Shows warning that user count exceeds license with three internal users on self hosted instance

[bjornsnoen]

Describe the bug
The dashboard has started showing a warning that "The current user count has exceeded the configured licenses". I'm self hosting and can find no documentation that there is a limit to the number of users I can have. I also find it unlikely that that limit would be <= 3.

To Reproduce
Log in as akadmin
Warning shows

Expected behavior
Dashboard with no warning should show

Screenshots

Logs
authentik.log

Version and Deployment (please complete the following information):

• authentik version: 2024.2.2
• Deployment: docker-compose

Additional context
Running on synology nas, error just popped up without any changes to configuration.
Docker compose definition:

  authentikserver:
    image: ghcr.io/goauthentik/server:2024.2.2
    restart: unless-stopped
    command: server
    healthcheck:
      disable: true
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.authentik.rule=Host(`authentik.${BASE_DOMAIN-home}`)"
      - "traefik.http.routers.authentik.entrypoints=web"
      - "traefik.http.routers.authentik.middlewares=redirectssl@docker"
      - "traefik.http.routers.authentiksecure.rule=Host(`authentik.${BASE_DOMAIN:-home}`)"
      - "traefik.http.routers.authentiksecure.entrypoints=websecure"
      ## Individual Application forwardAuth regex (catch any subdomain using individual application forwardAuth)
      - "traefik.http.routers.authentik-rtr-outpost.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.${BASE_DOMAIN:-home}`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.routers.authentik-rtr-outpost.entrypoints=websecure"
      ## HTTP Services
      - "traefik.http.routers.authentiksecure.service=authentik-svc"
      - "traefik.http.routers.authentik-rtr-outpost.service=authentik-svc"
      - "traefik.http.services.authentik-svc.loadbalancer.server.port=9000"

  authentikworker:
    image: ghcr.io/goauthentik/server:2024.2.2
    restart: unless-stopped
    command: worker
    healthcheck:
      disable: true
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis

[bjornsnoen]

Quick update: The warning has gone away. I still have not changed anything.

[DavidFuchs]

I've been running Authentik a few months now, and I'm getting this error. I couldn't log in to the admin interface without generating a recovery token. I've only got 3 users (akadmin, an outpost user, and my user). Not sure what I need to change.

I'm running it with docker-compose. The image I'm using is as follows - perhaps this is an enterprise image? I couldn't find any reference to a different image for open source users:

image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}

[BeryJu]

@DavidFuchs could you run ak shell in either worker or server container and paste this snippet line-by-line?

from django.core.cache import cache
from authentik.enterprise.license import LicenseKey, CACHE_KEY_ENTERPRISE_LICENSE
from authentik.enterprise.models import License
print(LicenseKey.get_total().summary())
print(cache.get(CACHE_KEY_ENTERPRISE_LICENSE))
print(License.objects.all().count())

[DavidFuchs]

Absolutely, here are the results:

### authentik shell (2024.2.2)
### Node 8d907888cc9a | Arch x86_64 | Python 3.12.2
>>> from django.core.cache import cache
>>> from authentik.enterprise.license import LicenseKey, CACHE_KEY_ENTERPRISE_LICENSE
>>> from authentik.enterprise.models import License
>>> print(LicenseKey.get_total().summary())
LicenseSummary(internal_users=0, external_users=0, valid=False, show_admin_warning=False, show_user_warning=False, read_only=False, latest_valid=datetime.datetime(1970, 1, 1, 0, 0), has_license=False)
>>> print(cache.get(CACHE_KEY_ENTERPRISE_LICENSE))
{'internal_users': 0, 'external_users': 0, 'valid': False, 'show_admin_warning': False, 'show_user_warning': False, 'read_only': False, 'latest_valid': datetime.datetime(1970, 1, 1, 0, 0), 'has_license': False}
>>> print(License.objects.all().count())
0

[DavidFuchs]

Well hold on, now the error is gone. And I'm able to log in again.

