Authentik Doesn't Provide a Sign-Up Page?

I spent the entire afternoon setting up Authentik with Grist. For now it’s at least working. But I still find it a bit weird that your Authentik account and Grist account are the same thing. You login as A into Authentik and you can login as A into Grist. You must log out of Authentik to switch accounts. IDK if it’s by design or something is wrong with my setup.

One thing is for sure broken though. I cannot sign up or add new user. When I click the ‘sign up’ button I will just be redirected to the sign in page, as if I already have an account. I had to manually add an account via Authentik, and then log into Grist. Is this the way it should be?

Also there’s no add site option since I implemented Authentik.

Sorry for the deluge of questions, but SSO for Grist really is barely documented.

Can someone help please :sob:

We have what we have.
Authentik and Grist credentials are matched by Email.
You need to create an Authentik account separately.
To log out you need to log out in Authentik.
Have you tried container omnibus?

Yes I have tried omnibus. The problem is I can’t get it to run.

Here’s my docker run command:

docker run   -p 808:80 -p 4438:443   -e URL=   -e HTTPS=auto   -e TEAM=cool-beans   -e   -e PASSWORD=topsecret   -v /tmp/grist-test:/persist   --name grist --rm   -it gristlabs/grist-omnibus

And I’m seeing these errors immediately on running:

2023/08/17 01:29:39 Starting up on port 17102
INFO[0000] Configuration loaded from flags.
No /custom/dex.yaml
Checking dex... at
  not ready: FetchError: request to failed, reason: Client network socket disconnected before secure TLS connection was established
time="2023-08-17T01:29:39Z" level=info msg="Dex Version: v2.33.1-dirty, Go Version: go1.18.4, Go OS/ARCH: linux amd64"
time="2023-08-17T01:29:39Z" level=info msg="config using log level: debug"
time="2023-08-17T01:29:39Z" level=info msg="config issuer:"
time="2023-08-17T01:29:39Z" level=info msg="config storage: sqlite3"
time="2023-08-17T01:29:39Z" level=info msg="config static client: Grist"
time="2023-08-17T01:29:39Z" level=info msg="config connector: google"
time="2023-08-17T01:29:39Z" level=info msg="config connector: microsoft"
time="2023-08-17T01:29:39Z" level=info msg="config connector: local passwords enabled"
time="2023-08-17T01:29:39Z" level=info msg="config skipping approval screen"
time="2023-08-17T01:29:39Z" level=info msg="config refresh tokens rotation enabled: true"
Checking dex... at
  not ready: FetchError: request to failed, reason: Client network socket disconnected before secure TLS connection was established
time="2023-08-17T01:29:39Z" level=info msg="listening (http) on"
Checking dex... at
  got: 404
Checking dex... at
  got: 404
Checking dex... at
  got: 200
Happy with dex
Starting traefik-forward-auth
time="2023-08-17T01:29:39Z" level=fatal msg="Get x509: cannot validate certificate for because it doesn't contain any IP SANs"
Welcome to Grist.
In quiet mode, see http://localhost:17100 to use.
For full logs, re-run with DEBUG=1
I think everything has started up now
Listening internally on 80/443, externally at
ERRO[2023-08-17T01:29:40Z] Unable to obtain ACME certificate for domains "": unable to generate a certificate for the domains []: acme: error: 400 :: POST :: :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "": The ACME server can not issue a certificate for an IP address  routerName=https-route-grist-auth@file providerName=letsencrypt.acme ACME CA="" rule="Host(``) && PathPrefix(`/_oauth`)"

Then when I tried to open, I got redirected to, but got an HTTP ERR 500. Logs were as follows:

2023-08-17 01:30:17.414 - debug: Auth[GET]: / customHostSession=, method=GET, host=, path=/, org=cool-beans,, userId=1, altSessionId=q9DR1AifQuyLuxcC5KFE6G
2023-08-17 01:30:17.415 - debug: Authorizer: redirecting to sign up

Also tried using docker compose to run it, but the results were even worse. Dex won’t even connect to the exposed HTTPS port.

To use HTTPS, you need an actual publicly accessible hostname. If you remove -e HTTPS=auto, to run with plain HTTP (if it’s on an internal network only), then it should work with just an IP address.

However, grist-omnibus does not actually allow sign-ups. It uses Dex, which makes it easy to integrate with other identity providers (like Google or Microsoft), but doesn’t provide user registration (it used to, but that got removed). So if you want to use it without connecting to any external service, it’ll work only for users you hard-code using EMAIL, PASSWORD, EMAIL2, PASSWORD2, etc. environment variables.

I tried removing -e HTTPS=auto and got this error:

Error: HTTPS environment variable must be set to: auto, external, or manual.
    at prepareCertificateSettings (/grist/run.js:329:13)
    at main (/grist/run.js:20:3)
    at Object.<anonymous> (/grist/run.js:45:1)
    at Module._compile (internal/modules/cjs/loader.js:1114:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1143:10)
    at Module.load (internal/modules/cjs/loader.js:979:32)
    at Function.Module._load (internal/modules/cjs/loader.js:819:12)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:75:12)
    at internal/main/run_main_module.js:17:47

Also change URL= to URL= (i.e. httpshttp, and use the non-https port)