Rundeck + Authentik (nginx auth_request) preauthenticated mode always falls back to login page – anyone actually have this working?
Andrew Brock
I’m trying to put Rundeck behind Authentik using nginx’s auth_request flow (header-based preauthentication) and I cannot get Rundeck to honor REMOTE_USER no matter what I do. I’m looking for someone who has this working in production because at this point I feel like I’m chasing ghosts.
Architecture:
Authentik outpost → nginx (auth_request) → Rundeck (Jetty/WAR on localhost:4440)
Flow is:
User hits webpage for rundeck
nginx calls /auth (auth_request) against Authentik outpost
Authentik authenticates and returns headers
nginx forwards headers to Rundeck
Rundeck should auto-login using preauthenticated mode
But instead, I always land on the Rundeck login page. It doesn't get me in using Authentik...
What I expect:
After Authentik login, Rundeck should auto-login using REMOTE_USER and never show its own login screen.
What actually happens:
• Authentik login works
• nginx redirects correctly
• Rundeck loads
• but I always see the Rundeck login page
• local admin login doesn’t even work sometimes
• logs show “Preauthentication is disabled” even though it’s explicitly enabled
• occasionally nginx returns 502 during restarts
• behavior is inconsistent across restarts
So Rundeck appears to ignore preauthentication entirely and silently falls back to JAAS.
My nginx config (core part):
location / {
auth_request /auth;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; proxy_set_header REMOTE_USER $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_pass http://127.0.0.1:4440;
}
location = /auth {
internal;
proxy_pass http://AUTHENTIK_OUTPOST/outpost.goauthentik.io/auth/nginx;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
rundeck-config.properties:
rundeck.security.authentication=preauthenticated
rundeck.security.authentication.preauthenticated.enabled=true
rundeck.security.authentication.preauthenticated.attributeName=REMOTE_USER
rundeck.security.authorization.preauthenticated.enabled=true
rundeck.security.authorization.preauthenticated.attributeName=X-authentik-groups
rundeck.security.authorization.preauthenticated.delimiter=,
server.useForwardHeaders=true
grails.serverURL=https://myurl.com
dataSource.driverClassName=org.postgresql.Driver
dataSource.url=jdbc:postgresql://localhost:5432/rundeck
dataSource.username=rundeck
dataSource.password=provided via env var
rundeck.projectsStorageType=db
systemd service:
ExecStart=/usr/bin/java
-Xms512m -Xmx2048m
-Drundeck.server.http.port=4440
-Drdeck.base=/var/lib/rundeck
-Dserver.useForwardHeaders=true
-jar /var/lib/rundeck/bootstrap/rundeck-5.18.0.war
Things I have already verified:
• Rundeck responds on 127.0.0.1:4440
• nginx proxy works
• Authentik outpost works
• headers are passed by nginx
• PostgreSQL works
• no H2
• correct grails.serverURL
• correct rdeck.base
• DB password loads
• systemd environment works
• curl to backend works
• no SELinux
• no firewall issues
Yet logs still show:
"Using jaas authentication"
"Preauthentication is disabled"
Which contradicts the config.
Versions:
Rundeck 5.18 (WAR)
Authentik latest
nginx 1.20
PostgreSQL backend
systemd launch
