[GH-ISSUE #134] Issuer mismatch with authentik #67

Closed
opened 2026-02-27 15:54:55 +03:00 by kerem · 11 comments

Originally created by @ngregrichardson on GitHub (Oct 26, 2025).
Original GitHub issue: https://github.com/RayLabsHQ/gitea-mirror/issues/134

Originally assigned to: @arunavo4 on GitHub.

I am trying to set up SSO with authentik and hitting an issue. I believe it is different than #73, but please feel free to close this if it is related.

gitea-mirror properly redirects me to authentik for login, but when authentik sends me back, it gives me an "issuer mismatch" (e.g. redirected to https://gitsync.mydomain.tld/api/auth/error/error?error=invalid_provider&error_description=issuer_mismatch). My thought is that the missing trailing slash is causing this, but whenever I add the slash and save the OIDC config, it removes it again.

Here is my EIP config:

[Image: https://github.com/user-attachments/assets/1ba896ed-7806-47e7-8863-112fd4e1ee2b]

My authentik issuer url:

[Image: https://github.com/user-attachments/assets/5d81653a-1254-4edc-b103-9c24e9349324]

My authentik redirect URI config:

[Image: https://github.com/user-attachments/assets/4376b3a8-8107-4714-8b82-90c8f2a2ec20]

I don't see any server-side errors at all. Let me know if there is any more info I can share to help debug this. Thanks!

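The root cause the reporter suspects (a trailing slash being stripped from the issuer URL on save) is worth seeing in code, because the failure is invisible at the discovery step and only surfaces as `issuer_mismatch` afterwards. The following is an added example, not gitea-mirror's or better-auth's own code: a minimal OIDC issuer check that compares the configured issuer against the provider's discovery document and ID token exactly, as OpenID Connect Discovery 1.0 section 4.3 and Core section 3.1.3.7 require, next to the kind of save-time sanitiser that breaks it. The host, application slug and discovery document are constructed placeholders, not the reporter's real values.

```javascript
// Added example, not gitea-mirror's or better-auth's own code. It shows why an
// OIDC client must compare the provider's issuer byte-for-byte and how a
// "helpful" trailing-slash remover in the config form produces exactly the
// issuer_mismatch error described in this issue.
//
// OpenID Connect Discovery 1.0 (section 4.3) requires the `issuer` value in the
// discovery document to be identical to the Issuer URL the client configured,
// and OpenID Connect Core (section 3.1.3.7) requires the ID token's `iss`
// claim to exactly match it. Neither comparison normalises URLs.

// Constructed discovery document in the shape the thread describes: an
// authentik-style issuer that ends in a trailing slash. Host and slug are
// placeholders, not the reporter's real values.
const SAMPLE_DISCOVERY = {
  issuer: "https://idp.example.test/application/o/gitea-mirror/",
  authorization_endpoint: "https://idp.example.test/application/o/authorize/",
  token_endpoint: "https://idp.example.test/application/o/token/",
  jwks_uri: "https://idp.example.test/application/o/gitea-mirror/jwks/",
};

// Derive the discovery URL without modifying the issuer string that is later
// compared: ".well-known/openid-configuration" is appended to the issuer as-is.
function discoveryUrl(issuer) {
  const sep = issuer.endsWith("/") ? "" : "/";
  return `${issuer}${sep}.well-known/openid-configuration`;
}

// Exact comparison as the spec requires: no trimming, no slash normalisation,
// no case folding. Returns a structured result instead of throwing so callers
// can log the expected/actual pair, which is what makes this class of
// misconfiguration diagnosable from server logs.
function validateIssuer(configuredIssuer, discovery) {
  if (typeof discovery.issuer !== "string") {
    return { ok: false, reason: "discovery_missing_issuer" };
  }
  if (discovery.issuer !== configuredIssuer) {
    return {
      ok: false,
      reason: "issuer_mismatch",
      expected: configuredIssuer,
      got: discovery.issuer,
    };
  }
  return { ok: true };
}

// The same rule applied to a decoded ID token payload: `iss` must equal the
// configured issuer exactly (signature verification is out of scope here).
function validateIdTokenIssuer(claims, configuredIssuer) {
  return typeof claims.iss === "string" && claims.iss === configuredIssuer;
}

// The behaviour the reporter ran into: a save-time sanitiser that strips
// trailing slashes from every URL field, including the issuer.
function stripTrailingSlash(url) {
  return url.replace(/\/+$/, "");
}

// Walk through both configurations against the constructed discovery document.
function demo() {
  const entered = SAMPLE_DISCOVERY.issuer; // what the user typed
  const sanitised = stripTrailingSlash(entered); // what the form saved
  return {
    asEntered: validateIssuer(entered, SAMPLE_DISCOVERY),
    afterSanitiser: validateIssuer(sanitised, SAMPLE_DISCOVERY),
    discoveryUrlAsEntered: discoveryUrl(entered),
    discoveryUrlAfterSanitiser: discoveryUrl(sanitised),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point the demo makes is that both issuer spellings resolve to the same discovery URL, so metadata fetching succeeds either way and nothing is logged server-side; only the exact-string issuer comparison fails, which matches the symptom in the report. Logging the expected and actual issuer at the point of rejection is the cheapest way to make this diagnosable.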
kerem closed this issue 2026-02-27 15:54:55 +03:00

@arunavo4 commented on GitHub (Oct 26, 2025):

Hi @ngregrichardson, can you try this image `ghcr.io/raylabshq/gitea-mirror:pr-135` from this PR #135, which disables the trailing slash remover you suspected. Check if that helps.

@ngregrichardson commented on GitHub (Oct 26, 2025):

Hey, that does work! I appreciate the quick turnaround :D The only thing I'm wondering now (and this may be a dumb question) is how I'd link a user? I have an authentik user with the same email as the gitea mirror user, but I get a "not linked" error (e.g. /api/auth/error/error?error=account%20not%20linked)

@arunavo4 commented on GitHub (Oct 26, 2025):

@ngregrichardson Glad to hear the login works now! I just pushed an update that trusts the `email_verified` claim from your SSO provider. So as long as the Authentik user has the same email and Authentik reports it as verified, the account should auto-link; you don't need to do anything else on the Gitea Mirror side. Try signing in again with that user after confirming the email is verified in Authentik.

Use this image to test: `docker pull ghcr.io/raylabshq/gitea-mirror:12488bb`

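The auto-link rule described in the comment above (same e-mail, provider reports it verified) has a small number of conditions that all have to hold, and the order in which an OIDC callback evaluates them matters. The block below is an added example, not gitea-mirror's or better-auth's own code: a self-contained linking decision over a constructed user table, with the `(providerId, sub)` pair as the only thing that counts as an existing link, a trusted-provider allowlist, and a strict boolean check on `email_verified`. The user records, provider name and claim values are constructed placeholders.

```javascript
// Added example, not gitea-mirror's or better-auth's own code. It shows the
// decision an OIDC callback has to make before auto-linking an IdP identity to
// an existing local account by e-mail: the provider must be one the operator
// trusts, and the `email_verified` claim must be a real boolean true. Without
// that gate, anyone who can register an IdP account under someone else's
// address would be linked to that person's local account.

// Constructed local user table. Only `linkedAccounts` (providerId, accountId)
// pairs are considered an existing link; a matching e-mail alone never is.
const LOCAL_USERS = [
  { id: "u1", email: "alice@example.test", linkedAccounts: [] },
  {
    id: "u2",
    email: "bob@example.test",
    linkedAccounts: [{ providerId: "authentik", accountId: "sub-bob" }],
  },
];

const DEFAULT_OPTIONS = {
  // Providers whose e-mail verification the operator is willing to trust.
  trustedProviders: ["authentik"],
};

// Returns an action for the caller to execute plus a reason for audit logging.
// `claims` is the decoded and signature-verified ID token / userinfo payload.
function decideAccountLink(providerId, claims, users, options = DEFAULT_OPTIONS) {
  if (typeof claims.sub !== "string" || claims.sub.length === 0) {
    return { action: "reject", reason: "missing_sub" };
  }

  // 1. An identity that was linked before signs straight in, matched on the
  //    stable (provider, sub) pair, never on e-mail.
  const linked = users.find((u) =>
    u.linkedAccounts.some(
      (a) => a.providerId === providerId && a.accountId === claims.sub,
    ),
  );
  if (linked) {
    return { action: "sign_in", userId: linked.id, reason: "existing_link" };
  }

  // 2. E-mail is only usable for matching when present and normalised.
  const email =
    typeof claims.email === "string" ? claims.email.trim().toLowerCase() : "";
  if (email === "") {
    return { action: "reject", reason: "missing_email" };
  }

  const byEmail = users.find((u) => u.email.toLowerCase() === email);
  if (!byEmail) {
    // No collision with a local account: create a fresh one and link it.
    return { action: "create_and_link", reason: "new_user" };
  }

  // 3. A local account with that address exists. Auto-link only if the
  //    provider is trusted AND it asserts a boolean `email_verified: true`.
  //    The strict comparison rejects the string "true" and a missing claim.
  if (!options.trustedProviders.includes(providerId)) {
    return { action: "reject", reason: "account not linked", detail: "untrusted_provider" };
  }
  if (claims.email_verified !== true) {
    return { action: "reject", reason: "account not linked", detail: "email_not_verified" };
  }
  return { action: "link_and_sign_in", userId: byEmail.id, reason: "verified_email_match" };
}
```

The `reject` branches deliberately keep the same user-facing reason ("account not linked") that the reporter saw and put the specific cause in `detail` for the server log, so an operator can tell a missing `email_verified` claim apart from an untrusted provider without exposing which local e-mail addresses exist.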
@arunavo4 commented on GitHub (Oct 26, 2025):

Also @ngregrichardson, I would appreciate your help on these issues #122 and #73; maybe you can just add what config worked for you. As I don't really use Authentik, I don't have much idea about the exact setup.

@ngregrichardson commented on GitHub (Oct 26, 2025):

Just tried `12488bb` and am getting a new error, it seems. I still have the "unable to link account" but this time I get an actual error:

```
2025-10-26T12:49:26.084Z ERROR [Better Auth]: Unable to link account
123 |                      if (orGroup.length) clause.push(orClause);
124 |                   return clause;
125 |           }
126 |           function checkMissingFields(schema, model, values) {
127 |                   if (!schema) throw new BetterAuthError("Drizzle adapter failed to initialize. Schema not found. Please provide a schema object in the adapter options object.");
128 |                   for (const key in values) if (!schema[key]) throw new BetterAuthError(`The field "${key}" does not exist in the "${model}" schema. Please update your drizzle schema or re-generate using "npx @better-auth/cli generate".`);
                                                               ^
BetterAuthError: The field "idToken" does not exist in the "accounts" schema. Please update your drizzle schema or re-generate using "npx @better-auth/cli generate".
 cause: undefined,

      at /app/node_modules/better-auth/dist/adapters/drizzle-adapter/index.js:128:58
```

@arunavo4 commented on GitHub (Oct 26, 2025):

@ngregrichardson So when we moved to better-auth we deleted those columns from the DB; I have added them back, so that should work now.
Try this: `docker pull ghcr.io/raylabshq/gitea-mirror:574834d`

@ngregrichardson commented on GitHub (Oct 26, 2025):

🎉 works like a charm!!

@arunavo4 commented on GitHub (Oct 26, 2025):

@ngregrichardson Awesome.

@arunavo4 commented on GitHub (Oct 26, 2025):

@ngregrichardson Is it possible for you to contribute a small docker-compose file with both gitea-mirror and authentik in it, and then a small readme on how to set it up? I think that would be a great baseline for a working setup for people looking for OIDC with authentik.
You can PR on this repo in a dir just like the kube helm chart, and update the main readme to point to it. This contribution will be much appreciated.

@ngregrichardson commented on GitHub (Oct 26, 2025):

So unfortunately (as far as I'm aware, at least) authentik is mainly a "GUI configuration" type app. It has a lot of complex configs, so I don't think it'd be easily distillable into a single docker-compose.yml. I'd be happy to make a docs PR with an authentik section in the OIDC part (and I can include authentik screenshots there too?)

@arunavo4 commented on GitHub (Oct 26, 2025):

@ngregrichardson Yes, that will be awesome if you can do screenshots and detailed steps of what you did, and make a separate readme for it; then we can take the small OIDC section out of the main readme and refer to your readme. Otherwise the main readme is too long right now. I wish to clean it up; too much info.

Reference
starred/gitea-mirror#67