mirror of
https://github.com/fosrl/pangolin.git
synced 2026-05-21 09:21:15 -05:00
[GH-ISSUE #639] 1.3.0 - error authenticating with authentik #3486
Originally created by @chrispazz on GitHub (May 2, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/639
Trying to log in with a newly configured Authentik provider (all set up correctly), I get:
User not provisioned in the system
despite the user existing.
Authentik is tracking a correct and authorised login, but after the auth login, I get this error.
@miloschwartz commented on GitHub (May 2, 2025):
Hi, this is because auto-provision is disabled and you need to create a soft link to the user in Pangolin before Pangolin can "trust" the IdP. In your organization, create a new user, select the IdP, and define the role. This way Pangolin knows that the user from your IdP has access to the org and role.
@chrispazz commented on GitHub (May 2, 2025):
Hello and thank you for fast answer :)
The user was already added in the organisation, with external OIDC selected and the admin role.
@miloschwartz commented on GitHub (May 2, 2025):
Make sure the username you set when you provision the user is exactly the same as the user identifier claim path you set in the IdP config.
@chrispazz commented on GitHub (May 2, 2025):
Please, can you elaborate on this?
I added a new username inside Pangolin, "mark", with associated OIDC 1, which is the Authentik configuration.
In Authentik I have user mark correctly set up.
In Server Admin - Manage all User I see user mark associated with the Authentik provider.
On that page, under the column Username, it shows the email address instead of the username.
@aszurnasirpal commented on GitHub (May 2, 2025):
I have exactly the same problem
@mightyjens commented on GitHub (May 2, 2025):
Switching the Subject mode to username did the trick for me.
Corresponding to Authentik's documentation: If you choose to map to usernames, disable username changing.
Update: Using preferred_username, like @skyuk3000 mentioned, instead of switching the subject mode works for Authentik as well! So, both work... I don't know which is the better approach.
@topostbox92 commented on GitHub (May 2, 2025):
I have the same problem with Authelia
@cirrusflyer commented on GitHub (May 3, 2025):
Same problem with pocket-id.
In Server Admin - Manage all User I see user mark associated with the pocket-id provider.
On that page, under the column Username, it shows the email address instead of the username.
@skyuk3000 commented on GitHub (May 3, 2025):
I used the following setting, which works:
@cirrusflyer commented on GitHub (May 3, 2025):
That worked with pocket-id. Thanks!
@topostbox92 commented on GitHub (May 3, 2025):
Thanks a lot this worked like a charm with Authelia
@skyuk3000 commented on GitHub (May 3, 2025):
Thanks for confirming my findings that this method works for Pocket-ID and also works for Authentik and Authelia.
The best resolution would be to change the default "Identifier path" from "Sub" to "preferred_username", or to update the documentation to add the best setup methods; updating the documentation would be the best solution for now, as users wouldn't need to search the GitHub issues to find the solution.
Update:
Also adding to the documentation that the "Redirect URL" is generated once the Identity Provider is saved would make setting them up easier too, as mentioned in #644.
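The following is an added example, not Pangolin's code or anything posted in this thread. It models the matching step the comments above describe: the IdP's ID token is decoded, the claim at the configured "identifier path" is read, and that value is compared with the username typed in when the external user was pre-created in the org. With the default path `sub` and Authentik's default hashed subject, the lookup misses and the user is reported as not provisioned; pointing the path at `preferred_username`, or switching the provider's subject mode to username so that `sub` carries the username, makes it match. The dot-path resolver, the token payloads, the issuer URL and the user table are all constructed assumptions for illustration, and the unsigned-token builder exists only to produce offline sample input.

```python
"""Added example (not Pangolin's code): why a pre-provisioned external user can
still get "User not provisioned in the system", and what the two fixes from
the thread change.

Assumption: the identifier-path claim from the ID token is compared with the
username entered when the user was pre-created in the org. The dot-path
resolver, the sample ID-token payloads and the user table are constructed.
"""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used in compact JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a test fixture shaped like an ID token. The signature is empty:
    this is ONLY for constructing sample input offline. Real code must verify
    the signature against the IdP's JWKS and check iss/aud/exp before use."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def id_token_claims(id_token: str) -> dict:
    """Decode the payload segment of a compact JWT (no verification here)."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))


def claim_at_path(claims: dict, path: str):
    """Resolve a dotted path like "preferred_username" or "groups.0".
    Assumed semantics for the identifier path, not Pangolin's parser."""
    cur = claims
    for part in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
        if cur is None:
            return None
    return cur


def resolve_provisioned_user(claims: dict, identifier_path: str, users: list):
    """Return the pre-created org user whose username equals the identifier
    claim, or None, which is the "User not provisioned in the system" case."""
    identifier = claim_at_path(claims, identifier_path)
    if not isinstance(identifier, str) or not identifier:
        return None
    return next((u for u in users if u["username"] == identifier), None)


# Constructed: the user as pre-created in the Pangolin org ("mark", external IdP 1).
PROVISIONED_USERS = [{"username": "mark", "idp_id": 1, "role": "Admin"}]

# Constructed: Authentik's default subject mode yields an opaque hashed "sub";
# the username only appears in "preferred_username" (openid+profile scopes).
TOKEN_HASHED_SUB = make_unsigned_token({
    "iss": "https://auth.example.com/application/o/pangolin/",
    "aud": "pangolin", "exp": 1746200000,
    "sub": "3b8f0c0d5e4a1f2c9d8e7b6a5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d",
    "preferred_username": "mark",
    "email": "mark@example.com",
    "groups": ["pangolin-admins"],
})

# Constructed: the same login after switching the provider's subject mode to
# "username", so "sub" itself carries the username (the other fix in the thread).
TOKEN_USERNAME_SUB = make_unsigned_token({
    "iss": "https://auth.example.com/application/o/pangolin/",
    "aud": "pangolin", "exp": 1746200000,
    "sub": "mark",
    "preferred_username": "mark",
    "email": "mark@example.com",
})


def lookup(token: str, identifier_path: str):
    """Decode the token and resolve the pre-created org user, or None."""
    return resolve_provisioned_user(id_token_claims(token), identifier_path, PROVISIONED_USERS)


if __name__ == "__main__":
    # Default config: identifier path "sub" against a hashed subject -> miss.
    print("sub / hashed subject:", lookup(TOKEN_HASHED_SUB, "sub"))
    # Fix 1: identifier path "preferred_username" -> match.
    print("preferred_username:", lookup(TOKEN_HASHED_SUB, "preferred_username"))
    # Fix 2: subject mode "username" with the default path -> match.
    print("sub / username subject:", lookup(TOKEN_USERNAME_SUB, "sub"))
```

One caveat worth keeping in mind whichever fix you pick: `sub` is the only claim OpenID Connect requires to be stable and unique per user, while `preferred_username` is explicitly allowed to change. If the identifier path is a username claim, the IdP must prevent users from renaming themselves (the Authentik note quoted earlier in this thread says exactly that), otherwise an account could be renamed to collide with a username that was pre-provisioned with a higher role.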
@Rihan9 commented on GitHub (May 4, 2025):
Hi,
can I ask for help?
I'm trying to set up Authelia but it doesn't seem to work correctly.
https://pangolin.mydomain.net/auth/resource/8?redirect=https%3A%2F%2Ffiles.mydomain.net%2F
https://auth.mydomain.net/?response_type=code&client_id={{OMITTED}}&redirect_uri=https%3A%2F%2Fpangolin.mydomain.net%2Fauth%2Fidp%2F1%2Foidc%2Fcallback&state=hzAVrT7JATYRLnrji0E3AqjN4VPqt2G6OI5GMHY4zQk&code_challenge_method=S256&code_challenge=unGr5ip5Z5jKI81tT1gKaDc11l5kVaeTmXCsM69gfSU&scope=openid+profile+email
https://portal.mydomain.net/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fportal.mydomain.net%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2Fportal.mydomain.net%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9wb3J0YWwuaG9tZWF0cHMuaXQiLCJjbGllbnRJZCI6Imh0dHBzOi8vcG9ydGFsLmhvbWVhdHBzLml0LyJ9
If I try to access the first site mentioned (files.mydomain.net) when I'm already logged in to Authelia, I don't get redirected to portal.mydomain.net but I get stuck on the Authelia confirmation page:

I'll post my token configuration here:

But I didn't find the configuration mentioned in this post; if someone can share with me how to find it, I'd appreciate it:
P.S. I think it's better to consider converting this issue into a conversation.
@topostbox92 commented on GitHub (May 4, 2025):
Do you use Cloudflare for your domains? Maybe try to set a wildcard entry pointing to your VPS (if using one):
an A record for *.example.com pointing to the IP of your server running Pangolin.
@Rihan9 commented on GitHub (May 4, 2025):
Nope, I'm not using Cloudflare. I'm using IONOS as VPS and domain provider. The subdomains pangolin, files, portal and auth, and the main domain, are all correctly registered in the DNS with the VPS IP. I cannot add a wildcard subdomain; IONOS doesn't allow me to do it, I guess for some security reasons.
@Rihan9 commented on GitHub (May 4, 2025):
This problem doesn't appear if I use a "local" Pangolin user.
@polamoros commented on GitHub (May 4, 2025):
@topostbox92 could you share your client config from Authelia?
@topostbox92 commented on GitHub (May 4, 2025):
Sure, here you go:

```yaml
- client_name: 'Pangolin'
  client_id: 'pangolin'
  client_secret: '$pbkdf2-secretstuff'
  public: false
  authorization_policy: 'one_factor'
  claims_policy: 'default'
  pre_configured_consent_duration: 4w
  redirect_uris:
    - 'https://pangolin.domain.com/auth/idp/1/oidc/callback'
  scopes:
    - 'openid'
    - 'profile'
    - 'email'
  token_endpoint_auth_method: 'client_secret_basic'
```

@github-actions[bot] commented on GitHub (May 19, 2025):
This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
@themadcodger commented on GitHub (May 21, 2025):
I have Authentik set up, and configured correctly. I've pre-added the user in the org I want them in, using Authentik as the external user and matching the username. I've changed `sub` to `preferred_username` and changed the subject mode to username. At this point the saved user shows up with their email as their username, but in All Users it's captured correctly. Once I then log in with that user via Authentik, they're provisioned, but in their own org, not the one I created them in. If I check the created user, it's been removed from the original org but still exists in All Users as it was, though the email address is now some form of username@server.tld instead of the original email@server.tld.
So it's like Pangolin sees it's the same as the pre-created user, but something's not matching correctly, so it removes it from the org, sticks it in a new org, and modifies the email.
edit: This is discussed and (temporarily?) solved in https://github.com/fosrl/pangolin/issues/737
@github-actions[bot] commented on GitHub (Jun 5, 2025):
This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
@github-actions[bot] commented on GitHub (Jun 19, 2025):
This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.
@kgoode517 commented on GitHub (Feb 15, 2026):
God bless you @mightyjens, same issue and same fix. I have submitted a merge request so that the Authentik Pangolin SSO configuration documentation reflects this.