SSO login does not work with Authentik

Hi all,

OIDC integration with Authentik fails after successful login. Authentication completes and the redirect works, but the session cannot be established. The Everest API server logs the following error repeatedly:

{"level":"error","T":"2026-03-03T10:55:42Z","logger":"everest","caller":"session/manager.go:215","msg":"failed to shorten token: could not extract jti"}

IdP Configuration

  • Authentik (latest)

  • OAuth2/OIDC provider configured with PKCE

  • Signing key assigned (RSA)

  • Scopes: openid, email, profile

  • Redirect URI set correctly (<EVEREST_URL>/login-callback)

Login itself succeeds — the user authenticates against Authentik and is redirected back to Everest — so client ID, issuer URL, and redirect URIs are all correct.

Root Cause

Everest’s session manager (session/manager.go:215) attempts to parse the access token as a JWT and extract the jti claim. Authentik issues opaque (random string) access tokens for the authorization code flow, not JWTs. Only the id_token is a signed JWT. This is compliant with the OIDC spec — the spec does not require access tokens to be JWTs.

Authentik has no setting to switch access tokens to JWT format for authorization code grants. This means Everest’s OIDC integration is currently incompatible with Authentik (and likely any other IdP that issues opaque access tokens).

Expected Behaviour

Everest should either:

  1. Use the id_token (which is always a JWT per the OIDC spec) for session identity and jti extraction, or

  2. Support opaque access tokens via the IdP’s token introspection endpoint (/application/o/introspect/), or

  3. Document that the IdP must issue JWT access tokens as a requirement for OIDC integration.

Steps to Reproduce

  1. Install OpenEverest 1.13.0

  2. Configure an Authentik OAuth2/OIDC provider per the SSO docs

  3. Run everestctl settings oidc configure --issuer-url=<url> --client-id=<id>

  4. Attempt to log in via SSO

  5. Observe successful redirect but failed session creation in logs
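
The fallback proposed in option 1 above, as an added Go example that is not part of the original post and is not Everest's code: it separates an opaque token from a JWT that lacks a jti, and takes the jti from the id_token only in the opaque case. The names sessionID, extractJTI and fakeJWT and the sample tokens are constructed for illustration, and signature verification is assumed to have happened before this step.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrOpaque marks a token that is not a compact JWT (e.g. a random string).
var ErrOpaque = errors.New("token is opaque, not a JWT")

// extractJTI reads jti from a JWT payload. It does NOT verify the signature.
func extractJTI(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", ErrOpaque
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct {
		JTI string `json:"jti"`
	}
	if err != nil || json.Unmarshal(raw, &claims) != nil {
		return "", ErrOpaque
	}
	if claims.JTI == "" {
		return "", errors.New("JWT carries no jti claim")
	}
	return claims.JTI, nil
}

// sessionID (hypothetical helper) uses the access token's jti and falls back
// to the id_token only when the access token is opaque.
func sessionID(accessToken, idToken string) (id, source string, err error) {
	if id, err = extractJTI(accessToken); !errors.Is(err, ErrOpaque) {
		return id, "access_token", err
	}
	id, err = extractJTI(idToken)
	return id, "id_token", err
}

// fakeJWT builds a constructed, unsigned sample token for the demo.
func fakeJWT(payload string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(payload)) + ".sig"
}

func main() {
	fmt.Println(sessionID("constructedOpaqueToken", fakeJWT(`{"jti":"abc-123"}`)))
}
```

A JWT access token without a jti is reported as an error rather than silently falling back, so the two failure modes stay distinguishable in logs.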

Hey @Stephen_Hoogendijk

I moved this to this GitHub issue: SSO login does not work with Authentik · Issue #1904 · openeverest/openeverest · GitHub

We are going to look into it and respond there.