/confused

[thefeli73]

@BeryJu I have the same issue except my warning banner is red. I cant create applications.
This is my output for the commands you mentioned, still cant do anything:

>>> from django.core.cache import cache
>>> from authentik.enterprise.license import LicenseKey, CACHE_KEY_ENTERPRISE_LICENSE
>>> from authentik.enterprise.models import License
>>> print(LicenseKey.get_total().summary())
LicenseSummary(internal_users=0, external_users=0, valid=False, show_admin_warning=True, show_user_warning=True, read_only=True, latest_valid=datetime.datetime(1970, 1, 1, 0, 0), has_license=False)
>>> print(cache.get(CACHE_KEY_ENTERPRISE_LICENSE))
{'internal_users': 0, 'external_users': 0, 'valid': False, 'show_admin_warning': True, 'show_user_warning': True, 'read_only': True, 'latest_valid': datetime.datetime(1970, 1, 1, 0, 0), 'has_license': False}
>>> print(License.objects.all().count())
0

I read somewhere that having multiple Brands is an enterprise feature, i have created my own Brand and deleted the Default Brand, could that be the issue? if so, how do i fix it?

[BeryJu]

@thefeli73 having multiple brands is not an enterprise feature; which version are you running? There was a bug with this in 2024.2.1 so make sure you're on 2024.2.2

[thefeli73]

@BeryJu That was indeed the issue! Thank you!

[Nicoautoxp]

i'm having the same issue and i just updated to 2024.2.2.
i'm also on a self hosed instance with only 1 user + the outpost user.

### authentik shell (2024.2.2)
### Node 144388ef124b | Arch x86_64 | Python 3.12.2
>>> from django.core.cache import cache
>>> from authentik.enterprise.license import LicenseKey, CACHE_KEY_ENTERPRISE_LICENSE
>>> from authentik.enterprise.models import License
>>> print(LicenseKey.get_total().summary())
LicenseSummary(internal_users=0, external_users=0, valid=False, show_admin_warning=False, show_user_warning=False, read_only=False, latest_valid=datetime.datetime(1970, 1, 1, 0, 0), has_license=False)
>>> print(cache.get(CACHE_KEY_ENTERPRISE_LICENSE))
{'internal_users': 0, 'external_users': 0, 'valid': False, 'show_admin_warning': True, 'show_user_warning': True, 'read_only': True, 'latest_valid': datetime.datetime(1970, 1, 1, 0, 0), 'has_license': False}
>>> print(License.objects.all().count())
0

any idea how i could fix it? i'm also not able to login

[Nicoautoxp]

i'm having the same issue and i just updated to 2024.2.2. i'm also on a self hosed instance with only 1 user + the outpost user.

### authentik shell (2024.2.2)
### Node 144388ef124b | Arch x86_64 | Python 3.12.2
>>> from django.core.cache import cache
>>> from authentik.enterprise.license import LicenseKey, CACHE_KEY_ENTERPRISE_LICENSE
>>> from authentik.enterprise.models import License
>>> print(LicenseKey.get_total().summary())
LicenseSummary(internal_users=0, external_users=0, valid=False, show_admin_warning=False, show_user_warning=False, read_only=False, latest_valid=datetime.datetime(1970, 1, 1, 0, 0), has_license=False)
>>> print(cache.get(CACHE_KEY_ENTERPRISE_LICENSE))
{'internal_users': 0, 'external_users': 0, 'valid': False, 'show_admin_warning': True, 'show_user_warning': True, 'read_only': True, 'latest_valid': datetime.datetime(1970, 1, 1, 0, 0), 'has_license': False}
>>> print(License.objects.all().count())
0

any idea how i could fix it? i'm also not able to login

I redeployed the docker containers and this solved my issue. No idea what was the problem.

[pratclot]

The same issue for me, worked for a ~month and now this. Updated from 2024.2.0-rc1 to 2024.2.2, still the same. Judging by the reports above it may start working tomorrow? lol

[DenVilk]

What can I do, to fix same problem?

[DenVilk]

@DavidFuchs

Well hold on, now the error is gone. And I'm able to log in again.

/confused

What did you do to fix it?

