuth connections are working properly. I am using:

• Portainer
• Proxmox
• Nginx Proxy Manager
• Nextcloud
• Gitea
• Coder
• Proxy Auth
• Element / Matrix
• Jellyfin

Everything is working perfectly!

[BeryJu]

I'm thinking the actual root cause for the error is that authentik doesn't check if the URL it sends to the frontend for redirecting is fully URL-encoded, as technically the second :// should be encoded into %3A%2F%2F (which is normally the job of the client, in this case portainer, and also the reason why this doesn't completely break all OAuth)

[Saeverix]

@Smallinger thanks for checking my changes and confirming that it works.

@BeryJu it might also be worth to add the URL encoding feature, but overall the getURL method was a bit too vague. If this.challenge.to contained :// (on any position) then it would be satisfied and think that it's a valid URL.
I changed it to a RegEx check to make sure it checks if the start of this.challenge.to is http:// or https://.

[ZerkerEOD]

So we know when the docker image will be updated?

[Saeverix]

@ZerkerEOD it looks like @BeryJu already merged the fix into branch version-2023.5 so I guess version 2023.5.3 won't take that much longer.