Comments (12)
@Hmr-ramzi based on the OIDC flow diagram: https://github.com/arrikto/oidc-authservice/blob/master/docs/media/oidc_authservice_sequence_diagram.svg
can you point at which part is failing?
I understand that:
- User hits AuthService
- AuthService redirects to Keycloak
- 404
Is that the case? What URL is AuthService redirecting to? Can you also provide the OIDC discovery doc (/.well-known/openid-configuration)?
from oidc-authservice.
@yanniszark Thanks for replying that promptly.
Flow is as follows:
1. Entry point is the ingressgateway
2. It gets redirected to authservice
3. AuthService redirects to keycloak with address (http://keycloak-http.keycloak.svc/login/oidc?error=invalid_request&error_description=Invalid+scopes%3A+profile+email+groups+openid&state=MTU5OTIyNzMzNHxFd3dBRUVSell6SlhSRDhHTW5GT1praExOV0U9fMy3S_H_V1Ucv4yaAxkDmXYmmaor6CwvAUbwvKEuYuPX)
Discovery doc:
{"issuer":"http://10.111.155.73/auth/realms/kubeflow","authorization_endpoint":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/auth","token_endpoint":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/token","introspection_endpoint":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/userinfo","end_session_endpoint":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/logout","jwks_uri":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/certs","check_session_iframe":"http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"http://10.111.155.73/auth/realms/kubeflow/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","microprofile-jwt","web-origins","roles","phone","address","email","profile","offline_access"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true}
@yanniszark This is a kind reminder to the inquiry as this is currently a blocker on my side
I'm having a similar issue with keycloak.
- Enter base url, response 302 redirect to keycloak
- Get to keycloak login page, response 200
- Post with login info, response 302 to callback url
- Get to callback url and receive authservice_session cookie, response 302 to original url.
- Get to url entered from step 1 but doesn't send cookie in header, response 302 to keycloak.
The redirect loops and fails after 5 rounds, err too many redirects, and ends with a 403.
If the original url is requested the cookie is passed and all is good.
It's probably linked to #38 as my keycloak is an external instance.
I applied patch from #38 and the issue was resolved. Thanks
I think I know what's going on. What you see here is the response from Keycloak:
it says "Invalid scopes: profile email groups openid".
Indeed, it seems that Keycloak doesn't support the groups scope, as seen from the groups_supported
section of the discovery doc. You can set the desired groups with the OIDC_SCOPES
env var. In older versions like the one Kubeflow uses, setting OIDC_SCOPES="openid profile email"
should do the trick.
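The scope check described above, as an added example that is not part of the thread or of oidc-authservice: it compares the space-separated OIDC_SCOPES string against the scopes_supported list of a discovery document and also runs the standard issuer-match check an OIDC discovery client performs. The discovery document is a constructed excerpt modelled on the one posted earlier in the thread; the function names are my own.

```python
import json

# Constructed discovery document: a trimmed copy of the fields this check
# needs, modelled on the Keycloak document posted in the thread.
DISCOVERY_DOC = json.dumps({
    "issuer": "http://10.111.155.73/auth/realms/kubeflow",
    "authorization_endpoint":
        "http://10.111.155.73/auth/realms/kubeflow/protocol/openid-connect/auth",
    "scopes_supported": ["openid", "microprofile-jwt", "web-origins", "roles",
                         "phone", "address", "email", "profile", "offline_access"],
})


def unsupported_scopes(discovery_json: str, oidc_scopes: str) -> list:
    """Return the requested scopes (OIDC_SCOPES, space separated) that the
    provider does not advertise in scopes_supported. Keycloak rejects the
    whole authorization request with invalid_request if any scope is
    unknown, which is the error_description seen in the thread."""
    doc = json.loads(discovery_json)
    supported = set(doc.get("scopes_supported", []))
    return [s for s in oidc_scopes.split() if s not in supported]


def issuer_mismatch(discovery_json: str, oidc_provider: str) -> bool:
    """OIDC Discovery requires the 'issuer' value in the document to equal
    the URL the document was fetched from (OIDC_PROVIDER without the
    /.well-known suffix). The comparison is a plain string compare after
    trimming a trailing slash, as a strict client does, so http://host:80
    and http://host are treated as different issuers."""
    doc = json.loads(discovery_json)
    return doc.get("issuer", "").rstrip("/") != oidc_provider.rstrip("/")


def preflight(discovery_json: str, oidc_scopes: str, oidc_provider: str) -> list:
    """Collect human-readable problems to fix before deploying authservice."""
    problems = []
    missing = unsupported_scopes(discovery_json, oidc_scopes)
    if missing:
        problems.append("scopes not advertised by provider: " + " ".join(missing))
    if issuer_mismatch(discovery_json, oidc_provider):
        problems.append("issuer in discovery doc does not match OIDC_PROVIDER")
    return problems


if __name__ == "__main__":
    # Default authservice scopes against the posted Keycloak realm.
    for problem in preflight(DISCOVERY_DOC, "openid profile email groups",
                             "http://10.111.155.73/auth/realms/kubeflow"):
        print("WARN:", problem)
```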
@james-martinez did you resolve your issue?
@yanniszark Yes I did, thanks! Thanks for adding the config option in 80bc219
@james-martinez that's great to hear :)
Closing...
@yanniszark Sorry, I was on vacation and just came back to work today. I am not sure why the discovery does not show "groups" as a valid supported group although I created it in the realm. I will make sure it is there and verify the discovery has it, and then report if the issue is still there. Thanks for your help.
@yanniszark It looks like I posted wrong logs, sorry. The issue still persists and I now have the 404 - not found error which I opened the issue for.
Kustomize configuration:
  - kustomizeConfig:
      overlays:
        - application
      parameters:
        - name: namespace
          value: istio-system
        - name: userid-header
          value: kubeflow-userid
        - name: oidc_provider
          value: http://keycloak-http.keycloak.svc:80/auth/realms/kubeflow
        - name: oidc_redirect_uri
          value: /login/oidc
        - name: client_id
          value: kubeflow
      repoRef:
        name: manifests
        path: istio/oidc-authservice
    name: oidc-authservice
Flow goes as follows:
- Entry point is the istio ingress gateway.
- It redirects to the authservice.
- The authservice redirects to keycloak (which asks me to log in with username and password).
- Once I give a valid username and password I don't get redirected to the central dashboard but instead to a 404 - not found page with URL (http://keycloak-http.keycloak.svc/login/oidc?state=MTYwMjU5MzI1M3xFd3dBRUVSell6SlhSRGhHTW5GT1praExOV0U9fPim4CovjsV8V1mYBraB2SRuETV4-D9TuHpkeiYyZyEn&session_state=e78c415e-5c7c-40c1-a733-fbe0e3cd060d&code=c0ac69ee-7fdf-4da6-8a66-d31746222cc2.e78c415e-5c7c-40c1-a733-fbe0e3cd060d.1a57a03e-7290-4237-acf5-5ea358ab4cf8)
Discovery Doc:
{"issuer":"http://10.101.65.187/auth/realms/kubeflow","authorization_endpoint":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/auth","token_endpoint":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/token","introspection_endpoint":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/userinfo","end_session_endpoint":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/logout","jwks_uri":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/certs","check_session_iframe":"http://10.101.65.187/auth/realms/kubeflow/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"http://10.101.65.187/auth/realms/kubeflow/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","groups","microprofile-jwt","web-origins","roles","phone","address","email","profile","offline_access"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true}
Can we please reopen?