Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OIDC Login Flow Issue with Semaphore & Authentik #2666

Open
TDX44 opened this issue Dec 28, 2024 · 10 comments
Open

OIDC Login Flow Issue with Semaphore & Authentik #2666

TDX44 opened this issue Dec 28, 2024 · 10 comments

Comments

@TDX44
Copy link

TDX44 commented Dec 28, 2024

OIDC Login Flow Issue with Semaphore & Authentik

Description
When attempting to log in to Semaphore using OIDC with Authentik as the identity provider, the user is successfully redirected to the authentication page, authenticated, and returned to the configured redirect_url. However, upon redirection to /api/auth/oidc/authentik/redirect/, Semaphore returns a 404 Not Found error, and the login process does not complete. Manually navigating to the Semaphore root URL (e.g., https://semaphore.example.com/) after authentication displays the logged-in dashboard.

###Environment Details
Semaphore Version:
v2.11.2-0e9490c-173521
Deployment Environment:
Docker-based deployment using docker-compose.
Traefik initially used as a reverse proxy but later removed to simplify testing.
OIDC Provider: Authentik
Authentik version: 2024.6
OIDC configuration:
Redirect URL: https://semaphore.example.com/api/auth/oidc/authentik/redirect/
Scopes: openid, profile, email
Claims: preferred_username for both username_claim and name_claim.

Steps to Reproduce
Navigate to the Semaphore login page.
Click "Login with Authentik."
Authenticate via Authentik successfully.
Observe redirection to https://semaphore.example.com/api/auth/oidc/authentik/redirect/.
The page displays a 404 Not Found error.
Manually remove /api/auth/oidc/authentik/redirect/ from the URL to access the Semaphore dashboard, where the user is already logged in.

Expected Behavior

After authenticating via Authentik, the user should be redirected to Semaphore's dashboard without encountering a 404 Not Found error.

Observed Behavior

The redirection to /api/auth/oidc/authentik/redirect/ results in a 404 Not Found error, requiring manual intervention to navigate to the Semaphore root URL.

Impact

Web-Frontend (what users interact with)

Installation method

Docker

Database

MySQL

Browser

Firefox, Chrome, Safari, Microsoft Edge

Semaphore Version

Semaphore Version:
v2.11.2-0e9490c-173521

Manual installation - system information

Traefik, but also replicated without reverse proxy.

Configuration

/

{
    "mysql": {
        "host": "mysql:3306",
        "user": "******************",
        "pass": "******************",
        "name": ""******************"
    },
    "dialect": "mysql",
    "tmp_path": "/tmp/semaphore",
    "cookie_hash": "******************",
    "cookie_encryption": "******************",
    "access_key_encryption": "******************",
    "oidc_providers": {
        "authentik": {
            "display_name": "Sign in with Authentik",
            "provider_url": "https://auth.example.com/application/o/semaphore/",
            "client_id": "******************",
            "client_secret": "******************",
            "redirect_url": "https://semaphore.example.com/api/auth/oidc/authentik/redirect",
            "scopes": ["openid", "profile", "email"],
            "username_claim": "preferred_username",
            "name_claim": "preferred_username"
        }
    }
}

Additional information

Docker Configuration:

services:
  mysql:
    container_name: mysql
    image: docker.io/library/mysql:8.4
    hostname: mysql
    restart: unless-stopped
    networks:
      - frontend
    volumes:
      - semaphore-mysql:/var/lib/mysql

