Forward Auth Cookie Expiration Recovery #1992
Noggog
started this conversation in
Issue Triage
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
What went wrong?
I have a Pangolin + Authentik setup that sits in front of my Grimmory. Grimmory uses authentik to identify which user is visiting, via OIDC provider.
Additionally, though, when visiting my grimmory.mysite.com URL, Pangolin first intercepts and confirms the user is logged into Authentik before even forwarding to Grimmory whatsoever. Docs here
The idea is that sites cannot be visited and exploited at all until a user has logged into Authentik. This provides a layer of security in case an individual app is not set up as securely as it could be. Once logged in, the user is able to visit the site, and normal OIDC mechanisms kick in to inform the site of who is logged in.
This seems to work, up until cookies expire. At that point, the Grimmory website continues to barrage
grimmory.mysite.com/api/v1/settingsand similar endpoints. However, since the cookie has expired, Pangolin is no longer letting requests hit the Grimmory backend, and they all get rerouted toauthentik.mysite.comin an attempt to have the user log in again.CORS kicks in at this point and blocks all the requests, and the result is a black screen in the browser, with lots of console errors like
I'm not quite sure what best practice is, but I will say that Grimmory is the only app among dozens of mine that has this cookie expiration issue. Somehow the other apps are handling it more gracefully.
Random research has suggested that the site should/could potentially detect it's being rerouted to a different origin (authentik.mysite.com rather than grimmory.mysite.com) and then trigger a full-page window.location navigation to re-auth, instead of letting the failed fetch bubble up as a fatal error.
How can we reproduce it?
Set up Grimmory behind a Forward Auth structure, and wait for cookies to expire
What Build of Grimmory are you on?
Stable
Your setup
Screenshots or error messages (optional)
No response
Before submitting
Beta Was this translation helpful? Give feedback.
All reactions