Problem: HTTP 400/401 when creating or restoring a project respectively

[chkpwd]

Issue

I've created a new instance of Semaphore with oidc (authentik) setup. Disabled password authentication. Upon logon, I'm not able to create a new Project nor restore from a backup.

Warning when creating new project:

time="2024-12-26T13:57:13-05:00" level=warning msg="chkpwd is not permitted to edit users"

Error when attempting restore:

Loading config
Validating config
BoltDB /var/lib/semaphore/database.boltdb
Tmp Path (projects home) /tmp/semaphore
Semaphore v2.11.2-0e9490c-1735214886
Interface 
Port :3000
Server is running

No additional python dependencies to install
Starting semaphore server
time="2024-12-26T13:57:03-05:00" level=error msg="websocket: close sent" fields.level=Error
time="2024-12-26T13:57:03-05:00" level=error msg="close tcp 172.17.0.3:3000->172.16.16.11:49210: use of closed network connection" fields.level=Error
time="2024-12-26T13:58:26-05:00" level=error msg="unsupported kind interface"
time="2024-12-26T13:58:26-05:00" level=error msg="unsupported kind interface"
goroutine 6 [running]:
runtime/debug.Stack()
        /usr/local/go/src/runtime/debug/stack.go:24 +0x64
runtime/debug.PrintStack()
        /usr/local/go/src/runtime/debug/stack.go:16 +0x1c
github.com/semaphoreui/semaphore/api/helpers.WriteError({0x15ef140, 0x40001e4ee0}, {0x15e97e0, 0x4000097eb0})
        /go/src/semaphore/api/helpers/helpers.go:122 +0x20c
github.com/semaphoreui/semaphore/api/projects.Restore({0x15ef140, 0x40001e4ee0}, 0x40001af440)
        /go/src/semaphore/api/projects/backup_restore.go:54 +0x1e0
net/http.HandlerFunc.ServeHTTP(0x15ef140?, {0x15ef140?, 0x40001e4ee0?}, 0xc500000000000000?)
        /usr/local/go/src/net/http/server.go:2166 +0x38
github.com/semaphoreui/semaphore/api.authentication.func1({0x15ef140, 0x40001e4ee0}, 0x40001af440)
        /go/src/semaphore/api/auth.go:102 +0x58
net/http.HandlerFunc.ServeHTTP(0x7a1880?, {0x15ef140?, 0x40001e4ee0?}, 0xc?)
        /usr/local/go/src/net/http/server.go:2166 +0x38
github.com/semaphoreui/semaphore/api.JSONMiddleware.func1({0x15ef140, 0x40001e4ee0}, 0x40001af440)
        /go/src/semaphore/api/router.go:45 +0xf0
net/http.HandlerFunc.ServeHTTP(0x0?, {0x15ef140?, 0x40001e4ee0?}, 0x0?)
        /usr/local/go/src/net/http/server.go:2166 +0x38
github.com/semaphoreui/semaphore/api.StoreMiddleware.func1.1()
        /go/src/semaphore/api/router.go:36 +0x34
github.com/semaphoreui/semaphore/db.StoreSession({0x15fed68, 0x400015b808}, {0x40002e5f40, 0xc}, 0x40004f3780)
        /go/src/semaphore/db/Store.go:562 +0x60
github.com/semaphoreui/semaphore/api.StoreMiddleware.func1({0x15ef140, 0x40001e4ee0}, 0x40001af440)
        /go/src/semaphore/api/router.go:35 +0x10c
net/http.HandlerFunc.ServeHTTP(0x40001af440?, {0x15ef140?, 0x40001e4ee0?}, 0x7bbac0?)
        /usr/local/go/src/net/http/server.go:2166 +0x38
github.com/semaphoreui/semaphore/cli/cmd.runService.func1.1({0x15ef140, 0x40001e4ee0}, 0x40001af440)
        /go/src/semaphore/cli/cmd/root.go:93 +0xe4
net/http.HandlerFunc.ServeHTTP(0x0?, {0x15ef140?, 0x40001e4ee0?}, 0x555900?)
        /usr/local/go/src/net/http/server.go:2166 +0x38
github.com/semaphoreui/semaphore/api.Route.CORSMethodMiddleware.func1.1({0x15ef140, 0x40001e4ee0}, 0x40001af440)
        /go/src/semaphore/vendor/github.com/gorilla/mux/middleware.go:51 +0x7c
net/http.HandlerFunc.ServeHTTP(0x40001af320?, {0x15ef140?, 0x40001e4ee0?}, 0x25210?)
        /usr/local/go/src/net/http/server.go:2166 +0x38
github.com/gorilla/mux.(*Router).ServeHTTP(0x40000eed80, {0x15ef140, 0x40001e4ee0}, 0x40001af200)
        /go/src/semaphore/vendor/github.com/gorilla/mux/mux.go:212 +0x194
github.com/semaphoreui/semaphore/cli/cmd.runService.ProxyHeaders.func2({0x15ef140, 0x40001e4ee0}, 0x40001af200)
        /go/src/semaphore/vendor/github.com/gorilla/handlers/proxy_headers.go:59 +0x130
net/http.HandlerFunc.ServeHTTP(0x40000c4f35?, {0x15ef140?, 0x40001e4ee0?}, 0x7f609cc7c8?)
        /usr/local/go/src/net/http/server.go:2166 +0x38
github.com/semaphoreui/semaphore/cli/cmd.runService.cropTrailingSlashMiddleware.func3({0x15ef140, 0x40001e4ee0}, 0x40001af200)
        /go/src/semaphore/cli/cmd/server.go:27 +0xc4
net/http.HandlerFunc.ServeHTTP(0x10?, {0x15ef140?, 0x40001e4ee0?}, 0x40001e4ee0?)
        /usr/local/go/src/net/http/server.go:2166 +0x38
net/http.serverHandler.ServeHTTP({0x15ecbc8?}, {0x15ef140?, 0x40001e4ee0?}, 0x6?)
        /usr/local/go/src/net/http/server.go:3137 +0xbc
net/http.(*conn).serve(0x40000ca480, {0x15f1038, 0x400019e390})
        /usr/local/go/src/net/http/server.go:2039 +0x508
created by net/http.(*Server).Serve in goroutine 1
        /usr/local/go/src/net/http/server.go:3285 +0x3f0

