CSRF failed #884

@eglia

Description

Describe the bug
I set up authentik yesterday for all my services and everything was working fine. Today, I can't access Home Assistant anymore (configured as per authentik documentation), with the error:

403 Permission Denied
CSRF Failed

This happens on all logged-in devices (PC and smartphone). When I open a new browser in incognito mode, however, the login flow works as expected, so it seems it has something to do with caches and/or cookies. I tried clearing the cache and the cookies for the Home Assistant and authentik domains, but couldn't get it working.

To Reproduce

Expected behavior

Screenshots

Logs
Authentik server:

{"event": "Using state as nonce for OpenID Request", "level": "warning", "logger": "authentik.providers.oauth2.views.authorize", "pid": 18, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "timestamp": "2021-05-15T10:47:20.277364"}
{"cache_key": "policy_104bf888a3ea413b95996ad84e67049d__304ektaac8tc95w9sic047rdau90ad09#3", "event": "P_ENG: Taking result from cache", "level": "debug", "logger": "authentik.policies.engine", "pid": 18, "policy": null, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "timestamp": "2021-05-15T10:47:20.283038"}
{"app": "<Application: Home Assistant>", "event": "PolicyAccessView user_has_access", "level": "debug", "logger": "authentik.policies.views", "pid": 18, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "result": "<PolicyResult passing=True>", "timestamp": "2021-05-15T10:47:20.283737", "user": "<SimpleLazyObject: <User: andreas>>"}
{"event": "f(plan): starting planning process", "flow": "<Flow: Flow Authorize Application (default-provider-authorization-implicit-consent)>", "level": "debug", "logger": "authentik.flows.planner", "pid": 18, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "timestamp": "2021-05-15T10:47:20.289975"}
{"event": "f(plan): taking plan from cache", "flow": "<Flow: Flow Authorize Application (default-provider-authorization-implicit-consent)>", "key": "flow_922af8b1-de8a-49c9-858d-67892bc2dd34#3", "level": "debug", "logger": "authentik.flows.planner", "pid": 18, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "timestamp": "2021-05-15T10:47:20.293293"}
{"event": "/application/o/authorize/?approval_prompt=force&client_id=FxSygFEB5dj3qmo4S4QNvcsg9c0X3vp9L8yrjqCF&redirect_uri=https%3A%2F%2Fhome-assistant.mydomain.com%2Fakprox%2Fcallback&response_type=code&scope=openid+email+profile+ak_proxy&state=d96f733e9a12e247fee4ab077d1edd02%3A%2F", "host": "10.10.10.1", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 18, "request_id": "d4a1a1ec0ef64a34a28971cfd0a12c59", "runtime": 0, "scheme": "https", "size": 0.092, "status": 302, "timestamp": "2021-05-15T10:47:20.350932"}
{"event":"/if/flow/default-provider-authorization-implicit-consent/?approval_prompt=force\u0026client_id=FxSygFEB5dj3qmo4S4QNvcsg9c0X3vp9L8yrjqCF\u0026redirect_uri=https%3A%2F%2Fhome-assistant.mydomain.com%2Fakprox%2Fcallback\u0026response_type=code\u0026scope=openid+email+profile+ak_proxy\u0026state=d96f733e9a12e247fee4ab077d1edd02%3A%2F","level":"info","method":"GET","remote":"10.10.10.1","timestamp":"2021-05-15T10:47:20Z","took":142428}
{"event": "/api/v2beta/root/config/", "host": "10.10.10.1", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 18, "request_id": "dc1a33477d694f919cc588831e4268be", "runtime": 345, "scheme": "https", "size": 0.015, "status": 200, "timestamp": "2021-05-15T10:47:20.617631"}
{"event": "f(exec): Continuing existing plan", "flow_slug": "default-provider-authorization-implicit-consent", "level": "debug", "logger": "authentik.flows.views", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "timestamp": "2021-05-15T10:47:20.620321"}
{"current_stage": "<Stage: In-memory Stage <class 'authentik.providers.oauth2.views.authorize.OAuthFulfillmentStage'>>", "event": "f(exec): Current stage", "flow_slug": "default-provider-authorization-implicit-consent", "level": "debug", "logger": "authentik.flows.views", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "timestamp": "2021-05-15T10:47:20.620879"}
{"event": "f(exec): Passing GET", "flow_slug": "default-provider-authorization-implicit-consent", "level": "debug", "logger": "authentik.flows.views", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "stage": "<Stage: In-memory Stage <class 'authentik.providers.oauth2.views.authorize.OAuthFulfillmentStage'>>", "timestamp": "2021-05-15T10:47:20.621433", "view_class": "authentik.providers.oauth2.views.authorize.OAuthFulfillmentStage"}
{"action": "authorize_application", "client_ip": "10.10.10.1", "context": {"authorized_application": {"app": "authentik_core", "model_name": "application", "name": "Home Assistant", "pk": "b176cd8ac7424583b067e2ee7074e4b5"}, "flow": "922af8b1de8a49c9858d67892bc2dd34", "scopes": "openid, email, profile, ak_proxy"}, "event": "Created Event", "level": "debug", "logger": "authentik.events", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "timestamp": "2021-05-15T10:47:20.627557", "user": {"email": "[email protected]", "pk": 3, "username": "andreas"}}
{"event": "Task published", "level": "debug", "logger": "authentik.root.celery", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "task_id": "b371e6b0-7e0e-4652-bd99-99b50a8ee892", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2021-05-15T10:47:20.639706"}
{"action": "model_created", "client_ip": "10.10.10.1", "context": {"model": {"app": "authentik_providers_oauth2", "model_name": "authorizationcode", "name": "Authorization code for OAuth2 Provider Home Assistant Proxy for user andreas", "pk": 91}}, "event": "Created Event", "level": "debug", "logger": "authentik.events", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "timestamp": "2021-05-15T10:47:20.656663", "user": {"email": "[email protected]", "pk": 3, "username": "andreas"}}
{"event": "Task published", "level": "debug", "logger": "authentik.root.celery", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "task_id": "ce6e23d7-f468-4686-9ecf-4fb94158fda0", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2021-05-15T10:47:20.667616"}
{"current": "/api/v2beta/flows/executor/default-provider-authorization-implicit-consent/", "event": "converting to redirect challenge", "level": "debug", "logger": "authentik.flows.views", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "timestamp": "2021-05-15T10:47:20.669179", "to": "https://home-assistant.mydomain.com/akprox/callback?code=fb78a15a6ae64d7ba7489dbcc99ba5c6&state=d96f733e9a12e247fee4ab077d1edd02%3A%2F"}
{"event": "/api/v2beta/flows/executor/default-provider-authorization-implicit-consent/?query=approval_prompt%3Dforce%26client_id%3DFxSygFEB5dj3qmo4S4QNvcsg9c0X3vp9L8yrjqCF%26redirect_uri%3Dhttps%253A%252F%252Fhome-assistant.mydomain.com%252Fakprox%252Fcallback%26response_type%3Dcode%26scope%3Dopenid%2Bemail%2Bprofile%2Bak_proxy%26state%3Dd96f733e9a12e247fee4ab077d1edd02%253A%252F", "host": "10.10.10.1", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 19, "request_id": "e7b6f742a4c74d35b1009420f550b096", "runtime": 161, "scheme": "https", "size": 0.07, "status": 200, "timestamp": "2021-05-15T10:47:20.672822"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: Proxy outpost (ak_proxy)>", "timestamp": "2021-05-15T10:47:20.813278"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'email' (email)>", "timestamp": "2021-05-15T10:47:20.814003"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'openid' (openid)>", "timestamp": "2021-05-15T10:47:20.814589"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'profile' (profile)>", "timestamp": "2021-05-15T10:47:20.817402"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: Proxy outpost (ak_proxy)>", "timestamp": "2021-05-15T10:47:20.856328"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'email' (email)>", "timestamp": "2021-05-15T10:47:20.857070"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'openid' (openid)>", "timestamp": "2021-05-15T10:47:20.857860"}
{"event": "updated scope", "level": "debug", "logger": "authentik.providers.oauth2.views.userinfo", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "scope": "<ScopeMapping: Scope Mapping authentik default OAuth Mapping: OpenID 'profile' (profile)>", "timestamp": "2021-05-15T10:47:20.860820"}
{"event": "/application/o/token/", "host": "10.10.10.1", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 19, "request_id": "5f6804f07ee94b9196911c61151fcb73", "runtime": 2863, "scheme": "https", "size": 0.129, "status": 200, "timestamp": "2021-05-15T10:47:20.895385"}

Authentik Proxy:

[2021/05/15 10:46:48] [logger.go:508] Error loading cookied session: cookie "authentik_proxy" not present, removing session

Version and Deployment (please complete the following information):

  • authentik version: 2021.5.1
  • Deployment: docker-compose

Additional context
Authentik and Home Assistant run on separate subdomains (authentik.mydomain.com and home-assistant.mydomain.com). Both domains are behind an nginx reverse proxy.
The authentik session lifetime is very long (years). Logging out of authentik and back in does not solve the problem.
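The logs above come in two shapes: structured JSON from the authentik server (one object per line, correlated by request_id) and a plain Go-style line from the proxy outpost. When triaging a report like this, the questions are whether the OAuth state sent to /authorize is the one that comes back in the redirect to the application, which requests the server actually saw and with what status, and when the proxy dropped its session because its cookie was missing. The following Python script is an added example, not authentik code and not from the reporter's setup; it assumes the two log formats shown above and uses constructed sample lines with placeholder client ids, states, codes and hosts.

```python
"""Triage helper for authentik server and proxy-outpost logs.

Added example (not part of authentik): parses the structured server log and
the proxy's "[date] [file:line] message" log, groups server events by
request_id, checks the OAuth `state` round-trip and flags missing-cookie
errors from the proxy.
"""
import json
import re
from collections import OrderedDict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines modelled on the formats in the issue.
# CLIENT_ID_PLACEHOLDER, STATE_PLACEHOLDER, CODE_PLACEHOLDER and
# app.example.test are placeholders, not real values.
SERVER_LOG = """\
{"event": "Using state as nonce for OpenID Request", "level": "warning", "logger": "authentik.providers.oauth2.views.authorize", "pid": 18, "request_id": "req-a", "timestamp": "2021-05-15T10:47:20.277364"}
{"event": "/application/o/authorize/?client_id=CLIENT_ID_PLACEHOLDER&redirect_uri=https%3A%2F%2Fapp.example.test%2Fakprox%2Fcallback&response_type=code&state=STATE_PLACEHOLDER%3A%2F", "host": "10.0.0.1", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 18, "request_id": "req-a", "status": 302, "timestamp": "2021-05-15T10:47:20.350932"}
{"current": "/api/v2beta/flows/executor/default-provider-authorization-implicit-consent/", "event": "converting to redirect challenge", "level": "debug", "logger": "authentik.flows.views", "pid": 19, "request_id": "req-b", "timestamp": "2021-05-15T10:47:20.669179", "to": "https://app.example.test/akprox/callback?code=CODE_PLACEHOLDER&state=STATE_PLACEHOLDER%3A%2F"}
{"event": "/application/o/token/", "host": "10.0.0.1", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 19, "request_id": "req-c", "status": 200, "timestamp": "2021-05-15T10:47:20.895385"}
"""

PROXY_LOG = """\
[2021/05/15 10:46:48] [logger.go:508] Error loading cookied session: cookie "authentik_proxy" not present, removing session
[2021/05/15 10:47:21] [logger.go:508] unrelated message
"""

PROXY_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<src>[^\]]+)\] (?P<msg>.*)$")
COOKIE_MISSING = re.compile(r'cookie "(?P<name>[^"]+)" not present')


def parse_server_log(text):
    """Return the JSON events in file order; non-JSON lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def by_request_id(events):
    """Group events by request_id, keeping first-seen order of the ids."""
    groups = OrderedDict()
    for ev in events:
        groups.setdefault(ev.get("request_id", "<none>"), []).append(ev)
    return groups


def http_requests(events):
    """(method, path, status) for the ASGI access-log events (event starts with '/')."""
    out = []
    for ev in events:
        event = str(ev.get("event", ""))
        if ev.get("logger") == "authentik.asgi" and event.startswith("/"):
            out.append((ev.get("method"), urlsplit(event).path, ev.get("status")))
    return out


def _state_from_url(url):
    # parse_qs percent-decodes, so "STATE%3A%2F" becomes "STATE:/".
    values = parse_qs(urlsplit(url).query).get("state")
    return values[0] if values else None


def oauth_state(events):
    """Compare the state sent to /authorize with the state in the redirect back to the app."""
    sent = returned = None
    for ev in events:
        event = str(ev.get("event", ""))
        if event.startswith("/application/o/authorize/"):
            sent = _state_from_url(event)
        elif event == "converting to redirect challenge" and "to" in ev:
            returned = _state_from_url(ev["to"])
    return {"authorize": sent, "callback": returned,
            "match": sent is not None and sent == returned}


def proxy_cookie_errors(text):
    """(timestamp, cookie name) for each 'cookie "..." not present' line in the proxy log."""
    found = []
    for line in text.splitlines():
        m = PROXY_LINE.match(line)
        if not m:
            continue
        c = COOKIE_MISSING.search(m.group("msg"))
        if c:
            found.append((m.group("ts"), c.group("name")))
    return found


def triage(server_text, proxy_text):
    """One summary dict a responder can read at a glance."""
    events = parse_server_log(server_text)
    return {
        "requests": http_requests(events),
        "request_ids": list(by_request_id(events)),
        "state": oauth_state(events),
        "cookie_errors": proxy_cookie_errors(proxy_text),
    }


if __name__ == "__main__":
    for key, value in triage(SERVER_LOG, PROXY_LOG).items():
        print(f"{key}: {value}")
```

Run against the real logs by reading the two files into `triage()` instead of the constructed strings. A state that round-trips intact while the proxy still reports its cookie as missing points the investigation at the proxy's session cookie (scope, domain and expiry across the two subdomains and the nginx layer) rather than at the authorization flow itself.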

Metadata

Labels

bug (Something isn't working), bug/confirmed (Confirmed bugs)