    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
      MYSQL_DATABASE: ${SEMAPHORE_DB}
      MYSQL_USER: ${SEMAPHORE_USER}
      MYSQL_PASSWORD: ${MYSQL_PASS}  # Ensure this variable is set properly

  semaphore:
    container_name: semaphore
    image: docker.io/semaphoreui/semaphore:latest
    user: "${UID}:${GID}"
    restart: unless-stopped

    networks:
      - frontend

    ports:
      - "3000:3000"

    environment:
      LOG_LEVEL: "debug"
      SEMAPHORE_DB_USER: ${SEMAPHORE_USER}
      SEMAPHORE_DB_PASS: "${MYSQL_PASS}"  # Ensure this is set correctly
      SEMAPHORE_DB_HOST: "mysql"
      SEMAPHORE_DB_PORT: "3306"
      SEMAPHORE_DB_DIALECT: "mysql"
      SEMAPHORE_DB: "${SEMAPHORE_DB}"
      SEMAPHORE_PLAYBOOK_PATH: "/tmp/semaphore/"
      SEMAPHORE_ADMIN_PASSWORD: "${SEMAPHORE_ADMIN_PASSWORD}"
      SEMAPHORE_ADMIN_NAME: "${SEMAPHORE_ADMIN_NAME}"
      SEMAPHORE_ADMIN_EMAIL: "${SEMAPHORE_ADMIN_EMAIL}"
      SEMAPHORE_ADMIN: "${SEMAPHORE_ADMIN}"
      SEMAPHORE_ACCESS_KEY_ENCRYPTION: "${SEMAPHORE_ACCESS_KEY_ENCRYPTION}"
      ANSIBLE_HOST_KEY_CHECKING: "false"

    volumes:
      - ./inventory/:/inventory:ro
      - ./authorized-keys/:/authorized-keys:ro
      - ./config/:/etc/semaphore:rw

    depends_on:
      - mysql

volumes:
  semaphore-mysql:
    driver: local

networks:
  frontend:
    external: true
@flyingfishflash
Copy link

flyingfishflash commented Dec 29, 2024

I have the same issue with zitadel oidc #2659

@TDX44
Copy link
Author

TDX44 commented Dec 29, 2024

Weird, when I ran the problem by ChatGPT, it said that semaphore was unable to handle the response request. It sounds like this is a bug that needs to be fixed within semaphore and not necessarily a configuration issue.

Have you tried putting a redirect on the response URL in traffic or NPM to a "example.com/"

Not sure if that would work because the response would have to come through that URL not be redirected as well.

@fiftin fiftin self-assigned this Dec 30, 2024
@fiftin fiftin added this to the 2.11 milestone Dec 30, 2024
@ed-bogd
Copy link

ed-bogd commented Jan 6, 2025

Same issue with authentik for me. Authentication is completed, but redirection to the main page with dashboard doesn't happen.

@MatthewHana
Copy link

Hello @TDX44, @flyingfishflash @ed-bogd , could you please see if the workaround in issue #2681 solves your issue.

@ed-bogd
Copy link

ed-bogd commented Jan 7, 2025

Hello @TDX44, @flyingfishflash @ed-bogd , could you please see if the workaround in issue #2681 solves your issue.

Worked for me, I haven't had this "web_host" key initially. Just added with a value of "/" as you mentioned and now it works. Thanks a lot @MatthewHana !

@bakito
Copy link
Contributor

bakito commented Jan 7, 2025

The workaround also works on my instance.

@TDX44
Copy link
Author

TDX44 commented Jan 7, 2025

Hello @TDX44, @flyingfishflash @ed-bogd , could you please see if the workaround in issue #2681 solves your issue.

Problem solved. Thank you!

@cyberjohn60
Copy link

Hello @TDX44, @flyingfishflash @ed-bogd , could you please see if the workaround in issue #2681 solves your issue.

Problem solved. Thank you!

I am having the same problem. Where did you make the entry to fix this issue?

@TDX44
Copy link
Author

TDX44 commented Jan 21, 2025

I am having the same problem. Where did you make the entry to fix this issue?

Add this line to your config.json

"web_host": "/",

It should resolve your issue.

@cyberjohn60
Copy link

I am having the same problem. Where did you make the entry to fix this issue?

Add this line to your config.json

"web_host": "/",

It should resolve your issue.

Thanks. I now got to the login page.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

7 participants