What is the name of the domain?
What is the issue you’re encountering?
OIDC via Authentik stops working with non-SERVICE_AUTH access policies
What are the steps to reproduce the issue?
I successfully set up a CF tunnel to my VPS where nginx is configured as a reverse proxy to forward traffic to several self-hosted web applications (each on their own subdomain). I was able to secure my web apps (excluding Authentik) using an email authorization step and geolocation restrictions. All of my web apps are configured to use Authentik (OIDC) as an SSO. However, if I add the same access policy to Authentik (auth.example.com), logging in to any of these web apps no longer works, throwing some arbitrary “failed to login” or “something went wrong” error. My intention is to not directly expose Authentik to the public internet but hide it behind some other type of authentication (preferably email). The only method of restricting access that worked for me was using SERVICE_AUTH in combination with IP allowlisting. However, I don’t want to use IP allowlisting to begin with. I was also experimenting with WARP, but SERVICE_AUTH doesn’t support the WARP Gateway restriction.
Is this setup not possible?
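A diagnostic that an editor would want next to this question, added here as an example and not part of the original post or of Authentik or Cloudflare. An OIDC login has two legs: the browser redirect to the authorization endpoint, and a server-to-server fetch of the discovery document plus a POST to the token endpoint made by the web app itself. That second leg carries no Cloudflare Access session cookie, so an Access policy on the auth hostname answers it with a login redirect instead of JSON. The probe below fetches the discovery document without following redirects and classifies what came back; it optionally sends the `CF-Access-Client-Id` / `CF-Access-Client-Secret` headers that a SERVICE_AUTH policy accepts. The issuer URL `https://auth.example.com/application/o/<slug>/` (Authentik's per-provider layout) and the Access login host `<team>.cloudflareaccess.com` are assumptions; the `fetcher` parameter exists so the logic can be exercised with constructed responses.

```python
"""
Probe whether an OIDC issuer's discovery endpoint answers with JSON or is
being intercepted by a Cloudflare Access policy. Added example, not code
from the original post. Assumptions: the issuer path follows Authentik's
/application/o/<slug>/ layout and Access login redirects point at a
*.cloudflareaccess.com host.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Header names a Cloudflare Access service token (SERVICE_AUTH policy) is sent in.
CF_ID_HEADER = "CF-Access-Client-Id"
CF_SECRET_HEADER = "CF-Access-Client-Secret"

Response = Tuple[int, Dict[str, str], bytes]
Fetcher = Callable[[str, Dict[str, str]], Response]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return 3xx responses to the caller instead of following them, so an
    Access login redirect stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, headers: Dict[str, str]) -> Response:
    """Real HTTP fetch: (status, lowercased headers, body), redirects not followed."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:  # raised for 3xx (blocked redirect), 4xx, 5xx
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def classify(status: int, headers: Dict[str, str], body: bytes) -> str:
    """Label a response to /.well-known/openid-configuration.

    access-intercepted : redirect to the Cloudflare Access login page
    oidc-ok            : JSON discovery document with issuer and token_endpoint
    denied             : 401/403 (e.g. Access rejecting a bad service token)
    malformed          : 200 but not a usable discovery document
    unexpected         : anything else
    """
    location = headers.get("location", "")
    if status in (301, 302, 303, 307, 308) and "cloudflareaccess.com" in location:
        return "access-intercepted"
    if status == 200 and "json" in headers.get("content-type", ""):
        try:
            doc = json.loads(body)
        except ValueError:
            return "malformed"
        if isinstance(doc, dict) and "issuer" in doc and "token_endpoint" in doc:
            return "oidc-ok"
        return "malformed"
    if status in (401, 403):
        return "denied"
    return "unexpected"


def probe(issuer: str,
          client_id: Optional[str] = None,
          client_secret: Optional[str] = None,
          fetcher: Fetcher = fetch) -> str:
    """Fetch the issuer's discovery document the way a relying party's backend
    would (no browser cookies) and classify the answer. Service-token headers
    are attached only when both halves are supplied."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    headers = {"Accept": "application/json"}
    if client_id and client_secret:
        headers[CF_ID_HEADER] = client_id
        headers[CF_SECRET_HEADER] = client_secret
    return classify(*fetcher(url, headers))


if __name__ == "__main__":
    # usage: python probe.py https://auth.example.com/application/o/<slug>/ [client-id client-secret]
    args = sys.argv[1:]
    if not args:
        sys.exit("usage: probe.py ISSUER_URL [CF_CLIENT_ID CF_CLIENT_SECRET]")
    print(probe(args[0], *(args[1:3] if len(args) >= 3 else ())))
```

Run it once without a service token: `access-intercepted` means the backchannel calls from your apps are hitting the Access login page, which is the symptom behind a generic "something went wrong" from the relying party. Run it again with the service token to confirm a SERVICE_AUTH policy lets the same request through.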