Comments (13)
It looks like the client ID or secret is missing. Double check that the client ID and secret are set in the config file. The example config file is a bit confusing as it has several examples of OAuth providers in it but you need just the one you're using, so make sure the others are commented out.
from vouch-proxy.
thanks, you are right, my token url was wrong. Now, I am getting
oauth2: server response missing access_token
I am guessing https://github.com/LassoProject/lasso/blob/abe5646e267dd8859aa749e46ccc334044a2dad9/handlers/handlers.go#L498 always calls github.com instead of GitHub Enterprise?
from vouch-proxy.
Looks like yep, we'll need to add a config option to set the GitHub enterprise API URL.
from vouch-proxy.
Tried with
userinfo, err := client.Get(genOauth.UserInfoURL + ptoken.AccessToken)
and it seems to work.
But I was getting another issue, which is that it repeatedly redirected and asked for a token. My config is as follows:
http {
    server {
        listen 0.0.0.0:80;
        server_name mydomain.name;

        # see https://github.com/LassoProject/lasso
        # send all requests to the `/validate` endpoint for authorization
        # if validate returns `401 not authorized` then forward the request to the error401block
        auth_request /validate;
        error_page 401 = @error401;

        location = /validate {
            # lasso can run behind the same nginx-revproxy
            # May need to add "internal", and comply to "upstream" server naming
            proxy_pass http://lasso:9091;

            # lasso only acts on the request headers
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";

            # pass X-Lasso-User along with the request
            auth_request_set $auth_resp_x_lasso_user $upstream_http_x_lasso_user;

            # these return values are used by the @error401 call
            auth_request_set $auth_resp_jwt $upstream_http_x_lasso_jwt;
            auth_request_set $auth_resp_err $upstream_http_x_lasso_err;
            auth_request_set $auth_resp_failcount $upstream_http_x_lasso_failcount;
        }

        location @error401 {
            # redirect to lasso for login
            return 302 http://mydomain.name:9091/login?url=$scheme://$http_host$request_uri&lasso-failcount=$auth_resp_failcount&X-Lasso-Token=$auth_resp_jwt&error=$auth_resp_err;
        }

        location /prometheus/ {
            proxy_set_header Host mydomain.name;
            proxy_set_header X-Lasso-User $auth_resp_x_lasso_user;
            proxy_pass http://prometheus:9090/;
        }
    }
}

events {
}
from vouch-proxy.
lasso runs on the same node on port 9091 and can be publicly accessed using http://mydomain.name:9091
from vouch-proxy.
Do you have the cookie config set to secure: true?
https://github.com/LassoProject/lasso/blob/master/config/config.yml_example#L34
You may need to set that to false
Lasso is generally assumed to be running behind a reverse proxy which provides https, at least for the publicly accessible endpoint /login
Your nginx config looks correct otherwise. You could also see if adding internal would help...
https://nginx.org/en/docs/http/ngx_http_core_module.html#internal
from vouch-proxy.
Found the root cause:
level=error msg="no email found in jwt"
It happens when the user has not published their email, so the API returns null for the email field.
from vouch-proxy.
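The two defects discussed in this thread, the userinfo call being hard-coded to github.com instead of the GitHub Enterprise host, and a null `email` field crashing identity extraction with "no email found in jwt", are illustrated below in one Go example. This is added example code, not Lasso's or vouch-proxy's own handler code. It assumes a configurable API base such as "https://ghe.example.com/api/v3" (the `apiBase` value and the hostname are hypothetical), sends the access token in the Authorization header rather than as a `?access_token=` query parameter, and falls back to the GitHub `login` name when `email` is null, which is the username-based behaviour the thread converges on. The JSON responses in `main` are constructed, not captured from GitHub.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// GitHubUser is the subset of GitHub's GET /user response this example reads.
// Email is a pointer so that a JSON null (the user has not published an
// email address) is distinguishable from an empty string.
type GitHubUser struct {
	Login string  `json:"login"`
	Email *string `json:"email"`
}

// newUserInfoRequest builds the userinfo request from a configurable API base
// instead of a hard-coded github.com. apiBase is an assumed config value such
// as "https://api.github.com" or "https://ghe.example.com/api/v3".
// The token goes in the Authorization header rather than the query string,
// so it does not end up in proxy and server access logs.
func newUserInfoRequest(apiBase, accessToken string) (*http.Request, error) {
	u, err := url.Parse(strings.TrimRight(apiBase, "/"))
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, errors.New("userinfo base must be an https URL; the access token would otherwise travel in clear text")
	}
	u.Path += "/user"
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "token "+accessToken)
	req.Header.Set("Accept", "application/vnd.github.v3+json")
	return req, nil
}

// identityFromUserInfo picks the identity claim for the JWT: the published
// email if there is one, otherwise the login name. An empty login is an
// error rather than an empty identity, so a malformed response cannot mint
// a JWT for "nobody".
func identityFromUserInfo(body []byte) (string, error) {
	var gu GitHubUser
	if err := json.Unmarshal(body, &gu); err != nil {
		return "", fmt.Errorf("decoding userinfo: %w", err)
	}
	if gu.Email != nil && *gu.Email != "" {
		return *gu.Email, nil
	}
	if gu.Login == "" {
		return "", errors.New("no email or login in userinfo response")
	}
	return gu.Login, nil
}

func main() {
	// Constructed responses, not captured from GitHub.
	published := []byte(`{"login":"octocat","email":"octocat@example.com"}`)
	unpublished := []byte(`{"login":"octocat","email":null}`)

	req, err := newUserInfoRequest("https://ghe.example.com/api/v3/", "gho_example")
	if err != nil {
		fmt.Println("request error:", err)
		return
	}
	fmt.Println("userinfo URL:", req.URL.String())

	for _, body := range [][]byte{published, unpublished} {
		id, err := identityFromUserInfo(body)
		fmt.Printf("%s -> identity=%q err=%v\n", body, id, err)
	}
}
```

Rejecting a non-https base is deliberate: the access token authorises the userinfo call, and the thread's setup already runs the login endpoint over plain HTTP, so the one place the token must not leak is the API call itself.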
aha! But it works otherwise if the email is published?
Would you suggest using the username instead of email for github (and github enterprise) accounts?
from vouch-proxy.
yeah. maybe username is better.
from vouch-proxy.
k thanks, I'm going to keep this issue open to track the addition of a config option to set the GitHub enterprise API URL
I'll establish a new issue for the change from email to username
from vouch-proxy.
@QingsongYao would you be able to sanity check this...
https://github.com/LassoProject/lasso/blob/feature/config_fixes/config/config.yml_example_github_enterprise
Overall it should be much simpler now to configure Lasso for GitHub Enterprise
from vouch-proxy.
Yes. Verified that the new config works with latest docker and config. My userinfo url is something like
user_info_url: "https://github_enterprise_url/api/v3/user?access_token=" which might be different than the one in the template.
from vouch-proxy.