Can't connect to Wallabag instance that has auth on /, but exposes ^/api/ and ^/oauth/

[johnmaguire]

Hey all,

I use Authentik + Traefik to protect my internal services, typically willing to expose only API routes needed for mobile apps, browser extensions, etc. For Wallabag, that means that any traffic it receives will be redirected to my authentication provider before granting access unless the URL begins with /api/ or /oauth/.

With Authentik, this is done by setting unauthenticated paths in the proxy provider:

You can see that this works successfully for my Firefox Wallabagger add-on:

However, when I try to configure the mobile app the same way I get an error:

In my Traefik logs I can see that the app is trying to hit / first:

traefik-1  | 2025-09-04T14:51:32Z DBG github.com/traefik/traefik/v3/pkg/middlewares/auth/forward.go:223 > Remote error http://authentik-server:9000/outpost.goauthentik.io/auth/traefik. StatusCode: 302 middlewareName=authentik-authorization-passthru@docker middlewareType=ForwardAuth
traefik-1  | 172.58.120.38 - - [04/Sep/2025:14:51:32 +0000] "GET / HTTP/2.0" 302 583 "-" "-" 9862 "wallabag@docker" "-" 2ms
traefik-1  | 2025-09-04T14:51:32Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:213 > Service selected by WRR: http://192.168.16.13:9000

But this should not be necessary for OAuth login!

[johnmaguire]

It seems I was able to workaround this issue by temporarily disabling authentication on Wallabag ^/, testing the connection, and then re-enabling authentication except for ^/api and ^/oauth