Rackula does not redirect to OIDC provider when unauthorized

[BRShadow19]

Hello,

I have been trying to set up OIDC authentication with Authentik on a persistent instance of Rackula. I believe I have set the proper environment variables for Rackula, but whenever I try to access the app it simply says "Unauthorized" and never tries to sign me in with Authentik.

Upon being unauthorized, I would expect Rackula to either show a button to log in with OIDC or automatically redirect to my configured provider to obtain an access token. Perhaps I am doing something wrong with my config? Below is my docker-compose.yml with relevant variables redacted/changed for security:

services:
  rackula:
    image: ghcr.io/rackulalives/rackula:persist
    container_name: rackula
    ports:
      - "${RACKULA_PORT:-8080}:${RACKULA_LISTEN_PORT:-8080}"
    environment:
      - API_HOST=rackula-api
      - API_PORT=${RACKULA_API_PORT:-3001}
      - RACKULA_LISTEN_PORT=${RACKULA_LISTEN_PORT:-8080}
      # Optional: token forwarded to API for PUT/DELETE route auth
      - API_WRITE_TOKEN=${RACKULA_API_WRITE_TOKEN:-}
      - RACKULA_AUTH_MODE=oidc
      - RACKULA_BASE_URL=https://rackula.company.com
    restart: unless-stopped
    stop_grace_period: 10s
    depends_on:
      rackula-api:
        condition: service_healthy

    deploy:
      resources:
        limits:
          cpus: "0.50"
          memory: 128M
        reservations:
          cpus: "0.10"
          memory: 16M

    # Security hardening (optional but recommended)
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /var/cache/nginx:size=10M
      - /var/run:size=1M
      - /tmp:size=5M
      - /etc/nginx/conf.d:size=1M,uid=101,gid=101

    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

  rackula-api:
    image: ghcr.io/rackulalives/rackula-api:latest
    container_name: rackula-api
    restart: unless-stopped
    stop_grace_period: 10s
    volumes:
      - ./data:/data
    environment:
      - DATA_DIR=/data
      - RACKULA_API_PORT=${RACKULA_API_PORT:-3001}
      - RACKULA_BASE_URL=https://rackula.company.com
      - CORS_ORIGIN=https://rackula.company.com
      # Auth mode model: none | oidc | local
      - RACKULA_AUTH_MODE=oidc
      # Required when auth mode is enabled (oidc/local)
      # API startup validation fails fast if this is missing/short (minimum 32 chars).
      - RACKULA_AUTH_SESSION_SECRET=LONG_SECRET_HERE
      # OIDC configuration
      - RACKULA_OIDC_ISSUER=https://auth.company.com/application/o/rackula/
      - RACKULA_OIDC_CLIENT_ID=CLIENT_ID_HERE
      - RACKULA_OIDC_CLIENT_SECRET=OIDC_SECRET_HERE
      - RACKULA_OIDC_REDIRECT_URI=https://rackula.company.com/auth/callback

      # Explicit insecure fallback (use only for isolated/local testing)
      - ALLOW_INSECURE_CORS=${ALLOW_INSECURE_CORS:-false}
    deploy:
      resources:
        limits:
          cpus: "0.25"
          memory: 64M
        reservations:
          cpus: "0.05"
          memory: 16M

    # Security hardening
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /tmp:size=5M

    healthcheck:
      test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:${RACKULA_API_PORT:-3001}/health"]
      interval: 30s
      timeout: 10s
      start_period: 5s
      retries: 3

    logging:
      driver: json-file
      options:
        max-size: "5m"
        max-file: "2"

    expose:
      - "${RACKULA_API_PORT:-3001}"

I am also using Caddy as my reverse proxy with a TLS certificate rather than Nginx. Other applications that run behind Caddy do not have this issue, but perhaps there is some additional proxy configuration I need to add in order to use Caddy with Rackula?

Any advice or assistance is appreciated. I have otherwise been enjoying Rackula very much, it's a great tool!