Comments (7)
Got it... I needed to set the Host header in two places.
From the README:
```nginx
location = /validate {
    # Vouch Proxy can run behind the same nginx-revproxy
    # May need to add "internal", and comply to "upstream" server naming
    proxy_pass http://vouch.yourdomain.com:9090;
    # Vouch Proxy only acts on the request headers
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    #[snip]
}
```
I'd obviously looked past the fact that the proxy_pass directive here contains a hostname, whereas in my case I was pointing to an IP:port combo.
So yes, this location block required the addition of:
```nginx
proxy_set_header Host login.example.com; # or vouch.example.com going by the doc's naming scheme.
```
Funnily enough I'd already done this elsewhere in the config, as the documentation specifically states a few lines down:
> If Vouch is configured behind the same nginx reverse proxy (perhaps so you can configure ssl) be sure to pass the Host header properly, otherwise the JWT cookie cannot be set into the domain.
```nginx
server {
    listen 80 default_server;
    server_name vouch.yourdomain.com;
    location / {
        proxy_set_header Host vouch.yourdomain.com;
        proxy_pass http://127.0.0.1:9090;
    }
}
```
It's late, and perhaps I've missed something, but this appears to be working now. What I can't understand is why this error wouldn't have been caught with `allowAllUsers: true`. Perhaps this signifies another bug?
Either way, thanks for your assistance. I plan to do some more testing tomorrow and make sure non-whitelisted users can't get access, etc.
from vouch-proxy.
thanks for the detailed report
you may prefer turning on `vouch.testing: true` while you approach the problem which will both help you see what Vouch Proxy is doing as well as slow down the interactions with GitHub.
The config looks sound though the `oauth.scopes:` is suspect. I think you'd want to remove that to set `- user` on your behalf.
And of course `logLevel: debug` might be helpful
Try those and see if it helps.
from vouch-proxy.
Thanks for the prompt reply, I'll definitely keep you updated.
As for the scopes thing, I didn't actually want the user scope, which appears to be the default. I'm happy with just read-only perms on the user's github account. I'm not sure if this would cause a problem when `allowAllUsers: false` is applied, but I can certainly test with this setting removed.
from vouch-proxy.
That doesn't appear to be the case. With the 2 scope related lines commented out (thus including the user scope), and `allowAllUsers: false` I still have the redirect looping issue. Also without the `user` scope vouch seems to be getting access to the user info; in fact with the broken config (`allowAllUsers: false`) (and my original scope excluding lines present) I get the following behaviour:
When I hit my protected endpoint with testing on, Vouch catches a redirect to 302 redirect to: `https://github.com/login/oauth/authorize?client_id=[SNIPasdlkjasldkjasd]&response_type=code&scope=&state=[SNIPalksdjalsdjalksdjaksd]`.
I click this link and the debug log actually shows (among other stuff):
```text
time="2019-01-28T22:59:23Z" level=info msg="github userinfo body: ***Big load of json relating to account***
time="2019-01-28T22:59:23Z" level=debug msg="found user.Username in WhiteList: vulcan25"
time="2019-01-28T22:59:23Z" level=error msg="no bucket for users"
time="2019-01-28T22:59:23Z" level=debug msg="new user.. setting created on to 1223234[SNIP]"
```
But then proceeds to catch a redirect back to my endpoint which when I follow it, vouch debug shows (among other stuff):
```text
time="2019-01-28T23:00:19Z" level=info msg="jwt cookie" username=vulcan25
time="2019-01-28T23:00:19Z" level=error msg="not authorized for 172.31.41.62:9090"
time="2019-01-28T23:00:19Z" level=debug msg="domain matched array value at [0]=example.com"
time="2019-01-28T23:00:19Z" level=debug msg="setting the cookie domain to example.com"
time="2019-01-28T23:00:19Z" level=debug msg="CaptureWriter.WriteHeader set w.StatusCode 401"
time="2019-01-28T23:00:19Z" level=debug msg="Request handled successfully: 401"
```
Whereas the working configuration (with `allowAllUsers: true`) at this stage shows:
```text
time="2019-01-28T22:55:17Z" level=debug msg="skipping verify user since cfg.Cfg.AllowAllUsers is true"
```
then when I follow the end point redirect:
```text
time="2019-01-28T22:55:53Z" level=info msg="jwt cookie" username=vulcan25
time="2019-01-28T22:55:53Z" level=debug msg="response header" X-Vouch-User=vulcan25
time="2019-01-28T22:55:53Z" level=debug msg="CaptureWriter.Write set w.StatusCode 200"
time="2019-01-28T22:55:53Z" level=debug msg="Request handled successfully: 200"
```
There's obviously more to these log files, though.
from vouch-proxy.
`"not authorized for 172.31.41.62:9090"` doesn't look right.
That comes from this block: https://github.com/vouch/vouch-proxy/blob/master/handlers/handlers.go#L182-L184
That checks to confirm that the Host is authorized for one of the configured domains.
Please check that your nginx config is passing the Host header to Vouch Proxy properly.
from vouch-proxy.
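To make the maintainer's point concrete, here is an added Go example (not Vouch Proxy's own code) of the kind of Host-vs-configured-domains check described above, using a constructed `configuredDomains` list standing in for the `vouch.domains` setting. It shows why an IP:port Host like the one in the 401 log can never be authorized, and why `allowAllUsers: true` never hits the check at all, matching the "skipping verify user" line in the working log.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Stand-in for the vouch.domains list in config.yml (constructed sample value).
var configuredDomains = []string{"example.com"}

// hostInDomains reports whether the Host header value, minus any :port, equals
// a configured domain or is a subdomain of it. An IP literal never matches.
func hostInDomains(host string, domains []string) bool {
	h := strings.ToLower(host)
	if hp, _, err := net.SplitHostPort(h); err == nil {
		h = hp // "172.31.41.62:9090" -> "172.31.41.62", "[::1]:9090" -> "::1"
	}
	if net.ParseIP(strings.Trim(h, "[]")) != nil {
		return false
	}
	for _, d := range domains {
		d = strings.ToLower(d)
		if h == d || strings.HasSuffix(h, "."+d) {
			return true
		}
	}
	return false
}

// authorize mirrors the two branches seen in the logs above: with allowAllUsers
// the domain check is skipped; otherwise a Host outside every configured domain
// gets a 401 and the "not authorized for <host>" message.
func authorize(host string, allowAllUsers bool) (int, string) {
	if allowAllUsers {
		return 200, "skipping verify user since AllowAllUsers is true"
	}
	if !hostInDomains(host, configuredDomains) {
		return 401, fmt.Sprintf("not authorized for %s", host)
	}
	return 200, "ok"
}

func main() {
	for _, h := range []string{"172.31.41.62:9090", "login.example.com"} {
		code, msg := authorize(h, false)
		fmt.Printf("%-20s -> %d %s\n", h, code, msg)
	}
}
```

Setting `proxy_set_header Host login.example.com;` in the `/validate` location is what moves a request from the first branch to the second.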
glad it's working now, happy to help
closing
from vouch-proxy.