Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bad gateway on logout #814

Open
DesertCookie opened this issue Feb 24, 2024 · 1 comment
Open

Bad gateway on logout #814

DesertCookie opened this issue Feb 24, 2024 · 1 comment
Labels
0. Needs triage

Comments

@DesertCookie
Copy link

Expected behaviour

Following this guide and some experimentation, I expected logging out to work with one of these options as URL Location of IdP where the SP will send the SLO Request:

  1. https://auth.myurl.com/if/session-end/nextcloud/
  2. https://auth.myurl.com/application/saml/nextcloud/slo/binding/post/
  3. https://auth.myurl.com/application/saml/nextcloud/slo/binding/redirect/

Actual behaviour

I encountered a Bad gateway error that I cannot track down. With (1) the error appears with this URL in the browser: https://cloud.myurl.com/apps/user_saml/saml/sls?requesttoken=xxxxxxxxxxxxxxxxxxxxxxxxxx. However, pasting (1) into the address bar correctly logs me out and returns me to the corresponding Authentik screen. (2) and (3) always end with a Bad Request: The SAML request payload is missing. from Authentik.
Furthermore, the Nextcloud web log shows OC\Authentication\Exceptions\InvalidTokenException: Token does not exist: token does not exist within about two minutes of my logout attempts (don't know if it's lag or an unrelated error).

PS: The logout itself seems to take place with (1), despite the bad gateway error. When heading back to cloud.myurl.com it briefly shows Authentik's Redirecting to Nextcloud... which it does not show when a Nextcloud session is still active (as happens with (2) and (3)).
Reloading the bad request page simply logs me back into Nextcloud via Authentik's redirect page.

Configuration

Operating system: unRAID 6.12.6 (Docker)
Nextcloud: Nextcloud AIO 7.12.1 (Nextcloud 27.1.7 RC1)
Browser: Firefox 122.0.1
Operating system: Windows 11
IdP: Authentik
Reverse Proxy: Nginx Proxy Manager

Proxy Configuration

  • Nginx Proxy Manager is first in line. Enabled: Websockets Support, Force SSL, HTTP/2 Support, HSTS Enabled, HSTS Subdomains. It redirects to my.servers.ipv4.address:11000.
  • Nextcloud AIO's default Apache server is second in line. It does not output any logs in the seconds of the bad gateway error.
  • No other of my services that go through Nginx Proxy Manager and use Authentik's SLO URLs (WordPress, Jellyfin, Audiobookshelf) have this issue.
@Trembler34
Copy link

Trembler34 commented Jul 29, 2024
edited
Loading

Expected behaviour

Following this guide and some experimentation, I expected logging out to work with one of these options as URL Location of IdP where the SP will send the SLO Request:

  1. https://auth.myurl.com/if/session-end/nextcloud/
  2. https://auth.myurl.com/application/saml/nextcloud/slo/binding/post/
  3. https://auth.myurl.com/application/saml/nextcloud/slo/binding/redirect/

Actual behaviour

I encountered a Bad gateway error that I cannot track down. With (1) the error appears with this URL in the browser: https://cloud.myurl.com/apps/user_saml/saml/sls?requesttoken=xxxxxxxxxxxxxxxxxxxxxxxxxx. However, pasting (1) into the address bar correctly logs me out and returns me to the corresponding Authentik screen. (2) and (3) always end with a Bad Request: The SAML request payload is missing. from Authentik. Furthermore, the Nextcloud web log shows OC\Authentication\Exceptions\InvalidTokenException: Token does not exist: token does not exist within about two minutes of my logout attempts (don't know if it's lag or an unrelated error).

PS: The logout itself seems to take place with (1), despite the bad gateway error. When heading back to cloud.myurl.com it briefly shows Authentik's Redirecting to Nextcloud... which it does not show when a Nextcloud session is still active (as happens with (2) and (3)). Reloading the bad request page simply logs me back into Nextcloud via Authentik's redirect page.

Configuration

Operating system: unRAID 6.12.6 (Docker) Nextcloud: Nextcloud AIO 7.12.1 (Nextcloud 27.1.7 RC1) Browser: Firefox 122.0.1 Operating system: Windows 11 IdP: Authentik Reverse Proxy: Nginx Proxy Manager

Proxy Configuration

  • Nginx Proxy Manager is first in line. Enabled: Websockets Support, Force SSL, HTTP/2 Support, HSTS Enabled, HSTS Subdomains. It redirects to my.servers.ipv4.address:11000.
  • Nextcloud AIO's default Apache server is second in line. It does not output any logs in the seconds of the bad gateway error.
  • No other of my services that go through Nginx Proxy Manager and use Authentik's SLO URLs (WordPress, Jellyfin, Audiobookshelf) have this issue.

Did you ever get this figured out? This is happening to me now. I notice it only happens if i dont have the option selected in SAML to allow multiple backend logins, like LDAP users.. If i keep that unchecked i get the gateway error on logout. If i have it selected and logout i get taken back to the proper authentik page with options.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0. Needs triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@blizzz @DesertCookie @Trembler34