Authentik OIDC redirects to invalid or localhost URL

[M-Davies]

Overview

I am selfhosting Faction on my cloud server and have an issue where Faction's OIDC redirection logic does not seem to redirect me to the correct callback URL.

Environement

• OIDC Provider is Authentik
• Faction is running inside a docker container as part of the docker compose stack shown below:

Note all real domains have been replaced with my.tld and all real credentials replaced with OMITTED for privacy

version: "3.7"

networks:
  faction-net:
    external: false
  sso:
    external: true

services:
  faction-mongo:
    container_name: faction-mongo
    networks:
      - faction-net
    image: mongo:latest
    ports:
      - "127.0.0.1:27017:27017"
    volumes:
      - '~/.faction/data:/data/db'
    environment:
      - 'MONGO_INITDB_ROOT_USERNAME=OMITTED'
      - 'MONGO_INITDB_ROOT_PASSWORD=OMITTED'
    restart: unless-stopped

  tomcat-service:
    build:
      context: .
      dockerfile: Dockerfile
      target: base_app
    container_name: faction-web
    networks:
      - sso
      - faction-net
    environment:
        - 'FACTION_REPORT_STORAGE=local'
        - 'FACTION_MONGO_HOST=faction-mongo'
        - 'FACTION_MONGO_DATABASE=faction'
        - 'FACTION_MONGO_USER=OMITTED'
        - 'FACTION_MONGO_PASSWORD=OMITTED'
        - 'FACTION_SECRET_KEY=OMITTED'
        - 'FACTION_OAUTH_CALLBACK=https://faction.internal.my.tld/oauth/callback?client_name=OidcClient'
        - 'FACTION_APPSTORE_ENABLED=true'
    links:
      - faction-mongo
    command: ["/usr/local/tomcat/bin/catalina.sh", "run"]
    ports:
      - "127.0.0.1:8081:8080"
    depends_on:
      - faction-mongo
    restart: unless-stopped

postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    container_name: authentik-postgresql
    networks:
      - authentik-internals
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env

  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    container_name: authentik-redis
    networks:
      - authentik-internals
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:latest
    restart: unless-stopped
    container_name: authentik-server
    networks:
      - sso
      - authentik-internals
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    ports:
      - "127.0.0.1:${COMPOSE_PORT_HTTP:-9000}:9000"
      - "127.0.0.1:${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:latest
    restart: unless-stopped
    container_name: authentik-worker
    networks:
      - authentik-internals
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis

  authentik-ldap-outpost:
    image: ghcr.io/goauthentik/ldap:latest
    container_name: authentik-ldap-outpost
    restart: unless-stopped
    networks:
      - sso
      - authentik-internals
    ports:
      - 127.0.0.1:389:3389
      - 127.0.0.1:636:6636
    environment:
      AUTHENTIK_HOST: https://auth.my.tld
      AUTHENTIK_INSECURE: "false"
      AUTHENTIK_TOKEN: OMITTED

volumes:
  database:
    driver: local
  redis:
    driver: local

• Faction is configured to use OIDC authentication with the following discovery URI: https://auth.my.tld/application/o/faction/.well-known/openid-configuration
• The authentik OIDC provider looks like this (these are not the full settings, I can provide more details if they are needed):

• The faction interface itself is exposed with nginx to a network range only accessible via a Wireguard VPN range:

server {
    listen 10.66.66.1:443 ssl http2;

    # Set vars
    set $tld "internal.my.tld";
    set $name "faction";
    server_name faction.internal.my.tld;

    # Headers
    add_header 'Strict-Transport-Security' "max-age=31536000" 'always';
    add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
    add_header X-Content-Type-Options "nosniff";

    # Block access by direct IP
    if ( $host != $server_name ) {
        return 444; #CONNECTION CLOSED WITHOUT RESPONSE
    }

    # Add robots.txt
    location = /robots.txt {
        add_header Content-Type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }
    
