500 upon authentik OAuth2/OpenID: login

[moan0s]

Description

I configured Authentik and Gitea as described in this manual. When trying to login via this OAuth-Flow I encounter a http 500 error and cannot log in via this flow. Reloading does not solve the problem (#5005).

The server log says:

oauth2: error decoding JWT token: jws: invalid token received, not all parts available

Callback that fails with 500: https://git.hyteck.de/user/oauth2/QZT%20Authentik/callback?code=c26c5f75c939524d98f5f67e3d58c6b6&state=08176cae-79d6-46a3-04c7-36670db77079 (not the real code or state).

I specifically configured
samesite: Lax as per #25542, same for GITEA__server__ROOT_URL=https://git.hyteck.de (I also tried including a backslash at the end)

I also set GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true

I'm looking for ways to debug this further. Feel free to ask for more information.

Gitea Version

1.22.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/moan0s/6e214403d9f1cd15265259455529b3fb

Screenshots

No response

Git Version

No response

Operating System

docker (running on ubuntu)

How are you running Gitea?

Gitea is run as docker container started by a systemd service as deployed by the mash-playbook, same for authentik.
Both run behind Traefik.

Database

PostgreSQL