Problems with OIDC, roles, and an authserver error message

OS Name/Version: Ubuntu 22.04.5 LTS x86_64

Product Name/Version: v2.6.2, built 17/06/2025 09:10

Problem Description: When using a user from authentik that is not in the AMP_Super Admins group (I created another authentik group, AMP_Users, and an associated role in AMP, Users), they are not able to edit any instances no matter how many permissions I give them at the ADS, instance or individual level. The temporary user I created, ‘asdfasdf’, has been given all the permissions available, and when logged in still gets this message:

"Failed to login to remote instance - Permission Denied

This user does not have permission to access this instance. Please ensure that this user has the ‘Manage Instance’ permission within ADS for this instance. - The auth server at http://localhost:8080/ denied access to log in to this specific instance."

A couple more things about my setup:

  • I have a domain configured to a static tailscale ip address
  • I have a reverse proxy that is in a docker container at ip 172.19.0.25

To                         Action      From
--                         ------      ----
8080/tcp                   ALLOW       Anywhere                   # AMP:ADS01:Core.Webserver.Port
717                        ALLOW       Anywhere                   # SSH Port
53                         ALLOW       Anywhere                   # systemd-resolve and libvirt-dnsmasq
42388                      ALLOW       Anywhere
36624                      ALLOW       Anywhere
2223                       ALLOW       Anywhere
2224                       ALLOW       Anywhere
Samba                      ALLOW       Anywhere
plexmediaserver-all        ALLOW       Anywhere
3389                       ALLOW       Anywhere                   # xrdp
27015/udp                  ALLOW       Anywhere                   # AMP:SQUADL4D201:srcdsModule.SRCDS.ServerPortBinding
27020/udp                  ALLOW       Anywhere                   # AMP:SQUADL4D201:srcdsModule.SourceTV.SourceTVPort
8084                       ALLOW       Anywhere                   # DOCKER: fullfeedrss-fullfeedrss-1
12820/udp                  ALLOW       Anywhere                   # AMP:ADS01:ADSModule.Network.MetricsServerPort
5900                       ALLOW       Anywhere                   # x11vnc
21025/tcp                  ALLOW       Anywhere                   # AMP:TestStarbound01:GenericModule.App.Ports.$gameServerPort
21025/udp                  ALLOW       Anywhere                   # AMP:TestStarbound01:GenericModule.App.Ports.$gameServerPort
21026/tcp                  ALLOW       Anywhere                   # AMP:TestStarbound01:GenericModule.App.Ports.$rconServerPort
21026/udp                  ALLOW       Anywhere                   # AMP:TestStarbound01:GenericModule.App.Ports.$rconServerPort
8096                       ALLOW       Anywhere                   # Jellyfin Web Server
55414                      ALLOW       Anywhere                   # DOCKER: urbackup
25565/tcp                  ALLOW       Anywhere                   # AMP:SquadCraft121101:MinecraftModule.Minecraft.PortNumber
25565/udp                  ALLOW       Anywhere                   # AMP:SquadCraft121101:MinecraftModule.Minecraft.PortNumber
82                         ALLOW       172.19.0.0/16              # Nextcloud http
7443                       ALLOW       172.19.0.0/16              # Nextcloud https
9443                       ALLOW       172.19.0.0/16              # DOCKER: authentik-server 1 https
9000                       ALLOW       172.19.0.0/16              # DOCKER: authentik-server 1 http
10000:10100/tcp            ALLOW       Anywhere                   # Webmin
61208                      ALLOW       172.19.0.0/16              # DOCKER: glances
61209                      ALLOW       172.19.0.0/16              # DOCKER: glances
8082                       ALLOW       172.19.0.0/16              # DOCKER: dashy
3000                       ALLOW       172.19.0.0/16              # DOCKER: dashy proxy_pass to port 3000
443                        ALLOW       172.19.0.0/16              # DOCKER: dashy https health checks
80                         ALLOW       172.19.0.0/16              # DOCKER: dashy http health check
8123                       ALLOW       172.19.0.0/16              # DOCKER: homeassistant
8081                       ALLOW       Anywhere                   # AMP: Im not sure honestly, but logs keep saying its coming from L4D2 and Minecraft
27015/tcp                  ALLOW       Anywhere                   # AMP:SQUADL4D201:GenericModule.App.Ports.$ServerPort
127.0.0.1                  ALLOW       172.19.0.0/16              # DOCKER to Host TEST
27015/udp (v6)             ALLOW       Anywhere (v6)              # AMP:SQUADL4D201:srcdsModule.SRCDS.ServerPortBinding
27020/udp (v6)             ALLOW       Anywhere (v6)              # AMP:SQUADL4D201:srcdsModule.SourceTV.SourceTVPort
8084 (v6)                  ALLOW       Anywhere (v6)              # DOCKER: fullfeedrss-fullfeedrss-1
12820/udp (v6)             ALLOW       Anywhere (v6)              # AMP:ADS01:ADSModule.Network.MetricsServerPort
5900 (v6)                  ALLOW       Anywhere (v6)              # x11vnc
21025/tcp (v6)             ALLOW       Anywhere (v6)              # AMP:TestStarbound01:GenericModule.App.Ports.$gameServerPort
21025/udp (v6)             ALLOW       Anywhere (v6)              # AMP:TestStarbound01:GenericModule.App.Ports.$gameServerPort
21026/tcp (v6)             ALLOW       Anywhere (v6)              # AMP:TestStarbound01:GenericModule.App.Ports.$rconServerPort
21026/udp (v6)             ALLOW       Anywhere (v6)              # AMP:TestStarbound01:GenericModule.App.Ports.$rconServerPort
8080/tcp (v6)              ALLOW       Anywhere (v6)              # AMP:ADS01:Core.Webserver.Port
8096 (v6)                  ALLOW       Anywhere (v6)              # Jellyfin Web Server
55414 (v6)                 ALLOW       Anywhere (v6)              # DOCKER: urbackup
25565/tcp (v6)             ALLOW       Anywhere (v6)              # AMP:SquadCraft121101:MinecraftModule.Minecraft.PortNumber
25565/udp (v6)             ALLOW       Anywhere (v6)              # AMP:SquadCraft121101:MinecraftModule.Minecraft.PortNumber
717 (v6)                   ALLOW       Anywhere (v6)              # SSH Port
10000:10100/tcp (v6)       ALLOW       Anywhere (v6)              # Webmin
53 (v6)                    ALLOW       Anywhere (v6)              # systemd-resolve and libvirt-dnsmasq
8081 (v6)                  ALLOW       Anywhere (v6)              # AMP: Im not sure honestly, but logs keep saying its coming from L4D2 and Minecraft
27015/tcp (v6)             ALLOW       Anywhere (v6)              # AMP:SQUADL4D201:GenericModule.App.Ports.$ServerPort

These are the logs from being logged in as asdfasdf, then trying to open an instance, logging out and logging in again:

17:20:09 :asdfasdf
ManageInstance called with InstanceId: aa4d57d4-dd19-41b4-8184-4866044e6166 and session: asdfasdf 94887137-9d2f-4f59-9bb2-a5b06651ffd0
Managed remote instance Minecraft121501 at http://127.0.0.1:8081/
Authentication token de28a9813241 for asdfasdf requested by ManageInstance on behalf of asdfasdf

17:20:09 Login request from 127.0.0.1 for asdfasdf@aa4d57d4-dd19-41b4-8184-4866044e6166 via aa4d57d4-dd19-41b4-8184-4866044e6166
Removed expired tokens for user asdfasdf.
User asdfasdf has 1 tokens
Login failed for asdfasdf@aa4d57d4-dd19-41b4-8184-4866044e6166 via 127.0.0.1 - NoInstanceAccess :  - 

17:24:23 User asdfasdf is a member of the following OIDC groups: AMP_ Users, authentik-users. The following groups were matched:  Users. The following groups were not matched: authentik-users.
Ending session 3a16ace2-6076-4507-ad02-a1b4f4f4931a - No activity for the session timeout period.
Creating new session for asdfasdf at 100.120.20.157 (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36) OIDC Login
Total sessions count: 3
Timeout: 15
Login success from 100.120.20.157 (via 172.19.0.25) assigned session ID 652b73ac-a43e-42cd-8fe1-00b3e4bc58da

#AMP Configuration File
################################
#DO NOT EDIT WHILE AMP IS RUNNING
################################

################################
# Security
################################
Security.ExecPath=Exec
Security.AllowConcurrentSessions=True
Security.LogAuthFailures=False
Security.AuthFailureLogPath=./AuthFailures.log
Security.LogSensitiveProcArgs=False
Security.EncIV=SECURITY
Security.EnablePassthruAuth=True
# Security.PassthruAuthLocalOnly - Only allows auth requests that come from 127.0.0.1 - careful when using a controller that is bound to a specific IP rather than 0.0.0.0!
Security.PassthruAuthLocalOnly=False
Security.RateLimitLogins=False
Security.AuthFailureTimeWindow=720
Security.AuthFailureAttemptsInWindow=5
Security.TwoFactorMode=Optional
Security.RequireSessionIPStickiness=True
Security.RequireTokenIPStickiness=True
Security.AllowAPIDiscoveryWithoutLogin=False
Security.AllowUserPasswords=False
Security.MetricsHMAKKey=SECURITY
Security.IncludeExceptionDataInAPI=False

################################
# Webserver
################################
# Webserver.Port - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. IF YOU CHANGE THIS ON ADS YOU WILL BREAK YOUR LOGINS!
Webserver.Port=8080
# Webserver.IPBinding - NEVER CHANGE THIS SETTING MANUALLY! Always use `ampinstmgr rebind` to alter IP/Port bindings. IF YOU CHANGE THIS ON ADS YOU WILL BREAK YOUR LOGINS!
Webserver.IPBinding=0.0.0.0
Webserver.SessionTimeout=5
Webserver.NoUI=False
Webserver.FilterEndpoints=False
Webserver.AllowedEndpointIPs=["127.0.0.1"]
Webserver.CertificatePath=
Webserver.CertificateSerial=
Webserver.CertificateDomain=
Webserver.CertificatePassword=
Webserver.EnableWebSockets=True
Webserver.EnablePluginWSStreams=False
Webserver.EnableFetchPostEndpoints=True
Webserver.APIRateLimit=1000
Webserver.AllowGETForAPIEndpoints=False
Webserver.UsingReverseProxy=True
Webserver.ReverseProxyHost=172.19.0.25
Webserver.ReverseProxyHosts=["127.0.0.1","172.19.0.25"]
Webserver.CORSOrigin=
Webserver.DisableCompression=False

################################
# Login
################################
Login.UseAuthServer=False
# Login.AuthServerURL - The URL for the ADS instance providing authentication when using UseAuthServer
Login.AuthServerURL=
Login.MetricsServerHost=localhost
Login.MetricsServerPort=12820
Login.UseLDAPLogins=False
Login.UseLDAP3=True
Login.AllowLocalUsersWithLDAP=False
Login.LDAPAuthDomain=
Login.LDAP3Host=localhost
Login.LDAP3FilterDN=CN=Users,DC=example,DC=org
Login.LDAP3UserDN=User@example.org
Login.LDAPGroupPrefix=AMP_
Login.LDAPUserDomain=
Login.LDAP3UsesSSL=False
Login.LDAPADPre2000=False
Login.LDAPStripDomainFromFilter=False
Login.LDAPQueryUsername=ampquery
Login.LDAPQueryPassword=
Login.UseOIDC=True
Login.OIDCProviderFriendlyName=Authentik
Login.OIDCClientID=SECURITY
Login.OIDCClientSecret=SECURITY
Login.OIDCRedirectUri=https://amp.pokeypen7.us/
Login.OIDCAuthorizeEndpoint=https://authentik.example.com/application/o/authorize/
Login.OIDCValidationEndpoint=https://authentik.example.com/application/o/userinfo/
Login.OIDCTokenEndpoint=https://authentik.example.com/application/o/token/
Login.OIDCUserInfoEndpoint=https://authentik.example.com/application/o/userinfo/
Login.OIDCLogoutEndpoint=https://authentik.example.com/application/o/amp/end-session/
Login.OIDCRevokeEndpoint=https://authentik.example.com/application/o/amp/end-session/
Login.OIDCRoleNamePrefix=AMP_
Login.OIDCNewUsersDisabledAtCreation=False

################################
# Branding
################################
Branding.DisplayBranding=False
Branding.PageTitle=Provider Page Title Not Set
Branding.CompanyName=
Branding.WelcomeMessage=
Branding.BrandingMessage=
Branding.ShortBrandingMessage=PoweredByAMP
Branding.URL=
Branding.SupportURL=
Branding.SupportText=
Branding.SubmitTicketURL=
Branding.LogoURL=
Branding.BackgroundURL=
Branding.SplashFrameURL=
Branding.ForgotPasswordURL=
Branding.HostedAnalyticsTag=

################################
# AMP
################################
AMP.InstanceID=SECURITY
AMP.InstanceName=ADS01
AMP.FriendlyName=ADS01
AMP.AppModule=ADSModule
AMP.LoadPlugins=["FileManagerPlugin","EmailSenderPlugin","WebRequestPlugin","LocalFileBackupPlugin","CommonCorePlugin"]
AMP.SkipPlugins=[]
AMP.ScheduleOffsetSeconds=0
AMP.AppStartupMode=StartApplication
AMP.FirstStart=True
AMP.ShutdownProperly=True
AMP.Suspended=False
AMP.SuspendReason=
AMP.PreviousVersion=
AMP.LastSpecialNoticeID=1
AMP.DatastoreConnectionString=./datastore.dat
AMP.MapAllPluginStores=True
AMP.Theme=Phobos
AMP.ShowHelpOnStatus=True
AMP.PrimaryEndpoint=0.0.0.0:12820
AMP.PrimaryEndpointUri=
AMP.DisplayBaseURI=
AMP.SchedulerTimezoneId=UTC

################################
# Monitoring
################################
Monitoring.UseMulticoreCPUCalc=True
Monitoring.IgnoreSMTCores=True
Monitoring.ConsoleScrollback=10
# Monitoring.TitleSuffix - Suffix to append to the terminal title
Monitoring.TitleSuffix=
Monitoring.KeepProvisionConfigs=False
Monitoring.LogLevel=Debug
Monitoring.EnableConsoleColoring=True
Monitoring.LogsDirectory=AMPLogs
Monitoring.ProduceStartupScripts=False
Monitoring.DeleteOldLogs=True
Monitoring.LogRetentionDays=28
Monitoring.AuditLogRetentionDays=14
Monitoring.FullMetricsGathering=False
Monitoring.ReportPhysicalMemoryAsTotal=False
Monitoring.MetricsPollInterval=1000
Monitoring.MetricsReportingInterval=5000
Monitoring.ShowDevInfo=False
Monitoring.ServerLocale=en
Monitoring.MonitorPorts=[{"Protocol":1,"Port":12820,"Name":"Metrics Server Port","IsDelayedOpen":false,"Required":false}]

################################
# Privacy
################################
Privacy.PrivacySettingsSet=False
Privacy.SessionTimeout=15
Privacy.AutoReportFatalExceptions=True
Privacy.AllowAnalytics=True
Privacy.EnhancedLicenceReporting=False

################################
# Limits
################################
Limits.NumericValueNodeUpperLimits={}
Limits.NumericValueNodeLowerLimits={}

Steps to reproduce:

  • Configure nginx proxy manager and authentik in docker, set up an OAuth/OpenID provider for AMP, and have AMP installed
  • Set up OIDC in AMP with AMP_Super Admins and AMP_Users and assign user asdfasdf to AMP_Users
  • Authenticate with asdfasdf and thus create the user asdfasdf
  • Give asdfasdf all the permissions at the ADS, instance, and individual level as well as all the permissions to the default role
  • Try to open/start an instance with asdfasdf

Actions taken to resolve so far:

I have tried opening up the firewall to allow all traffic from 172.19.0.0/16 to 127.0.0.1
I have tried changing the default auth URL to http://0.0.0.0:8080 and to http://127.0.0.1:8080
I have tried granting all permissions at every level to the user in question
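Added illustration (not part of the original post, and not AMP's or authentik's own code): a small Python script that parses the key=value format of the posted config and the two debug log line shapes quoted above (the `Login failed ... NoInstanceAccess` line and the `is a member of the following OIDC groups` line), then reports what a reviewer would want to see at a glance. The config checks are my reading of the key names and of the comment on `Security.PassthruAuthLocalOnly` in the file, not documented AMP behaviour; the whitespace check on matched role names is likewise my own addition. The config excerpt and log lines embedded below are constructed to mirror the values shown in the post.

```python
import re

# Constructed sample: an excerpt in the same key=value format as the posted
# AMPConfig.conf, carrying the values the post shows for these keys.
SAMPLE_CONFIG = """\
#AMP Configuration File
Security.EnablePassthruAuth=True
Security.PassthruAuthLocalOnly=False
Security.LogAuthFailures=False
Security.RateLimitLogins=False
Security.AuthFailureAttemptsInWindow=5
Webserver.UsingReverseProxy=True
Webserver.ReverseProxyHosts=["127.0.0.1","172.19.0.25"]
Login.UseOIDC=True
Login.OIDCRoleNamePrefix=AMP_
"""

# Constructed sample: two lines shaped like the posted debug log.
SAMPLE_LOG = """\
Login failed for asdfasdf@aa4d57d4-dd19-41b4-8184-4866044e6166 via 127.0.0.1 - NoInstanceAccess :  -
User asdfasdf is a member of the following OIDC groups: AMP_ Users, authentik-users. The following groups were matched:  Users. The following groups were not matched: authentik-users.
"""


def parse_amp_config(text):
    """Parse key=value lines; '#' comment lines and blanks are skipped. Values stay strings."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def _flag(cfg, key, default="False"):
    return cfg.get(key, default).lower() == "true"


def audit_config(cfg):
    """Return (key, note) pairs for settings a reviewer should look at (my own reading of the key names)."""
    findings = []
    # The file's own comment says LocalOnly restricts auth requests to 127.0.0.1.
    if _flag(cfg, "Security.EnablePassthruAuth") and not _flag(cfg, "Security.PassthruAuthLocalOnly"):
        findings.append(("Security.PassthruAuthLocalOnly",
                         "pass-through auth accepted from any source address, not only 127.0.0.1"))
    if not _flag(cfg, "Security.LogAuthFailures"):
        findings.append(("Security.LogAuthFailures", "failed logins are not written to the auth-failure log"))
    if not _flag(cfg, "Security.RateLimitLogins"):
        findings.append(("Security.RateLimitLogins", "login attempts are not rate limited"))
    return findings


LOGIN_FAILED = re.compile(
    r"Login failed for (?P<user>[^@\s]+)@(?P<instance>[0-9a-f-]{36}) via (?P<source>\S+) - (?P<reason>\w+)")
OIDC_GROUPS = re.compile(
    r"User (?P<user>\S+) is a member of the following OIDC groups: (?P<groups>.*?)\. "
    r"The following groups were matched: (?P<matched>.*?)\. "
    r"The following groups were not matched: (?P<unmatched>.*?)\.$")


def _split(field):
    # Split only on the ', ' separator; spaces inside a name are kept on purpose so that
    # ' Users' (exactly as the posted log prints it) stays visible.
    return [g for g in field.split(", ") if g.strip()]


def parse_log(text):
    """Turn the two log line shapes into dicts; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:
            events.append({"event": "login_failed", **m.groupdict()})
            continue
        m = OIDC_GROUPS.search(line)
        if m:
            d = m.groupdict()
            events.append({"event": "oidc_groups", "user": d["user"],
                           "groups": _split(d["groups"]), "matched": _split(d["matched"]),
                           "unmatched": _split(d["unmatched"])})
    return events


def summarize(events):
    """Human-readable notes: every denied login, plus matched role names with stray whitespace."""
    notes = []
    for e in events:
        if e["event"] == "login_failed":
            notes.append(f"{e['user']} denied on instance {e['instance']} from {e['source']}: {e['reason']}")
        elif e["event"] == "oidc_groups":
            for role in e["matched"]:
                if role != role.strip():
                    notes.append(f"matched role {role!r} has surrounding whitespace; compare with the role name in AMP")
    return notes


if __name__ == "__main__":
    for key, why in audit_config(parse_amp_config(SAMPLE_CONFIG)):
        print(f"[config] {key}: {why}")
    for note in summarize(parse_log(SAMPLE_LOG)):
        print(f"[log] {note}")
```

Run it against the real AMPConfig.conf and AMPLogs directory by swapping the two constructed samples for file contents; the parsers do not depend on the sample text.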