    # TLS/SSL Settings
    ssl_certificate /etc/letsencrypt/live/internal.my.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/internal.my.tld/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/internal.my.tld/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Setup logging
    access_log /var/log/nginx/$name-access.log stripsecrets;
    error_log /var/log/nginx/$name-error.log;

    location / {
        # Allow VPN and local clients, deny all others
        allow 10.66.66.0/24;
        allow 127.0.0.0/24;
        deny all;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://127.0.0.1:8081;
    }
}

Error

The problem I have is with the redirect after the user has successfully authenticated to Authentik. If the configuration is identical to the above, the following error is shown after the user has authenticated to Authentik successfully:

An identical error log appears in Authentik:

{"auth_via": "session", "domain_url": "auth.my.tld", "event": "The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri).", "host": "auth.my.tld", "level": "warning", "logger": "authentik.providers.oauth2.views.authorize", "pid": 80162, "request_id": "15967659903f4fd58fa74df3946fcabc", "schema_name": "public", "timestamp": "2024-11-07T14:00:06.100560"}

This is the final URL: https://auth.my.tld/application/o/authorize/?max_age=0&scope=openid+profile+email&display=popup&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Foauth%2Fcallback%3Fclient_name%3DOidcClient&state=0aff847c7c&code_challenge_method=S256&prompt=select_account&nonce=OMITTED&client_id=OMITTED&code_challenge=OMITTED

As you can see, the redirect_uri is incorrectly set to a localhost address. If I change the Redirect URIs/Origins (RegEx) setting in Authentik to the insecure wildcard, you can see that I am redirected to an invalid localhost address: http://localhost:8080/oauth/callback?client_name=OidcClient&code=OMITTED

However, the code that I am provided is valid and I can now login to Faction if I change http://localhost:8080 in the URL to the correct https://faction.internal.my.tld. Authentik's logs also show that authentication was successful:

{"auth_via": "session", "domain_url": "auth.my.tld", "event": "/application/o/authorize/?max_age=0&scope=openid+profile+email&display=popup&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Foauth%2Fcallback%3Fclient_name%3DOidcClient&state=0aff847c7c&code_challenge_method=S256&prompt=select_account&nonce=OMITTED&client_id=OMITTED&code_challenge=OMITTED", "host": "auth.my.tld", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 80162, "remote": "10.66.66.2", "request_id": "15967659903f4fd58fa74df3946fcabc", "runtime": 10, "schema_name": "public", "scheme": "https", "status": 400, "timestamp": "2024-11-07T14:00:06.103486", "user": "OMITTED", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0"}

My suspicion is that somewhere in either my Authentik or Faction settings, the FACTION_OAUTH_CALLBACK variable is not being honoured but I'm not 100% sure why or where. I'd appreciate a 2nd pair of eyes in discovering what I'm doing wrong. I'm also happy to send over more debugging info if it's needed. Thanks!

[summitt]

Thanks for sending such a detailed report! Really helpful. I'll look at it this weekend and see if I can replicate.

[summitt]

I have not been able to recreate the same issue yet but i did notice one thing thats not right. the environment variable needs to be just the domain. Faction will append the correct path: 'FACTION_OAUTH_CALLBACK=https://faction.internal.my.tld'

[M-Davies]

FACTION_OAUTH_CALLBACK

Thanks @summitt I still get the localhost redirect however. I'll try and dig into this a bit deeper when I have some more time

[M-Davies]

I've been trying to debug this. I'm fairly certain it's something in faction's code as the redirect_url value seems to be coming from Faction, not authentik. I made the faction instance public (https://faction.my.tld) and configured authentik appropriately to account for this to see if it behaves differently outside the VM. No joy though.

One thing I have noticed is there are a couple stack traces in the log immediately after starting up (docker-compose restart):

