🐞 Bug: oidc oauth login with authentik not working

[bucky2780]

Bug Description

Does anyone have the oidc login working with authentik ?
I tried to hook it up yesterday... staying as generic as possible. However fails with a uri re-direct error.
Are you sure the client secret is getting captured ? Does not seem to remember it from login to login.

Happy to post pics of the integration if you think it is working....

Steps To Reproduce

setup authentik sso oauth integration
use UI to setup oauth on arcane side.
URI redirect error will result

Expected Behavior

I would expect a clean login...

Actual Behavior

would expect a clean login

Screenshots

No response

Arcane Version

v 1.30

Operating System

macOS

Browser

brave

Docker Version

latest

[kmendell]

I got it working when anotehr issue popped up about authentik. I know the OIDC logic is working as its how i login to my prodtuon setup.

The secret should be persisted (at least in the login flow) anywhere past using it to "authenticate" to the OIDC provider, beyond that it should never be stored anywhere.

[kmendell]

Post any images or logs from your error and i can certainly help you troubleshoot or find the issue if it is in the code.

[bucky2780]

screen caps posted above. The client secret appears blank... but I assure you I saved it previously. I would have expected a like of asterisks... that way I know its saved.

Might try the environment method... not sure.

I am still new with authentik....

[kmendell]

The client secret is saved I left it blank vs atrixs as it can be changed if a new value is saved.

I think the issue is there mutiple call back urls in authemtik using the strict option, im not a fan of than in authentik, but try remove the callback urls and then logging in it should auto populate the correct callback url

[bucky2780]

I think it is something else... Replaced the redirect uri to regex ".*" which is less secure... but more open. Still gave me the same redirect error.

what should I use for issuer url ?
https://auth.expander.dedyn.io/application/o/arcane/.well-known/openid-configuration (doesint work)
or
https://auth.expander.dedyn.io/application/o/arcane/ (gets me further)

[keonramses]

@bucky2780, are you using the default Authentik certificate? I am having issues getting this to work on my end and I am trying to see if I am missing anything that is causing me to get this error below.

"Failed to generate OIDC auth URL: failed to discover provider: Get \"https://auth.{domain}/application/o/arcane/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

[bucky2780]

Interesting... I am not getting much in the logs... getting unauthenticated lines in the authentik log, and not much in the arcane log.

I note that arcane says at the top of the documentation... that they insist on using PKCE. I assume authentik handles this natively... but now not so sure. Or perhaps authentik has some secret config to help adjust for pkce... not sure.

[kmendell]

Right Arcane needs PKCE the error you are getting is caused by a insecure TLS Certificate some where, see this issue: #527. I cant reproduce it as my instance worked just fine, however there is the posibility i could add the dont verify tls certs switch for OIDC but its not really recommended for obvious reasons

[kmendell]

Can you try the ghcr.io/ofkm/arcane:next image once its done building? I enabled both PKCE and plain auth challenges im curious if that will fix anything.

[bucky2780]

yes... will try soon. Can you make it configuratble via an env variable ? I noticed other services do something similar.

[kmendell]

The auth challenge does need to be configured it automatucally wil use whatever the provider advertises, but the rest of the OIDC settings can be set via environment variables

[bucky2780]

sorry... does not work for me.
I am going to capitulate for the moment... as there are quite a few complexities involved. From what I can tell it is NOT a requirement to have a cert for pkce... and my authentik install is very much basic and standard at this stage.
For my homelab cert handling is done in opnsense/caddy... all access is via the reverse proxy.
Thanks for your efforts... very much appreciated.

[bucky2780]

further to this... taking a page out of immich's book...

in user settings for oauth... in addition to client id etc... they have a combo dropdown - TOKEN_ENDPOINT_AUTH_METHOD. Values are client_secret_post, client_secret_basic. The first takes you on pkce, and the latter drops it.

seems like the way forward to me....

[kmendell]

Well if the OIDC Provider advertises RS256 as a code challenge then PKCE can be used, Arcane now supports both , so it shouldnt matter (on the next image that is). The client secret basic would be client credentials flow, which shouldnt be used for normal OIDC user authneication as its meant to be used to M2M authentication. Though its not to say i couldnt add it.

