[GH-ISSUE #1522] Login Not Working With Authelia #1073

New issue

Closed

opened 2026-05-07 00:30:03 +02:00 by BreizhHardware · 4 comments

BreizhHardware commented 2026-05-07 00:30:03 +02:00

Owner

Copy link

Originally created by @darkpixelftw on GitHub (Dec 24, 2025).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1522

🐞 Describe the bug

When trying to login to the ntfy (https://github.com/binwiederhier/ntfy - v2.15.0) webapp, the login fails no matter what method the user was created.

I finally tracked this down to authelia, it seems authelia is interpreting the credentials being sent as an Authelia user login attempt, see logs below

Steps to replicate:
Setup ntfy docker container, connected to authelia via a traefik middleware.
Setup ntfy user via file or commands (i tried both and both had this same error)
attempt to login through the ntfy webapp: https://ntfy.example.com/login
recieve error: Login failed: Invalid username or password
Remove authelia middleware from ntfy container
Login now works

💻 Components impacted

Webapp

💡 Screenshots and/or logs

From authelia logs
{"error":"failed to validate Authorization header with basic scheme: failed to validate the credentials of user 'REDACTED' parsed from the Authorization header: authentication failed. Cause: error occurred performing bind: LDAP Result Code 49 "Invalid Credentials": ","level":"error","method":"GET","msg":"Error occurred while attempting to authenticate a request","path":"/api/authz/forward-auth","remote_ip":"REDACTED","time":"REDACTED"}
🔮 Additional context

ntfy logs are empty - presumebly because the credentials are being intercepted by authelia, which doesn't recognise it and sends a signal saying it's not correct?

This appears to be an error with how the username/password are being sent to the web app. Not seen this happen with any other service I've set up with authelia so I'm assuming this is something to do with how ntfy sends the credentials to the server from my pc using the webapp rather than some non-standard behaviour with authelia.

Is there a possibility of sending the credentials in a different way to avoid this problem? or at least adding a warning to the documentation that this occurs.

Originally created by @darkpixelftw on GitHub (Dec 24, 2025). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1522 :lady_beetle: **Describe the bug** <!-- A clear and concise description of the problem. --> When trying to login to the ntfy (https://github.com/binwiederhier/ntfy - v2.15.0) webapp, the login fails no matter what method the user was created. I finally tracked this down to authelia, it seems authelia is interpreting the credentials being sent as an Authelia user login attempt, see logs below Steps to replicate: Setup ntfy docker container, connected to authelia via a traefik middleware. Setup ntfy user via file or commands (i tried both and both had this same error) attempt to login through the ntfy webapp: https://ntfy.example.com/login recieve error: Login failed: Invalid username or password Remove authelia middleware from ntfy container Login now works :computer: **Components impacted** <!-- ntfy server, Android app, iOS app, web app --> Webapp :bulb: **Screenshots and/or logs** <!-- If applicable, add screenshots or share logs help explain your problem. To get logs from the ... - ntfy server: Enable "log-level: trace" in your server.yml file - Android app: Go to "Settings" -> "Record logs", then eventually "Copy/upload logs" - web app: Press "F12" and find the "Console" window --> From authelia logs {"error":"failed to validate Authorization header with basic scheme: failed to validate the credentials of user 'REDACTED' parsed from the Authorization header: authentication failed. Cause: error occurred performing bind: LDAP Result Code 49 \"Invalid Credentials\": ","level":"error","method":"GET","msg":"Error occurred while attempting to authenticate a request","path":"/api/authz/forward-auth","remote_ip":"REDACTED","time":"REDACTED"} :crystal_ball: **Additional context** ntfy logs are empty - presumebly because the credentials are being intercepted by authelia, which doesn't recognise it and sends a signal saying it's not correct? <!-- Add any other context about the problem here. --> This appears to be an error with how the username/password are being sent to the web app. Not seen this happen with any other service I've set up with authelia so I'm assuming this is something to do with how ntfy sends the credentials to the server from my pc using the webapp rather than some non-standard behaviour with authelia. Is there a possibility of sending the credentials in a different way to avoid this problem? or at least adding a warning to the documentation that this occurs.

BreizhHardware 2026-05-07 00:30:03 +02:00

• closed this issue
• added the
  🪲 bug
  label

BreizhHardware commented 2026-05-07 00:30:04 +02:00

Author

Owner

Copy link

@wunter8 commented on GitHub (Dec 25, 2025):

Putting an auth service (like Authelia, Authentik, etc.) in front of ntfy is not supported right now

<!-- gh-comment-id:3690774982 --> @wunter8 commented on GitHub (Dec 25, 2025): Putting an auth service (like Authelia, Authentik, etc.) in front of ntfy is not supported right now

BreizhHardware commented 2026-05-07 00:30:04 +02:00

Author

Owner

Copy link

@llaumgui commented on GitHub (Jan 9, 2026):

c.) in front of ntfy is not supported right now

It's not the concern of this feature: https://github.com/binwiederhier/ntfy/pull/812/files#diff-fb0c696bc104f613e5b601c77c2eba916dd636d5948c9b5c8e85ea92ee5b07e6R55 ?

<!-- gh-comment-id:3727736643 --> @llaumgui commented on GitHub (Jan 9, 2026): > c.) in front of ntfy is not supported right now It's not the concern of this feature: https://github.com/binwiederhier/ntfy/pull/812/files#diff-fb0c696bc104f613e5b601c77c2eba916dd636d5948c9b5c8e85ea92ee5b07e6R55 ?

BreizhHardware commented 2026-05-07 00:30:04 +02:00

Author

Owner

Copy link

@wunter8 commented on GitHub (Jan 9, 2026):

@llaumgui that is the purpose of that feature. But that hasn't been added to the project yet, and that code hasn't been worked on since 2023. So, it is not supported right now.

There's a chance it'll be supported in the future. But at least with that specific pull request, there are some outstanding questions about the architecture/design of the feature.

<!-- gh-comment-id:3728923680 --> @wunter8 commented on GitHub (Jan 9, 2026): @llaumgui that is the purpose of that feature. But that hasn't been added to the project yet, and that code hasn't been worked on since 2023. So, it is not supported _right now_. There's a chance it'll be supported in the future. But at least with that specific pull request, there are some outstanding questions about the architecture/design of the feature.

BreizhHardware commented 2026-05-07 00:30:04 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Feb 1, 2026):

This is a dup of #601 with a WIP PR in #1579

<!-- gh-comment-id:3831286246 --> @binwiederhier commented on GitHub (Feb 1, 2026): This is a dup of #601 with a WIP PR in #1579

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#1073

No description provided.