
Access to my "resource"/Application using curl and a bearer token #12645

Open
Zananok opened this issue Jan 11, 2025 · 0 comments
Labels
question Further information is requested

Comments


Zananok commented Jan 11, 2025

Describe your question
How do I access my "resource"/application using a bearer token? In this case I am just testing with curl.

I am unable to access my "resource"/application using curl with either a bearer token or a "Token" generated from Admin -> Directory -> Tokens and App passwords.

The access tokens I have created have the goauthentik.io/api scope, yet there is no access to the resource/application that the provider manages.

Tried:

  • Access token for a 'Normal user' account (Internal) to a provider 'OAuth2/OpenID Provider'

  • Access token for a 'Normal user' account to a provider 'Proxy Provider'

  • Service account to a provider 'OAuth2/OpenID Provider'

  • Service account to a provider 'Proxy Provider'

  • Normal user token created from "Tokens and App passwords" to a provider 'OAuth2/OpenID Provider'

  • Normal user token created from "Tokens and App passwords" to a provider 'Proxy Provider'

  • Also tried with ak_proxy scope (don't know what it means, but it didn't help)

Getting the access token (success):

    # Token endpoint, client_credentials grant with a username + app password
    # instead of a client_secret (the log below records this as auth_method
    # "token", identifier "Main-Pass"). --data-urlencode so that passwords or
    # scopes containing '&', '/', '+' or spaces survive the form encoding.
    RESPONSE="$(curl -sS -X POST \
      "https://${AUTH_DOMAIN}/application/o/token/" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "grant_type=client_credentials" \
      -d "client_id=${CLIENT_ID}" \
      --data-urlencode "username=${USERNAME}" \
      --data-urlencode "password=${PASSWORD}" \
      --data-urlencode "scope=${SCOPE}" \
    )"
    # --data-urlencode "client_secret=${CLIENT_SECRET}" \

    # Empty string (and a visible error above) if the token request failed.
    ACCESS_TOKEN=$(printf '%s' "${RESPONSE}" | jq -r '.access_token // empty')

Actually accessing the resource (where it fails):

    # Double quotes so ${TARGET_URL} expands (single quotes send the literal text).
    # --location-trusted implies -L and also re-sends the Authorization header to
    # redirect targets on other hosts, which plain -L does not; fine for a test,
    # not for a script that may be redirected somewhere untrusted.
    curl -sS --location-trusted -H "Authorization: Bearer ${ACCESS_TOKEN}" "https://${TARGET_URL}"

Expected response is what my resource should return, but instead I receive the HTML of Authentik's login page:

<!DOCTYPE html>

<html>
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
        <title>Authentik Authentication</title>
        <link rel="icon" href="/media/some-auth-logo.png">
        <link rel="shortcut icon" href="/media/some-auth-logo.png">



<link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />

<script>ShadyDOM = { force: !navigator.webdriver };</script>




<script>
    window.authentik = {
        locale: "en-us",
        config: JSON.parse('{\u0022error_reporting\u0022: {\u0022enabled\u0022: true, \u0022sentry_dsn\u0022: \u0022https://[email protected]\u002Dreporting.a7k.io/4504163677503489\u0022, \u0022environment\u0022: \u0022customer\u0022, \u0022send_pii\u0022: false, \u0022traces_sample_rate\u0022: 0.1}, \u0022capabilities\u0022: [\u0022can_save_media\u0022, \u0022can_asn\u0022, \u0022can_geo_ip\u0022, \u0022can_impersonate\u0022, \u0022is_enterprise\u0022], \u0022cache_timeout\u0022: 300, \u0022cache_timeout_flows\u0022: 300, \u0022cache_timeout_policies\u0022: 300, \u0022cache_timeout_reputation\u0022: 0}'),
        brand: JSON.parse('{\u0022matched_domain\u0022: \u0022authentik.somedomain.com\u0022, \u0022branding_title\u0022: \u0022Authentik Authentication\u0022, \u0022branding_logo\u0022: \u0022/media/some\u002Dauth.webp\u0022, \u0022branding_favicon\u0022: \u0022/media/some\u002Dauth\u002Dlogo.png\u0022, \u0022ui_footer_links\u0022: [], \u0022ui_theme\u0022: \u0022automatic\u0022, \u0022flow_authentication\u0022: \u0022default\u002Dauthentication\u002Dflow\u0022, \u0022flow_invalidation\u0022: \u0022default\u002Dinvalidation\u002Dflow\u0022, \u0022flow_user_settings\u0022: \u0022default\u002Duser\u002Dsettings\u002Dflow\u0022, \u0022default_locale\u0022: \u0022\u0022}'),
        versionFamily: "2024.12",
        versionSubdomain: "version-2024-12",
        build: "",
        api: {
            base: "https://authentik.somedomain.com/",
        },
    };
    window.addEventListener("DOMContentLoaded", function () {

    });
</script>

<script>
window.authentik.flow = {
    "layout": "stacked",
};
</script>

        <link rel="stylesheet" type="text/css" href="/static/dist/authentik.css">
        <link rel="stylesheet" type="text/css" href="/static/dist/custom.css" data-inject>
        <script src="/static/dist/poly-2024.12.2.js" type="module"></script>
        <script src="/static/dist/standalone/loading/index-2024.12.2.js" type="module"></script>

<script src="/static/dist/flow/FlowInterface-2024.12.2.js" type="module"></script>
<style>
:root {
    --ak-flow-background: url("/static/dist/assets/images/flow_background.jpg");
}
</style>

        <meta name="sentry-trace" content="1f60315dcc4342b9b089b21c27636c63-97292e8274fa8571-1" />
    </head>
    <body>

<ak-message-container></ak-message-container>
<ak-flow-executor flowSlug="default-authentication-flow">
    <ak-loading></ak-loading>
</ak-flow-executor>



    </body>
</html>

No success on any of these. My goal is to access the resources behind the 'OAuth2/OpenID' and 'Proxy' providers.
Accessing these resources using normal Chrome/Edge works with the 'normal' UI login for both the Normal user and the Service account (I set a password on the service account using the admin panel).

The login flow is just the default standard implicit flow. I ensured that the application/providers have been checked with intercepting headers for login.

Relevant info
Tried both authentik version 2024.12.2 and version 2024.8.3. No success on either.

Screenshots
(two screenshots attached to the original issue; not reproduced here)

Logs
Logs for authentik-server-1

{"domain_url": null, "event": "/ws/client/", "level": "info", "logger": "authentik.asgi", "pid": 61741, "remote": "192.168.XXX.XXX", "schema_name": "public", "scheme": "ws", "timestamp": "2025-01-11T15:47:14.680616", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"}
{"action": "login", "auth_via": "oauth_client_secret", "client_ip": "192.168.XXX.XXX", "context": {"application": {"app": "authentik_core", "model_name": "application", "name": "ServiceApplication", "pk": "0b700314632346ff8df791387d5491fa"}, "auth_method": "token", "auth_method_args": {"identifier": "Main-Pass"}, "http_request": {"args": {}, "method": "POST", "path": "/application/o/token/", "request_id": "7c149dd1cf50460c8890b0cbd5587265", "user_agent": "curl/7.88.1"}}, "domain_url": "authentik.somedomain.com", "event": "Created Event", "host": "authentik.somedomain.com", "level": "info", "logger": "authentik.events.models", "pid": 86362, "request_id": "7c149dd1cf50460c8890b0cbd5587265", "schema_name": "public", "timestamp": "2025-01-11T15:47:15.626786", "user": {"email": "[email protected]", "pk": 7, "username": "SomeUsername"}}
{"auth_via": "oauth_client_secret", "domain_url": "authentik.somedomain.com", "event": "Task published", "host": "authentik.somedomain.com", "level": "info", "logger": "authentik.root.celery", "pid": 86362, "request_id": "7c149dd1cf50460c8890b0cbd5587265", "schema_name": "public", "task_id": "7cd4282a829d4a5281eac4909bd24665", "task_name": "authentik.events.tasks.event_notification_handler", "timestamp": "2025-01-11T15:47:15.680003"}
{"auth_via": "oauth_client_secret", "domain_url": "authentik.somedomain.com", "event": "/application/o/token/", "host": "authentik.somedomain.com", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 86362, "remote": "192.168.XXX.XXX", "request_id": "7c149dd1cf50460c8890b0cbd5587265", "runtime": 464, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2025-01-11T15:47:16.056397", "user": "", "user_agent": "curl/7.88.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik.somedomain.com", "event": "/application/o/authorize/?client_id=5saqQOM3txSSSP4U12sfEJWeCKt0nG8mPPSCwA98&redirect_uri=http%3A%2F%2Flocalhost%3A5222%2Fsignin-authentik&response_type=code&scope=openid%20profile%20email%20goauthentik.io%2Fapi&code_challenge=FSerFga5Yr9QJLN7bEaYMc2d6OaRltw4RC-u2zrR_FY&code_challenge_method=S256&response_mode=form_post&nonce=638722072362445101.YjYzNTkxZDktZmU0YS00N2NjLTgxNWMtMDFkZjY4NmM3ODRjNGUyNzgxZGMtZDk3Ni00NmEwLTg0ZmUtNjY3ODJlZmVlY2My&state=CfDJ8C2Uw9yW7YxOvq_ngl-2jdor7Gndo4ZSpm9Fis9AUCug76vfxYQi8Rwjsd4r5p81BLRR_Tihz_7UdMbn8oFD0x3skTaUmiz2s-H95TULPgb4Z3PSuUZABKRCWhAJ1XpX1pmvjHFf4_WbYnaoEF4tTNw95D3F42NZl8HndS93AvRYB88O2D9T9K3NwiDgACc81gRTAVVLGp7l6Qy0wT_cE_LBsyWL7ndJXVrCeGYxxFzUjEVndIx7hglg_j5nedX8eOO9BTgyad9eezjjxOunyFhbDI0H8ZIqSn29v435eBKMrpCk7bjNBo6zUJm1udXec0JeqQghJXTpSaGQyW6vCYBb3WmU5ryM5mtXBvcB87Au4K7WLE-rGT0_czu9tlFA6LkeOoRdUp40BSzFb5ZgnlwX1BH_21mZYMpi-_FpIq_v&x-client-SKU=ID_NET9_0&x-client-ver=8.0.1.0", "host": "authentik.somedomain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 86362, "remote": "192.168.XXX.XXX", "request_id": "81fdd65ff2cd4b35a0a7f600f8a40233", "runtime": 17, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2025-01-11T15:47:16.392232", "user": "", "user_agent": "curl/7.88.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik.somedomain.com", "event": "/flows/-/default/authentication/?next=/application/o/authorize/%3Fclient_id%3D5saqQOM3txSSSP4U12sfEJWeCKt0nG8mPPSCwA98%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A5222%252Fsignin-authentik%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520email%2520goauthentik.io%252Fapi%26code_challenge%3DFSerFga5Yr9QJLN7bEaYMc2d6OaRltw4RC-u2zrR_FY%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D638722072362445101.YjYzNTkxZDktZmU0YS00N2NjLTgxNWMtMDFkZjY4NmM3ODRjNGUyNzgxZGMtZDk3Ni00NmEwLTg0ZmUtNjY3ODJlZmVlY2My%26state%3DCfDJ8C2Uw9yW7YxOvq_ngl-2jdor7Gndo4ZSpm9Fis9AUCug76vfxYQi8Rwjsd4r5p81BLRR_Tihz_7UdMbn8oFD0x3skTaUmiz2s-H95TULPgb4Z3PSuUZABKRCWhAJ1XpX1pmvjHFf4_WbYnaoEF4tTNw95D3F42NZl8HndS93AvRYB88O2D9T9K3NwiDgACc81gRTAVVLGp7l6Qy0wT_cE_LBsyWL7ndJXVrCeGYxxFzUjEVndIx7hglg_j5nedX8eOO9BTgyad9eezjjxOunyFhbDI0H8ZIqSn29v435eBKMrpCk7bjNBo6zUJm1udXec0JeqQghJXTpSaGQyW6vCYBb3WmU5ryM5mtXBvcB87Au4K7WLE-rGT0_czu9tlFA6LkeOoRdUp40BSzFb5ZgnlwX1BH_21mZYMpi-_FpIq_v%26x-client-SKU%3DID_NET9_0%26x-client-ver%3D8.0.1.0", "host": "authentik.somedomain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 86362, "remote": "192.168.XXX.XXX", "request_id": "2ae1cf51562f4061a885c4602c6814e0", "runtime": 9, "schema_name": "public", "scheme": "https", "status": 302, "timestamp": "2025-01-11T15:47:16.424197", "user": "", "user_agent": "curl/7.88.1"}
{"auth_via": "unauthenticated", "domain_url": "authentik.somedomain.com", "event": "/if/flow/default-authentication-flow/?next=%2Fapplication%2Fo%2Fauthorize%2F%3Fclient_id%3D5saqQOM3txSSSP4U12sfEJWeCKt0nG8mPPSCwA98%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A5222%252Fsignin-authentik%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520email%2520goauthentik.io%252Fapi%26code_challenge%3DFSerFga5Yr9QJLN7bEaYMc2d6OaRltw4RC-u2zrR_FY%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D638722072362445101.YjYzNTkxZDktZmU0YS00N2NjLTgxNWMtMDFkZjY4NmM3ODRjNGUyNzgxZGMtZDk3Ni00NmEwLTg0ZmUtNjY3ODJlZmVlY2My%26state%3DCfDJ8C2Uw9yW7YxOvq_ngl-2jdor7Gndo4ZSpm9Fis9AUCug76vfxYQi8Rwjsd4r5p81BLRR_Tihz_7UdMbn8oFD0x3skTaUmiz2s-H95TULPgb4Z3PSuUZABKRCWhAJ1XpX1pmvjHFf4_WbYnaoEF4tTNw95D3F42NZl8HndS93AvRYB88O2D9T9K3NwiDgACc81gRTAVVLGp7l6Qy0wT_cE_LBsyWL7ndJXVrCeGYxxFzUjEVndIx7hglg_j5nedX8eOO9BTgyad9eezjjxOunyFhbDI0H8ZIqSn29v435eBKMrpCk7bjNBo6zUJm1udXec0JeqQghJXTpSaGQyW6vCYBb3WmU5ryM5mtXBvcB87Au4K7WLE-rGT0_czu9tlFA6LkeOoRdUp40BSzFb5ZgnlwX1BH_21mZYMpi-_FpIq_v%26x-client-SKU%3DID_NET9_0%26x-client-ver%3D8.0.1.0", "host": "authentik.somedomain.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 86362, "remote": "192.168.XXX.XXX", "request_id": "e1e330de4dd44a53add2399d291f0681", "runtime": 15, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2025-01-11T15:47:16.460734", "user": "", "user_agent": "curl/7.88.1"}

Interestingly, the second log line for oauth_client_secret shows the user as '' (empty).
However, querying userinfo with the access token returns the expected result:

    # https://authentik.somedomain.com/application/o/userinfo/
    {"sub": "8bf215cb689902f83745XXXXXXXXXXXXXXXXXXXXXXXX", "name": "Some Name", "given_name": "Some Name", "preferred_username": "Some Username", "nickname": "Some Username", "groups": ["authentik Admins", "some", "groups"]}

Version and Deployment (please complete the following information):

  • authentik version: 2024.12.2 (but also tried 2024.8.3)
  • Deployment: docker-compose

Additional Information:
The OAuth2 provider is being accessed directly (testing with localhost/local IP), whereas the proxy provider is being accessed behind haproxy. Both can be accessed properly from the web browser, so I am sure it's nothing related to my proxy.
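The symptom in the post is a token that /application/o/userinfo/ accepts while the protected URL answers with authentik's flow interface, and curl's `-L` hides the 302 that got it there. The helper below is an added example, written in Python rather than the poster's curl so it can be exercised offline; it is not part of the issue or of the authentik project. It reads the claims a resource server checks first (issuer, audience, scopes, expiry) from the unverified JWT payload, fetches the target without following redirects so the redirect itself is reported, and classifies the reply as the resource, a login page, a redirect or a rejection. It assumes the access token is a JWT; the `ACCESS_TOKEN`, `TARGET_URL` and `EXPECTED_AUD` environment variables, the login-page markers and `make_unsigned_token` are this example's own choices, the last one existing only to build constructed test input.

```python
"""Diagnostic for "Bearer works on userinfo, resource shows the login page".

Added example, not from the issue or from authentik. Assumes the access
token is a compact JWS (header.payload.signature). The payload is read
WITHOUT signature verification: use it to see what the token says, never
to decide whether to trust it.
"""
from __future__ import annotations

import base64
import json
import os
import time
from typing import Optional
from urllib import error, request

# Strings that appear in authentik's flow interface HTML and not in an API
# response; one of them in the body means the Bearer header was not honoured
# and the request fell through to interactive login. (Example's own list.)
LOGIN_PAGE_MARKERS = ("<ak-flow-executor", "/if/flow/", "/flows/-/default/authentication/")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS. No signature check (see module doc)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_report(token: str, expected_aud: str, now: Optional[float] = None) -> dict:
    """Issuer, audience, granted scopes and expiry of the token. 'aud' may be a
    string or a list; a resource whose client ID is not in it will reject it."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    return {
        "iss": claims.get("iss"),
        "aud": aud_list,
        "aud_matches": expected_aud in aud_list,
        "scopes": sorted(str(claims.get("scope", "")).split()),
        "expired": "exp" in claims and float(claims["exp"]) <= now,
    }


def classify_response(status: int, content_type: str, body: str) -> str:
    """Name what the protected URL (or the proxy in front of it) sent back."""
    if status in (301, 302, 303, 307, 308):
        return "redirect"          # only visible because fetch() does not follow it
    if status in (401, 403):
        return "rejected"          # the token was seen and refused
    if "text/html" in content_type and any(m in body for m in LOGIN_PAGE_MARKERS):
        return "login-page"        # the token was ignored; session cookie expected
    if 200 <= status < 300:
        return "resource"
    return "other"


def fetch(url: str, token: str) -> tuple[int, str, str]:
    """GET url with the Bearer header; return (status, content-type, body).
    Redirects are not followed: the 302 to the authentication flow is the
    finding, and not following it also keeps the token from being re-sent to
    whatever host the Location header names."""
    class NoRedirect(request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None            # makes urllib raise HTTPError for the 3xx
    req = request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode(errors="replace")
    except error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), e.read().decode(errors="replace")


def make_unsigned_token(claims: dict) -> str:
    """Constructed test input only: an alg=none token so the helpers above can
    run offline. Nothing in this module (or anywhere) should accept such a token."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


if __name__ == "__main__":
    # Hypothetical environment variables; fill from the curl snippets above.
    token, url = os.environ["ACCESS_TOKEN"], os.environ["TARGET_URL"]
    print(json.dumps(token_report(token, os.environ.get("EXPECTED_AUD", "")), indent=2))
    status, ctype, body = fetch(url, token)
    print(status, ctype, classify_response(status, ctype, body))
```

Reading the report next to the classification narrows the search: "login-page" or a "redirect" whose Location is the authentication flow means the component in front of the resource never evaluated the header, while "rejected" with a report showing the wrong `aud` or a missing scope means it did and disagreed with the token's contents.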
