Now Trending
Pangolin Not Working with Authentik? Fix It Fast

Pangolin Not Working with Authentik? Fix It Fast

Pangolin and Authentik should work together like best friends. One handles access. The other manages identity. But sometimes they fight. Logins fail. Redirects loop forever. Cookies disappear. And you are left staring at a spinning browser tab. Don’t worry. This guide will walk you through fixing it fast, in plain English.

TLDR: If Pangolin is not working with Authentik, the issue is usually incorrect redirect URLs, cookie settings, domain mismatch, or proxy misconfiguration. Check your OIDC settings first. Then confirm your ports, headers, and SSL setup. Most problems can be fixed in under 30 minutes once you know where to look.

First, Understand What’s Supposed to Happen

Before fixing anything, you need to understand the flow.

  • User visits Pangolin.
  • Pangolin sends the user to Authentik.
  • User logs in.
  • Authentik sends the user back to Pangolin with a token.
  • Pangolin verifies the token and grants access.

Simple in theory. Tricky in practice.

When something breaks, it is usually one of these steps.

Common Problem #1: Redirect Loop

This is the most common issue. You log in. Then you are redirected. Then redirected again. Forever.

Why this happens:

  • Incorrect redirect URI
  • Domain mismatch between Pangolin and Authentik
  • Wrong protocol (HTTP vs HTTPS)
  • Cookie domain misconfiguration

How to Fix It

Start in Authentik:

  • Go to Applications.
  • Select your Pangolin app.
  • Check the Redirect URI.

It must exactly match what Pangolin expects. Exact means exact. Even a missing slash can break it.

For example:

  • ✅ https://pangolin.example.com/oauth/callback
  • ❌ https://pangolin.example.com/
  • ❌ http://pangolin.example.com/oauth/callback

Notice the protocol. HTTPS and HTTP are not interchangeable.

Now check Pangolin’s configuration file. Look for:

  • Client ID
  • Client Secret
  • Issuer URL
Also read  Software Companies Switch To Instead of Prefect for Workflow Orchestration

If one character is wrong, authentication fails.

Common Problem #2: “Invalid Token” Error

This usually means Pangolin cannot verify what Authentik sent.

Possible causes:

  • Wrong issuer URL
  • JWK endpoint not reachable
  • Time mismatch between servers

Step 1: Verify the Issuer URL

In Pangolin, the issuer should look like:

https://auth.example.com/application/o/your-app-slug/

Not the root domain. Not the admin page. The actual OIDC endpoint.

Step 2: Check Server Time

If your server time is off by more than a few minutes, tokens may be rejected.

Run:

  • timedatectl status

If time is wrong, enable NTP:

  • sudo timedatectl set-ntp true

Small detail. Big impact.

Common Problem #3: 502 or 504 Gateway Errors

This usually means your reverse proxy is not forwarding requests properly.

If you are using:

  • Nginx
  • Traefik
  • Caddy
  • Cloudflare Tunnel

You must forward these headers:

  • Host
  • X-Forwarded-For
  • X-Forwarded-Proto

If X-Forwarded-Proto is missing, Authentik may think the request is HTTP even if it is HTTPS. That breaks cookies and redirects.

Quick Nginx Example

proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Small lines. Huge difference.

Common Problem #4: Cookies Not Being Set

No cookies. No login.

This problem usually appears when:

  • Your domain uses subdomains.
  • HTTPS is not enforced.
  • SameSite settings block cross-site requests.

Fix the Domain Strategy

Let’s say:

  • Authentik = auth.example.com
  • Pangolin = panel.example.com

Your cookie domain should allow sharing within example.com.

Inside Authentik settings, confirm cookie domain is:

.example.com

Note the dot at the beginning.

Also ensure:

  • Secure flag enabled
  • HTTPS enabled everywhere

No mixed content. Ever.

Common Problem #5: Wrong Scopes or Claims

Sometimes login works. But Pangolin shows limited access. Or no role assigned.

This is not a failure. It is a mapping issue.

Check Scopes in Authentik

  • Open your provider.
  • Review configured scopes.
  • Ensure email and profile are included.

Then check attribute mapping.

If Pangolin expects:

  • username
  • email
  • groups

Make sure Authentik actually sends them.

You can inspect the token using a JWT debugging tool. Just paste the token and read the payload.

If the data is missing, adjust your scope mappings.

Check Firewall and Ports

This sounds obvious. But it gets overlooked.

Make sure:

  • Authentik is reachable from Pangolin.
  • Port 443 (HTTPS) is open.
  • No internal Docker network conflicts exist.
Also read  6 Tools Like LogRocket for Session Replay and User Behavior Debugging

If using Docker, confirm both containers are on the same network if required.

Try curling the issuer endpoint:

  • curl https://auth.example.com/.well-known/openid-configuration

If it does not return JSON, that is your problem.

Docker-Specific Issues

Running everything in Docker? Great. But Docker networking can get confusing.

Common mistakes:

  • Using localhost inside containers.
  • Exposing wrong ports.
  • Forgetting bridge networks.

Inside Docker, localhost means the container itself. Not your host machine.

Instead of:

  • http://localhost:9000

You might need:

  • http://authentik:9000

Use container names as hostnames.

SSL Certificate Problems

If your SSL certificate is invalid or self-signed, Pangolin may refuse communication.

Symptoms include:

  • Handshake errors
  • Silent failures
  • Token fetch failures

Fix it by:

  • Using Let’s Encrypt
  • Making sure full certificate chain is installed
  • Disabling strict SSL verification only for testing

Never run production without proper SSL. It breaks trust. Literally.

Debug Like a Pro

If nothing works, turn on debug logging.

In:

  • Pangolin logs
  • Authentik logs
  • Reverse proxy logs

Look for:

  • 401 errors
  • Invalid redirect messages
  • CORS complaints

Logs are not scary. They tell you exactly what is wrong. You just have to read slowly.

Quick Checklist

If you want speed, follow this order:

  1. Verify redirect URI.
  2. Confirm issuer URL.
  3. Check HTTPS everywhere.
  4. Confirm cookies are set.
  5. Verify headers in reverse proxy.
  6. Sync server time.
  7. Check logs.

This fixes about 90% of issues.

When to Start Fresh

If things are messy, sometimes starting over is faster.

  • Delete the provider.
  • Create it again.
  • Copy values carefully.
  • Test with a fresh browser session.

Configuration drift is real. Especially after multiple edits.

Final Thoughts

Pangolin and Authentik are powerful tools. But authentication systems are picky. They require precision. One wrong URL. One missing header. And everything collapses.

The good news? The fix is usually small.

Focus on:

  • Exact URLs
  • Correct domains
  • HTTPS consistency
  • Proper headers

Slow down. Double-check each field. Test step by step.

Once configured properly, the system becomes rock solid. Logins will be smooth. Tokens will validate instantly. And you can forget this troubleshooting guide even exists.

Until next time something breaks.

But now? You know exactly what to do.

Avatar for Sastra
Sastra

Sastra shares simple and useful content to help readers understand technology, guides, and trending topics.The team focuses on explaining things in a clear, easy, and practical way.Every article is written with real users in mind, not complicated tech language.