24-Nov-2024 14:46:12.107 INFO [Thread-1] org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["http-nio-8080"]
24-Nov-2024 14:46:12.108 INFO [Thread-1] org.apache.catalina.core.StandardService.stopInternal Stopping service [Catalina]
24-Nov-2024 14:46:12.143 WARNING [Thread-1] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [ROOT] appears to have started a thread named [cluster-ClusterId{value='67433c04e5e4c42cfa4e7b4b', description='null'}-faction-mongo:27017] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 [email protected]/jdk.internal.misc.Unsafe.park(Native Method)
 [email protected]/java.util.concurrent.locks.LockSupport.parkNanos(Unknown Source)
 [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(Unknown Source)
 com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.waitForSignalOrTimeout(DefaultServerMonitor.java:229)
 com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.waitForNext(DefaultServerMonitor.java:210)
 com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:157)
 [email protected]/java.lang.Thread.run(Unknown Source)
24-Nov-2024 14:46:12.144 WARNING [Thread-1] org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The web application [ROOT] appears to have started a thread named [CleanCursors-1-thread-1] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
 [email protected]/jdk.internal.misc.Unsafe.park(Native Method)
 [email protected]/java.util.concurrent.locks.LockSupport.parkNanos(Unknown Source)
 [email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(Unknown Source)
 [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(Unknown Source)
 [email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(Unknown Source)
 [email protected]/java.util.concurrent.ThreadPoolExecutor.getTask(Unknown Source)
 [email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
 [email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
 [email protected]/java.lang.Thread.run(Unknown Source)
24-Nov-2024 14:46:12.149 INFO [Thread-1] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8080"]
24-Nov-2024 14:46:12.160 INFO [Thread-1] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8080"]
NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
24-Nov-2024 14:46:14.095 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.96
24-Nov-2024 14:46:14.097 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Oct 3 2024 19:44:30 UTC
24-Nov-2024 14:46:14.097 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.96.0
24-Nov-2024 14:46:14.097 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
24-Nov-2024 14:46:14.097 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            5.15.0-125-generic
24-Nov-2024 14:46:14.097 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
24-Nov-2024 14:46:14.097 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /opt/java/openjdk
24-Nov-2024 14:46:14.097 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.25+9
24-Nov-2024 14:46:14.097 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Eclipse Adoptium
24-Nov-2024 14:46:14.097 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
24-Nov-2024 14:46:14.098 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
24-Nov-2024 14:46:14.104 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
24-Nov-2024 14:46:14.104 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
24-Nov-2024 14:46:14.104 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
24-Nov-2024 14:46:14.104 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
24-Nov-2024 14:46:14.104 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
24-Nov-2024 14:46:14.104 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
24-Nov-2024 14:46:14.104 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
24-Nov-2024 14:46:14.105 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
24-Nov-2024 14:46:14.105 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
24-Nov-2024 14:46:14.105 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
24-Nov-2024 14:46:14.105 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
24-Nov-2024 14:46:14.105 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
24-Nov-2024 14:46:14.105 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
24-Nov-2024 14:46:14.105 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
24-Nov-2024 14:46:14.108 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.3.1] using APR version [1.7.2].
24-Nov-2024 14:46:14.108 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
24-Nov-2024 14:46:14.108 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
24-Nov-2024 14:46:14.110 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.13 30 Jan 2024]
24-Nov-2024 14:46:14.303 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
24-Nov-2024 14:46:14.318 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [350] milliseconds
24-Nov-2024 14:46:14.351 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
24-Nov-2024 14:46:14.351 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.96]
24-Nov-2024 14:46:14.362 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/usr/local/tomcat/webapps/ROOT.war]
24-Nov-2024 14:46:17.256 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
[ERROR] 2024-11-24 14:46:17.995 [main] DefaultClassFinder - Unable to read class [com.fuse.actions.Cvss]
java.lang.IllegalArgumentException: null
        at org.objectweb.asm.ClassReader.<init>(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.objectweb.asm.ClassReader.<init>(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.objectweb.asm.ClassReader.<init>(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:461) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder.access$200(DefaultClassFinder.java:52) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder$InfoBuildingVisitor.extractSuperInterfaces(DefaultClassFinder.java:514) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder$InfoBuildingVisitor.visit(DefaultClassFinder.java:501) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.objectweb.asm.ClassReader.accept(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.objectweb.asm.ClassReader.accept(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:462) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder.access$200(DefaultClassFinder.java:52) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder$InfoBuildingVisitor.extractSuperInterfaces(DefaultClassFinder.java:514) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder$InfoBuildingVisitor.visit(DefaultClassFinder.java:501) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.objectweb.asm.ClassReader.accept(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.objectweb.asm.ClassReader.accept(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:462) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder.access$200(DefaultClassFinder.java:52) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder$InfoBuildingVisitor.extractSuperInterfaces(DefaultClassFinder.java:514) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder$InfoBuildingVisitor.visit(DefaultClassFinder.java:501) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.objectweb.asm.ClassReader.accept(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.objectweb.asm.ClassReader.accept(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:462) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder.<init>(DefaultClassFinder.java:93) [struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildClassFinder(PackageBasedActionConfigBuilder.java:395) [struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.PackageBasedActionConfigBuilder.findActions(PackageBasedActionConfigBuilder.java:377) [struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildActionConfigs(PackageBasedActionConfigBuilder.java:333) [struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.ClasspathPackageProvider.loadPackages(ClasspathPackageProvider.java:52) [struts2-convention-plugin-2.5.20.jar:2.5.20]
        at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:206) [struts2-core-2.5.33.jar:2.5.33]