I'm suspecting the user being created via oidc is not an admin.

Impact

Web-Frontend (what users interact with), Semaphore Project

Installation method

Docker

Database

BoltDB

Browser

Firefox

Semaphore Version

v2.11.2

Ansible Version

No response

Logs & errors

Manual installation - system information

No response

Configuration

---

semaphore_container:

• name: semaphore
  image: semaphoreui/semaphore:v2.11.2
  user: 1001:1001
  env:
  SEMAPHORE_DB_DIALECT: bolt
  SEMAPHORE_ADMIN: &name chkpwd
  SEMAPHORE_ADMIN_NAME: *name
  SEMAPHORE_ACCESS_KEY_ENCRYPTION: "{{ lookup('bws_cache', 'infra-semaphore-secrets').value.access_key_encryption }}"
  SEMAPHORE_PASSWORD_LOGIN_DISABLED: "true"
  SEMAPHORE_WEB_ROOT: https://semaphore.chkpwd.com
  ANSIBLE_HOST_KEY_CHECKING: "False"
  TZ: "{{ timezone }}"
  volumes:
  • "{{ configuration_path }}/semaphore/db:/var/lib/semaphore"
  • "{{ configuration_path }}/semaphore/config:/etc/semaphore"
  • "{{ configuration_path }}/semaphore/tmp:/tmp/semaphore"
    ports: [3005:3000]

semaphore_oidc_config:
oidc_providers:
authentik:
display_name: "Sign in with SSO"
provider_url: "https://authentik.chkpwd.com/application/o/semaphore-ui/"
client_id: "semaphore"
client_secret: "{{ lookup('bws_cache', 'infra-semaphore-secrets').value.oauth_client_secret }}"
redirect_url: "https://semaphore.chkpwd.com/api/auth/oidc/authentik/redirect"
scopes:
- "email"
- "openid"
- "profile"
username_claim: "preferred_username"
name_claim: "preferred_username"

Additional information

Deployed using ansible.