OAuth2/OpenID discovery endpoint, Nextcloud omits to connect via HTTPS and uses port 80

You’ll need to use allow_local_remote_servers since Authentik is running on a local private subnet.

The port 80 in the DNS pinning error is perhaps a bit misleading. The LocalServerException used to not log the port. It’s not necessarily the actual port being used for the request.

(I was initially confused by your port being 80 as well, so that’s why I took a closer look at the code).

The way the DNS pinning works, it generates a list of potential port combinations that must be protected. That is generally { actual port + 80 + 443 }. The logged port is just the one that happens to be specified in the particular iteration of the foreach that the isLocalAddress() check returns true on.

Disclaimer: This is just my reading of the code. I’ve been meaning to get more familiar with the DNS pinning implementation.

If you want to confirm with certainty what discovery endpoint URL/scheme is being used, you can set your loglevel to 0 briefly and re-run the discovery. The URL should be logged.

P.S. I’ll fix the port logging now.
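To make the port point above concrete, here is an added illustration of that style of pinning check. It is example code written for this thread, not Nextcloud's own implementation: the host names, the fake resolver table and the iteration order of the protected ports are all constructed assumptions. It shows why the port in the error message (the port of the loop iteration that trips the local-address check) can differ from the port the request actually used, and how an allow-local flag like allow_local_remote_servers changes the outcome.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (not real hosts).
FAKE_DNS = {
    "authentik.lan": ["10.0.5.20"],        # private subnet, like a local Authentik
    "idp.example.net": ["93.184.216.34"],  # constructed public address
}

# Ports the check protects in addition to the request's own port.
ALWAYS_PROTECTED_PORTS = (80, 443)

# Explicit list of "local" ranges so the result does not depend on the
# Python version's notion of ipaddress.is_private.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def is_local_address(ip: str) -> bool:
    """True when the resolved address falls in a local/private range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def protected_ports(url: str):
    """Return (host, actual request port, ordered ports the check iterates).

    The sorted order is an assumption of this example; the real code may
    iterate differently, which is exactly why the logged port must not be
    read as the port of the request.
    """
    parts = urlsplit(url)
    actual = parts.port or (443 if parts.scheme == "https" else 80)
    ports = sorted({actual, *ALWAYS_PROTECTED_PORTS})
    return parts.hostname, actual, ports


def check_remote_url(url: str, allow_local_remote_servers: bool = False,
                     resolver=FAKE_DNS) -> dict:
    """Mimic a DNS-pinning check on an outbound discovery URL.

    Rejects a host that resolves to a local address unless the allow flag is
    set, and reports which (ip, port) iteration tripped the check, i.e. what
    an error message would log.
    """
    host, actual_port, ports = protected_ports(url)
    for ip in resolver.get(host, []):
        for port in ports:  # port is only the loop variable here
            if is_local_address(ip):
                return {
                    "allowed": allow_local_remote_servers,
                    "host": host, "ip": ip,
                    "actual_port": actual_port,
                    "logged_port": port,
                    "reason": ("allow_local_remote_servers set"
                               if allow_local_remote_servers
                               else "host resolves to a local address"),
                }
    return {"allowed": True, "host": host, "ip": None,
            "actual_port": actual_port, "logged_port": None,
            "reason": "public address"}


if __name__ == "__main__":
    disco = "https://authentik.lan/application/o/nextcloud/.well-known/openid-configuration"
    print(check_remote_url(disco))
    print(check_remote_url(disco, allow_local_remote_servers=True))
    print(check_remote_url("https://idp.example.net/.well-known/openid-configuration"))
```

With the constructed resolver, the HTTPS discovery URL for authentik.lan is rejected with logged_port 80 even though actual_port is 443, which is the confusing message from the thread; setting the allow flag returns allowed True for the same URL, while the public host passes without touching the local-address branch. If you want certainty about the real scheme and port, the loglevel 0 approach in the reply above remains the authoritative check.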