        at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:66) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.struts2.dispatcher.Dispatcher.getContainer(Dispatcher.java:970) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:463) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:496) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.struts2.dispatcher.InitOperations.initDispatcher(InitOperations.java:73) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.init(StrutsPrepareAndExecuteFilter.java:61) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:244) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:226) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:97) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3854) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4472) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:599) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:571) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:603) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1014) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1866) [catalina.jar:9.0.96]
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) [?:?]
        at java.base/java.util.concurrent.FutureTask.run(Unknown Source) [?:?]
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75) [tomcat-util.jar:9.0.96]
        at java.base/java.util.concurrent.AbstractExecutorService.submit(Unknown Source) [?:?]
        at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:816) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:468) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1584) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:312) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:109) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:385) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:332) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:776) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:721) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1203) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1193) [catalina.jar:9.0.96]
        at java.base/java.util.concurrent.FutureTask.run(Unknown Source) [?:?]
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75) [tomcat-util.jar:9.0.96]
        at java.base/java.util.concurrent.AbstractExecutorService.submit(Unknown Source) [?:?]
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:749) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:211) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:415) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:874) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.Catalina.start(Catalina.java:735) [catalina.jar:9.0.96]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at java.base/java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345) [bootstrap.jar:9.0.96]
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473) [bootstrap.jar:9.0.96]
[ERROR] 2024-11-24 14:46:18.034 [main] DefaultClassFinder - Unable to read class [com.fuse.actions.assessment.TrackChanges$1]
java.lang.IllegalArgumentException: null
        at org.objectweb.asm.ClassReader.<init>(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.objectweb.asm.ClassReader.<init>(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.objectweb.asm.ClassReader.<init>(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:461) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder.access$200(DefaultClassFinder.java:52) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder$InfoBuildingVisitor.extractSuperInterfaces(DefaultClassFinder.java:514) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder$InfoBuildingVisitor.visit(DefaultClassFinder.java:501) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.objectweb.asm.ClassReader.accept(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.objectweb.asm.ClassReader.accept(Unknown Source) ~[asm-5.2.jar:5.2]
        at org.apache.struts2.convention.DefaultClassFinder.readClassDef(DefaultClassFinder.java:462) ~[struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.DefaultClassFinder.<init>(DefaultClassFinder.java:93) [struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildClassFinder(PackageBasedActionConfigBuilder.java:395) [struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.PackageBasedActionConfigBuilder.findActions(PackageBasedActionConfigBuilder.java:377) [struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildActionConfigs(PackageBasedActionConfigBuilder.java:333) [struts2-convention-plugin-2.5.20.jar:2.5.20]
        at org.apache.struts2.convention.ClasspathPackageProvider.loadPackages(ClasspathPackageProvider.java:52) [struts2-convention-plugin-2.5.20.jar:2.5.20]
        at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:206) [struts2-core-2.5.33.jar:2.5.33]
        at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:66) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.struts2.dispatcher.Dispatcher.getContainer(Dispatcher.java:970) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:463) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:496) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.struts2.dispatcher.InitOperations.initDispatcher(InitOperations.java:73) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.init(StrutsPrepareAndExecuteFilter.java:61) [struts2-core-2.5.33.jar:2.5.33]
        at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:244) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:226) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:97) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3854) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4472) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:599) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:571) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:603) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1014) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1866) [catalina.jar:9.0.96]
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) [?:?]
        at java.base/java.util.concurrent.FutureTask.run(Unknown Source) [?:?]
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75) [tomcat-util.jar:9.0.96]
        at java.base/java.util.concurrent.AbstractExecutorService.submit(Unknown Source) [?:?]
        at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:816) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:468) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1584) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:312) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:109) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:385) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:332) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:776) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:721) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1203) [catalina.jar:9.0.96]
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1193) [catalina.jar:9.0.96]
        at java.base/java.util.concurrent.FutureTask.run(Unknown Source) [?:?]
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75) [tomcat-util.jar:9.0.96]
        at java.base/java.util.concurrent.AbstractExecutorService.submit(Unknown Source) [?:?]
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:749) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:211) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:415) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) [catalina.jar:9.0.96]
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:874) [catalina.jar:9.0.96]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) [catalina.jar:9.0.96]
        at org.apache.catalina.startup.Catalina.start(Catalina.java:735) [catalina.jar:9.0.96]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
        at java.base/java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345) [bootstrap.jar:9.0.96]
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473) [bootstrap.jar:9.0.96]
24-Nov-2024 14:46:21.034 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/usr/local/tomcat/webapps/ROOT.war] has finished in [6,672] ms
24-Nov-2024 14:46:21.037 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
24-Nov-2024 14:46:21.043 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [6725] milliseconds

