
ERROR: Failed to login due to a disallowed callback URL. Please check Teleport's log for more details. #41516

Closed
rfmoz opened this issue May 14, 2024 · 4 comments

@rfmoz

rfmoz commented May 14, 2024

Expected behavior:

When logging in from a remote server without a desktop, the following command has been working up until now:

$ tsh login --proxy=company.teleport.sh --user=user@company.com --bind-addr=192.168.1.10:3000 --browser none

The tsh process served the validation page on the defined bind address (not the default 127.0.0.1), and from a remote desktop it was possible to open that URL to proceed with the validation.

Current behavior:

But today, that command fails with an error:

WARNING: Ignoring Teleport user (user@company.com) for Single Sign-On (SSO) login.
Provide the user name during the SSO flow instead. Use --auth=local if you did not intend to login with SSO.
ERROR: Failed to login due to a disallowed callback URL. Please check Teleport's log for more details.

It doesn't listen on the defined address any more.

Bug details:

  • Teleport version
    Teleport v15.3.4 git:v15.3.4-0-g0436ce5 go1.21.9

  • Recreation steps
Trying to execute the login as described above.

  • Debug logs

2024-05-14T13:57:14+02:00 DEBU [KEYSTORE]  Reading certificates from path "/home/user/.tsh/keys/company.teleport.sh/user@company.com-ssh/company.teleport.sh-cert.pub". client/keystore.go:357
2024-05-14T13:57:14+02:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2023-10-06 02:43:25 +0000 UTC". client/client_store.go:111
2024-05-14T13:57:14+02:00 INFO [CLIENT]    ALPN connection upgrade required for "company.teleport.sh:443": false. client/api.go:787
2024-05-14T13:57:14+02:00 INFO [CLIENT]    no host login given. defaulting to user client/api.go:1125
2024-05-14T13:57:14+02:00 WARN [CLIENT]    [KEY AGENT] Unable to connect to SSH agent on socket "": dial unix: missing address client/api.go:4838
2024-05-14T13:57:14+02:00 DEBU [KEYSTORE]  Reading certificates from path "/home/user/.tsh/keys/company.teleport.sh/user@company.com-ssh/company.teleport.sh-cert.pub". client/keystore.go:357
2024-05-14T13:57:14+02:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2023-10-06 02:43:25 +0000 UTC". client/client_store.go:111
2024-05-14T13:57:14+02:00 INFO [KEYAGENT]  Loading SSH key for user "user@company.com" and cluster "company.teleport.sh". client/keyagent.go:198
2024-05-14T13:57:14+02:00 DEBU [CLIENT]    not using loopback pool for remote proxy addr: company.teleport.sh:443 client/api.go:4797
2024-05-14T13:57:14+02:00 DEBU             Attempting GET company.teleport.sh:443/webapi/ping webclient/webclient.go:129
2024-05-14T13:57:15+02:00 DEBU             ALPN connection upgrade required for "company.teleport.sh:443": false. client/alpn_conn_upgrade.go:95
WARNING: Ignoring Teleport user (user@company.com) for Single Sign-On (SSO) login.
Provide the user name during the SSO flow instead. Use --auth=local if you did not intend to login with SSO.
2024-05-14T13:57:15+02:00 DEBU [CLIENT]    Attempting to login with a new RSA private key. client/api.go:4104
2024-05-14T13:57:15+02:00 DEBU [CLIENT]    not using loopback pool for remote proxy addr: company.teleport.sh:443 client/api.go:4797
2024-05-14T13:57:15+02:00 DEBU [CLIENT]    HTTPS client init(proxyAddr=company.teleport.sh:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-05-14T13:57:15+02:00 DEBU [CLIENT]    Binding to 192.168.1.10:3000. client/redirect.go:175
2024-05-14T13:57:15+02:00 INFO [CLIENT]    Waiting for response at: http://192.168.1.10:3000. client/redirect.go:194

ERROR REPORT:
Original Error: *trace.AccessDeniedError Failed to login due to a disallowed callback URL. Please check Teleport's log for more details.
Stack Trace:

Caught:
	github.com/gravitational/teleport/lib/httplib/httplib.go:216 github.com/gravitational/teleport/lib/httplib.ConvertResponse
	github.com/gravitational/teleport/lib/client/https_client.go:124 github.com/gravitational/teleport/lib/client.(*WebClient).PostJSON
	github.com/gravitational/teleport/lib/client/redirect.go:229 github.com/gravitational/teleport/lib/client.(*Redirector).issueSSOLoginConsoleRequest
	github.com/gravitational/teleport/lib/client/redirect.go:214 github.com/gravitational/teleport/lib/client.(*Redirector).Start
	github.com/gravitational/teleport/lib/client/weblogin.go:413 github.com/gravitational/teleport/lib/client.SSHAgentSSOLogin
	github.com/gravitational/teleport/lib/client/api.go:4325 github.com/gravitational/teleport/lib/client.(*TeleportClient).ssoLogin
	github.com/gravitational/teleport/lib/client/api.go:3814 github.com/gravitational/teleport/lib/client.(*TeleportClient).getSSHLoginFunc.func4
	github.com/gravitational/teleport/lib/client/api.go:4002 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin.func1
	github.com/gravitational/teleport/lib/client/api.go:4049 github.com/gravitational/teleport/lib/client.(*TeleportClient).loginWithHardwareKeyRetry
	github.com/gravitational/teleport/lib/client/api.go:4000 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin
	github.com/gravitational/teleport/lib/client/api.go:3581 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
	github.com/gravitational/teleport/tool/tsh/common/tsh.go:1930 github.com/gravitational/teleport/tool/tsh/common.onLogin
	github.com/gravitational/teleport/tool/tsh/common/tsh.go:1405 github.com/gravitational/teleport/tool/tsh/common.Run
	github.com/gravitational/teleport/tool/tsh/common/tsh.go:593 github.com/gravitational/teleport/tool/tsh/common.Main
	github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
	runtime/proc.go:267 runtime.main
	runtime/asm_amd64.s:1650 runtime.goexit
User Message: Failed to login due to a disallowed callback URL. Please check Teleport's log for more details
@rfmoz rfmoz added the bug label May 14, 2024
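The flow described in the report is the reason a proxy has to be strict about the callback target: tsh starts a listener, sends the proxy the URL of that listener, and the proxy later redirects the browser (carrying the login result) to that URL, so whoever controls the callback URL receives the credentials. The following Go program is an added illustration of a proxy-side callback policy, written for this page and not taken from Teleport or from PR #41833; the policy it encodes (loopback always accepted, anything else must match an operator allowlist on scheme, host and port) and the names ValidateCallbackURL and ErrCallbackDisallowed are this example's own assumptions, not Teleport's configuration or behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ErrCallbackDisallowed is this example's own error value; the wording
// resembles the tsh message in the report but is not Teleport's code.
var ErrCallbackDisallowed = errors.New("disallowed callback URL")

// isLoopback reports whether host is "localhost" or a loopback IP
// (127.0.0.0/8 or ::1), i.e. what a client binds by default.
func isLoopback(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// hostPort normalises host:port so that "https://cb.example.com" and
// "https://cb.example.com:443" compare equal.
func hostPort(u *url.URL) string {
	port := u.Port()
	if port == "" {
		if u.Scheme == "https" {
			port = "443"
		} else {
			port = "80"
		}
	}
	return net.JoinHostPort(strings.ToLower(u.Hostname()), port)
}

// ValidateCallbackURL applies a hypothetical proxy-side policy to the
// redirect target a client submits at the start of an SSO login:
//   - the URL must be absolute http or https with a host and no userinfo;
//   - loopback hosts are always accepted;
//   - any other host must match an allowlist entry on scheme, host and port.
// A proxy that accepted arbitrary callback URLs would deliver the login
// result to any address the party starting the flow chose.
func ValidateCallbackURL(raw string, allowlist []string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrCallbackDisallowed, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q", ErrCallbackDisallowed, u.Scheme)
	}
	if u.User != nil || u.Hostname() == "" {
		return fmt.Errorf("%w: %q", ErrCallbackDisallowed, raw)
	}
	if isLoopback(u.Hostname()) {
		return nil
	}
	for _, entry := range allowlist {
		a, err := url.Parse(entry)
		if err != nil {
			continue // a malformed allowlist entry never matches anything
		}
		if a.Scheme == u.Scheme && hostPort(a) == hostPort(u) {
			return nil
		}
	}
	return fmt.Errorf("%w: %q is not loopback and not in the allowlist", ErrCallbackDisallowed, raw)
}

func main() {
	// The two bind addresses from the report, evaluated under the default
	// (empty) allowlist and then with the LAN address explicitly allowed.
	for _, cb := range []string{"http://127.0.0.1:3000", "http://192.168.1.10:3000"} {
		fmt.Printf("%-26s default policy: %v\n", cb, ValidateCallbackURL(cb, nil))
	}
	allowed := []string{"http://192.168.1.10:3000"}
	fmt.Printf("%-26s with allowlist: %v\n", "http://192.168.1.10:3000",
		ValidateCallbackURL("http://192.168.1.10:3000", allowed))
}
```

Under this policy the report's --bind-addr=192.168.1.10:3000 is rejected until an operator lists that exact http origin, while the default loopback listener keeps working; whether and how Teleport exposes such a list is what the linked PR covers and is not asserted here.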
@nadarashwin

We can confirm that we see the same issue on the 14.3.19 version.
We had to revert to 14.3.18 to get things working.

@espadolini
Contributor

Intended change, please see #41833 for further details.

@fghamsary

You should not just close the issue and say that this is intended!
In some organizations there are restrictions that mean we may use local IPs but not 127.0.0.1 over HTTP, and that is not possible anymore!
The option that you added allows only HTTPS URLs and not HTTP local IPs, which is a huge problem!
We use --bind-addr= on the client side, and the server should be able to handle the client request with this option as well, because this is a blocker for us!

@fghamsary

We are paying for Teleport Enterprise Edition, and just closing the issue is not the response we expected!