Its hard to troubleshoot this as i setup authentik and all is working fine for me with it, and all my testsing is done vai Pocket ID (as i use that and am also a maintainer of that).

Ill keep trying to figure it out but overall its something to do with the certificate most likley.

[kmendell]

I setup authentik on a friend of mine envirnment and it worked out of the box, im converting this to a discussion as its something environment specific

[keonramses]

Can you please let us know the version you used?

I'll post my authentik compose later so we can compare.

[keonramses]

Here's my compose. My OS is RockyLinux10

authentik:
    image: authentik/server:2025.8.3
    container_name: authentik
    restart: always
    mem_limit: 2048m
    cpus: "1"
    ports:
      - 9000:9000
      - 9445:9443
    command:
      - server
    user: $UID:$GID
    environment:
      - AUTHENTIK_REDIS__HOST=${REDIS_HOST}
      - AUTHENTIK_POSTGRESQL__HOST=${POSTGRESQL_HOST}
      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRESQL__NAME}
      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRESQL__USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      - AUTHENTIK_LOG_LEVEL=info
      - AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
      - AUTHENTIK_DISABLE_UPDATE_CHECK=true
      - AUTHENTIK_ERROR_REPORTING__ENABLED=false
    volumes:
      - ${DOCKER_DATA_DIR}/authentik/media:/media
      - ${DOCKER_DATA_DIR}/authentik/custom-templates:/templates
    labels:
      - dockflare.enable=true
      - dockflare.hostname=auth.${DOMAIN}
      - dockflare.service=https://traefik:443
      - cloudflare.tunnel.originsrvname=traefik.${DOMAIN}
      - traefik.enable=true
      - traefik.http.routers.authentik.rule=Host(`auth.${DOMAIN}`)
      - traefik.http.routers.authentik.entrypoints=websecure
      - traefik.http.routers.authentik.tls=true
      - traefik.http.routers.authentik.tls.certresolver=cloudflare
      - traefik.http.services.authentik.loadbalancer.server.port=9000
      - traefik.http.middlewares.authentik.forwardauth.address=http://authentik:9000/outpost.goauthentik.io/auth/traefik
      - traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
    networks:
      - homelab
    depends_on:
      - postgresql
      - redis

authentik-worker:
    image: authentik/server:2025.8.3
    container_name: authentik-worker
    restart: always
    mem_limit: 2048m
    cpus: "1"
    command:
      - worker
    user: $UID:$GID
    environment:
      - AUTHENTIK_REDIS__HOST=${REDIS_HOST}
      - AUTHENTIK_POSTGRESQL__HOST=${POSTGRESQL_HOST}
      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRESQL__NAME}
      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRESQL__USER}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
      - AUTHENTIK_LOG_LEVEL=info
      - AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true
      - AUTHENTIK_DISABLE_UPDATE_CHECK=true
      - AUTHENTIK_ERROR_REPORTING__ENABLED=false
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DOCKER_DATA_DIR}/authentik/media:/media
      - ${DOCKER_DATA_DIR}/authentik/certs:/certs
      - ${DOCKER_DATA_DIR}/authentik/custom-templates:/templates
    networks:
      - homelab
    depends_on:
      - postgresql
      - redis

[bucky2780]

can you please post the issue url, and the redirect uri you used with authentik ? Did you use a private cert ?

[keonramses]

@bucky2780, to fix this, set the arcane APP_URL env var to your arcane domain.

ex: - APP_URL=https://arcane.${DOMAIN}

arcane:
    image: ghcr.io/ofkm/arcane:v1.7.2
    container_name: arcane
    restart: unless-stopped
    #mem_limit: 512m
    #cpus: "0.5"
    ports:
      - 3552:3552
    environment:
      - ANALYTICS_DISABLED=true
      - APP_URL=https://arcane.${DOMAIN}
      - PUID=1000
      - PGID=1001
      - ENCRYPTION_KEY=${ARCANE_ENCRYPTION_KEY}
      - JWT_SECRET=${ARCANE_JWT_SECRET}
      - DATABASE_URL=file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DOCKER_DATA_DIR}/arcane:/app/data
      - ${DOCKER_STACKS_DIR}:/app/data/projects
    networks:
      - homelab