Is there a way to get verbose logging from Faction that spits out all the queries it makes?

[summitt]

Those stack traces are actually normal. It's related to the struts-annotation-plugin. We are working to mitigate that but it actually does not affect the application so it's been a low priority.

In authentik have you tried setting the redirect URI to https://faction.my.tld/oauth/*.

I have not had the time to set up Authentik and a similar deployment as you. I can confirm all these ENVs work correctly with PING Identity, AUTH0, and GOOGLE OIDC. We have this working in production on several customer sites with our hosted versions as well.

Sorry, this is problematic. I'll see if we can add more logging to the OIDC comms.

[M-Davies]

In authentik have you tried setting the redirect URI to https://faction.my.tld/oauth/*.

I still get the localhost:8080 redirect URL with that. Some extra debug logging would be useful, if nothing else to confirm that it's Authentik that's the issue here and not faction

[M-Davies]

Well I found the solution and it's incredibly stupid of me and docker-compose.

Surrounding the environment variables in the docker file in single quotes doesn't seem to initilise them. If I remove them, the redirect_url is now correct as it's no longer using the default localhost:8080:

BAD

    environment:
        - 'FACTION_REPORT_STORAGE=local'
        - 'FACTION_MONGO_HOST=faction-mongo'
        - 'FACTION_MONGO_DATABASE=faction'
        - 'FACTION_MONGO_USER=OMITTED'
        - 'FACTION_MONGO_PASSWORD=OMITTED'
        - 'FACTION_SECRET_KEY=OMITTED'
        - 'FACTION_OAUTH_CALLBACK=https://faction.internal.my.tld'
        - 'FACTION_APPSTORE_ENABLED=true'

GOOD

    environment:
        - FACTION_REPORT_STORAGE=local
        - FACTION_MONGO_HOST=faction-mongo
        - FACTION_MONGO_DATABASE=faction
        - FACTION_MONGO_USER=OMITTED
        - FACTION_MONGO_PASSWORD=OMITTED
        - FACTION_SECRET_KEY=OMITTED
        - FACTION_OAUTH_CALLBACK=https://faction.internal.my.tld
        - FACTION_APPSTORE_ENABLED=true

Although I do get redirected to a page with no content-type however, so it's just plain HTML:

Albeit that's not a massive issue, it's likely something to do with my nginx configuration

[summitt]

Oh! That last issue should be fixed in the most recent version. If it's not it's because I forgot to check it in.

Glad you got the other issues working in docker-compose.