outpost/proxyv2: revalidate auth if session fails to load

[chetan]

Bug

The forward auth handler in the outpost does not properly handle a session load failure. When the session fails to load, it simply bails out, returning a 200 to the reverse proxy which then allows the request to proceed. Depending on the configuration of the upstream service, this can result in a 401, basic auth prompt, or simply allowing access. With one of my applications, the app set it's own cookies which still granted access despite the invalid authentik session.

Similar issue is mentioned in #2023 (comment)

Setup:

• https://auth.example.com
• https://app.example.com (using fwd auth to outpost [I'm using traefik but should apply to others])

Flow:

1. Visit https://app.example.com -> redir to auth, sign in -> redir to app
2. Visit https://auth.example.com -> sign out
3. Session is properly invalidated at the outpost, e.g.:

{"event":"Logging out","level":"debug","logger":"authentik.outpost.proxyv2","provider":"app.example.com","timestamp":"2025-11-10T17:22:54Z"}
{"event":"deleting session","level":"trace","logger":"authentik.outpost.proxyv2.application","name":"provider-app","path":"/dev/shm/session_6JCRTWRRAVWIPWGLBIWZZPLTYUI27PYAVIEQKH5YSDQOMBNMMIWA","timestamp":"2025-11-10T17:22:54Z"}

4. Visit https://app.example.com - warning logged but fwd auth returns 200 - app returns 401

Step 2 can also be a restart of the outpost due to crash, reboot, or redeployment.

Fix

After session validation falls through, fix the session/state setup so we can redirect to the auth server and complete the flow. User will either be prompted to log in or, if they had already logged back in again, they will be sent back and the new session will be established properly.

[netlify]

✅ Deploy Preview for authentik-docs canceled.

Name	Link
🔨 Latest commit	cb47b17
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69161a286162040008b9b54c

[netlify]

✅ Deploy Preview for authentik-integrations canceled.

Name	Link
🔨 Latest commit	cb47b17
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/69161a281d2d7a000815d49c

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	cb47b17
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/69161a280819e2000862b2b5

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.23%. Comparing base (e90c249) to head (91e2829).
⚠️ Report is 96 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #18063      +/-   ##
==========================================
- Coverage   93.24%   93.23%   -0.01%     
==========================================
  Files         968      968              
  Lines       53331    53331              
==========================================
- Hits        49726    49722       -4     
- Misses       3605     3609       +4     

Flag	Coverage Δ
conformance	38.07% <ø> (+<0.01%)	⬆️
e2e	44.08% <ø> (+<0.01%)	⬆️
integration	22.87% <ø> (-0.06%)	⬇️
unit	91.41% <ø> (+<0.01%)	⬆️
unit-migrate	91.46% <ø> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[dominic-r]

LGTM. Thanks!

[dominic-r]

.

[dewi-tik]

Closes #19740

[chetan]

Rebased/resolved conflict

[authentik-automation]

🍒 Cherry-pick to version-2025.10 created: #20058

[authentik-automation]

🍒 Cherry-pick to version-2025.12 created: #20059

[dewi-tik]

Thanks for this @chetan !