OIDC Login Flow Issue with Semaphore & Authentik

[TDX44]

OIDC Login Flow Issue with Semaphore & Authentik

Description
When attempting to log in to Semaphore using OIDC with Authentik as the identity provider, the user is successfully redirected to the authentication page, authenticated, and returned to the configured redirect_url. However, upon redirection to /api/auth/oidc/authentik/redirect/, Semaphore returns a 404 Not Found error, and the login process does not complete. Manually navigating to the Semaphore root URL (e.g., https://semaphore.example.com/) after authentication displays the logged-in dashboard.

###Environment Details
Semaphore Version:
v2.11.2-0e9490c-173521
Deployment Environment:
Docker-based deployment using docker-compose.
Traefik initially used as a reverse proxy but later removed to simplify testing.
OIDC Provider: Authentik
Authentik version: 2024.6
OIDC configuration:
Redirect URL: https://semaphore.example.com/api/auth/oidc/authentik/redirect/
Scopes: openid, profile, email
Claims: preferred_username for both username_claim and name_claim.

Steps to Reproduce
Navigate to the Semaphore login page.
Click "Login with Authentik."
Authenticate via Authentik successfully.
Observe redirection to https://semaphore.example.com/api/auth/oidc/authentik/redirect/.
The page displays a 404 Not Found error.
Manually remove /api/auth/oidc/authentik/redirect/ from the URL to access the Semaphore dashboard, where the user is already logged in.

Expected Behavior

After authenticating via Authentik, the user should be redirected to Semaphore's dashboard without encountering a 404 Not Found error.

Observed Behavior

The redirection to /api/auth/oidc/authentik/redirect/ results in a 404 Not Found error, requiring manual intervention to navigate to the Semaphore root URL.

Impact

Web-Frontend (what users interact with)

Installation method

Docker

Database

MySQL

Browser

Firefox, Chrome, Safari, Microsoft Edge

Semaphore Version

Semaphore Version:
v2.11.2-0e9490c-173521

Manual installation - system information

Traefik, but also replicated without reverse proxy.

Configuration

/

{
    "mysql": {
        "host": "mysql:3306",
        "user": "******************",
        "pass": "******************",
        "name": ""******************"
    },
    "dialect": "mysql",
    "tmp_path": "/tmp/semaphore",
    "cookie_hash": "******************",
    "cookie_encryption": "******************",
    "access_key_encryption": "******************",
    "oidc_providers": {
        "authentik": {
            "display_name": "Sign in with Authentik",
            "provider_url": "https://auth.example.com/application/o/semaphore/",
            "client_id": "******************",
            "client_secret": "******************",
            "redirect_url": "https://semaphore.example.com/api/auth/oidc/authentik/redirect",
            "scopes": ["openid", "profile", "email"],
            "username_claim": "preferred_username",
            "name_claim": "preferred_username"
        }
    }
}

Additional information

Docker Configuration:

services:
  mysql:
    container_name: mysql
    image: docker.io/library/mysql:8.4
    hostname: mysql
    restart: unless-stopped
    networks:
      - frontend
    volumes:
      - semaphore-mysql:/var/lib/mysql

    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
      MYSQL_DATABASE: ${SEMAPHORE_DB}
      MYSQL_USER: ${SEMAPHORE_USER}
      MYSQL_PASSWORD: ${MYSQL_PASS}  # Ensure this variable is set properly

  semaphore:
    container_name: semaphore
    image: docker.io/semaphoreui/semaphore:latest
    user: "${UID}:${GID}"
    restart: unless-stopped

    networks:
      - frontend

    ports:
      - "3000:3000"

    environment:
      LOG_LEVEL: "debug"
      SEMAPHORE_DB_USER: ${SEMAPHORE_USER}
      SEMAPHORE_DB_PASS: "${MYSQL_PASS}"  # Ensure this is set correctly
      SEMAPHORE_DB_HOST: "mysql"
      SEMAPHORE_DB_PORT: "3306"
      SEMAPHORE_DB_DIALECT: "mysql"
      SEMAPHORE_DB: "${SEMAPHORE_DB}"
      SEMAPHORE_PLAYBOOK_PATH: "/tmp/semaphore/"
      SEMAPHORE_ADMIN_PASSWORD: "${SEMAPHORE_ADMIN_PASSWORD}"
      SEMAPHORE_ADMIN_NAME: "${SEMAPHORE_ADMIN_NAME}"
      SEMAPHORE_ADMIN_EMAIL: "${SEMAPHORE_ADMIN_EMAIL}"
      SEMAPHORE_ADMIN: "${SEMAPHORE_ADMIN}"
      SEMAPHORE_ACCESS_KEY_ENCRYPTION: "${SEMAPHORE_ACCESS_KEY_ENCRYPTION}"
      ANSIBLE_HOST_KEY_CHECKING: "false"

    volumes:
      - ./inventory/:/inventory:ro
      - ./authorized-keys/:/authorized-keys:ro
      - ./config/:/etc/semaphore:rw

    depends_on:
      - mysql

volumes:
  semaphore-mysql:
    driver: local

networks:
  frontend:
    external: true

[flyingfishflash]

I have the same issue with zitadel oidc #2659

[TDX44]

Weird, when I ran the problem by ChatGPT, it said that semaphore was unable to handle the response request. It sounds like this is a bug that needs to be fixed within semaphore and not necessarily a configuration issue.

Have you tried putting a redirect on the response URL in traffic or NPM to a "example.com/"

Not sure if that would work because the response would have to come through that URL not be redirected as well.

[ed-bogd]

Same issue with authentik for me. Authentication is completed, but redirection to the main page with dashboard doesn't happen.

[MatthewHana]

Hello @TDX44, @flyingfishflash @ed-bogd , could you please see if the workaround in issue #2681 solves your issue.

[ed-bogd]

Hello @TDX44, @flyingfishflash @ed-bogd , could you please see if the workaround in issue #2681 solves your issue.

Worked for me, I haven't had this "web_host" key initially. Just added with a value of "/" as you mentioned and now it works. Thanks a lot @MatthewHana !

[bakito]

The workaround also works on my instance.

[TDX44]

Hello @TDX44, @flyingfishflash @ed-bogd , could you please see if the workaround in issue #2681 solves your issue.

Problem solved. Thank you!