OIDC Name Resolution Error

[EBS-DarkD]

I've set everything up for local users and it's working fine but I've just tried to turn on OIDC with my authentik provider and I'm facing the following issue...

Error loading metadata: HTTPSConnectionPool(host='auth.goat-lovers.xxx', port=443): Max retries exceeded with url: /application/o/time-tracker/.well-known/openid-configuration (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x7f3b1e477810>: Failed to resolve 'auth.goat-lovers.xxx' ([Errno -2] Name or service not known)"))

Note that I'm running both applications through portainer stacks and they are on different stacks but the same subnet
The setup also has nginx proxy manager integrated with openappsec
DNS for both the Authentik and TimeTracker is working fine - note the TimeTracker is on a different domain to the Authentik
If I try to curl https://auth.goat-lovers.xxx/application/o/time-tracker/.well-known/openid-configuration from within the TimeTracker docker container, I get the correct response so theres correct DNS resolution happening at the container level!

Anyone any ideas on what I need to tweak here?

[evilguy4000]

@EBS-DarkD
You can try the following:

Solution 1: Configure DNS Servers in Docker/Portainer (Recommended)

Explicitly configure DNS servers in your Portainer stack or docker-compose.yml:

For Portainer Stacks:

1. Edit your stack configuration
2. Find the app service (or your TimeTracker service)
3. Add DNS configuration under the service definition:

services:
  app:
    # ... other configuration ...
    dns:
      - 8.8.8.8          # Google DNS
      - 8.8.4.4          # Google DNS secondary
      # OR use your internal DNS server
      - 192.168.1.1      # Your router/internal DNS

For docker-compose.yml:
Add the dns section to your app service:

services:
  app:
    build: .
    dns:
      - 8.8.8.8
      - 8.8.4.4
    # ... rest of configuration

After updating, restart the container/stack.

Solution 2: Use Docker Internal Networking

If both Authentik and TimeTracker are running on the same Docker network (same subnet in Portainer), you can use Docker's internal DNS resolution by using the container/service name instead of the external domain.

1. Find your Authentik container/service name:

   • In Portainer, check the Authentik stack for the service name
   • Or use: docker network inspect <network_name> to see connected containers

2. Update OIDC_ISSUER environment variable:

   • Instead of: OIDC_ISSUER=https://auth.goat-lovers.xxx/application/o/time-tracker/
   • Use: OIDC_ISSUER=https://authentik:9443/application/o/time-tracker/
     • Replace authentik with your actual Authentik service/container name
     • Replace 9443 with the internal port (check your Authentik configuration)

3. Ensure both stacks are on the same Docker network:

   • In Portainer, both stacks should use the same network
   • Or create an external network and attach both services to it

Note: This only works if both containers can communicate internally. External redirects (like OIDC callbacks) will still need the public domain.

Solution 3: Add extra_hosts Mapping

Map the domain to an IP address in your Docker configuration:

For Portainer Stacks:

services:
  app:
    # ... other configuration ...
    extra_hosts:
      - "auth.goat-lovers.xxx:192.168.1.100"  # Replace with actual Authentik IP

For docker-compose.yml:

services:
  app:
    build: .
    extra_hosts:
      - "auth.goat-lovers.xxx:192.168.1.100"
    # ... rest of configuration

To find the IP address:

# From within the TimeTracker container
docker exec -it timetracker-app ping -c 1 auth.goat-lovers.xxx
# Or from host
ping auth.goat-lovers.xxx

[EBS-DarkD]

Tried all of the above and it's still not playing!
dig from within the container gives the right IP address
curl of the url from within the container gives the configuration information
also tried using http://authentik:9000 with no joy!

I think for now, I'm going to stick with internal auth only, setup the accounts, turn off registration and add an ACL on NPM so I can make it available externally.

[evilguy4000]

@EBS-DarkD , can you send me how you setup everything? if possible with docker-compose files so i can try out and debug.

[EBS-DarkD]

TT Stack....

networks:
  default:
    driver: bridge
  t2_proxy:
    name: t2_proxy
    external: true
########################### EXTENSION FIELDS
x-common-keys-apps: &common-keys-apps
  security_opt:
    - no-new-privileges:true
  restart: unless-stopped
########################### SERVICES
services:
  #TimeTracker DB
  ttdb:
    <<: *common-keys-apps
    image: postgres:16-alpine
    container_name: timetracker-db
    environment:
      - POSTGRES_DB=${PGDB}
      - POSTGRES_USER=${PGU}
      - POSTGRES_PASSWORD=${PGUP}
      - TZ=${OTZ}
    volumes:
      - ./timetrack/db_data:/var/lib/postgresql/data
    networks:
      t2_proxy:
        ipv4_address: ***.***.92.***
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    env_file:
      - stack.env

