OIDC Resolving JWK set failed #2696

Closed
2 tasks done
Legeril opened this issue Apr 19, 2023 · 11 comments · Fixed by #2744
Labels
defect Something isn't working

Comments

Legeril commented Apr 19, 2023

Current Behavior

dual ECS container v4.8.0 deployment
(Thanks for adding proxy support, I at least now can get TO Okta)

On the login screen, I click the OIDC button, am redirected to Okta, authenticate with Okta, and am returned to the DependencyTrack login screen.

On further attempts, once authenticated through Okta, it just takes me straight back to the login screen.
In Okta, it shows the token is granted

Logging in as admin to dtrack shows no user provisioned etc.
DependencyTrack Logs show:

ERROR [OidcIdTokenAuthenticator] Resolving JWK Set failed
java.net.ConnectException: Connection timed out

I did verify that the jwk_uri exists and is accessible, ending in /v1/keys.

Steps to Reproduce

Front End has env vars

OIDC_ISSUER is set
OIDC_CLIENT_ID is set
OIDC_SCOPE=oepnid

API Server has env vars

ALPINE_OIDC_ENABLED=true
ALPINE_OIDC_CLIENT_ID is set
ALPINE_OIDC_ISSUER is set
ALPINE_OIDC_USERNAME_CLAIM=username
ALPINE_OIDC_USER_PROVISIONING=true
HTTP_PROXY and HTTPS_PROXY are also set as of v4.8.0 so we at least hit Okta now

Expected Behavior

I would expect to get into the Dashboard.

Dependency-Track Version

4.8.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15.2

Browser

Google Chrome


@Legeril Legeril added defect Something isn't working in triage labels Apr 19, 2023

nscuro commented Apr 20, 2023

Looks like retrieval of JWKs may still not use the configured proxy.

Please try additionally setting the proxy on the JVM level and see if that works. For the container image, you can use the JAVA_EXTRA_OPTIONS environment variable.

# JVM Options that can be passed at runtime, while maintaining also those set in JAVA_OPTIONS
EXTRA_JAVA_OPTIONS="" \

For example:

JAVA_EXTRA_OPTIONS="-Dhttps.proxyHost=proxy.example.com -Dhttps.proxyPort=8080 -Dhttp.noProxyHosts=localhost|host-a.internal|host-b.internal"


Legeril commented Apr 20, 2023

I have added the env variable in the container definition

JAVA_EXTRA_OPTIONS="-Dhttps.proxyHost=http://proxy.address -Dhttps.proxyPort=#### -Dhttp.noProxyHosts=list|of|hosts"
Unfortunately it is the same error in the logs
@nscuro I appreciate your help

@nscuro nscuro removed the in triage label Apr 25, 2023
nscuro added a commit to nscuro/Alpine that referenced this issue Apr 25, 2023
Fixes an oversight of stevespringett#466

Relates to DependencyTrack/dependency-track#2696

Signed-off-by: nscuro <nscuro@protonmail.com>

nscuro commented Apr 25, 2023

A fix for the underlying issue has been raised in stevespringett/Alpine#490

This will likely be shipped with a 4.8.1 bugfix release soon.

@nscuro nscuro added this to the 4.8.1 milestone Apr 25, 2023
@mieliespoor

We are looking to upgrade to 4.8, but holding back because of this issue. Does this issue only relate to when the proxy has been set?


nscuro commented Apr 26, 2023

@mieliespoor Yes, this issue will only affect you if the communication between the DT API server and the OIDC IdP must go through a proxy.

@valentijnscholten
Contributor

> I have added the env variable in the container definition
>
> JAVA_EXTRA_OPTIONS="-Dhttps.proxyHost=http://proxy.address -Dhttps.proxyPort=#### -Dhttp.noProxyHosts=list|of|hosts"

It might not help, but the correct name of the env variable is EXTRA_JAVA_OPTIONS.


Legeril commented Apr 27, 2023

> > I have added the env variable in the container definition
> > JAVA_EXTRA_OPTIONS="-Dhttps.proxyHost=http://proxy.address -Dhttps.proxyPort=#### -Dhttp.noProxyHosts=list|of|hosts"
>
> It might not help, but the correct name of the env variable is EXTRA_JAVA_OPTIONS.

Thank you - I edited the ENV vars to reflect that difference. It got me further than before.

The error is now this but with our actual proxy url.
Resolving JWK set failed java.net.UnknownHostException: http://proxy.address


nscuro commented Apr 27, 2023

proxyHost must be only the hostname; the HTTP protocol is implicit.

So:

-Dhttps.proxyHost=proxy.address -Dhttps.proxyPort=1234
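An added checker, not part of Dependency-Track or of anyone's post in this thread, that catches the two mistakes seen above (a scheme inside proxyHost and a placeholder port) and derives the JVM flags from HTTPS_PROXY/NO_PROXY style values. The exclusion property the JDK's HTTP stack reads is http.nonProxyHosts (pipe-separated), which the checker also flags; all sample values are constructed.

```python
import shlex
from urllib.parse import urlsplit

# Constructed samples: the failing value from this thread next to the corrected form.
BAD_OPTS = ("-Dhttps.proxyHost=http://proxy.address -Dhttps.proxyPort=#### "
            "-Dhttp.noProxyHosts=list|of|hosts")
GOOD_OPTS = "-Dhttps.proxyHost=proxy.address -Dhttps.proxyPort=1234"

# Proxy-related system properties the JDK's built-in HTTP stack actually reads.
KNOWN_PROPS = {"http.proxyHost", "http.proxyPort", "https.proxyHost",
               "https.proxyPort", "http.nonProxyHosts"}

def parse_jvm_props(opts: str) -> dict:
    """Extract -Dkey=value pairs from an EXTRA_JAVA_OPTIONS string."""
    props = {}
    for tok in shlex.split(opts):
        if tok.startswith("-D") and "=" in tok:
            key, _, val = tok[2:].partition("=")
            props[key] = val
    return props

def check_proxy_opts(opts: str) -> list:
    """Return human-readable problems; an empty list means the flags look sane."""
    props = parse_jvm_props(opts)
    problems = []
    for key in props:
        if "proxy" in key.lower() and key not in KNOWN_PROPS:
            problems.append(f"{key}: unknown property (exclusions use http.nonProxyHosts)")
    for scheme in ("http", "https"):
        host = props.get(f"{scheme}.proxyHost")
        port = props.get(f"{scheme}.proxyPort")
        if host is None and port is None:
            continue
        if host is not None and ("://" in host or "/" in host):
            problems.append(f"{scheme}.proxyHost must be a bare hostname, not a URL: {host}")
        if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"{scheme}.proxyPort must be a TCP port number: {port}")
    return problems

def jvm_opts_from_env(https_proxy: str, no_proxy: str = "") -> str:
    """Translate HTTPS_PROXY / NO_PROXY style values into the equivalent -D flags."""
    url = urlsplit(https_proxy if "://" in https_proxy else "http://" + https_proxy)
    if not url.hostname or not url.port:
        raise ValueError("proxy value must carry host and port, e.g. proxy.address:1234")
    flags = [f"-Dhttps.proxyHost={url.hostname}", f"-Dhttps.proxyPort={url.port}"]
    hosts = [h.strip() for h in no_proxy.split(",") if h.strip()]
    if hosts:  # Java separates exclusions with '|', NO_PROXY uses ','
        flags.append("-Dhttp.nonProxyHosts=" + "|".join(hosts))
    return " ".join(flags)
```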


Legeril commented Apr 27, 2023

> proxyHost must be only the hostname; the HTTP protocol is implicit.
>
> So:
>
> -Dhttps.proxyHost=proxy.address -Dhttps.proxyPort=1234

@nscuro thank you.
The error now seems to be related to OIDC settings we'll need to adjust on our end.
'Unable to assemble complete profile'

I appreciate how much help you've given.

@nscuro nscuro mentioned this issue Apr 30, 2023

nscuro commented May 14, 2023

This was fixed in stevespringett/Alpine#490 and will be shipped with 4.8.1.

@github-actions

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 14, 2023