Authentik (outpost) used with Forward Auth of traefik -- surpress/handle additions to redirected url?

[dierochade]

I run Authentik and use it with Traefik as forward auth for an external application (Technitium) on a single subdomain to handle authentication with Authentik.

This works in principle (or seems to?), as the flow proceeds as expected: when I access the subdomain, I am redirected to Authentik for authentication and consent. However, after successful authentication, I am not redirected back to the external host as declared in the configuration (https://192.168.100.108:53443) but instead to:

https://192.168.100.108:53443/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=0d1142efac11410ab526ca12566c0748&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb2F1dGhlbnRpay5pby9vdXRwb3N0L2Z2eDIxR2h6R2tWQURMNzdNUkhaNFpnSE9sQ28wYWJRTXNsdkg1NHIiLCJzaWQiOiJaSUFMVEI1WUZNSktTS1pRS01BNUNKVzNYWklMRFNNUUFDQUxWREpJTVNWUFdOTDZQWlVBIiwic3RhdGUiOiJuX0lsWUtRNndqUUhHNzRQb0ljbkg0MTh1Z09RVUt2cTl5TXQyWEFoU09FIiwicmVkaXJlY3QiOiJodHRwczovL3RlY2huaXRpdW0uemVlYjI0LmRlLyJ9.idHimAoeKOqbTvy5S-WskUXzeV5CbA2UKu4QDZvjzEc

I learned that the path is is the standard callback url and the query parameters are ids/tokens etc for the authentication flow, but how can i set these, cause the relevant path is just https://192.168.100.108:53443/ and should be called as simple as that as the server cant handle the path. Therefore I get an error 500.

In the "Advanced protocol settings" of the provider, there are some fields for "additional" scopes, but i cannot deselect all of them and do not include 'state' or 'code' parameters in the first place.

I tried to use a some middleware in traefik (as seen in my config provided) to strip it (correct approach?) but this did not succeed.

This is the router and middleware config in traefik:

 http:
 
  # ROUTERS
  routers:
    technitium:
      rule: "Host(`technitium.mydomain.de`)"
      middlewares:
        - authentik
        #- replace-outpost-path # see below, didnt work, no effect
      priority: 10
      tls: {}
      service: technitium
 
    technitium-auth:
      rule: "Host(`technitium.mydomain.de`) && PathPrefix(`/outpost.goauthentik.io/`)"
      priority: 15
      tls: {}
      service: authentik-forward
 
  # SERVICES
  services:
 
    authentik-forward:
      loadBalancer:
        servers:
          #- url: "https://192.168.100.103:9443/outpost.goauthentik.io"
          - url: http://authentik-proxy:9000/outpost.goauthentik.io
 
    technitium:
      loadBalancer:
        servers:
          - url: https://192.168.100.108:53443
          #preservePath: true # didnt work, lead to 404
 
  # MIDDLEWARES
  middlewares:
 
    authentik: # for forward auth
      forwardAuth:
        address: "http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: false
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
 
    replace-outpost-path:
      replacePathRegex:
        regex: "^/outpost(.*)"
        replacement: "/"
 

Moreover this is the provider section in authentik: