Description
Describe the bug
I set up authentik yesterday for all my services and everything was working fine. Today, I can't access Home Assistant anymore (configured as per authentik documentation), with the error:
403 Permission Denied
CSRF Failed
This happens on all logged in devices (PC and Smartphone). When I open a new browser in incognito mode, however, the login flow works as expected, so it seems it has something to do with caches and/or cookies. I tried clearing the cache and the cookies for the home assistant and authentik domains, but couldn't get it working.
To Reproduce
Expected behavior
Screenshots
Logs
Authentik server:
{"event": "Using state as nonce for OpenID Request", "level": "warning", "logger": "authentik.providers.oauth2.views.authorize", "pid": 18, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "timestamp": "2021-05-15T10:47:20.277364"}
{"cache_key": "policy_104bf888a3ea413b95996ad84e67049d__304ektaac8tc95w9sic047rdau90ad09#3", "event": "P_ENG: Taking result from cache", "level": "debug", "logger": "authentik.policies.engine", "pid": 18, "policy": null, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "timestamp": "2021-05-15T10:47:20.283038"}
{"app": "<Application: Home Assistant>", "event": "PolicyAccessView user_has_access", "level": "debug", "logger": "authentik.policies.views", "pid": 18, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "result": "<PolicyResult passing=True>", "timestamp": "2021-05-15T10:47:20.283737", "user": "<SimpleLazyObject: <User: andreas>>"}
{"event": "f(plan): starting planning process", "flow": "<Flow: Flow Authorize Application (default-provider-authorization-implicit-consent)>", "level": "debug", "logger": "authentik.flows.planner", "pid": 18, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "timestamp": "2021-05-15T10:47:20.289975"}
{"event": "f(plan): taking plan from cache", "flow": "<Flow: Flow Authorize Application (default-provider-authorization-implicit-consent)>", "key": "flow_922af8b1-de8a-49c9-858d-67892bc2dd34#3", "level": "debug", "logger": "authentik.flows.planner", "pid": 18, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "timestamp": "2021-05-15T10:47:20.293293"}
{"event": "/application/o/authorize/?approval_prompt=force&client_id=FxSygFEB5dj3qmo4S4QNvcsg9c0X3vp9L8yrjqCF&redirect_uri=https%3A%2F%2Fhome-assistant.mydomain.com%2Fakprox%2Fcallback&response_type=code&scope=openid+email+profile+ak_proxy&state=d96f733e9a12e247fee4ab077d1edd02%3A%2F", "host": "10.10.10.1", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 18, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "runtime": 0, "scheme": "https", "size": 0.092, "status": 302, "timestamp": "2021-05-15T10:47:20.350932"}
{"event":"/if/flow/default-provider-authorization-implicit-consent/?approval_prompt=force\u0026client_id=FxSygFEB5dj3qmo4S4QNvcsg9c0X3vp9L8yrjqCF\u0026redirect_uri=https%3A%2F%2Fhome-assistant.mydomain.com%2Fakprox%2Fcallback\u0026response_type=code\u0026scope=openid+email+profile+ak_proxy\u0026state=d96f733e9a12e247fee4ab077d1edd02%3A%2F","level":"info","method":"GET","remote":"10.10.10.1","timestamp":"2021-05-15T10:47:20Z","took":142428}
{"event": "/api/v2beta/root/config/", "host": "10.10.10.1", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 18, "request_id": "dc1a33477d694f919cc588831e4268be", "runtime": 345, "scheme": "https", "size": 0.015, "status": 200, "timestamp": "2021-05-15T10:47:20.617631"}
{"event": "f(exec): Continuing existing plan", "flow_slug": "default-provider-authorization-implicit-consent", "level": "debug", "logger": "authentik.flows.views", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "timestamp": "2021-05-15T10:47:20.620321"}
{"current_stage": "<Stage: In-memory Stage <class 'authentik.providers.oauth2.views.authorize.OAuthFulfillmentStage'>>", "event": "f(exec): Current stage", "flow_slug": "default-provider-authorization-implicit-consent", "level": "debug", "logger": "authentik.flows.views", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "timestamp": "2021-05-15T10:47:20.620879"}
{"event": "f(exec): Passing GET", "flow_slug": "default-provider-authorization-implicit-consent", "level": "debug", "logger": "authentik.flows.views", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "stage": "<Stage: In-memory Stage <class 'authentik.providers.oauth2.views.authorize.OAuthFulfillmentStage'>>", "timestamp": "2021-05-15T10:47:20.621433", "view_class": "authentik.providers.oauth2.views.authorize.OAuthFulfillmentStage"}
{"action": "authorize_application", "client_ip": "10.10.10.1", "context": {"authorized_application": {"app": "authentik_core", "model_name": "application", "name": "Home Assistant", "pk": "b176cd8ac7424583b067e2ee7074e4b5"}, "flow": "922af8b1de8a49c9858d67892bc2dd34", "scopes": "openid, email, profile, ak_proxy"}, "event": "Created Event", "level": "debug", "logger": "authentik.events", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "timestamp": "2021-05-15T10:47:20.627557", "user": {"email": "[email protected]", "pk": 3, "username": "andreas"}}
{"event": "Task published", "level": "debug", "logger": "authentik.root.celery", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "task_id": "b371e6b0-7e0e-4652-bd99-99b50a8ee892", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2021-05-15T10:47:20.639706"}
{"action": "model_created", "client_ip": "10.10.10.1", "context": {"model": {"app": "authentik_providers_oauth2", "model_name": "authorizationcode", "name": "Authorization code for OAuth2 Provider Home Assistant Proxy for user andreas", "pk": 91}}, "event": "Created Event", "level": "debug", "logger": "authentik.events", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "timestamp": "2021-05-15T10:47:20.656663", "user": {"email": "[email protected]", "pk": 3, "username": "andreas"}}
{"event": "Task published", "level": "debug", "logger": "authentik.root.celery", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "task_id": "ce6e23d7-f468-4686-9ecf-4fb94158fda0", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2021-05-15T10:47:20.667616"}
{"current": "/api/v2beta/flows/executor/default-provider-authorization-implicit-consent/", "event": "converting to redirect challenge", "level": "debug", "logger": "authentik.flows.views", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "timestamp": "2021-05-15T10:47:20.669179", "to": "https://home-assistant.mydomain.com/akprox/callback?code=fb78a15a6ae64d7ba7489dbcc99ba5c6&state=d96f733e9a12e247fee4ab077d1edd02%3A%2F"}
{"event": "/api/v2beta/flows/executor/default-provider-authorization-implicit-consent/?query=approval_prompt%3Dforce%26client_id%3DFxSygFEB5dj3qmo4S4QNvcsg9c0X3vp9L8yrjqCF%26redirect_uri%3Dhttps%253A%252F%252Fhome-assistant.mydomain.com%252Fakprox%252Fcallback%26response_type%3Dcode%26scope%3Dopenid%2Bemail%2Bprofile%2Bak_proxy%26state%3Dd96f733e9a12e247fee4ab077d1edd02%253A%252F", "host": "10.10.10.1", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "runtime": 161, "scheme": "https", "size": 0.07, "status": 200, "timestamp": "2021-05-15T10:47:20.672822"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: Proxy outpost (ak_proxy)>", "timestamp": "2021-05-15T10:47:20.813278"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'email' (email)>", "timestamp": "2021-05-15T10:47:20.814003"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'openid' (openid)>", "timestamp": "2021-05-15T10:47:20.814589"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'profile' (profile)>", "timestamp": "2021-05-15T10:47:20.817402"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: Proxy outpost (ak_proxy)>", "timestamp": "2021-05-15T10:47:20.856328"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'email' (email)>", "timestamp": "2021-05-15T10:47:20.857070"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'openid' (openid)>", "timestamp": "2021-05-15T10:47:20.857860"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'profile' (profile)>", "timestamp": "2021-05-15T10:47:20.860820"}
{"event": "/application/o/token/", "host": "10.10.10.1", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "runtime": 2863, "scheme": "https", "size": 0.129, "status": 200, "timestamp": "2021-05-15T10:47:20.895385"}
Authentik Proxy:
[2021/05/15 10:46:48] [logger.go:508] Error loading cookied session: cookie "authentik_proxy" not present, removing session
Version and Deployment (please complete the following information):
- authentik version: 2021.5.1
- Deployment: docker-compose
Additional context
Authentik and Home Assistant run on separate subdomains (authentik.mydomain.com and home-assistant.mydomain.com). Both domains are behind an nginx reverse proxy.
The authentik session lifetime is very long (years). Logging out of authentik and back in does not solve the problem.
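An added triage example, not part of the original report and not authentik code: it reads server log lines in the JSON format shown above and reports whether the identity-provider side of the authorization-code flow completed and returned the `state` value unchanged, which helps decide whether to keep looking at the IdP or at the proxy's cookies. The sample lines, the hostname and the `triage` function are constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the JSON log format from the report (placeholder values).
SAMPLE_LOG = """\
{"event": "/application/o/authorize/?client_id=CONSTRUCTED&response_type=code&state=aaaa1111%3A%2F", "logger": "authentik.asgi", "method": "GET", "request_id": "r1", "status": 302}
{"event": "converting to redirect challenge", "logger": "authentik.flows.views", "request_id": "r2", "to": "https://app.example.test/akprox/callback?code=CONSTRUCTED&state=aaaa1111%3A%2F"}
not-json line from another process
{"event": "/application/o/token/", "logger": "authentik.asgi", "method": "POST", "request_id": "r3", "status": 200}
"""

def _state(url):
    """Return the decoded OAuth2 state parameter of a URL or path, or None."""
    values = parse_qs(urlsplit(url).query).get("state")
    return values[0] if values else None

def triage(log_text):
    """Summarise the IdP side of one authorization-code flow."""
    r = {"authorize_status": None, "sent_state": None,
         "returned_state": None, "token_status": None}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip plain-text lines such as the proxy's own log
        if not isinstance(rec, dict):
            continue
        event = str(rec.get("event", ""))
        if rec.get("logger") == "authentik.asgi":  # access-log records
            path = urlsplit(event).path
            if path == "/application/o/authorize/":
                r["authorize_status"] = rec.get("status")
                r["sent_state"] = _state(event)
            elif path == "/application/o/token/" and rec.get("method") == "POST":
                r["token_status"] = rec.get("status")
        elif event == "converting to redirect challenge":
            r["returned_state"] = _state(str(rec.get("to", "")))
    r["state_round_trip_ok"] = r["sent_state"] is not None and r["sent_state"] == r["returned_state"]
    r["idp_flow_completed"] = (r["authorize_status"] == 302 and r["state_round_trip_ok"]
                               and r["token_status"] == 200)
    return r

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
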