Rundeck + Authentik (nginx auth_request) preauthenticated mode always falls back to login page – anyone actually have this working?


Andrew Brock

Feb 6, 2026, 12:37:42 PM
to rundeck-discuss

I’m trying to put Rundeck behind Authentik using nginx’s auth_request flow (header-based preauthentication) and I cannot get Rundeck to honor REMOTE_USER no matter what I do. I’m looking for someone who has this working in production because at this point I feel like I’m chasing ghosts.

Architecture:

Authentik outpost → nginx (auth_request) → Rundeck (Jetty/WAR on localhost:4440)

Flow is:

  1. User hits webpage for rundeck

  2. nginx calls /auth (auth_request) against Authentik outpost

  3. Authentik authenticates and returns headers

  4. nginx forwards headers to Rundeck

  5. Rundeck should auto-login using preauthenticated mode

But instead, I always land on the Rundeck login page. It doesn't get me in using Authentik...


What I expect:

After Authentik login, Rundeck should auto-login using REMOTE_USER and never show its own login screen.


What actually happens:

• Authentik login works
• nginx redirects correctly
• Rundeck loads
• but I always see the Rundeck login page
• local admin login doesn’t even work sometimes
• logs show “Preauthentication is disabled” even though it’s explicitly enabled
• occasionally nginx returns 502 during restarts
• behavior is inconsistent across restarts

So Rundeck appears to ignore preauthentication entirely and silently falls back to JAAS.


My nginx config (core part):

location / {
    auth_request /auth;
    error_page 401 = @goauthentik_proxy_signin;

    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    proxy_set_header REMOTE_USER $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_pass http://127.0.0.1:4440;
}

location = /auth {
    internal;
    proxy_pass http://AUTHENTIK_OUTPOST/outpost.goauthentik.io/auth/nginx;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}


rundeck-config.properties:

rundeck.security.authentication=preauthenticated
rundeck.security.authentication.preauthenticated.enabled=true
rundeck.security.authentication.preauthenticated.attributeName=REMOTE_USER

rundeck.security.authorization.preauthenticated.enabled=true
rundeck.security.authorization.preauthenticated.attributeName=X-authentik-groups
rundeck.security.authorization.preauthenticated.delimiter=,

server.useForwardHeaders=true
grails.serverURL=https://myurl.com

dataSource.driverClassName=org.postgresql.Driver
dataSource.url=jdbc:postgresql://localhost:5432/rundeck
dataSource.username=rundeck
dataSource.password=provided via env var
rundeck.projectsStorageType=db


systemd service:

ExecStart=/usr/bin/java \
    -Xms512m -Xmx2048m \
    -Drundeck.server.http.port=4440 \
    -Drdeck.base=/var/lib/rundeck \
    -Dserver.useForwardHeaders=true \
    -jar /var/lib/rundeck/bootstrap/rundeck-5.18.0.war


Things I have already verified:

• Rundeck responds on 127.0.0.1:4440
• nginx proxy works
• Authentik outpost works
• headers are passed by nginx
• PostgreSQL works
• no H2
• correct grails.serverURL
• correct rdeck.base
• DB password loads
• systemd environment works
• curl to backend works
• no SELinux
• no firewall issues

Yet logs still show:

"Using jaas authentication"
"Preauthentication is disabled"

Which contradicts the config.


Versions:

Rundeck 5.18 (WAR)
Authentik latest
nginx 1.20
PostgreSQL backend
systemd launch



rac...@rundeck.com

Feb 6, 2026, 12:38:48 PM
to rundeck-discuss

Regards!

Andrew Brock

Feb 10, 2026, 2:38:35 PM
to rundeck-discuss

I tried the mtcoffee Authentik + Rundeck preauth pattern but swapped Apache/mod_auth_openidc for nginx + oauth2-proxy (auth_request) and I’m stuck in a weird “auth works but identity is empty” state.

Rundeck ACLs never match because the user/groups headers are blank: my /__whoami endpoint prints user= email= groups= empty every time.

What’s confusing is oauth2-proxy is being hit by internal auth subrequests (logs show tons of GET /oauth2/auth returning 202), but when I curl the public endpoint I get:
curl -kI https://<host>/oauth2/auth
HTTP/1.1 404 Not Found (from nginx), and the oauth2-proxy logs don’t show that curl at all.

So it feels like nginx isn’t routing /oauth2/auth to oauth2-proxy in the live vhost (or a different/default server block is actually handling the request), meaning oauth2-proxy never returns X-Auth-Request-User/Groups to nginx, and Rundeck never sees roles.

At this point I’m not fighting Rundeck ACL syntax — I’m fighting “nginx → oauth2-proxy headers never populate / public /oauth2/auth 404” and I can’t get past it.
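
A header-echo backend in the spirit of the /__whoami endpoint mentioned above, as an added example that is not part of the original posts: run in place of Rundeck on 127.0.0.1:4440, it reports what nginx actually forwards. The header names and the `,` delimiter are taken from the config in the first post; the function and class names are this example's own.

```python
"""Stand-in backend that reports the identity headers a proxy actually forwards."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names and delimiter as used in the nginx/Rundeck config in the thread.
USER_HEADER = "REMOTE_USER"
GROUPS_HEADER = "X-authentik-groups"
DELIMITER = ","


def identity_from_headers(headers):
    """Return (user, groups, problems) for a mapping of request headers."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    user = lowered.get(USER_HEADER.lower(), "").strip()
    raw = lowered.get(GROUPS_HEADER.lower(), "")
    groups = [g.strip() for g in raw.split(DELIMITER) if g.strip()]
    problems = []
    if USER_HEADER.lower() not in lowered:
        problems.append(f"{USER_HEADER} header missing")
    elif not user:
        problems.append(f"{USER_HEADER} header present but empty")
    if not groups:
        problems.append(f"{GROUPS_HEADER} carries no groups")
    return user, groups, problems


class WhoAmI(BaseHTTPRequestHandler):
    def do_GET(self):
        user, groups, problems = identity_from_headers(dict(self.headers.items()))
        body = f"user={user}\ngroups={','.join(groups)}\nproblems={'; '.join(problems)}\n"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def serve(port=4440):
    # Bind to loopback only: a backend that trusts identity headers must not be
    # reachable by anything except the authenticating proxy.
    HTTPServer(("127.0.0.1", port), WhoAmI).serve_forever()


if __name__ == "__main__":
    serve()
```

nginx does not pass a `proxy_set_header` field whose value is an empty string, so an unset `$authentik_username` shows up here as a missing header rather than an empty one.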

Andrew Brock

Feb 11, 2026, 4:20:04 PM
to rundeck-discuss
Doh! Smoking gun: Rundeck was actually loading its framework config (and ACL policy dir) from /var/lib/rundeck/etc, not /etc/rundeck (logs showed loaded configuration: /var/lib/rundeck/etc/framework.properties and framework.etc.dir=/var/lib/rundeck/etc). I was editing /etc/rundeck/admin.aclpolicy and wondering why nothing changed. Once I placed a policy file under /var/lib/rundeck/etc/ with Application-context project permissions, projects immediately appeared and admin actions started working.
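
A check for the mistake described in the post above, as an added example that is not part of the original thread: it reads `framework.etc.dir` from the startup log and lists `*.aclpolicy` files in the directory being edited that Rundeck is not reading as-is. The sample log lines are constructed around the fragments quoted in the post, and the function names are this example's own.

```python
"""Find ACL policy edits made outside the etc dir Rundeck actually loaded."""
import hashlib
import re
from pathlib import Path

# Constructed sample, built around the log fragments quoted in the post.
SAMPLE_LOG = (
    "INFO loaded configuration: /var/lib/rundeck/etc/framework.properties\n"
    "INFO framework.etc.dir=/var/lib/rundeck/etc\n"
)


def effective_etc_dir(log_text):
    """Return the last framework.etc.dir value reported in the log, or None."""
    found = re.findall(r"framework\.etc\.dir=(\S+)", log_text)
    return Path(found[-1].rstrip(",;")) if found else None


def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def stray_policies(edited_dir, effective_dir):
    """List *.aclpolicy files in edited_dir that differ from what is loaded."""
    edited_dir, effective_dir = Path(edited_dir), Path(effective_dir)
    if edited_dir.resolve() == effective_dir.resolve():
        return []  # same directory (possibly via symlink): nothing is stray
    report = []
    for policy in sorted(edited_dir.glob("*.aclpolicy")):
        live = effective_dir / policy.name
        if not live.is_file():
            report.append((policy.name, "missing from effective dir"))
        elif _digest(live) != _digest(policy):
            report.append((policy.name, "differs from effective copy"))
    return report


if __name__ == "__main__":
    etc = effective_etc_dir(SAMPLE_LOG)
    print("effective etc dir:", etc)
    for name, why in stray_policies("/etc/rundeck", etc):
        print(f"/etc/rundeck/{name}: {why}")
```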