Infinite loop with Authentik OpenID Connect

This happens when your IdP presents self-signed certificates and you didn’t define pemtrustedcas_filepath in config.yml.

Also, pemtrustedcas_filepath requires a CA that was used to sign your IdP’s certificate.
However, instead, you can provide a final certificate of the service.

The certificate that the security plugin refers to is the one configured at the HTTPS endpoint of the IdP. You can check that by running the below command.

openssl s_client -connect <Authentik_FQDN>:443
1 Like

You’ve done it my friend!

(also there was a typo https// instead of https://)

I copied the certificate from openssl and pasted it in there, ran and now it’s all good! Amazing!


Just for people that stumble on this thread. If you’re using letsencrypt you need to use the fullchain cert:

openssl s_client -connect -servername -showcerts </dev/null > fullchain.pem

Hey what does mean here ? Is it your IDP’s server or your opensearch’s server URL ?