Comments (9)
I'm traveling atm but just quickly...
Could you try turning `allowAllUsers: true` to `allowAllUsers: false`. If you're using a whitelist, then you don't want `allowAllUsers` on.
If that doesn't work I can take a closer look tomorrow
from vouch-proxy.
Hi Ben, thanks for responding. I tried `allowAllUsers: false`, but I still fall into the redirect loop.
I had set `allowAllUsers: true` with the thought that that, combined with `whiteList` entries, would let me authenticate a selected set of users from any domain, without setting anything under `domains`. Is using `allowAllUsers: false`, no `domains` section, and a `whiteList` section the right configuration choice for that?
Aha, that's the ticket. Now my (simplified) config works fine:
lasso:
  domains:
    - [domain].com
  whiteList:
    - [my gmail address]
  jwt:
    secret: [secret]
    maxAge: 10080
oauth:
  provider: google
  client_id: [google oauth2 client id]
  client_secret: [google oauth2 client secret]
  callback_urls:
    - https://lasso.[domain].com/auth
Thank you for the clarification. And thanks for Lasso!
EDIT: Disregard. I had misunderstood the `domains` option. Once I set it for ONLY the common top level domain (se.domain.com, instead of domain.com, se.domain.com, and login.se.domain.com) everything worked as expected.
The documentation here is a little confusing in this regard, because it makes it sound like those are the valid domains for callback URLs:
valid domains that the jwt cookies can be set into
the callback_urls will be to these domains
I've run into the same problem of infinite redirects, but the solution here (setting the domains) doesn't resolve it. Any suggestions would be appreciated.
The initial redirect to /auth works and resolves the user, but it looks like the forward back to the original URL loses the JWT by the time it hits the /validate endpoint.
Here are relevant logs:
vouch.log
nginx.log
And config files:
Vouch
# vouch config
# bare minimum to get vouch running with OpenID Connect (such as okta)
lasso:
  logLevel: debug
  # domains:
  # valid domains that the jwt cookies can be set into
  # the callback_urls will be to these domains
  domains:
    - se.domain.com
    - login.se.domain.com
    - domain.com
  # - OR -
  # instead of setting specific domains you may prefer to allow all users...
  # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at the configured provider
  allowAllUsers: true
oauth:
  # Generic OpenID Connect
  # including okta
  provider: oidc
  client_id: CLIENT_ID
  client_secret: SECRET
  auth_url: https://dev-123456.oktapreview.com/oauth2/default/v1/authorize
  token_url: https://dev-123456.oktapreview.com/oauth2/default/v1/token
  user_info_url: https://dev-123456.oktapreview.com/oauth2/default/v1/userinfo
  scopes:
    - openid
    - email
  callback_url: https://login.se.domain.com/auth
Nginx
log_format hostcombo '$remote_addr - $host - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent"';

server {
    listen 80 ssl http2 default_server;
    server_name se.domain.com;
    access_log /var/log/nginx/access.log hostcombo;
    error_log /var/log/nginx/error.log debug;
    ssl_certificate /certs/localhost.pem;
    ssl_certificate_key /certs/localhost.key;
    root /usr/share/nginx/html;
    index index.html;

    # send all requests to the `/validate` endpoint for authorization
    auth_request /validate;

    location = /validate {
        internal;
        # Vouch Proxy can run behind the same nginx-revproxy
        # May need to add "internal", and comply to "upstream" server naming
        proxy_pass http://vouch:9090;

        # Vouch Proxy only acts on the request headers
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # pass X-Vouch-User along with the request
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;

        # these return values are used by the @error401 call
        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    }

    # if validate returns `401 not authorized` then forward the request to the error401block
    error_page 401 = @error401;
    location @error401 {
        # redirect to Vouch Proxy for login
        return 302 https://login.se.domain.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }

    # proxy pass authorized requests to your service
    location / {
        proxy_pass http://www.comain.com;

        # may need to set
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        # in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810

        # set user header (usually an email)
        proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
    }
}

# forwards to vouch
server {
    access_log /var/log/nginx/access.log hostcombo;
    listen 80 ssl;
    server_name login.se.domain.com;
    ssl_certificate /certs/localhost.pem;
    ssl_certificate_key /certs/localhost.key;

    location / {
        proxy_set_header Host login.se.domain.com;
        proxy_pass http://vouch:9090;
    }
}
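The EDIT at the top of that comment attributes the fix to listing only the common parent domain. As an added illustration (not vouch-proxy's code, and not the commenter's), the Go program below uses the standard library's RFC 6265 cookie jar to show why a JWT cookie set by the login host reaches the protected host only when its Domain attribute is the shared parent. It assumes that whichever `domains` entry the proxy matches ends up as the cookie's Domain attribute; the cookie name, URLs and cookie value are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// Constructed URLs mirroring the thread's layout: the login completes at
// login.se.domain.com/auth, while nginx's auth_request on the protected
// site calls se.domain.com/validate.
var (
	authURL     = mustParse("https://login.se.domain.com/auth")
	validateURL = mustParse("https://se.domain.com/validate")
)

// jwtCookieName is a constructed name standing in for the proxy's real cookie.
const jwtCookieName = "VouchCookie"

func mustParse(raw string) *url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		panic(err)
	}
	return u
}

// jwtCookieReachesValidate simulates one login round-trip with Go's RFC 6265
// cookie jar: the /auth response sets the JWT cookie with the given Domain
// attribute, then we ask which cookies a browser would attach to the next
// /validate request. An empty cookieDomain means a host-only cookie.
func jwtCookieReachesValidate(cookieDomain string) (bool, error) {
	// nil Options: no public-suffix list, which is fine here because none of
	// the domains under test is a public suffix.
	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	jar.SetCookies(authURL, []*http.Cookie{{
		Name:     jwtCookieName,
		Value:    "header.payload.signature", // placeholder, not a real JWT
		Domain:   cookieDomain,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
	}})
	for _, c := range jar.Cookies(validateURL) {
		if c.Name == jwtCookieName {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// The first two scopes reproduce the loop symptom from the thread: /auth
	// succeeds, but /validate never sees the cookie and answers 401 again.
	for _, d := range []string{"", "login.se.domain.com", "se.domain.com", "domain.com"} {
		ok, err := jwtCookieReachesValidate(d)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		label := d
		if label == "" {
			label = "(host-only)"
		}
		fmt.Printf("Domain=%-22s sent to /validate: %v\n", label, ok)
	}
}
```

A cookie scoped to `login.se.domain.com` (or host-only) is never attached to requests for `se.domain.com`, so every `/validate` call fails and nginx redirects to `/login` again; scoping it to `se.domain.com` or `domain.com` makes the same cookie visible to both hosts.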
It was a non-issue. I had misunderstood the `domains` option (see edit).
Sounds like we both missed our coffees this morning ☕️