Unpredictable behaviour when using different domain names to access Authentik

[wrjlewis]

Hi

Is there something obviously wrong I'm doing in the following setup, because I experience very different behaviour when I access authentik through route 1 compared to route 2.

For example Authentik returns different default flows when you enter https://[domain name]/flows/-/default/authentication/?next=/ depending on the domain name entered. In route 1 I get the username + password + option for webauthn. In route 2 I just get webauthn straight away.

In route 1 I get no applications displayed after login but with route 2 I get all the applications showed as expected. This is the same login details and the same authentik instance. So I must be doing something wrong? I'm not using any outposts if thats relevant, its a very simple setup. I've tried bypassing the cache in cloudflare, setting cache headers in apache, and everything in between, but I can't work out the strange behaviour.

Route 1: Public domain -> Cloudflare proxy -> Apache reverse proxy -> Authentik.

• Everything works, but sometimes no applications show, I get a different login flow, I often can't see new enrollment tokens I create, or other strange errors.

Route 2: Local domain -> Caddy - > Authentik (the same instance as route 1).

• Everything works.

Thanks!

[wrjlewis]

For instance check out the difference in the debug logs, I see:

Accessed through route 1:
server-1 | {"auth_via": "unauthenticated", "domain_url": "[route 1 domain name]", "event": "f(exec): Continuing existing plan", "flow_slug": "custom_passwordless_flow", "host": "[route 1 domain name]", "level": "debug", "logger": "authentik.flows.views.executor", "pid": 7155, "request_id": "2cae319a9f6748148eaba515818b5de4", "schema_name": "public", "timestamp": "2025-02-14T10:48:52.998084"}

or

server-1 | {"auth_via": "unauthenticated", "domain_url": "[route 1 domain name]", "event": "flow_by_policy: flow passing", "flow": "<Flow: Flow custom_passwordless_flow (custom_passwordless_flow)>", "host": "[route 1 domain name]", "level": "debug", "logger": "authentik.flows.views.executor", "pid": 9669, "request_id": "ac9532b737cd787fabed9daae7942da7", "schema_name": "public", "timestamp": "2025-02-14T10:57:09.625518"}

Accessed through route 2:
server-1 | {"auth_via": "unauthenticated", "domain_url": "[route 2 domain name]", "event": "/if/flow/default-authentication-flow/?next=%2F", "host": "[route 2 domain name]", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 9669, "remote": "IP", "request_id": "b8538e1ae57c4d4e595ccfce4398cfce", "runtime": 11, "schema_name": "public", "scheme": "https", "status": 200, "timestamp": "2025-02-14T10:51:21.772741", "user": "", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"}

Route 1 always uses custom_passwordless_flow whereas route 2 correctly uses default-authentication-flow

[rissson]

Do you have any brands setup?

[wrjlewis]

Ah yes I do have brands indeed, forgot about that, setting the default flow to the brand does solve the different login flow issue.

Though I still have weird behaviour when (for example) I create a invitation. I can see the invitation in the list in route 2 but not in route 1. Even though the API calls are identical.

https://[route 1]/api/v3/stages/invitation/invitations/?ordering=expires&page=1&page_size=20&search=

https://[route2]/api/v3/stages/invitation/invitations/?ordering=expires&page=1&page_size=20&search=

Would you expect that to be because of brands as well?

[rissson]

Uhhh I'm not entirely sure for invitations. From a quick read of the code, that shouldn't happen tho.

[wrjlewis]

Uhhh I'm not entirely sure for invitations. From a quick read of the code, that shouldn't happen tho.

Thanks for looking.
FWIW it happens in quite a few places with similar behaviour to what is described above