
Comments (12)

yanniszark avatar yanniszark commented on July 30, 2024

@Hmr-ramzi Based on the OIDC flow diagram: https://github.com/arrikto/oidc-authservice/blob/master/docs/media/oidc_authservice_sequence_diagram.svg

can you point at which part is failing?
I understand that:

  1. User hits AuthService
  2. AuthService redirects to Keycloak
  3. 404

Is that the case? What URL is AuthService redirecting to? Can you also provide the OIDC discovery doc? (/.well-known/openid-configuration)

from oidc-authservice.

Hmr-ramzi avatar Hmr-ramzi commented on July 30, 2024

@yanniszark Thanks for replying that promptly.

The flow is as follows:

  1. Entry point is the ingressgateway
  2. It gets redirected to authservice
  3. AuthService redirects to keycloak with address (http://keycloak-http.keycloak.svc/login/oidc?error=invalid_request&error_description=Invalid+scopes%3A+profile+email+groups+openid&state=MTU5OTIyNzMzNHxFd3dBRUVSell6SlhSRGhHTW5GT1praExOV0U9fMy3S_H_V1Ucv4yaAxkDmXYmmaor6CwvAUbwvKEuYuPX)

Discovery doc:

    {"issuer":"http://10.111.155.73/auth/realms/kubeflow","authorization_endpoint":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/auth","token_endpoint":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/token","introspection_endpoint":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/userinfo","end_session_endpoint":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/logout","jwks_uri":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/certs","check_session_iframe":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"http://10.111.155.73/auth/realms/kubeflow/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","microprofile-jwt","web-origins","roles","phone","address","email","profile","offline_access"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true}

Hmr-ramzi avatar Hmr-ramzi commented on July 30, 2024

@yanniszark This is a kind reminder about the inquiry, as this is currently a blocker on my side.

james-martinez avatar james-martinez commented on July 30, 2024

I'm having a similar issue with keycloak.

  1. Enter base url, response 302 redirect to keycloak
  2. Get to keycloak login page, response 200
  3. Post with login info, response 302 to callback url
  4. Get to callback url and receive authservice_session cookie, response 302 to original url.
  5. Get to url entered in step 1, but it doesn't send the cookie in the header, response 302 to keycloak.

The redirect loops and fails after 5 rounds, err too many redirects, and ends with a 403.

If the original url is requested the cookie is passed and all is good.

It's probably linked to #38 as my keycloak is an external instance.

james-martinez avatar james-martinez commented on July 30, 2024

I applied patch from #38 and the issue was resolved. Thanks

yanniszark avatar yanniszark commented on July 30, 2024

@Hmr-ramzi

I think I know what's going on. What you see here is the response from Keycloak:

  1. AuthService redirects to keycloak with address (http://keycloak-http.keycloak.svc/login/oidc?error=invalid_request&error_description=Invalid+scopes%3A+profile+email+groups+openid&state=MTU5OTIyNzMzNHxFd3dBRUVSell6SlhSRGhHTW5GT1praExOV0U9fMy3S_H_V1Ucv4yaAxkDmXYmmaor6CwvAUbwvKEuYuPX)

it says "Invalid scopes: profile email groups openid".

Indeed, it seems that Keycloak doesn't support the groups scope, as seen from the groups_supported section of the discovery doc. You can set the desired groups with the OIDC_SCOPES env var. In older versions like the one Kubeflow uses, setting OIDC_SCOPES="openid profile email" should do the trick.
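
The two checks the diagnosis above relies on, as an added example that is not part of this thread or of oidc-authservice: decoding the provider's error redirect and comparing the configured OIDC_SCOPES against the discovery document's scopes_supported. The discovery JSON and URLs are constructed samples modelled on the ones pasted in the thread (trimmed, hostnames and state replaced).

```python
"""Validate AuthService OIDC scope settings against a discovery document and
decode an OIDC error redirect.

Added example, not oidc-authservice code. Sample data below is constructed."""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed: trimmed discovery document in the shape Keycloak serves at
# <issuer>/.well-known/openid-configuration. Note 'groups' is absent.
DISCOVERY_DOC = json.dumps({
    "issuer": "http://keycloak.example/auth/realms/kubeflow",
    "authorization_endpoint": "http://keycloak.example/auth/realms/kubeflow"
                              "/protocol/openid-connect/auth",
    "scopes_supported": ["openid", "microprofile-jwt", "web-origins", "roles",
                         "phone", "address", "email", "profile", "offline_access"],
})

# Constructed redirect with the same parameters as the one quoted in the
# thread (state value shortened).
ERROR_REDIRECT = ("http://keycloak.example/login/oidc?error=invalid_request"
                  "&error_description=Invalid+scopes%3A+profile+email+groups+openid"
                  "&state=MTU5OTIyNzMzNHxFd3dB")


def unsupported_scopes(discovery_json: str, oidc_scopes: str) -> list:
    """Return the scopes in OIDC_SCOPES (space-separated) that the provider
    does not advertise in scopes_supported. Empty list means all are known."""
    doc = json.loads(discovery_json)
    supported = set(doc.get("scopes_supported", []))
    return [s for s in oidc_scopes.split() if s not in supported]


def decode_oidc_redirect(url: str) -> dict:
    """Extract the OIDC response parameters from a redirect URL.

    'error'/'error_description' mean the provider rejected the authorization
    request; 'code' means a successful response that the redirect_uri
    callback must exchange for tokens. parse_qs undoes the '+' and %XX
    encoding, so error_description is returned as readable text."""
    query = parse_qs(urlsplit(url).query)
    fields = {k: query[k][0]
              for k in ("error", "error_description", "state", "code") if k in query}
    if "error" in fields:
        fields["outcome"] = "error"
    elif "code" in fields:
        fields["outcome"] = "code"
    else:
        fields["outcome"] = "unknown"
    return fields
```

Running `unsupported_scopes` against a real discovery document before deploying AuthService catches the "Invalid scopes" rejection shown above without a browser round trip.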

yanniszark avatar yanniszark commented on July 30, 2024

@james-martinez did you resolve your issue?

james-martinez avatar james-martinez commented on July 30, 2024

> @james-martinez did you resolve your issue?

@yanniszark Yes I did, thanks! Thanks for adding the config option in 80bc219

yanniszark avatar yanniszark commented on July 30, 2024

@james-martinez that's great to hear :)
Closing...

Hmr-ramzi avatar Hmr-ramzi commented on July 30, 2024

@yanniszark Sorry, I was on vacation and just came back to work today. I am not sure why the discovery does not show "groups" as a valid supported group although I created it in the realm. I will make sure it is there, verify that the discovery has it, and then report if the issue is still there. Thanks for your help.

Hmr-ramzi avatar Hmr-ramzi commented on July 30, 2024

@yanniszark It looks like I posted the wrong logs, sorry. The issue still persists and I now have the 404 - not found error which I opened the issue for.

Kustomize configuration:

    - kustomizeConfig:
        overlays:
        - application
        parameters:
        - name: namespace
          value: istio-system
        - name: userid-header
          value: kubeflow-userid
        - name: oidc_provider
          value: http://keycloak-http.keycloak.svc:80/auth/realms/kubeflow
        - name: oidc_redirect_uri
          value: /login/oidc
        - name: client_id
          value: kubeflow
        repoRef:
          name: manifests
          path: istio/oidc-authservice
      name: oidc-authservice

Flow goes as follows:

  1. Entry point is the istio ingress gateway.
  2. It redirects to the authservice.
  3. The authservice redirects to keycloak (which asks me to log in with username and password).
  4. Once I give a valid username and password I don't get redirected to the central dashboard but instead to a 404 - not found page with URL (http://keycloak-http.keycloak.svc/login/oidc?state=MTYwMjU5MzI1M3xFd3dBRUVSell6SlhSRGhHTW5GT1praExOV0U9fPim4CovjsV8V1mYBraB2SRuETV4-D9TuHpkeiYyZyEn&session_state=e78c415e-5c7c-40c1-a733-fbe0e3cd060d&code=c0ac69ee-7fdf-4da6-8a66-d31746222cc2.e78c415e-5c7c-40c1-a733-fbe0e3cd060d.1a57a03e-7290-4237-acf5-5ea358ab4cf8)

Discovery Doc:

    {"issuer":"http://10.101.65.187/auth/realms/kubeflow","authorization_endpoint":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/auth","token_endpoint":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/token","introspection_endpoint":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/userinfo","end_session_endpoint":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/logout","jwks_uri":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/certs","check_session_iframe":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"http://10.101.65.187/auth/realms/kubeflow/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","groups","microprofile-jwt","web-origins","roles","phone","address","email","profile","offline_access"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true}

Hmr-ramzi avatar Hmr-ramzi commented on July 30, 2024

Can we please reopen?