Problems with authentik

Hi Team!

I am having some issues with the OAuthv2/Authentik combo.

I set up my seahub_settings.py file this way:

ENABLE_OAUTH = True
OAUTH_CREATE_UNKNOWN_USER = True
OAUTH_ACTIVATE_USER_AFTER_CREATION = True
OAUTH_ENABLE_INSECURE_TRANSPORT = True
OAUTH_CLIENT_ID = "xxxxx"
OAUTH_CLIENT_SECRET = "xxxx"
OAUTH_REDIRECT_URL = "https://drive.example.com/oauth/callback/"
OAUTH_PROVIDER_DOMAIN = "id.example.com"
OAUTH_AUTHORIZATION_URL = "https://id.example.com/application/o/authorize/"
OAUTH_TOKEN_URL = "https://id.example.com/application/o/token/"
OAUTH_USER_INFO_URL = "https://id.example.com/application/o/userinfo/"
OAUTH_SCOPE = ["openid", "profile", "email"]
OAUTH_ATTRIBUTE_MAP = {
    "id": (False, "not used"),
    "name": (False, "name"),
    "email": (True, "email"),
}

And this is my Authentik configuration:

Provider:

Authorization flow: default-provider-authorization-implicit-consent (Authorize Application)
Redirect URIs/Origins: Strict, https://drive.example.com/oauth/callback/

Application:

Name: seafile
Slug: seafile
Launch URL: https://drive.example.com

Everything else is at its defaults, but whenever I try to log in with SSO I get this error:

Error, please contact administrator.

And this is the event on Authentik:

{
    "asn": {
        "asn": 3352,
        "as_org": "XXXX",
        "network": "XXXXXX"
    },
    "geo": {
        "lat": XXXX,
        "city": "XXXX",
        "long": XXXX,
        "country": "XX",
        "continent": "XX"
    },
    "flow": "5cac64d74fec466aba981570812fb3c3",
    "scopes": "profile openid email",
    "http_request": {
        "args": {
            "scope": "openid profile email",
            "state": "UTjEtWu2N2fhfkh3SOmiwsXgHpVY68",
            "client_id": "XXXXX",
            "redirect_uri": "https://drive.example.com/oauth/callback/",
            "response_type": "code"
        },
        "path": "/application/o/authorize/",
        "method": "GET",
        "request_id": "716ce7a9a1de48dfb3ab0d532398bf8f",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0"
    },
    "authorized_application": {
        "pk": "f09bcd253d69429fb63143c6674cd58a",
        "app": "authentik_core",
        "name": "seafile",
        "model_name": "application"
    }
}

I have NO clue of what is happening.

Thanks!

EDIT: FOUND IT! It was, of course, the stupidest of things.

FILE_SERVER_ROOT and SERVICE_URL were set to:

http://drive.example.com…

When they should be (as I am serving it with npm):

https://drive.example.com…

Modified it on the admin interface and solved.

Hello!

I just got Authentik working with Seafile earlier this week, along with Authelia as well.

I need to leave at the moment but I’ll be back in a few hours, and I can do a deeper dive then on my configuration. I did notice the following:

OAUTH_ENABLE_INSECURE_TRANSPORT = True

But you’re using HTTPS right? I also got it working with explicit (not implicit) consent. Go ahead and double check those settings and respond back, and if you’re still having trouble, I can later delve into my home lab setup, as I also recently was examining that region of Seafile’s OAuth code that gives the error you are describing.

Hey!

Tried with explicit consent and OAUTH_ENABLE_INSECURE_TRANSPORT commented out, still the same issue.

Thanks anyway! Would you mind sending me your full configuration details (with relevant data edited for privacy of course)? Just to compare.

Hello! Sure thing:


# settings for Authentik OAuth in seahub_settings.py

ENABLE_OAUTH = True
OAUTH_CREATE_UNKNOWN_USER = True
OAUTH_ACTIVATE_USER_AFTER_CREATION = True

OAUTH_CLIENT_ID = "<CLIENT_ID>"
OAUTH_CLIENT_SECRET = "<CLIENT_SECRET>"

OAUTH_REDIRECT_URL = 'https://<SEAFILE_FQDN>/oauth/callback/'

OAUTH_PROVIDER_DOMAIN = '<AUTHENTIK_FQDN>'
OAUTH_AUTHORIZATION_URL = 'https://<AUTHENTIK_FQDN>/application/o/authorize/'
OAUTH_TOKEN_URL = 'https://<AUTHENTIK_FQDN>/application/o/token/'
OAUTH_USER_INFO_URL = 'https://<AUTHENTIK_FQDN>/application/o/userinfo/'
OAUTH_SCOPE = ["openid", "profile", "email"]
OAUTH_ATTRIBUTE_MAP = {
    "email": (True, "email"),
    "name": (False, "name"),
    "id": (False, "not used"),
}

In Authentik interface:

  • For the application, I have the Policy Engine mode set to “any”.

  • For the provider, I’m using the explicit-consent authorization flow, Confidential client type, a Strict redirect origin (https://<SEAFILE_FQDN>/oauth/callback/), along with the client ID & Secret, and the selected Authentik default scope mappings are OpenID [email|openid|profile]. And just those three have been added.

The last thing I would note is that Seafile’s OAUTH_REDIRECT_URL & Authentik’s Strict redirect origin need to be exactly the same. And I just confirmed that this still works for me. Let me know if you’re able to make any headway!

EDIT 1: Fixed misspelling.

Hi!

Still not working, triple checked everything.

One important piece of information I omitted is that I am running both Authentik and Seafile under a reverse proxy (nginx proxy manager).

However, there are other services working perfectly fine with this schema.

Seafile, Authentik and npm are all three running on the same docker network.

This is the configuration of npm (nothing in the advanced tab):

The other screenshot, since as a new user I cannot attach more than one image at once:


FOUND IT! It was, of course, the stupidest of things :sweat_smile: :sweat_smile:

FILE_SERVER_ROOT and SERVICE_URL were set to:

http://drive.example.com…

When they should be (as I am serving it with npm):

https://drive.example.com…

Modified it on the admin interface and solved.

1 Like
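A consistency check written for this thread (it is not Seafile's or Authentik's code) that covers the two pitfalls the replies above turned up: Seafile's OAUTH_REDIRECT_URL must match the provider's strict redirect URI exactly, and SERVICE_URL / FILE_SERVER_ROOT must use the scheme and host the reverse proxy actually serves. The settings dicts and the Authentik redirect list below are constructed samples, not values from the thread.

```python
from urllib.parse import urlparse

# Constructed sample: the provider's strict redirect URI list.
AUTHENTIK_REDIRECT_URIS = ["https://drive.example.com/oauth/callback/"]

def check_oauth_settings(settings: dict, authentik_redirect_uris: list) -> list:
    """Return the inconsistencies found; an empty list means the settings agree."""
    problems = []
    redirect = settings.get("OAUTH_REDIRECT_URL", "")
    r = urlparse(redirect)
    # Strict matching in Authentik is byte-for-byte, trailing slash included.
    if redirect not in authentik_redirect_uris:
        problems.append(f"OAUTH_REDIRECT_URL {redirect!r} is not in the provider's strict redirect URIs")
    # The public scheme/host Seafile advertises must be the one the proxy serves (the thread's fix).
    for key in ("SERVICE_URL", "FILE_SERVER_ROOT"):
        u = urlparse(settings.get(key, ""))
        if (u.scheme, u.netloc) != (r.scheme, r.netloc):
            problems.append(f"{key} {settings.get(key)!r} differs from OAUTH_REDIRECT_URL in scheme or host")
    # Allowing insecure transport on an https deployment is a misconfiguration, not a fix.
    if settings.get("OAUTH_ENABLE_INSECURE_TRANSPORT") and r.scheme == "https":
        problems.append("OAUTH_ENABLE_INSECURE_TRANSPORT is True although the redirect URL is https")
    # Every provider endpoint must be https and live on OAUTH_PROVIDER_DOMAIN.
    domain = settings.get("OAUTH_PROVIDER_DOMAIN", "")
    for key in ("OAUTH_AUTHORIZATION_URL", "OAUTH_TOKEN_URL", "OAUTH_USER_INFO_URL"):
        u = urlparse(settings.get(key, ""))
        if u.scheme != "https" or u.netloc != domain:
            problems.append(f"{key} {settings.get(key)!r} is not an https URL on {domain!r}")
    return problems

# Constructed sample: the state described in the thread before the fix.
BROKEN_SETTINGS = {
    "OAUTH_ENABLE_INSECURE_TRANSPORT": True,
    "OAUTH_REDIRECT_URL": "https://drive.example.com/oauth/callback/",
    "OAUTH_PROVIDER_DOMAIN": "id.example.com",
    "OAUTH_AUTHORIZATION_URL": "https://id.example.com/application/o/authorize/",
    "OAUTH_TOKEN_URL": "https://id.example.com/application/o/token/",
    "OAUTH_USER_INFO_URL": "https://id.example.com/application/o/userinfo/",
    "SERVICE_URL": "http://drive.example.com",               # plain http behind an https proxy
    "FILE_SERVER_ROOT": "http://drive.example.com/seafhttp",  # constructed path
}
# Constructed sample: the same settings after the fix.
FIXED_SETTINGS = {
    **BROKEN_SETTINGS,
    "OAUTH_ENABLE_INSECURE_TRANSPORT": False,
    "SERVICE_URL": "https://drive.example.com",
    "FILE_SERVER_ROOT": "https://drive.example.com/seafhttp",
}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_SETTINGS), ("fixed", FIXED_SETTINGS)):
        print(name, check_oauth_settings(cfg, AUTHENTIK_REDIRECT_URIS) or "OK")
```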

Ah excellent!!! So happy you found the solution!!! If anything, setting up both Authelia & Authentik myself has reinforced for me that OAuth setup in general can be quite complex, and small anomalies, deviations & differences can break it.

So well done!!!

1 Like