Comments (2)
I have been struggling with getting Guac to work with OIDC in Authentik as well. I may have slightly different issues than you but one thing I learned may be of use to you. It appears that when you access Authentik via IP address, it will always serve up the default self-signed certificate (which may or may not be the same as the default self-signed cert that you can see in the GUI for use with providers). If you want Authentik to serve up the certificate that you created you will have to access it via hostname. If you don't have one configured you can always use the container name and an entry in your hosts file.
One other important note is that I believe the certificate configured in the provider is going to be used to sign the JWTs and NOT necessarily for the HTTPS connection. The way I was able to ensure that my own cert was used for HTTPS when accessing Authentik via hostname was to set the certificate to be used by the default brand and restart the Authentik container (System > Brands > Edit the authentik-default brand > Other Global Settings > Web Certificate).
Don't forget to also make sure the certificates you are using have been added to the Guacamole truststore.
Doing all this has not fully solved my issue but it does get you to a point where curl via hostname will serve the correct certificate. Currently my issue is that even adding these certificates to the Guacamole truststore results in failure during JWT validation all due to various javax.net.ssl.SSLHandshakeExceptions listed below.
Using only my self-signed certs results in an apparent inability of Guac to find the correct certificate even when the configured URLs are using hostname. (sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
Additionally adding the default certificate that gets served with accessing Authentik via IP results in a verification error due to Guac being unable to find a certificate with a valid SAN matching the Authentik hostname. (javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching authentik-server-1 found.) This new error appearing as a result of adding this certificate suggests to me that the default certificate is still being used for some reason when it should not be.
Lastly, I updated my self-signed certificate to have an SAN set for the Authentik hostname and receive a certificate verification failure suggesting that the certificate being used for HTTPS signing is still the default certificate rather than the one I have set with an SAN value.
The main problem with this is that the default certificate being used is generated fresh at every container startup so there is no way to change it. At this point the only thing I have left to try is to set up a reverse proxy which I had been avoiding as it wasn't really necessary for my use case. I'm hoping that now that I understand more about which certs are served up and when, putting a proxy between the two services will result in the correct certs being used/expected on both sides.
If you have any breakthroughs please post them here. This is driving me insane.
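The two handshake errors quoted in the comment above are the two separate checks a Java truststore performs: chain building ("unable to find valid certification path") and hostname matching against the SAN ("No subject alternative DNS name matching ... found"). The following POSIX shell script is an added example, not code from this thread, from authentik or from Guacamole; it reproduces both checks offline with nothing but openssl (1.1.1 or newer assumed on PATH) so you can tell which one you are failing before touching containers. The hostname authentik-server-1 is the container name mentioned in the comment; both certificates are constructed throwaway ones. The served_cert and import_into_truststore helpers show how the same checks are applied to a live server and to a Java truststore; their connect target, keytool path and store password are assumptions and they are not executed by the script.

```shell
#!/bin/sh
# Added example, not code from the thread or from authentik/Guacamole.
# Assumes openssl >= 1.1.1 on PATH. Constructed throwaway certs live in $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="authentik-server-1"   # container hostname quoted in the comment above

# Constructed stand-in for the auto-generated default cert: a CN and no SAN.
make_cert_without_san() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=authentik-default" \
    -keyout "$WORK/nosan.key" -out "$WORK/nosan.pem" >/dev/null 2>&1
}

# Constructed operator cert carrying a DNS SAN for the hostname Guacamole dials.
make_cert_with_san() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/san.key" -out "$WORK/san.pem" >/dev/null 2>&1
}

# Print the SAN extension of a PEM cert (empty output when it has none).
show_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null || true
}

# Chain check only: succeeds iff leaf $2 chains to a cert in truststore $1.
# Failing here is the JVM's "unable to find valid certification path".
cert_is_trusted() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Chain check plus hostname check: leaf $2 must chain to $1 AND carry a DNS SAN
# (or, lacking any SAN, a CN) matching $3. Failing here with a trusted cert is
# the JVM's "No subject alternative DNS name matching ... found".
cert_matches_host() {
  openssl verify -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Fetch the cert a live server presents for a given SNI name, so the cert
# served by hostname can be diffed against the one served by IP. Not run here.
served_cert() {   # served_cert <host-or-ip:port> <sni-name>  > out.pem
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509
}

# Import a PEM cert into a Java truststore (the Guacamole side). keytool
# availability and the store password are assumptions. Not run here.
import_into_truststore() {   # import_into_truststore <cert.pem> <store.jks> <alias>
  keytool -importcert -noprompt -trustcacerts \
    -file "$1" -keystore "$2" -alias "$3" -storepass changeit
}

main() {
  make_cert_without_san
  make_cert_with_san
  echo "SAN of constructed default-style cert:"; show_san "$WORK/nosan.pem"
  echo "SAN of constructed operator cert:";      show_san "$WORK/san.pem"

  # Trusting the default cert does nothing for a connection that presents
  # the operator cert: chain building still fails.
  if cert_is_trusted "$WORK/nosan.pem" "$WORK/san.pem"; then
    echo "unexpected: operator cert verified against a store holding only the default cert"
  else
    echo "expected: store holding only the default cert cannot verify the operator cert"
  fi

  # A trusted cert without a matching SAN passes the chain check but fails
  # the hostname check, which is the second error quoted in the thread.
  if cert_matches_host "$WORK/nosan.pem" "$WORK/nosan.pem" "$HOST"; then
    echo "unexpected: default-style cert matches $HOST"
  else
    echo "expected: default-style cert is trusted but has no SAN for $HOST"
  fi

  # Trusted cert with the right DNS SAN passes both checks.
  if cert_matches_host "$WORK/san.pem" "$WORK/san.pem" "$HOST"; then
    echo "expected: operator cert is trusted and its SAN matches $HOST"
  fi
}

main
```

Running this shows the diagnostic order that matters for the situation in the comment: if cert_is_trusted fails against the cert you imported, the server is not presenting that cert at all (use served_cert by hostname and by IP to see which one it is); if it passes but cert_matches_host fails, the cert you are presenting simply lacks a DNS SAN for the name Guacamole connects to.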
I don't have much to add but thanks for the comment Huckleberry. I've tried various reverse proxy setups myself, since I already have one deployed for Guacamole and TLS termination. The problem with throwing both Authentik and Guac behind the TLS reverse proxy is that at some point, the browser needs to redirect in the flow and relying on internal IPs doesn't work. I'm sure there's an aspect of my configuration that was incorrect at that point, but I never got Authentik to work behind a reverse proxy either.
The only time I had Authentik+Guac working was on a completely "internal" setup with all HTTP connections and no TLS anywhere, which is totally unsuited for internet access.