[GH-ISSUE #37] Question regarding Traefik #8

Closed
opened 2026-02-26 12:16:53 +03:00 by kerem · 10 comments

Originally created by @arcoast on GitHub (Dec 7, 2025).
Original GitHub issue: https://github.com/asalimonov/authelia-admin/issues/37

I've been using authelia for years and have it working with Traefik, but struggling with the routing with authelia-admin.

My Authelia config is as follows, running on a dedicated subdomain

```yaml
services:
    authelia:
        image: ghcr.io/authelia/authelia:4.39
        container_name: authelia
        command:
            - "authelia"
            - "--config=/deploy/configuration.server.yml"
            - "--config=/deploy/configuration.ldap.yml"
            - "--config=/deploy/configuration.acl.yml"
            - "--config=/deploy/configuration.identity.providers.yml"
            - "--config=/deploy/configuration.oidc.clients.yml"
        networks:
            - authelia
            - ldap
            - traefik
#        ports:
#            - 9091:9091
        environment:
            - TZ=${TZ}
            # Authelia Templating
            - X_AUTHELIA_CONFIG_FILTERS=${X_AUTHELIA_CONFIG_FILTERS}
            # Extras For Templating
            - DOMAIN=domain.com
            - X_AUTHELIA_SMTP_ADDRESS=${X_AUTHELIA_SMTP_ADDRESS}
            - X_AUTHELIA_SMTP_USERNAME=${X_AUTHELIA_SMTP_USERNAME}
            - X_AUTHELIA_EMAIL=${X_AUTHELIA_EMAIL}
            - X_AUTHELIA_SITE_NAME=${X_AUTHELIA_SITE_NAME}
            - X_AUTHELIA_DUO_HOSTNAME=${X_AUTHELIA_DUO_HOSTNAME}
            - X_AUTHELIA_LDAP_DOMAIN=${X_AUTHELIA_LDAP_DOMAIN}
        volumes:
            - ${DEPLOY}/authelia/authelia:/deploy # configuration files
            - ${CONFIG}/authelia/authelia:/config # sqlite database location
        restart: unless-stopped
        labels:
            - "traefik.enable=true"
            - "traefik.docker.network=traefik"
            - "traefik.http.services.authelia.loadbalancer.server.port=${APPLICATION_PORT}"
            - "traefik.http.routers.authelia.service=authelia"
            - "traefik.http.routers.authelia.entrypoints=websecure"
            # - "traefik.http.routers.authelia.rule=Host(`authelia.domain.com`)"
            - "traefik.http.routers.authelia.rule=Host(`authelia.domain.com`) && !PathPrefix(`/auth-admin/`)"
            - "traefik.http.routers.authelia.middlewares=authelia@file, securityHeaders@file"
```

My authelia-admin configuration is done using environment variables

```yaml
    authelia-admin:
        image: ghcr.io/asalimonov/authelia-admin:latest
        container_name: authelia-admin
        networks:
            - authelia
            - ldap
            - traefik
        ports:
            - 9093:9093
        environment:
            - TZ=${TZ}
            - PORT=9093
            - HOST=0.0.0.0
            - TRUSTED_ORIGINS=https://authelia.domain.com
            # - NODE_TLS_REJECT_UNAUTHORIZED=0
            - AAD_AUTHELIA_DOMAIN=authelia.domain.com
            - AAD_AUTHELIA_COOKIE_NAME=authelia_session
            - AAD_AUTHELIA_MIN_AUTH_LEVEL=1
            - AAD_AUTHELIA_ALLOWED_USERS=
            - AAD_DIRECTORY_TYPE=lldap-graphql
            - AAD_DIRECTORY_LLDAP_GRAPHQL_ENDPOINT=http://lldap:17170/api/graphql
            - AAD_DIRECTORY_LLDAP_GRAPHQL_USER=admin
            - AAD_DIRECTORY_LLDAP_GRAPHQL_PASSWORD=LDAPPASSWORD
            - AAD_DIRECTORY_LLDAP_GRAPHQL_LDAP_HOST=lldap
            - AAD_DIRECTORY_LLDAP_GRAPHQL_LDAP_PORT=389
            # no quotes around the value: in the list form of `environment`, Compose
            # keeps surrounding quotes as part of the value, so "dc=domain,dc=com"
            # would be passed with the literal double quotes included
            - AAD_DIRECTORY_LLDAP_GRAPHQL_LDAP_BASE_DN=dc=domain,dc=com
        volumes:
            # - ${CONFIG}/authelia/authelia-admin/config.yml:/opt/authelia-admin/config.yml:ro
            - ${DEPLOY}/authelia/authelia:/deploy
            - ${CONFIG}/authelia/authelia:/config
            - ${CONFIG}/authelia/authelia-admin/authelia:/data
        restart: "no" # quoted: a bare `no` is parsed as the YAML boolean false
        depends_on:
            - authelia
        healthcheck:
            test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9093/"]
            interval: 30s
            timeout: 10s
            retries: 3
        labels:
            - "traefik.enable=true"
            - "traefik.docker.network=traefik"
            - "traefik.http.services.authelia-admin.loadbalancer.server.port=9093"
            - "traefik.http.routers.authelia-admin.service=authelia-admin"
            - "traefik.http.routers.authelia-admin.entrypoints=websecure"
            - "traefik.http.routers.authelia-admin.rule=Host(`authelia.domain.com`) && PathPrefix(`/auth-admin/`)"
            - "traefik.http.routers.authelia-admin.middlewares=authelia@file, securityHeaders@file"
```

If I go to authelia.domain.com I can successfully use Authelia, however trying to browse to https://authelia.domain.com/auth-admin results in a 500 error code and an internal server error.

Looking in the browser logs

Image

Docker logs for authelia-admin are fine

```text
dtail authelia-admin
2025-12-07T11:06:13.277836359Z Listening on http://0.0.0.0:9093
```

I can browse to http://SERVER_IP:9093/auth-admin and see the following page

Image

The Authelia link points to http://SERVER_IP:9093 and the Authelia-Admin link points to http://SERVER_IP:9093/auth-admin

I understand this may be out of scope for support as it's almost certainly a Traefik issue, but I did notice that I think you're using Traefik yourself based on the compose file here: https://github.com/asalimonov/authelia-admin/blob/main/docker-compose.yml

I did wonder if it might be a CORS issue, however I'm using the same Traefik routing with PathPrefix in another stack (running /.well-known/matrix/) on my root domain to facilitate OIDC in my Synapse server.

Would be very grateful for any advice, help or insights you might be able to offer.

One other thought I had, is that as you can see I've split my Authelia config file into multiple files to help with readability/editing, and I wondered if that might impact things.

kerem closed this issue 2026-02-26 12:16:53 +03:00

@asalimonov commented on GitHub (Dec 7, 2025):

@arcoast ,

Traefik rules (labels) look OK at first sight.

My hypotheses:

  1. Authelia-Admin has a hardcoded HTTPS URL, const authResponse = await fetch(`https://${authelia.domain}/api/state`, { ..., so I would check DNS resolution from this docker network, certificate verification in case of a self-signed certificate for authelia.domain.com, and network routes in case a VPN is enabled on the host running this docker-compose.
  2. I would recommend using priorities (https://doc.traefik.io/traefik/reference/routing-configuration/http/routing/rules-and-priority/#example) instead of a `!` (not) statement in router rules; the authelia-admin rule Host(`authelia.domain.com`) && PathPrefix(`/auth-admin`) should have a higher priority than Host(`authelia.domain.com`).
  3. Add the labels - "traefik.http.services.authelia.loadBalancer.passHostHeader=true" and - "traefik.http.services.authelia-admin.loadBalancer.passHostHeader=true".
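
The routing point in hypothesis 2 is easier to see with a small model of how Traefik picks a router. The following is an added example, not code from Traefik, from the authelia-admin project or from either participant. It assumes two documented Traefik behaviours: PathPrefix is a plain string-prefix match on the request path, and a router with no explicit priority gets a default priority equal to the length of its rule string. The router sets are the labels posted in this issue (before and after the priority suggestion); the request paths are constructed.

```javascript
// Added example: a small model of Traefik router selection (not Traefik's code
// and not part of the authelia-admin project). Supported rule subset:
// Host(`...`), PathPrefix(`...`), `!` negation and `&&` conjunction.

// Turn a rule string into a list of predicates over a request { host, path }.
function parseRule(rule) {
  return rule.split('&&').map((rawTerm) => {
    let term = rawTerm.trim();
    const negated = term.startsWith('!');
    if (negated) term = term.slice(1).trim();
    const m = /^(Host|PathPrefix)\(`([^`]+)`\)$/.exec(term);
    if (!m) throw new Error(`unsupported rule term: ${rawTerm.trim()}`);
    const [, matcher, arg] = m;
    const test = matcher === 'Host'
      ? (req) => req.host.toLowerCase() === arg.toLowerCase()
      // Traefik's PathPrefix is a plain string prefix: `/auth-admin/` does not
      // match the path `/auth-admin`, while `/auth-admin` also matches `/auth-adminx`.
      : (req) => req.path.startsWith(arg);
    return negated ? (req) => !test(req) : test;
  });
}

// Traefik's default priority is the rule length; an explicit priority overrides it.
function effectivePriority(router) {
  return router.priority !== undefined ? router.priority : router.rule.length;
}

// Name of the router Traefik would pick for the request, or null if none matches.
function selectRouter(routers, req) {
  const matches = routers.filter((r) => parseRule(r.rule).every((p) => p(req)));
  if (matches.length === 0) return null;
  matches.sort((a, b) => effectivePriority(b) - effectivePriority(a));
  return matches[0].name;
}

// Labels as first posted in the issue: negation and a trailing slash on the prefix.
const originalRouters = [
  { name: 'authelia', rule: 'Host(`authelia.domain.com`) && !PathPrefix(`/auth-admin/`)' },
  { name: 'authelia-admin', rule: 'Host(`authelia.domain.com`) && PathPrefix(`/auth-admin/`)' },
];

// Labels after the suggestion: no negation, explicit priorities, no trailing slash.
const prioritizedRouters = [
  { name: 'authelia', rule: 'Host(`authelia.domain.com`)', priority: 1 },
  { name: 'authelia-admin', rule: 'Host(`authelia.domain.com`) && PathPrefix(`/auth-admin`)', priority: 2 },
];

// The same two rules with no explicit priority: rule length alone orders them.
const implicitRouters = prioritizedRouters.map(({ name, rule }) => ({ name, rule }));

function routingDemo() {
  const req = (path, host = 'authelia.domain.com') => ({ host, path });
  return {
    originalNoSlash: selectRouter(originalRouters, req('/auth-admin')),        // 'authelia'
    originalWithSlash: selectRouter(originalRouters, req('/auth-admin/')),     // 'authelia-admin'
    prioritizedNoSlash: selectRouter(prioritizedRouters, req('/auth-admin')),  // 'authelia-admin'
    implicitNoSlash: selectRouter(implicitRouters, req('/auth-admin')),        // 'authelia-admin'
    prioritizedRoot: selectRouter(prioritizedRouters, req('/')),               // 'authelia'
    otherHost: selectRouter(prioritizedRouters, req('/auth-admin', 'other.domain.com')), // null
  };
}

console.log(routingDemo());
```

Under the labels as first posted, the URL the reporter typed, https://authelia.domain.com/auth-admin without a trailing slash, does not match PathPrefix(`/auth-admin/`) and is therefore sent to the authelia router, not to authelia-admin. Dropping the trailing slash, as the reporter later did, covers that path; the explicit priorities are harmless but not required for these two rules, since the longer rule already wins by default.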

@arcoast commented on GitHub (Dec 7, 2025):

Thanks for the reply.

Regarding point 1:

I'm using a FQDN with certs obtained via certbot using Traefik and can confirm DNS resolution from authelia-admin (I run my own authoritative DNS server, with split DNS so the IP address is that of my Traefik host)

```text
docker exec -it authelia-admin nslookup authelia.DOMAIN.COM
Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:

Non-authoritative answer:
Name:   authelia.DOMAIN.COM
Address: 192.168.0.1
```

I can successfully hit https://authelia.DOMAIN.COM from the authelia-admin container

```text
# docker exec -it authelia-admin curl https://authelia.DOMAIN.COM/api/state
{"status":"OK","data":{"username":"","authentication_level":0,"factor_knowledge":false}}
```

Tried adding the suggestions you made so my Authelia labels are now:

```yaml
        labels:
            - "traefik.enable=true"
            - "traefik.docker.network=traefik"
            - "traefik.http.services.authelia.loadBalancer.passHostHeader=true"
            - "traefik.http.services.authelia.loadbalancer.server.port=9091"
            - "traefik.http.routers.authelia.service=authelia"
            - "traefik.http.routers.authelia.entrypoints=websecure"
            - "traefik.http.routers.authelia.rule=Host(`authelia.domain.com`)"
            - "traefik.http.routers.authelia.priority=1"
            - "traefik.http.routers.authelia.middlewares=authelia@file, securityHeaders@file"
```

and my Authelia-Admin labels are now:

```yaml
        labels:
            - "traefik.enable=true"
            - "traefik.docker.network=traefik"
            - "traefik.http.services.authelia-admin.loadBalancer.passHostHeader=true"
            - "traefik.http.services.authelia-admin.loadbalancer.server.port=9093"
            - "traefik.http.routers.authelia-admin.service=authelia-admin"
            - "traefik.http.routers.authelia-admin.entrypoints=websecure"
            - "traefik.http.routers.authelia-admin.priority=2"
            - "traefik.http.routers.authelia-admin.rule=Host(`authelia.domain.com`) && PathPrefix(`/auth-admin`)"
            - "traefik.http.routers.authelia-admin.middlewares=authelia@file, securityHeaders@file"
```

But nothing seems to change the outcome, at a bit of a loss to know what to try from this point.


@asalimonov commented on GitHub (Dec 8, 2025):

@arcoast, try this image with the env var `-e AAD_LOGLEVEL=DEBUG` set on the docker container:

ghcr.io/asalimonov/authelia-admin:2025-12-08 or ghcr.io/asalimonov/authelia-admin:sha-9f8b445. It is version 0.1.0 with https://github.com/asalimonov/authelia-admin/pull/46 merged. Hope it will help to find the root cause.

You should see something similar to this in case of successful authentication:

```text
2025-12-08T08:37:53.774Z [INFO] [config] Configuration loaded from /opt/authelia-admin/config.yml
2025-12-08T08:37:53.787Z [DEBUG] [auth] Authelia response: Response {
  status: 200,
  statusText: 'OK',
  headers: Headers {
    'access-control-allow-credentials': 'true',
    'cache-control': 'no-store',
    'content-length': '159',
    'content-security-policy': "default-src 'none'",
    'content-type': 'application/json; charset=utf-8',
    date: 'Mon, 08 Dec 2025 08:37:53 GMT',
    'permissions-policy': 'accelerometer=(), autoplay=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), xr-spatial-tracking=(), interest-cohort=()',
    pragma: 'no-cache',
    'referrer-policy': 'strict-origin-when-cross-origin',
    vary: 'Origin',
    'x-content-type-options': 'nosniff',
    'x-dns-prefetch-control': 'off',
    'x-frame-options': 'DENY'
  },
  body: ReadableStream { locked: false, state: 'readable', supportsBYOB: true },
  bodyUsed: false,
  ok: true,
  redirected: false,
  type: 'basic',
  url: 'https://auth.localhost.test/api/state'
}
2025-12-08T08:37:53.791Z [DEBUG] [auth] Authelia response DATA: {
  status: 'OK',
  data: {
    username: 'admin',
    authentication_level: 1,
    factor_knowledge: true,
    default_redirection_url: 'https://auth.localhost.test/auth-admin'
  }
}
2025-12-08T08:37:53.791Z [INFO] [auth] Got user's details: admin 1
2025-12-08T08:37:53.792Z [DEBUG] [lldap-client] Starting token refresh
2025-12-08T08:37:53.793Z [DEBUG] [lldap-client] Authenticating to LLDAP as user: admin
2025-12-08T08:37:53.946Z [DEBUG] [lldap-client] Token refresh successful
2025-12-08T08:37:53.953Z [DEBUG] [lldap-client] Executing GraphQL query: {
  kind: 'Document',
  definitions: [
    {
      kind: 'OperationDefinition',
      operation: 'query',
      description: undefined,
      name: [Object],
      variableDefinitions: [Array],
      directives: [],
      selectionSet: [Object]
    }
  ],
  loc: Location {
    start: 0,
    end: 265,
    source: Source {
      body: '\n' +
        '  query GetUser($userId: String!) {\n' +
        '    user(userId: $userId) {\n' +
        '      id\n' +
        '      email\n' +
        '      displayName\n' +
        '      uuid\n' +
        '      creationDate\n' +
        '      groups {\n' +
        '        id\n' +
        '        displayName\n' +
        '        uuid\n' +
        '      }\n' +
        '      attributes {\n' +
        '        name\n' +
        '        value\n' +
        '      }\n' +
        '    }\n' +
        '  }\n',
      name: 'GraphQL request',
      locationOffset: [Object]
    }
  }
} { userId: 'admin' }
2025-12-08T08:37:53.979Z [DEBUG] [auth] User admin authenticated with role admin
2025-12-08T08:37:53.979Z [DEBUG] [auth] Authentication succeded: { username: 'admin', authenticationLevel: 1 }
2025-12-08T08:37:53.984Z [DEBUG] [lldap-client] Starting token refresh
2025-12-08T08:37:53.984Z [DEBUG] [lldap-client] Authenticating to LLDAP as user: admin
```

@arcoast commented on GitHub (Dec 8, 2025):

So it seems it can't find the authentication cookie.

```text
2025-12-08T12:26:46.454321048Z Listening on http://0.0.0.0:9093
2025-12-08T12:26:54.388279471Z 2025-12-08T12:26:54.388Z [INFO] [config] Configuration loaded from /opt/authelia-admin/config.yml
2025-12-08T12:26:54.388347367Z 2025-12-08T12:26:54.388Z [DEBUG] [auth] Authentication cookie was not found
```

Here's the relevant part of my authelia config

```yaml
session:
  secret: {{ secret "/deploy/secrets/SESSION_SECRET" }}
  name: authelia_session
  same_site: lax
  expiration: 1h
  inactivity: 5m
  remember_me: 1M
  cookies:
  - domain: {{ env "DOMAIN" }}
    authelia_url: 'https://authelia.{{ env "DOMAIN" }}'
    name: 'authelia_session'
    same_site: 'lax'
    inactivity: '5m'
    expiration: '1h'
    remember_me: '1d'
  redis:
    host: authelia-redis
    port: 6379
    database_index: 0
    maximum_active_connections: 8
    minimum_idle_connections: 0
```

And here's my authelia-admin config

```yaml
# Logging level (DEBUG, INFO, WARN, ERROR). Default: WARN
# Can be overridden by AAD_LOGLEVEL environment variable
logging_level: DEBUG

authelia:
  # Domain where Authelia is accessible
  domain: authelia.DOMAIN.COM
  # Name of the session cookie used by Authelia
  cookie_name: authelia_session
  # Minimum authentication level required (1=password, 2=2FA)
  min_auth_level: 2
  # Optional: List of allowed users (if not set, all authenticated users are allowed)
  # allowed_users:
  #   - admin
  #   - user2

# Directory service configuration
directory:
  # Type of directory service (currently only lldap-graphql is supported)
  type: lldap-graphql
  # Configuration for LLDAP GraphQL backend
  lldap-graphql:
    endpoint: http://lldap:17170/api/graphql
    user: admin
    password: **********
    ldap_host: lldap
    ldap_port: 389
    # LDAP base DN (required for password changes)
    ldap_base_dn: dc=DOMAIN,dc=COM
```

Inspecting the browser though the cookie is indeed present

Image

@asalimonov commented on GitHub (Dec 8, 2025):

> So it seems it can't find the authentication cookie.

Related code:

```typescript
	// Load config on first request
	const appConfig = await ensureConfigLoaded();
	const { authelia } = appConfig;

	// Check for session cookie using configured cookie name
	const authSessionCookie = event.cookies.get(authelia.cookie_name);
	event.locals.user = undefined;

	if (!authSessionCookie) {
		log.debug("Authentication cookie was not found")
		error(403, m.auth_required());
	}
```

It looks like authelia-admin doesn't get requests from the balancer with a "Cookie" header containing the key "authelia_session".
I guess some middleware filters out the header.
Or authelia-admin has a bug in parsing configs and env vars. The second assumption has low probability, but there is no schema validation and no unit tests.
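
The gate in that hook, followed through to the end, as an added example (not the authelia-admin project's code): find the configured Authelia session cookie on the incoming request, ask Authelia's /api/state who the session belongs to, then apply min_auth_level and allowed_users. The /api/state call is replaced by an injected lookup so the example runs offline; `fakeStateLookup`, its session table and the cookie headers are constructed data. Field names follow the config.yml and AAD_* variables shown earlier in the thread. The three 403 reasons are the failure modes discussed above: the cookie never reaching the app (header stripped or not sent), a cookie that Authelia does not recognise, and a session that is valid but below the required level.

```javascript
// Added example, not code from the authelia-admin project: a model of the
// session check performed by the hook quoted above, with the Authelia
// /api/state call injected so it runs offline.

// Field names follow the config.yml / AAD_* variables shown in this thread.
const adminConfig = {
  domain: 'authelia.domain.com',
  cookie_name: 'authelia_session',
  min_auth_level: 1,
  allowed_users: [], // empty list: any user meeting min_auth_level is allowed
};

// Parse a raw Cookie request header into { name: value }. Values stay opaque:
// the session id is only forwarded to Authelia, never interpreted here.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Constructed stand-in for GET https://<domain>/api/state sent with the cookie.
// For an unknown or expired session Authelia answers the same way as with no
// cookie at all (empty username, authentication_level 0, as in the curl output
// earlier in the thread), so that case has to be rejected explicitly.
const fakeSessions = {
  'sess-admin-2fa': { username: 'admin', authentication_level: 2, factor_knowledge: true },
  'sess-bob-pw': { username: 'bob', authentication_level: 1, factor_knowledge: true },
};
function fakeStateLookup(sessionCookie) {
  const data = fakeSessions[sessionCookie]
    || { username: '', authentication_level: 0, factor_knowledge: false };
  return { status: 'OK', data };
}

// Returns { status: 200, user } on success, otherwise { status: 403, reason }.
// The reason strings are what a DEBUG log needs to tell the failure modes apart.
function checkSession(cookieHeader, cfg, stateLookup) {
  const sessionCookie = parseCookieHeader(cookieHeader)[cfg.cookie_name];
  if (!sessionCookie) return { status: 403, reason: 'cookie not found' };

  const { data } = stateLookup(sessionCookie);
  if (!data.username || data.authentication_level < 1) {
    return { status: 403, reason: 'session not authenticated' };
  }
  if (data.authentication_level < cfg.min_auth_level) {
    return { status: 403, reason: 'authentication level too low' };
  }
  if (cfg.allowed_users.length > 0 && !cfg.allowed_users.includes(data.username)) {
    return { status: 403, reason: 'user not allowed' };
  }
  return {
    status: 200,
    user: { username: data.username, authenticationLevel: data.authentication_level },
  };
}

function sessionDemo() {
  const needs2fa = { ...adminConfig, min_auth_level: 2 };
  const adminOnly = { ...adminConfig, allowed_users: ['admin'] };
  return {
    noCookie: checkSession('', adminConfig, fakeStateLookup),
    otherCookiesOnly: checkSession('theme=dark; lang=en', adminConfig, fakeStateLookup),
    staleSession: checkSession('authelia_session=sess-gone', adminConfig, fakeStateLookup),
    bobLevel1: checkSession('theme=dark; authelia_session=sess-bob-pw', adminConfig, fakeStateLookup),
    bobNeeds2fa: checkSession('authelia_session=sess-bob-pw', needs2fa, fakeStateLookup),
    bobNotAllowed: checkSession('authelia_session=sess-bob-pw', adminOnly, fakeStateLookup),
    admin2fa: checkSession('authelia_session=sess-admin-2fa', needs2fa, fakeStateLookup),
  };
}

console.log(sessionDemo());
```

Two things worth checking against this model in a real deployment: the browser only sends the cookie to the app when Authelia's `session.cookies[].domain` covers the app's host (here `domain.com` covers `authelia.domain.com`), and the proxy must forward the Cookie header unchanged, or the app logs "cookie not found" even though the browser shows the cookie present.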


@arcoast commented on GitHub (Dec 8, 2025):

So running with no middleware on either authelia & authelia-admin doesn't seem to change anything.

Although, looking at it again, I only get the cookie error when I browse to `http://192.168.0.1:9093/auth-admin`

I get no errors reported in the log when I go to `https://authelia.DOMAIN.COM/auth-admin` other than a 500 and "Internal Server Error"

I'm really at a loss to know what to try now.


@asalimonov commented on GitHub (Dec 8, 2025):

> Although, looking at it again, I only get the cookie error when I browse http://192.168.0.1:9093/auth-admin

The error is obvious there, due to the lack of cookies.

> I get no errors reported in the log when I go to https://authelia.DOMAIN.COM/auth-admin other than a 500 and "Internal Server Error"

Does this error have the same page style as the one for `http://SERVER_IP:9093/auth-admin` in your screenshot?

I tried to reproduce this issue. I tested the cases of a missing config file, bad YAML format, wrong Authelia domain, and wrong cookie name with a wrong value of LOGLEVEL, and I couldn't reproduce a 500 status code without logs. Very strange error. There is only absolutely standard code adding paraglide (for i18n) to the request-processing pipeline, and after that the loading of configs.


@arcoast commented on GitHub (Dec 10, 2025):

So, I turned on debug logs in Traefik and found that whenever I tried to access `https://authelia.DOMAIN.COM/auth-admin` I was getting

```
500 Internal Server Error error="unsupported protocol scheme \"\""
```

After a bit of searching I've found that changing my Traefik labels from

```yaml
labels:
    - "traefik.enable=true"
    - "traefik.docker.network=traefik"
    - "traefik.http.services.authelia-admin.loadBalancer.passHostHeader=true"
    - "traefik.http.services.authelia-admin.loadbalancer.server.scheme=http"
    - "traefik.http.services.authelia-admin.loadbalancer.server.port=9093"
    - "traefik.http.routers.authelia-admin.service=authelia-admin"
    - "traefik.http.routers.authelia-admin.entrypoints=websecure"
    - "traefik.http.routers.authelia-admin.priority=2"
    - "traefik.http.routers.authelia-admin.rule=Host(`authelia.${DOMAIN}`) && PathPrefix(`/auth-admin`)"
    - "traefik.http.routers.authelia-admin.middlewares=authelia@file, securityHeaders@file"
```

to

```yaml
labels:
    - "traefik.enable=true"
    - "traefik.docker.network=traefik"
    - "traefik.http.services.authelia-admin.loadBalancer.passHostHeader=true"
    - "traefik.http.services.authelia-admin.loadbalancer.server.scheme=http"
    - "traefik.http.services.authelia-admin.loadbalancer.server.url=http://authelia-admin:9093"
    - "traefik.http.routers.authelia-admin.service=authelia-admin"
    - "traefik.http.routers.authelia-admin.entrypoints=websecure"
    - "traefik.http.routers.authelia-admin.priority=2"
    - "traefik.http.routers.authelia-admin.rule=Host(`authelia.${DOMAIN}`) && PathPrefix(`/auth-admin`)"
    - "traefik.http.routers.authelia-admin.middlewares=authelia@file, securityHeaders@file"
```

I have no real explanation for why the first configuration doesn't work, yet the second does, as to my eye they are both identical on a practical level?

I can now access `https://authelia.DOMAIN.COM/auth-admin` but after logging in I'm now faced with the following error:

```
2025-12-10T11:27:59.031058025Z Listening on http://0.0.0.0:9093
2025-12-10T11:28:15.815875954Z 2025-12-10T11:28:15.815Z [INFO] [config] Configuration loaded from /opt/authelia-admin/config.yml
2025-12-10T11:28:15.859636515Z 2025-12-10T11:28:15.858Z [DEBUG] [auth] Authelia response: Response {
2025-12-10T11:28:15.859657453Z   status: 200,
2025-12-10T11:28:15.859660023Z   statusText: 'OK',
2025-12-10T11:28:15.859661601Z   headers: Headers {
2025-12-10T11:28:15.859663046Z     'cache-control': 'no-store',
2025-12-10T11:28:15.859664495Z     'content-length': '162',
2025-12-10T11:28:15.859665925Z     'content-security-policy': "default-src 'none'",
2025-12-10T11:28:15.859669422Z     'content-type': 'application/json; charset=utf-8',
2025-12-10T11:28:15.859670879Z     date: 'Wed, 10 Dec 2025 11:28:15 GMT',
2025-12-10T11:28:15.859672401Z     'permissions-policy': 'accelerometer=(), autoplay=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), xr-spatial-tracking=(), interest-cohort=()',
2025-12-10T11:28:15.859674236Z     pragma: 'no-cache',
2025-12-10T11:28:15.859675612Z     'referrer-policy': 'same-origin',
2025-12-10T11:28:15.859679144Z     'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
2025-12-10T11:28:15.859680628Z     'x-content-type-options': 'nosniff',
2025-12-10T11:28:15.859682052Z     'x-dns-prefetch-control': 'off',
2025-12-10T11:28:15.859683546Z     'x-forwarded-proto': 'https',
2025-12-10T11:28:15.859684979Z     'x-frame-options': 'DENY',
2025-12-10T11:28:15.859686421Z     'x-robots-tag': 'none,noarchive,nosnippet,notranslate,noimageindex',
2025-12-10T11:28:15.859687921Z     'x-xss-protection': '1; mode=block'
2025-12-10T11:28:15.859689339Z   },
2025-12-10T11:28:15.859690700Z   body: ReadableStream { locked: false, state: 'readable', supportsBYOB: true },
2025-12-10T11:28:15.859692262Z   bodyUsed: false,
2025-12-10T11:28:15.859693649Z   ok: true,
2025-12-10T11:28:15.859695117Z   redirected: false,
2025-12-10T11:28:15.859696621Z   type: 'basic',
2025-12-10T11:28:15.859700595Z   url: 'https://authelia.DOMAIN.COM/api/state'
2025-12-10T11:28:15.859703277Z }
2025-12-10T11:28:15.861685907Z 2025-12-10T11:28:15.861Z [DEBUG] [auth] Authelia response DATA: {
2025-12-10T11:28:15.861697158Z   status: 'OK',
2025-12-10T11:28:15.861706820Z   data: {
2025-12-10T11:28:15.861708861Z     username: 'arcoast',
2025-12-10T11:28:15.861710402Z     authentication_level: 2,
2025-12-10T11:28:15.861714017Z     factor_knowledge: true,
2025-12-10T11:28:15.861717799Z     default_redirection_url: 'https://authelia.DOMAIN.COM/auth-admin'
2025-12-10T11:28:15.861719394Z   }
2025-12-10T11:28:15.861720772Z }
2025-12-10T11:28:15.861730092Z 2025-12-10T11:28:15.861Z [INFO] [auth] Got user's details: arcoast 2
2025-12-10T11:28:15.862325231Z 2025-12-10T11:28:15.862Z [DEBUG] [lldap-client] Starting token refresh
2025-12-10T11:28:15.862477474Z 2025-12-10T11:28:15.862Z [DEBUG] [lldap-client] Authenticating to LLDAP as user: admin
2025-12-10T11:28:15.932159806Z 2025-12-10T11:28:15.932Z [DEBUG] [lldap-client] Token refresh successful
2025-12-10T11:28:15.936524367Z 2025-12-10T11:28:15.935Z [DEBUG] [lldap-client] Executing GraphQL query: {
2025-12-10T11:28:15.936534951Z   kind: 'Document',
2025-12-10T11:28:15.936537157Z   definitions: [
2025-12-10T11:28:15.936538607Z     {
2025-12-10T11:28:15.936539972Z       kind: 'OperationDefinition',
2025-12-10T11:28:15.936541423Z       operation: 'query',
2025-12-10T11:28:15.936542745Z       description: undefined,
2025-12-10T11:28:15.936544093Z       name: [Object],
2025-12-10T11:28:15.936545429Z       variableDefinitions: [Array],
2025-12-10T11:28:15.936546829Z       directives: [],
2025-12-10T11:28:15.936548213Z       selectionSet: [Object]
2025-12-10T11:28:15.936549574Z     }
2025-12-10T11:28:15.936550916Z   ],
2025-12-10T11:28:15.936552386Z   loc: Location {
2025-12-10T11:28:15.936553719Z     start: 0,
2025-12-10T11:28:15.936555027Z     end: 265,
2025-12-10T11:28:15.936556323Z     source: Source {
2025-12-10T11:28:15.936557684Z       body: '\n' +
2025-12-10T11:28:15.936559106Z         '  query GetUser($userId: String!) {\n' +
2025-12-10T11:28:15.936560570Z         '    user(userId: $userId) {\n' +
2025-12-10T11:28:15.936562046Z         '      id\n' +
2025-12-10T11:28:15.936563434Z         '      email\n' +
2025-12-10T11:28:15.936564768Z         '      displayName\n' +
2025-12-10T11:28:15.936566110Z         '      uuid\n' +
2025-12-10T11:28:15.936567471Z         '      creationDate\n' +
2025-12-10T11:28:15.936568855Z         '      groups {\n' +
2025-12-10T11:28:15.936570273Z         '        id\n' +
2025-12-10T11:28:15.936571659Z         '        displayName\n' +
2025-12-10T11:28:15.936588626Z         '        uuid\n' +
2025-12-10T11:28:15.936598028Z         '      }\n' +
2025-12-10T11:28:15.936601582Z         '      attributes {\n' +
2025-12-10T11:28:15.936603321Z         '        name\n' +
2025-12-10T11:28:15.936604734Z         '        value\n' +
2025-12-10T11:28:15.936606173Z         '      }\n' +
2025-12-10T11:28:15.936607596Z         '    }\n' +
2025-12-10T11:28:15.936609023Z         '  }\n',
2025-12-10T11:28:15.936610538Z       name: 'GraphQL request',
2025-12-10T11:28:15.936611973Z       locationOffset: [Object]
2025-12-10T11:28:15.936613460Z     }
2025-12-10T11:28:15.936614851Z   }
2025-12-10T11:28:15.936616220Z } { userId: 'arcoast' }
2025-12-10T11:28:15.947465333Z 2025-12-10T11:28:15.947Z [WARN] [auth] User arcoast does not have a valid role to access this application
2025-12-10T11:28:15.947694938Z 2025-12-10T11:28:15.947Z [ERROR] [auth] Role check failed: HttpError {
2025-12-10T11:28:15.947701384Z   status: 403,
2025-12-10T11:28:15.947703275Z   body: {
2025-12-10T11:28:15.947704850Z     message: 'Access denied: You do not have permission to access this application'
2025-12-10T11:28:15.947708067Z   }
2025-12-10T11:28:15.947709436Z }
2025-12-10T11:28:15.947865862Z 2025-12-10T11:28:15.947Z [ERROR] [auth] Authentication check failed: HttpError {
2025-12-10T11:28:15.947873227Z   status: 403,
2025-12-10T11:28:15.947875186Z   body: {
2025-12-10T11:28:15.947876651Z     message: 'Access denied: You do not have permission to access this application'
2025-12-10T11:28:15.947878293Z   }
2025-12-10T11:28:15.947879683Z }
```

My authelia-admin configuration is as follows:

```yaml
# Logging level (DEBUG, INFO, WARN, ERROR). Default: WARN
# Can be overridden by AAD_LOGLEVEL environment variable
logging_level: DEBUG

authelia:
  # Domain where Authelia is accessible
  domain: authelia.DOMAIN.COM
  # Name of the session cookie used by Authelia
  cookie_name: authelia_session
  # Minimum authentication level required (1=password, 2=2FA)
  min_auth_level: 2
  # Optional: List of allowed users (if not set, all authenticated users are allowed)
  allowed_users:
    - arcoast

# Directory service configuration
directory:
  # Type of directory service (currently only lldap-graphql is supported)
  type: lldap-graphql
  # Configuration for LLDAP GraphQL backend
  lldap-graphql:
    endpoint: http://lldap:17170/api/graphql
    user: admin
    password: xxxxxxxxxx
    ldap_host: lldap
    ldap_port: 389
    # LDAP base DN (required for password changes)
    ldap_base_dn: dc=DOMAIN,dc=COM
```

@asalimonov commented on GitHub (Dec 10, 2025):

@arcoast,
I guess the second error occurs because the user is not a member of any of the following groups in LLDAP:

```
protectedGroups: [
    'lldap_admin',
    'lldap_password_manager',
    'lldap_strict_readonly',
    'authelia_user_manager',
],
```

I changed the behavior of the app when I removed read-only access for any other user from LDAP, and forgot to describe this part of the configuration. Sorry about this, I will update README.md tomorrow.
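As an added example (not authelia-admin's own code, and not posted by anyone in this thread), the following JavaScript models the access decision that the debug log above shows in two stages: first the Authelia `/api/state` payload is checked against `min_auth_level` and `allowed_users` from the config.yml quoted earlier, then the LLDAP user's group membership is checked against the four protected groups named in this comment, denying by default when none matches. The group names, config keys and the `/api/state` and GetUser field names are taken from the thread; the function names, the sample users and the assumption that the LLDAP user `id` equals the Authelia username are constructed for the example.

```javascript
// Added example, not authelia-admin's own code. It models the two-stage access
// decision visible in the thread's logs:
//   1. the Authelia /api/state payload must report a user at or above
//      authelia.min_auth_level and, if allowed_users is set, a listed user;
//   2. the LLDAP user must belong to at least one protected group, otherwise
//      the app logs "does not have a valid role" and answers 403.
// Group names, config keys and field names come from the thread; function names,
// sample users and the id == username assumption are constructed here.

// Group list quoted by the maintainer in this thread.
const PROTECTED_GROUPS = [
  "lldap_admin",
  "lldap_password_manager",
  "lldap_strict_readonly",
  "authelia_user_manager",
];

// Constructed: mirrors the `authelia:` section of the config.yml posted above.
const config = {
  authelia: {
    domain: "authelia.DOMAIN.COM",
    cookie_name: "authelia_session",
    min_auth_level: 2,
    allowed_users: ["arcoast"],
  },
};

// Stage 1: evaluate an Authelia /api/state payload (shape as in the DEBUG log).
// Every failure path returns a reason so the caller can log it before denying.
function checkAutheliaState(state, autheliaCfg) {
  if (!state || state.status !== "OK" || !state.data) {
    return { ok: false, reason: "authelia_state_invalid" };
  }
  const { username, authentication_level: level } = state.data;
  if (typeof username !== "string" || username.length === 0) {
    return { ok: false, reason: "no_username" };
  }
  if (!Number.isInteger(level) || level < autheliaCfg.min_auth_level) {
    return { ok: false, reason: "auth_level_too_low" };
  }
  // allowed_users is optional; when absent every authenticated user passes this gate.
  if (Array.isArray(autheliaCfg.allowed_users) && !autheliaCfg.allowed_users.includes(username)) {
    return { ok: false, reason: "user_not_allowed" };
  }
  return { ok: true, username, level };
}

// Stage 2: the role check. `lldapUser` follows the GetUser selection set in the log:
// { id, email, displayName, uuid, creationDate, groups: [{ id, displayName, uuid }], attributes }.
// Deny by default: no groups, or no overlap with the protected groups, is a 403.
function checkRole(lldapUser, protectedGroups = PROTECTED_GROUPS) {
  const groups = Array.isArray(lldapUser?.groups) ? lldapUser.groups : [];
  const names = groups.map((g) => g.displayName).filter((n) => typeof n === "string");
  const roles = names.filter((n) => protectedGroups.includes(n));
  if (roles.length === 0) {
    return { ok: false, status: 403, reason: "no_valid_role", groups: names };
  }
  return { ok: true, roles };
}

// Combined decision. Assumption (constructed): the LLDAP user id is the same
// string as the Authelia username, which is how the log's GetUser call is keyed.
function authorize(state, lldapUser, cfg = config) {
  const s1 = checkAutheliaState(state, cfg.authelia);
  if (!s1.ok) return { allowed: false, stage: "authelia", reason: s1.reason };
  if (!lldapUser || lldapUser.id !== s1.username) {
    return { allowed: false, stage: "directory", reason: "user_mismatch" };
  }
  const s2 = checkRole(lldapUser);
  if (!s2.ok) return { allowed: false, stage: "role", reason: s2.reason, groups: s2.groups };
  return { allowed: true, user: s1.username, roles: s2.roles };
}

// Constructed sample inputs. sampleState copies the DATA payload from the log.
const sampleState = {
  status: "OK",
  data: { username: "arcoast", authentication_level: 2, factor_knowledge: true,
          default_redirection_url: "https://authelia.DOMAIN.COM/auth-admin" },
};
// A user who is 2FA-authenticated and listed in allowed_users but in no protected
// group: this reproduces the WARN/403 seen in the log.
const userWithoutRole = {
  id: "arcoast", email: "arcoast@example.invalid", displayName: "arcoast",
  uuid: "00000000-0000-0000-0000-000000000001", creationDate: "2025-01-01T00:00:00Z",
  groups: [{ id: 3, displayName: "family", uuid: "00000000-0000-0000-0000-000000000003" }],
  attributes: [],
};
// The same user after being added to authelia_user_manager.
const userWithRole = {
  ...userWithoutRole,
  groups: [...userWithoutRole.groups,
           { id: 4, displayName: "authelia_user_manager", uuid: "00000000-0000-0000-0000-000000000004" }],
};

for (const [label, user] of [["no role", userWithoutRole], ["with role", userWithRole]]) {
  console.log(label, JSON.stringify(authorize(sampleState, user)));
}
```

Run it with `node` to see the first sample denied at the role stage and the second allowed with `authelia_user_manager` as its matched role; the point of the two-stage layout is that a valid 2FA session alone never grants access, exactly the situation the log above records.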


@asalimonov commented on GitHub (Dec 22, 2025):

@arcoast, how are you doing? Did this solve the problem?
