Filling passwords in Authentik SSO login forms not working as it should.

[ttk]

I have a setup where i am securing some applications with an Authentik SSO server. It does not work very well with Enpass. This is my problem: 

1. I open the URL to the application. It is forwarded to the SSO login form. The form has the callback URL to the application as HTTP GET parameters in the address bar, e.g. "https://authentik.simonszu.de/if/flow/default-authentication-flow/?next=%2Fapplication%2Fo%2Fauthorize%2F%3Fclient_id%3DSCEmh1dhqxFlmPM30asa7dPqxs3dMBskX87Kx8DE%26redirect_uri%3Dhttps%3A%2F%2Fcomics.simonszu.de%2Foutpost.goauthentik.io%2Fcallback%3FX-authentik-auth-callback%3Dtrue%26response_type%3Dcode%26scope%3Demail%2Bprofile%2Bak_proxy%2Bopenid%26state%3D1qTRKfZVO07F-Hh7I44_8vaurt9GzaNTETUy1igmH08"

2. I select the Authentik Login item in Enpass via the Chrome extension. The item has "https://authentik.simonszu.de" as the saved URL, since that is the most common denominator between all SSO-secured applications as well as the admin interface of the SSO server. 

3. As a result, the Enpass extension causes Chrome to open a new tab, with the address bar containing only "https://authentik.simonszu.de/if/flow/default-authentication-flow/?next=%2F", so, no reference to the callback URL to the actual application any more. 

4. If i try to do step 2 again in the new tab, Enpass does not fill the credentials, but rather opens a third tab, containing the same address in the address bar as in step 3. 

5. I can repeat step 3 and for for infinite time, causing Enpass and Chrome to open more and more tabs, and not logging in properly. 

Is there a flag where i can tell Enpass to simply fill in the credentials, and not trying to open the URL it has defined in the login item in a new tab? That would be nice. 

[Abhishek Dewan]

Hi @ttk

Kindly share the version of the Enpass app, OS, Enpass Extension and Chrome browser you are using and I'll have this checked for you.

[ttk]

Sure. 

It is on Windows 10 Pro, Patchlevel 19044.2486. However, i think this also happens on a Mac with OS X Ventura. Does not happen on iOS. 

Enpass is version 6.8.4. 

Chrome is version 109.0.5414.120 - but this issue occurs on Firefox as well. 

Enpass Extension is 6.8.0. 

 

[Abhishek Dewan]

Hi @ttk

Thank you for sharing the requested details.

I'm discussing this case with my dedicated team and will get back to you soon with an update. Your patience in the interim is appreciated.

#SI-3263

[Abhishek Dewan]

Hi @ttk

We were able to reproduce the bug on our end, due to which this issue is occurring. Our development team is working on a fix which will be available for future Enpass versions. We appreciate your cooperation and support in the interim.

[ttk]

Hi, that are good news. I will have an eye on new enpass versions and try it out subsequentially. 

[ttk]

@Abhishek Dewan Do you already have some updates? This issue is quite annoying and keeps me from fully rolling out Authentik in my environment. Should i keep an eye on Enpass releases or on Extension releases? 

[Abhishek Dewan]

Hi @ttk

Our development team is already aware of this concern and are working on a fix. I will be unable to share any ETA right now but I will be sure to update this forum once this issue is fixed. Your kind understanding in this matter is appreciated and any inconvenience caused is deeply regretted.

[ttk]

@Abhishek Dewan it has been several weeks now...how hard can it be?

[nicoduck]

Hi,

any update on this? This is getting a bit frustrating

[Amandeep Kumar]

Hi @nicoduck,

I'm sorry to inform you that our technical team faced challenges while trying to resolve the issue reported by @ttk. Actually, as stated previously, we were able to reproduce it, but while working on it, the URL shared by the user has unfortunately stopped working/responding. This has hindered our team's efforts to fix the problem, and consequently, we have been unable to address this issue effectively.

[ttk]

@Amandeep Kumar Are you serious?

 

I have switched from Authentik to Keycloak because of the lack of updates in this thread for several weeks. I wasn't aware that you completeley stopped working on this issue, because the availability of my Authentik instance is crucial for your development work - but good to know that you planned with testing against my instance without ever notifying me. I would have assumed that a serious development company would be able to quickly deploy their own Authentik instance to be not depending on other instances they have no control over. Besides that, you would have landed in my fail2ban filters nevertheless, since it is rather unusual for requests with IPs originating from india to access the landing page but not try any login attempts, or try them and fail because you would not have any valid passwords.

But yeah, i switched my SSO provider because of this issue, maybe i should look into switching my password manager as well, since this is not the trustworthy behaviour i would expect.