[max-critcrew]

We have the exact same issue. It predicted 100+ users when we had 5 users. Then yesterday it predicted "0 users". Now we can't log in any more.

[DenVilk]

Now fixed for us. We updated authentik to the last version.

[max-critcrew]

It works again for me.
The solution for us was this:

1. Update Worker + Server to 2024.2.2
2. Optional probably (?): We also added this to the .env

AUTHENTIK_TENANTS__ENABLED: false

3. Do as said here (see above):

@DavidFuchs could you run ak shell in either worker or server container and paste this snippet line-by-line?

from django.core.cache import cache
from authentik.enterprise.license import LicenseKey, CACHE_KEY_ENTERPRISE_LICENSE
from authentik.enterprise.models import License
print(LicenseKey.get_total().summary())
print(cache.get(CACHE_KEY_ENTERPRISE_LICENSE))
print(License.objects.all().count())

4. After this restart all of Authentik's containers
5. You can now log in again :)

My guess is that the logging of the license refreshes some kind of cache in the background and/or triggers something internally to fix itself. The update to the latest version alone + restart didn't fix it. Only after doing the logging + another restart fixed it.

[Krishnacore]

We have the same issue. However, neither updating the version nor adding AUTHENTIK_TENANTS__ENABLED: false changed anything

[max-critcrew]

@Krishnacore Did you do the exact sequence of things I posted? Including restarting everything a couple times? :)

[clavery]

I also had this problem even after updating to 2024.2.2 and doing all steps above. I assumed my instance was in a bad state so in the shell I took a guess and set the warnings and read only back to false in the cache key with these additional commands to the ones above.

import datetime
cache.set(CACHE_KEY_ENTERPRISE_LICENSE, {'internal_users': 0, 'external_users': 0, 'valid': False, 'show_admin_warning': False, 'show_user_warning': False, 'read_only': False, 'latest_valid': datetime.datetime(1970, 1, 1, 0, 0), 'has_license': False})

That seemed to fix it and my normal user could log in again. Restarting the containers and the error remains gone.

[Immovality]

I also had this problem even after updating to 2024.2.2 and doing all steps above. I assumed my instance was in a bad state so in the shell I took a guess and set the warnings and read only back to false in the cache key with these additional commands to the ones above.

import datetime
cache.set(CACHE_KEY_ENTERPRISE_LICENSE, {'internal_users': 0, 'external_users': 0, 'valid': False, 'show_admin_warning': False, 'show_user_warning': False, 'read_only': False, 'latest_valid': datetime.datetime(1970, 1, 1, 0, 0), 'has_license': False})

That seemed to fix it and my normal user could log in again. Restarting the containers and the error remains gone.

Thanks for this, the above method was also not working for me either, but your solution resolved the issue.

[BeryJu]

setting AUTHENTIK_TENANTS__ENABLED: false is not required as the default value is already false.

The issue was caused by a bug in 2024.2.1 which was fixed in 2024.2.2, but incorrect values could be cached and thus the warning banner/read only mode would wrongly be enabled.

The workaround is to remove the faulty cache item (cache.delete(CACHE_KEY_ENTERPRISE_LICENSE))

[geiger-to]

I also ran into this issue which prevented me from accessing my self-hosted authentik instance containing only two users. Any attempt to login raised a denied_license error (just like the one in this reddit thread). I noticed the banner message warning that I exceeded the user count a few weeks ago but didn't have time to look into it then.

@BeryJu's comment is the fix, but it's missing a couple of details. I'm sharing what I had to do for reference. I self-host authentik with docker-compose, so I first upgraded the image to the latest version, then I ran the following:

$ docker exec -it authentik-server-1 /bin/bash
$ ak shell
>>> from django.core.cache import cache
>>> from authentik.enterprise.license import CACHE_KEY_ENTERPRISE_LICENSE
>>> cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)

After this I restarted authentik and everything worked as expected. Since this is deleting a cache entry I doubt restarting is necessary but I did so before testing if simply deleting the cache entry worked. Either way I'm glad my authentik instance is back to working—I love this piece of software!