Comments (15)
Hi everyone,
I finally found the issue. When Logto validates the token, it requests the relevant configuration from oidc-config:

```js
const oidcConfigUrl = appendPath(issuer, '/.well-known/openid-configuration');
const configuration = await ky
  .get(
    oidcConfigUrl // 'http://auth.localhost/oidc/.well-known/openid-configuration'
  )
  .json();
```

In the Logto container, requests to 'http://auth.localhost' are directed to 127.0.0.1:80, which is the address of the Logto container itself. The request should actually be made to the address of the entire Docker network so that it can be proxied by Caddy.
To fix this, map admin.localhost and auth.localhost to the IP address of the Caddy container in the Logto container:

```yaml
logto:
  image: local/logto:latest
  entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
  environment:
    - TRUST_PROXY_HEADER=1
    - DB_URL=postgres://postgres:[email protected]:5432/logto
    # Mandatory for GitPod to map host env to the container, thus GitPod can dynamically configure the public URL of Logto;
    # Or, you can leverage it for local testing.
    - ENDPOINT=http://auth.localhost
    - ADMIN_ENDPOINT=http://admin.localhost
  extra_hosts:
    - "auth.localhost:172.17.0.1"
    - "admin.localhost:172.17.0.1"
```

And in versions < 1.17.0, the configuration is read from the local database, so this issue does not occur.
from logto.
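A preflight check for the discovery path described in the comment above, added here as an example; it is not part of the original thread or of the Logto code base. The hosts tables, the proxy address 172.17.0.1 and the fake fetch are constructed to mirror the setup in that comment, and `resolve`/`fetchJson` are injected so the check runs offline.

```javascript
// Added example (not Logto's own code): mirrors how Logto 1.17+ derives the OIDC
// discovery URL from ENDPOINT, then checks that, from inside the container, the
// issuer host does not resolve to loopback (the bug in this thread) and that the
// discovery document's issuer matches. `resolve` and `fetchJson` are injected so
// the check runs offline; in a container they would wrap dns.lookup and fetch.
const LOOPBACK = /^(127(\.\d{1,3}){3}|::1)$/;

function appendPath(base, path) {
  return `${base.replace(/\/+$/, '')}/${path.replace(/^\/+/, '')}`;
}

function checkDiscovery(endpoint, { resolve, fetchJson }) {
  const issuer = appendPath(endpoint, 'oidc'); // Logto's issuer is <ENDPOINT>/oidc
  const url = new URL(appendPath(issuer, '/.well-known/openid-configuration'));
  const address = resolve(url.hostname); // what the container's resolver returns
  const problems = [];
  if (LOOPBACK.test(address)) {
    problems.push(`${url.hostname} -> ${address} is loopback: discovery hits this container, not the proxy`);
  }
  try {
    // fetchJson receives the address the connection actually goes to
    const config = fetchJson(url.href, address);
    if (config.issuer !== issuer) problems.push(`issuer mismatch: got ${config.issuer}, expected ${issuer}`);
  } catch (err) {
    problems.push(`discovery fetch failed: ${err.message}`);
  }
  return { url: url.href, address, ok: problems.length === 0, problems };
}

// Constructed stand-in for the thread's setup: Caddy at 172.17.0.1 serves the
// discovery document; nothing listens on the Logto container's own port 80.
const PROXY_IP = '172.17.0.1';
function fakeFetch(href, address) {
  if (address !== PROXY_IP) throw new Error(`connect ECONNREFUSED ${address}:80 (${href})`);
  return { issuer: 'http://auth.localhost/oidc', jwks_uri: 'http://auth.localhost/oidc/jwks' };
}
// Without extra_hosts, *.localhost resolves to loopback inside the container.
const withoutExtraHosts = (host) => (host.endsWith('.localhost') ? '127.0.0.1' : PROXY_IP);
// With the extra_hosts entries from this comment, both names are pinned to Caddy.
const withExtraHosts = (host) =>
  ({ 'auth.localhost': PROXY_IP, 'admin.localhost': PROXY_IP })[host] ?? '127.0.0.1';

function demo() {
  const fetchJson = fakeFetch;
  return {
    before: checkDiscovery('http://auth.localhost', { resolve: withoutExtraHosts, fetchJson }),
    after: checkDiscovery('http://auth.localhost', { resolve: withExtraHosts, fetchJson }),
  };
}
```

`demo().before` reports both the loopback resolution and the refused connection, `demo().after` comes back clean.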
Am experiencing this too - was working fine. Then I pulled latest docker image, ran DB migrations from CLI and now I get the same error.
from logto.
Tested several docker images now:
+ ✓ Tag 1.15 is working
+ ✓ Tag 1.16 is working
- ✘ Tag 1.17 is not working
- ✘ Tag latest is not working
- ✘ Tag edge is not working
from logto.
@kaiwa Thank you for your feedback. I am looking into it.
from logto.
I just tried the bare example docker compose yml and it is working (https://github.com/logto-io/logto/blob/master/docker-compose.yml).
So it seems to be somehow related to the environment I have set it up in. Maybe the reverse proxy or something. I will try to narrow down the issue a bit more, but if anyone has an idea in the meanwhile, please let me know.
from logto.
@xiaoyijun Minimal reproduction repository, here you go: https://github.com/kaiwa/logto-unauthorized-example/tree/master (I have used Caddy instead of nginx for simplicity here, but the problem was the same with nginx.)
It is a very simple reverse proxy setup. Admin is at http://admin.localhost. As soon as you have created your admin user, logged in and then move to some page, you should see the "Unauthorized" error.
Please let me know as soon as you can confirm the issue.
from logto.
Am experiencing this too - was working fine. Then I pulled latest docker image, ran DB migrations from CLI and now I get the same error.
Have you tried clearing the browser cache?
from logto.
I have this problem too, but on Raw Node.js setup.
from logto.
Am experiencing this too - was working fine. Then I pulled latest docker image, ran DB migrations from CLI and now I get the same error.
Have you tried clearing the browser cache?
Yes, clearing storage of all types has not fixed this. I am on version 1.17.
from logto.
I am also using a reverse proxy (traefik). 1.16 works no problem.
from logto.
Do you have suggestion how to handle same issue in version installed by npm-init and not using reverse proxy?
I am using same domain for ENDPOINT and ADMIN_ENDPOINT, just different ports, is that okay?
from logto.
I am using same domain for ENDPOINT and ADMIN_ENDPOINT, just different ports, is that okay?
Yes, you can use different ports, but remember to specify the port in the URL.
from logto.
It's not working for me.
nginx:

```nginx
server {
    listen 443 ssl;
    server_name dev.logtoserve.com;
    ssl_certificate /etc/nginx/conf.d/pem/localhost+3.pem;
    ssl_certificate_key /etc/nginx/conf.d/pem/localhost+3-key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://192.168.99.142:13001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
server {
    listen 443 ssl;
    server_name dev.logtoadmin.com;
    ssl_certificate /etc/nginx/conf.d/pem/localhost+3.pem;
    ssl_certificate_key /etc/nginx/conf.d/pem/localhost+3-key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://192.168.99.142:13002;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

.env

```yaml
# This compose file is for demonstration only, do not use in prod.
version: "3.9"
services:
  app:
    depends_on:
      postgres:
        condition: service_healthy
    image: svhd/logto:${TAG-latest}
    entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
    ports:
      - 13001:3001
      - 13002:3002
    environment:
      - TRUST_PROXY_HEADER=1
      - DB_URL=postgres://postgres:p0stgr3s@postgres:5432/logto
      # Mandatory for GitPod to map host env to the container, thus GitPod can dynamically configure the public URL of Logto;
      # Or, you can leverage it for local testing.
      - ENDPOINT=https://dev.logtoserve.com
      - ADMIN_ENDPOINT=https://dev.logtoadmin.com
      - TRUST_PROXY_HEADER=1
    extra_hosts:
      - "dev.logtoserve.com:172.17.0.1"
      - "dev.logtoadmin.com:172.17.0.1"
  postgres:
    image: postgres:14-alpine
    user: postgres
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: p0stgr3s
    healthcheck:
      test: ["CMD-SHELL", "pg_isready"]
      interval: 10s
      timeout: 5s
      retries: 5
```
from logto.
Also, I used npm-init to create my project. That does not work either.
from logto.
@xiaoyijun Thank you!!! 👍
from logto.