[GH-ISSUE #51] Getting 502 after login via OpenID (Authentik) #22

Closed
opened 2026-05-07 00:17:46 +02:00 by BreizhHardware · 14 comments

Originally created by @tomcatcw1980 on GitHub (Nov 1, 2024).
Original GitHub issue: https://github.com/glenndehaan/unifi-voucher-site/issues/51

Originally assigned to: @glenndehaan on GitHub.

The question

Hi Glenn,

Still loving your app. As I see, you implemented OpenID. Thanks for that.

I installed the feature immediately, but after successfully logging in via Authentik I get a 502 Bad Gateway Error. When I press F5 again to refresh the web page, it shows me the following error:

BadRequestError: invalid_grant (The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client) at ResponseContext.callback (/app/node_modules/express-openid-connect/lib/context.js:366:15) at process.processTicksAndRejections (node:internal/process/task_queues:95:5) Go back home

Do you have an idea of what's going wrong? I set everything as mentioned in your docs.

Greetings
Christian

BreizhHardware closed this issue and added the question label (2026-05-07 00:17:46 +02:00)

@glenndehaan commented on GitHub (Nov 1, 2024):

Hi @tomcatcw1980,

Could you post the versions of both Authentik and UniFi Voucher Site? The thing is, there were a lot of breaking changes and I want to make sure I can replicate your issue locally.

Kind regards,
Glenn


@tomcatcw1980 commented on GitHub (Nov 1, 2024):

Hi Glenn,

Voucher Site latest: 4.3.3
Authentik: 2024.8.3

Greetings


@glenndehaan commented on GitHub (Nov 1, 2024):

Hi @tomcatcw1980,

I have some bad news. I just set up a local instance with this version and followed the guide and it seems to be working fine. So I'm unsure where the problem may be. Can you verify the steps and make sure the client id and secret are correct?


@glenndehaan commented on GitHub (Jan 4, 2025):

Hi @tomcatcw1980,

Were you able to verify the above?


@tomcatcw1980 commented on GitHub (Jan 5, 2025):

Hi Glenn,

Sorry, still getting the same error "bad gateway". Checked everything multiple times but no luck.

Greetings.

Error message from voucher app:

BadRequestError: checks.state argument is missing at ResponseContext.callback (/app/node_modules/express-openid-connect/lib/context.js:366:15)


@glenndehaan commented on GitHub (Jan 5, 2025):

That sounds very strange. I have also never seen that error before, almost leads me to believe the request is missing the entire state back from Authentik. If you want and have time we could jump on a call to see if we can figure this out?


@YouKyi commented on GitHub (Jan 6, 2025):

Hey!
I have the same issue :/
EDIT:
I recreated the Docker stack and the Authentik configuration from scratch -> always 502, and when refreshed I have this error:

```
"BadRequestError: invalid_grant (The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client)
    at ResponseContext.callback (/app/node_modules/express-openid-connect/lib/context.js:366:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"
```

Maybe because I use an NPM reverse proxy?


@glenndehaan commented on GitHub (Jan 7, 2025):

Hi @YouKyi,

So I tried setting it up again from scratch to test.
But I don't get the error you see.

To recap what I did, I followed these steps to get Authentik going locally: https://docs.goauthentik.io/docs/install-config/install/docker-compose

I then proceeded following my own guide: https://github.com/glenndehaan/unifi-voucher-site/blob/master/.docs/oidc/authentik/README.md

I run it locally without a proxy, so my network looks like this:

```text
Authentik -> http://localhost:9000
UniFi Voucher Site -> http://localhost:3000
```

I then configured UniFi Voucher Site with the following configuration:

```json
{
  "auth_oidc_enabled": true,
  "auth_oidc_issuer_base_url": "http://localhost:9000/application/o/unifi-voucher/.well-known/openid-configuration",
  "auth_oidc_app_base_url": "http://localhost:3000",
  "auth_oidc_client_id": "Qtz039t1dGPL8ZZbtC1HABSkSg2HQAw9VDh0fZc7",
  "auth_oidc_client_secret": "p0HiADHTENIC2ABE9AguR6vlMOhx1zAaqRJzrl2n64Xd9RSz9hgk2nXzGSVfDhkdGwmYmiyapiNJbrOgf98stqWYL5dRpa0snhxtndfBG5YGoL22LZnxejU2Zyaj59Zf",
  "auth_disable": false
}
```

I then restarted UniFi Voucher Site and here is what the flow looks like when trying to log in:

[image] [image] [image]

The error you get could be a couple of things:

  • The proxy is in some way stripping the context of the request from Authentik back to UniFi Voucher Site.
  • Misconfiguration within Authentik (maybe a deviation from the guide I wrote, or custom settings within Authentik other than stock)
  • Misconfiguration on the UniFi Voucher Site (incorrect auth_oidc_app_base_url or client id/secret)

I also don't understand where your flow now stops. Is it on first page load? Or is it when you click sign in with OpenID Connect?
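
The failure modes named in this thread, modeled as an added example (not code from the thread, the project, or express-openid-connect): replaying a callback URL yields `invalid_grant` because an authorization code is single-use, as does a redirect URI that differs from the one in the authorization request, while a callback that arrives without the stored state yields the state error. Assumptions: the hostname, client id, state value and `/callback` path are constructed, and mapping `checks.state argument is missing` to a missing state cookie is this model's reading of that message.

```javascript
// Toy model of the authorization-code callback. Illustration only: not the
// code of express-openid-connect, UniFi Voucher Site or Authentik.
class ToyProvider {
  constructor() { this.codes = new Map(); this.counter = 0; }
  // Authorization endpoint: bind a code to the client and redirect URI.
  authorize(clientId, redirectUri) {
    const code = `code-${++this.counter}`; // constructed; real codes are random
    this.codes.set(code, { clientId, redirectUri });
    return code;
  }
  // Token endpoint: a code is redeemable once, by the same client, with the
  // same redirect URI as in the authorization request (RFC 6749, 4.1.2/4.1.3).
  token(code, clientId, redirectUri) {
    const grant = this.codes.get(code);
    this.codes.delete(code);
    if (!grant || grant.clientId !== clientId || grant.redirectUri !== redirectUri) {
      return { error: 'invalid_grant' };
    }
    return { id_token: `token-for-${clientId}` };
  }
}

const redirectUri = (cfg) => cfg.appBaseUrl + cfg.callbackPath;

// Relying-party callback. `cookies` is what reached the app (after any proxy).
function handleCallback(provider, cfg, cookies, query) {
  const params = new URLSearchParams(query);
  if (!cookies.state) return { error: 'checks.state argument is missing' };
  if (params.get('state') !== cookies.state) return { error: 'state mismatch' };
  return provider.token(params.get('code'), cfg.clientId, redirectUri(cfg));
}

function demo() {
  // Constructed values; '/callback' is a hypothetical callback path.
  const cfg = { clientId: 'demo-client', appBaseUrl: 'https://vouchers.example', callbackPath: '/callback' };
  const provider = new ToyProvider();
  const state = 'state-abc';
  const login = () => `code=${provider.authorize(cfg.clientId, redirectUri(cfg))}&state=${state}`;
  const url = login();
  return {
    first: handleCallback(provider, cfg, { state }, url),
    replay: handleCallback(provider, cfg, { state }, url),   // F5 on the callback URL
    noCookie: handleCallback(provider, cfg, {}, login()),    // state cookie never arrived
    wrongBase: handleCallback(provider, { ...cfg, appBaseUrl: 'http://vouchers.example' }, { state }, login()),
  };
}

console.log(demo());
```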


@glenndehaan commented on GitHub (Jan 7, 2025):

So, small update: I also tried it over an ngrok proxy/tunnel:

[image]

Where there is even a mixed http/https environment, this also works. So I'm almost convinced it must be a configuration error.


@YouKyi commented on GitHub (Jan 8, 2025):

I'll try again at another time.
A configuration error is likely, but I have 30 or so OIDC SSO applications, so I know how to configure pretty well...:/
Nevertheless, I'm using a proxy configuration.
I'll keep you posted :)


@tomcatcw1980 commented on GitHub (Jan 8, 2025):

Hi Glenn,

Same for me. I use a reverse proxy (nginx proxy manager). I think this could be the problem. Like YouKyi, this is not my first OIDC config with Authentik, and others work perfectly.

Thank you for your support.

greetings.


@glenndehaan commented on GitHub (Jan 8, 2025):

Hi @YouKyi and @tomcatcw1980,

I get both points but my problem is that currently I can't replicate it. And with all my testing even over different proxies I don't have the issue.

I'm never going to fully replicate the environment that you both have running. So my only way to debug would be to plan a screenshare session so I can have a look. Because it's not feasible for me to fully replicate the entire environment, I have tried that to the best of my abilities.


@glenndehaan commented on GitHub (Jan 21, 2025):

Closing this stale issue


@YouKyi commented on GitHub (Mar 10, 2025):

Hello,
Without any modifications, it works now!
Have a nice day,
