Authentik gets stuck in redirect loop when using newly created application with proxy provider

[miversen33]

Describe the bug
This was discussed a bit in the Application Reverse Proxy Issues thread on the discord but I will do my best to relay the info here as well.

On a fresh install, when I create a new proxy provider for an application (in my example I am using sonarr, though the endpoint is irrelevant), Authentik cannot seem to find the application after setting it up. Pictures are worth a thousand words, so here is a handful to show what I am seeing.

Proxy Provider setup

Example application setup

Authentik Embedded Outpost

Authentik Outpost Configuration

log_level: info
docker_labels: null
authentik_host: https://auth.iserver.me
docker_network: null
container_image: null
docker_map_ports: true
kubernetes_replicas: 1
kubernetes_namespace: default
authentik_host_browser: ""
object_naming_template: ak-outpost-%(name)s
authentik_host_insecure: false
kubernetes_service_type: ClusterIP
kubernetes_image_pull_secrets: []
kubernetes_ingress_class_name: null
kubernetes_disabled_components:
  - deployment
  - secret
kubernetes_ingress_annotations: {}
kubernetes_ingress_secret_name: authentik-outpost-tls

User application page

Firefox dying of redirect loop

Round and round it goes

To Reproduce
Steps to reproduce the behavior:

1. Setup new fresh installation of authentik with docker compose
2. Create new proxy provider with default-authentication-flow as the authentication flow and default-provider-authorization-explicit-consent as the authorization flow (though I tried with implicit and got the same result)
3. Setup external and internal host as requested
4. Create an application that uses the Provider
5. Add the application to the embedded outpost (are we supposed to set that to use the local docker connection integration?? I tried both but don't really know the "correct" way to use that).
6. Go to application page
7. See death

Expected behavior
I would expect the application to properly load when selected. I assume I am doing something wrong but I was unable to find any documentation/examples on how to setup applications/providers. There seems to be quite a bit of assumed knowledge in the docs. Note, previously I was experiencing an authentik 404 when selecting an application. I am unable to recreate this issue now, though I feel like I haven't changed my configuration so 🤷‍♂️

Logs
Output of docker-compose logs or kubectl logs respectively
authentik-server-logs.gz

Version and Deployment (please complete the following information):

• authentik version: 2023.6.1
• Deployment: docker-compose

Additional context
I am noticing that after I setup the basic proxy provider, that any request that come to the base domain (in this case, iserver.me) are being consumed by it at the listed endpoint (so iserver.me/sonarr). That screams misconfiguration to me but I have no idea what I am doing wrong :(

I will provide whatever information is needed, thanks in advanced!

[miversen33]

Is there more information that I need to provide to get some kind of feedback about what I may be doing incorrectly here?

[alyx161]

It's caused by the path
If you use a dedicated subdomain instead of a path it will work

However, I'm curious myself about how to setup it up with a path 🤔

[Node815]

Can't you just use a localIP:port?
I do that with my apps and never encounter issues, then I just tell Cloudflare's tunnels where to point the external domain to, for example, observer.mydomainname.com for uptimekuma.

[alyx161]

Like I said, if you use a dedicated domain there is no issue.
The issue is that it doesn't work for path-specific rules

[miversen33]

This is correct. Subdomains work just fine. I was attempting to use a path instead. Possibly a lack of documentation or lack of knowledge in this area on my part. In any case, using a subdomain does work but isn't really what I wanted.

The issue experienced here is also not related to a program not knowing how to navigate the path as root, but authentik instead just getting stuck itself while trying to navigate the authentication flow. I have since changed my SSL provider (back to lets encrypt since cloudflare does not support free wildcard ssl certs) and am using a subdomain. But that was not what I wanted when I first started digging into this.

[authentik-automation]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[alyx161]

stale bots are so damn annoying..

[authentik-automation]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[alyx161]

stale bots are so damn annoying..