Comments (19)
Just figured it out: I needed to use v3 of the userinfo API endpoint instead of v2. Edit: I just found out about OIDC Discovery; URLs updated.
vouch:
  domains:
    - test.com
  oauth:
    provider: oidc
    client_id: [...].apps.googleusercontent.com
    client_secret: [...]
    auth_url: https://accounts.google.com/o/oauth2/v2/auth?prompt=select_account%20consent
    token_url: https://oauth2.googleapis.com/token
    user_info_url: https://openidconnect.googleapis.com/v1/userinfo
    scopes:
      - openid
      - email
      - profile
    callback_url: https://vouch.test.com/auth
    #preferredDomain: test.com
With those settings, I can protect my apps with Google Account Chooser.
Thanks @bnfinet and the Vouch team!
For anyone interested, to log out of your app, add the following to your nginx vhost config file:
location = /logout {
    return 302 https://vouch.test.com/logout?url=$scheme://$http_host;
}
from vouch-proxy.
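The working config above fills auth_url, token_url and user_info_url from Google's OIDC discovery document and bakes `prompt=select_account consent` into auth_url; the later comments in this thread also discuss the `hd` hint that preferredDomain sends. The Go program below is an added example, not code from the thread or from vouch-proxy: it parses a constructed, trimmed-down copy of the discovery document (the endpoint URLs are the ones from the config above), then builds the authorization URL the browser is redirected to, keeping any query string already present on the configured endpoint and adding state, scopes and the optional `hd` hint. The client id and state value are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Discovery holds the discovery-document fields a code-flow relying party
// needs to fill in auth_url, token_url and user_info_url.
type Discovery struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
	ScopesSupported       []string `json:"scopes_supported"`
}

// googleDiscoveryDoc is a constructed, trimmed stand-in for the real
// https://accounts.google.com/.well-known/openid-configuration, embedded so
// the example runs offline. The endpoint URLs match the thread's config.
const googleDiscoveryDoc = `{
  "issuer": "https://accounts.google.com",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
  "token_endpoint": "https://oauth2.googleapis.com/token",
  "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
  "scopes_supported": ["openid", "email", "profile"]
}`

// ParseDiscovery decodes a discovery document and rejects one whose
// code-flow endpoints are missing or not served over https.
func ParseDiscovery(doc []byte) (Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return Discovery{}, fmt.Errorf("decode discovery document: %w", err)
	}
	for _, ep := range []string{d.AuthorizationEndpoint, d.TokenEndpoint, d.UserinfoEndpoint} {
		if !strings.HasPrefix(ep, "https://") {
			return Discovery{}, fmt.Errorf("discovery document: endpoint %q missing or not https", ep)
		}
	}
	return d, nil
}

// AuthParams are the per-request inputs to the authorization request.
type AuthParams struct {
	ClientID     string
	RedirectURI  string
	State        string   // CSRF token bound to the browser session
	Scopes       []string // must include openid
	Prompt       string   // "select_account consent" forces the chooser; "" sends none
	HostedDomain string   // Google "hd" hint; "" sends none (no preferredDomain)
}

// BuildAuthURL combines authorization_endpoint and AuthParams into the
// redirect target. Query parameters already on the endpoint (the thread's
// "?prompt=select_account%20consent") survive unless p sets the same key.
func BuildAuthURL(d Discovery, p AuthParams) (string, error) {
	if p.ClientID == "" || p.RedirectURI == "" || p.State == "" {
		return "", fmt.Errorf("client_id, redirect_uri and state are required")
	}
	hasOpenID := false
	for _, s := range p.Scopes {
		if s == "openid" {
			hasOpenID = true
		}
	}
	if !hasOpenID {
		return "", fmt.Errorf("scope must include openid for an OIDC request")
	}
	u, err := url.Parse(d.AuthorizationEndpoint)
	if err != nil {
		return "", fmt.Errorf("parse authorization_endpoint: %w", err)
	}
	q := u.Query() // keeps whatever was configured on the endpoint itself
	q.Set("response_type", "code")
	q.Set("client_id", p.ClientID)
	q.Set("redirect_uri", p.RedirectURI)
	q.Set("state", p.State)
	q.Set("scope", strings.Join(p.Scopes, " "))
	if p.Prompt != "" {
		q.Set("prompt", p.Prompt)
	}
	if p.HostedDomain != "" {
		q.Set("hd", p.HostedDomain)
	}
	u.RawQuery = q.Encode() // spaces become "+", which is valid form encoding
	return u.String(), nil
}

func main() {
	d, err := ParseDiscovery([]byte(googleDiscoveryDoc))
	if err != nil {
		panic(err)
	}
	// Mirror the thread's working config: prompt baked into auth_url, no hd hint.
	d.AuthorizationEndpoint += "?prompt=select_account%20consent"
	link, err := BuildAuthURL(d, AuthParams{
		ClientID:    "EXAMPLE.apps.googleusercontent.com", // placeholder
		RedirectURI: "https://vouch.test.com/auth",
		State:       "opaque-random-state", // generate per request in real code
		Scopes:      d.ScopesSupported,
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(link)
}
```

Whether a given `hd` value suppresses the chooser is Google-side behaviour the thread observed, not something the code can decide; the example only controls what is sent.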
@fredericseiler thanks for the report.
What OS/browser are you using? Is it Chrome? Are you logged into the browser itself by any chance?
from vouch-proxy.
Windows 7 and Chrome 71.0.3578.98.
I'm logged into Chrome with my corp G Suite account, not my test account.
from vouch-proxy.
Is your corp G Suite account in the same domain as your test account? Does the behavior change if you sign out of your corp G Suite account?
from vouch-proxy.
Let's call my corp account corp.com and my test account test.com.
I'm using test.com in Vouch and Google OAuth.
When you go to google.com/accounts/logout, you log out from every logged-in Google account (and break the sync with Chrome).
from vouch-proxy.
Hmm, I cannot reproduce the behavior. Is this a change in behavior that you've noticed between versions?
Could you please provide a redacted config.yml and the logs from your vouch-proxy session with debug enabled? You could also try running with vouch.testing: true and see if that doesn't change the behavior.
from vouch-proxy.
And your nginx.conf (redacted) would be helpful as well
from vouch-proxy.
I can't tell about any previous version, I just tried Vouch today.
Vouch vhost:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name vouch.test.com;
    location / {
        include proxy.conf;
        proxy_pass http://192.168.0.1:9090;
    }
}
oauth.conf, included in every secured vhost:
auth_request /validate;
location = /validate {
    proxy_pass https://vouch.test.com;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
}
error_page 401 = @error401;
location @error401 {
    return 302 https://vouch.test.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
}
config.yml:
vouch:
  domains:
    - test.com
  oauth:
    provider: google
    client_id: [...]
    client_secret: [...]
    callback_urls:
      - https://vouch.test.com/auth
    preferredDomain: test.com
Logs are coming.
from vouch-proxy.
Common nginx settings for my vhosts (including Vouch):
client_max_body_size 0;
client_body_buffer_size 128k;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
client_body_timeout 30;
client_header_timeout 10;
keepalive_timeout 30;
send_timeout 60;
keepalive_requests 100;
access_log off;
proxy_buffers 32 4k;
proxy_connect_timeout 7d;
proxy_read_timeout 7d;
proxy_send_timeout 7d;
proxy_http_version 1.1;
proxy_redirect / $scheme://$server_name/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-HTTPS $https;
proxy_set_header X-Real-Port $remote_port;
proxy_set_header X-Server-IP $server_addr;
proxy_set_header X-Server-Port $server_port;
proxy_set_header Origin "$scheme://$host";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
from vouch-proxy.
Your config looks generally correct to my eyes.
Things to try:
- set vouch.testing: true and confirm you get redirected properly to vouch.test.com and then to Google
- try adding "internal" to your /validate block
- remove include proxy.conf;
- confirm that you can reach http://192.168.0.1:9090 and https://vouch.test.com from your nginx environment
from vouch-proxy.
Do you see the same behavior with Firefox or any other browser?
from vouch-proxy.
If I disable my browser cache and go to vouch.test.com/logout and then back to myapp.test.com, the redirections are working: myapp > vouch/login > google/auth > vouch/auth > myapp
With the cache enabled, the first request is loaded from disk cache and subsequent XHR queries are redirected to Vouch and fail silently (canceled) when redirected to Google.
So, my bad. Next step: tweaking nginx cache headers...
Anyway, is there a way to log out a user from Vouch and redirect him to Google Account Chooser instead of the auto-login process?
from vouch-proxy.
I'm logged into the browser with [email protected] but I'm testing Vouch with [email protected], so I don't think it's an issue.
My steps (with cache disabled):
- New Chrome session
- Go to myapp.test.com
- 302 to vouch.test.com/login
- 302 to Google/auth
- Log in to Google with [email protected]
- 302 to vouch.test.com/auth
- 302 to myapp.test.com
- Manually go to vouch.test.com/logout
- "You have been logged out" page (with some 404 errors for css and img, is that normal?)
- Go to myapp.test.com
- 302 to vouch.test.com/login
- 302 to google/auth
- 302 to vouch.test.com/auth
- 302 to myapp.test.com
I don't have any prompt for account selection between steps 12 and 13, as you can see in this screenshot (beginning at step 10):
from vouch-proxy.
Do you see the same behavior with a different browser?
from vouch-proxy.
And, can you comment out preferredDomain: and try again please?
from vouch-proxy.
Nice catch!
When calling Google OAuth with the Host Domain hd: query string param, if you only have one user account registered with Google Account Chooser (AC) for the specified domain, it will be automatically used without using the AC.
Without the hd: param, the AC will only pop up if you have at least 2 accounts (on different domains?).
Is there a way to override the Google provider auth_url: setting in config.yml to add prompt=select_account consent?
from vouch-proxy.
I wonder what would happen by setting preferredDomain: " ".
You could try to config provider: oidc and then manually set the OIDC Google endpoints with auth_url to add prompt=select_account. I'm not certain if that will work but it would be worth a shot.
from vouch-proxy.
With preferredDomain: " ", you have to type your e-mail and password:
With preferredDomain: "*" (as seen in the docs), the autologin is back (because I only test with G Suite accounts, not Gmail accounts).
About prompt=select_account consent, when I try with the OIDC provider, the Google OAuth URL is done right:
But I'm having a 400 Bad Request when redirected to Vouch:
json: cannot unmarshal string into Go struct field User.id of type int
I'm not quite sure about the URLs to call:
    auth_url: https://accounts.google.com/o/oauth2/v2/auth?prompt=select_account%20consent
    token_url: https://www.googleapis.com/oauth2/v4/token
    user_info_url: https://www.googleapis.com/oauth2/v2/userinfo
    scopes:
      - openid
      - email
      - profile
Any thoughts?
from vouch-proxy.
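The 400 above comes from the shape of the userinfo response, not from the OAuth URL: Google's legacy oauth2/v2/userinfo endpoint returns the account identifier as "id", a JSON string, while the OIDC userinfo endpoint (the one the resolved config at the top of the thread switched to) returns it as "sub". A Go struct that types the identifier as int rejects the v2 response with exactly the error quoted. The program below is an added example, not code from the thread or from vouch-proxy: the two responses are constructed, the `User` struct is an assumed shape that reproduces the error (vouch-proxy's real struct is not shown on this page), and `DomainAllowed` is my own version of the check a relying party makes against a `domains:` allow-list like the one in the config, written as an exact match rather than a suffix match.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// legacyUserinfo is a constructed response shaped like Google's legacy
// oauth2/v2/userinfo endpoint: the identifier is "id" and it is a JSON
// string even though it looks numeric.
const legacyUserinfo = `{
  "id": "112233445566778899000",
  "email": "user@test.com",
  "verified_email": true,
  "name": "Test User"
}`

// oidcUserinfo is a constructed response shaped like the OIDC userinfo
// endpoint: the subject is "sub" and the flag is "email_verified".
const oidcUserinfo = `{
  "sub": "112233445566778899000",
  "email": "user@test.com",
  "email_verified": true,
  "name": "Test User"
}`

// User is an assumed struct that produces the thread's error: it types the
// identifier as int. It is not vouch-proxy's real struct.
type User struct {
	ID    int    `json:"id"`
	Email string `json:"email"`
	Name  string `json:"name"`
}

// OIDCUser uses the standard OIDC userinfo claim names; sub is always a string.
type OIDCUser struct {
	Sub           string `json:"sub"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Name          string `json:"name"`
}

// DecodeLegacy reproduces the failure: a JSON string cannot be unmarshalled
// into an int field, so the response is rejected.
func DecodeLegacy(body []byte) (User, error) {
	var u User
	if err := json.Unmarshal(body, &u); err != nil {
		return User{}, err
	}
	return u, nil
}

// IsTypeMismatch reports whether err is a JSON type mismatch like the one in
// the thread, as opposed to a syntax error or an empty body.
func IsTypeMismatch(err error) bool {
	var ute *json.UnmarshalTypeError
	return errors.As(err, &ute)
}

// DecodeOIDC decodes the OIDC-shaped response and refuses an identity a
// relying party should not trust: no subject, or an unverified email.
func DecodeOIDC(body []byte) (OIDCUser, error) {
	var u OIDCUser
	if err := json.Unmarshal(body, &u); err != nil {
		return OIDCUser{}, fmt.Errorf("decode userinfo: %w", err)
	}
	if u.Sub == "" {
		return OIDCUser{}, errors.New("userinfo response has no sub claim")
	}
	if !u.EmailVerified {
		return OIDCUser{}, fmt.Errorf("email %q is not verified; refusing to use it as an identity", u.Email)
	}
	return u, nil
}

// DomainAllowed matches the part after "@" exactly (case-insensitively)
// against an allow-list such as "domains: - test.com". A plain suffix match
// would also accept user@evil-test.com; this does not.
func DomainAllowed(email string, domains []string) bool {
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return false
	}
	got := strings.ToLower(email[at+1:])
	for _, want := range domains {
		if got == strings.ToLower(want) {
			return true
		}
	}
	return false
}

func main() {
	_, err := DecodeLegacy([]byte(legacyUserinfo))
	fmt.Println("legacy shape:", err, "| type mismatch:", IsTypeMismatch(err))
	u, err := DecodeOIDC([]byte(oidcUserinfo))
	fmt.Println("oidc shape:", u.Sub, u.Email, err)
	fmt.Println("allowed:", DomainAllowed(u.Email, []string{"test.com"}))
}
```

Running it prints the same "cannot unmarshal string into Go struct field User.id of type int" message for the legacy shape and a decoded subject for the OIDC shape; the email-verified and domain checks are the two things worth keeping even after the endpoint mismatch is fixed.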