  #TimeTracker App
  ttapp:
    <<: *common-keys-apps
    image: ghcr.io/drytrix/timetracker:latest
    container_name: timetracker-app
    environment:
      - TZ=${OTZ}
      - CURRENCY=QAR
      - ROUNDING_MINUTES=${ROUNDING_MINUTES:-1}
      - SINGLE_ACTIVE_TIMER=true
      - ALLOW_SELF_REGISTER=true
      - IDLE_TIMEOUT_MINUTES=60
      - ADMIN_USERNAMES=goat-man
     # Security (required in production)
      - SECRET_KEY=${SKEY}
      - FLASK_ENV=producton
      - FLASK_DEBUG=false
      - AUTH_METHOD=both
      # OIDC
      - OIDC_ISSUER=${OD_ISSUER}
      - OIDC_CLIENT_ID=${OD_CLIENT_ID}
      - OIDC_CLIENT_SECRET=${OD_CLIENT_SECRET}
      - OIDC_REDIRECT_URI=${OD_REDIRECT_URI}
      - OIDC_SCOPES=openid profile email
      - OIDC_USERNAME_CLAIM=preferred_username
      - OIDC_FULL_NAME_CLAIM=name
      - OIDC_EMAIL_CLAIM=email
      - OIDC_GROUPS_CLAIM=groups
      # Database (bundled Postgres)
      - DATABASE_URL=${DBU}
      - POSTGRES_DB=${PGDB}
      - POSTGRES_USER=${PGDU}
      - POSTGRES_PASSWORD=${PGUP}
      - POSTGRES_HOST=ttdb
      # CSRF & cookies (safe for HTTP local; tighten for HTTPS)
      - WTF_CSRF_ENABLED=true
      - WTF_CSRF_TIME_LIMIT=3600
      - WTF_CSRF_SSL_STRICT=false
      - WTF_CSRF_TRUSTED_ORIGINS=https://main-site.biz,https://auth.main-site.com
      - SESSION_COOKIE_SECURE=true
      - SESSION_COOKIE_HTTPONLY=true
      - PERMANENT_SESSION_LIFETIME=86400
      - REMEMBER_COOKIE_SECURE=true
      - CSRF_COOKIE_SECURE=true
      - CSRF_COOKIE_HTTPONLY=false
      - CSRF_COOKIE_SAMESITE=Lax
      - CSRF_COOKIE_NAME=XSRF-TOKEN
      - SESSION_COOKIE_SAMESITE=Lax
      - PREFERRED_URL_SCHEME=http
     ports:
      - "8882:8080"
    networks:
      t2_proxy:
        ipv4_address: ***.***.92.***
    volumes:
      - ./timetrack/app/data:/data
      - ./timetrack/app/uploads:/app/app/static/uploads
      - ./logs/timetrack:/app/logs
    depends_on:
      ttdb:
        condition: service_healthy
    restart: unless-stopped
    #extra_hosts:
      #- "auth.main-site.com:***.***.92.***"
    dns:
      - ***.***.100.***
    healthcheck:
      test: ["CMD", "curl", "-f", "http://***.***.100.***:8882/_health"]  #Main Docker Host
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    env_file:
      - stack.env

Authentik App part of authentik stack (there's a lot in there)

service:  
  #App
  authentik:
    <<: [*common-keys-apps, *common-keys-dep]
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.4}
    container_name: authentik
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_REDIS__HOST: ${REDIS_HOST}
      AUTHENTIK_POSTGRESQL__HOST: ${DB_HOST}
      AUTHENTIK_POSTGRESQL__USER: ${DB_USER}
      AUTHENTIK_POSTGRESQL__NAME: ${DB_DB}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${DB_PASS}
      AUTHENTIK_EMAIL__HOST: ${EMAIL_HOST}
      AUTHENTIK_EMAIL__PORT: ${EMAIL_PORT}
      AUTHENTIK_EMAIL__USERNAME: ${EMAIL_USERNAME}
      AUTHENTIK_EMAIL__PASSWORD: ${EMAIL_PASSWORD}
      AUTHENTIK_EMAIL__USE_TLS: ${EMAIL_TLS}
      AUTHENTIK_EMAIL__USE_SSL: ${EMAIL_SSL}
      AUTHENTIK_EMAIL__TIMEOUT: ${EMAIL_TIMEOUT}
      AUTHENTIK_EMAIL__FROM: ${EMAIL_FROM}
     #AUTHENTIK_EMAIL__TIMEOUT: 10
    volumes:
      - ./authentik/app/media:/media
      - ./authentik/app/templates:/templates
      - ./authentik/app/email-templates:/authentik/stages/email/templates/email
    env_file:
      - stack.env
    networks:
      t2_proxy:
        ipv4_address: ***.***.92.***
    ports:
      - 9000:9000
      - 9443:9443
      - 9300:9300

`

[EBS-DarkD]

This is running on a single node instance in portainer BE. The host is a Debian 12 system

[EBS-DarkD]

On the Authentik side. i've setup the app as an OAuth2/OpenID provider with a strict redirect back to
https://main-site.biz/auth/oidc/callback
There are 8 other apps using the OAuth2 connections with no issues

[evilguy4000]

@EBS-DarkD have you been able to test with the latest versions?