Improve documentation about PKCE #492
Is anyone successfully using the PKCE plugin? We are getting 401 responses but no redirect or log detailing why. Here is what we have tried so far and what we have learned: I have not confirmed yet what
dispatch configuration
According to the documentation
other resources: |
Unfortunately, I believe every IDP will be a little bit different. I haven't personally tried to integrate with the Google IDP itself (we have an internal IDP based on Ping) so I don't have explicit directions; however, our hope is that in choosing PKCE as a standard we should be able to support any IDP that supports PKCE. A few thoughts: @gargrag @johnbuhay -- Yes, you're correct, the docs should say As far as what redirectURI to list, it's up to your IDP what they allow; some allow wildcarding, i.e. you could whitelist the root of the app. You said you're receiving a 401, are you being forwarded to your IDP provider? Some things you could check: Are you seeing successful requests to your openIdConnect issuer in your network tab? This call happens here If you are getting redirected to your IDP, are you getting a If it helps, this is what the console looks like for a valid PKCE handshake: One last thing, looking at the Google docs it looks like this is a lot closer to what I would expect: I know it's listed as a native app (which is confusing), but that's only because that is where folks typically use PKCE. |
No, we do not get redirected to the IDP I have verified the IDP configuration successfully using the *Note: wildcard substitution for paths are not supported by Google OAuth clients |
Can you set a breakpoint here: And verify that you're entering the PKCE auth flow? |
If you're building the JS app separately (i.e. not having the dispatch install do it for you), there are a few things you will have to do to get the var set correctly. Essentially you will need a It could be we also need to specify |
We are building using the provided Dockerfile. Adding the We now have a new issue where process.env.VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_OPEN_ID_CONNECT_URL in the debugger is unknown and AuthorizationServiceConfiguration fails to build the url. Now,
the
thanks for your help |
So it seems we have an issue where at build time, Looking into |
I wonder if we're missing a COPY for the ENV file at some point. I would have thought this would be enough: https://github.com/Netflix/dispatch/blob/develop/docker/Dockerfile#L89 |
I have discovered this VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_OPEN_ID_CONNECT is unused. It should be: VUE_APP_DISPATCH_AUTHENTICATION_PROVIDER_PKCE_OPEN_ID_CONNECT_URL And the keys in .env.example_vue_app are only referenced in that file? dispatch/src/dispatch/static/dispatch/.env.example_vue_app Lines 2 to 3 in e6d3a3e
It is enough and to verify I added |
Status update: After baking the client_id and oidc_url into a new container we are triggering the pkce plugin and redirect to the IDP for login. Furthermore it seems the Google token retrieval requires client_secret, and I do not see anywhere we are providing that to dispatch. Otherwise, it seems we will need to author a plugin to work with Google IDP... |
We could add the ability to set the Again, each IDP is a bit different. If you do wish to go down the road of having a different auth flow, I would be happy to merge something in if it makes it easier for folks to use the app. |
A few things to note: 1 - I will try to get a PR merged in the openid/appauth library; that will probably take some time as other PRs seem to have stalled on the project. Currently, it is missing support for passing the optional 2 - Creating Google OAuth credentials with Desktop type does not allow you to specify redirect_uri and are intentionally limited to |
Status update... I have updated a private copy of the PKCEAuthPlugin to include the clientSecret option as an item in EDIT: This now stands out as the access_token retrieved is not base64 decodable. From the error thrown here |
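As an added example (not Dispatch's or the openid/appauth library's code), here is the RFC 7636 S256 code_verifier/code_challenge pair that the PKCE client and the IDP must agree on, plus a small check that tells an opaque bearer token apart from a JWT. It illustrates the "not base64 decodable" symptom in the comment above: an OAuth provider may issue an opaque access_token, while the OIDC id_token is the signed JWT that carries the claims a backend can decode and verify. Nothing here assumes Dispatch's own configuration keys.

```python
import base64
import hashlib
import json
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved chars (base64url, no padding)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """What the authorization server checks at the token endpoint: the verifier
    presented with the code must hash to the challenge sent at /authorize."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_kind(token: str) -> str:
    """Return 'jwt' if the string is a three-segment JWS with a JSON header
    carrying 'alg', otherwise 'opaque' (e.g. a provider's opaque access_token).
    Only the id_token should be fed to a JWT decoder; an opaque token will
    fail exactly like the base64 error described in the thread."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"


if __name__ == "__main__":
    v = make_code_verifier()
    print(v, make_code_challenge(v), verify_code_challenge(v, make_code_challenge(v)))
```

The RFC 7636 Appendix B test vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`) can be used to confirm the challenge computation matches what a conforming IDP expects.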
@johnbuhay I'm trying to get Google OAuth2 working as well. Thanks for the advice so far. I got past successful login by changing But now backend is failing authorisation with a valid JWT (verified signature etc. at jwt.io). I'm adding some debug logging to investigate further. |
Alright, I finally got Google auth working after setting |
@mclueppers Can you please describe the steps you took to make google auth work? |
Thanks! @mclueppers It's working for me now. I think I'm going to implement this as a separate auth provider on our fork. |
Great news. I'm waiting for the separate adapter, sounds like the best implementation approach. |
Just wanted to stop by and say this thread + PR #535 was indispensable in getting PKCE/OIDC working in my environment. I'll write up a blog post soon about it, but thanks for your help folks. |
Thanks to @patcable, I think we are in a better place re: pkce configuration. Closing this now, please open a new issue if you find any other gaps. |
Hi, we are trying to adopt the tool, and we are struggling trying to configure PKCE with Google auth. PKCE is kind of new, and we may not be fully getting it. But is it possible that you guys can help us configure that, so that we can contribute to the docs?
The issue now is that without an auth provider, the app is not usable. We also detected that there may be an inconsistency between the docs and the code with this env var
I also asked on a separate issue, and I tried reading the docs, but it is still not clear, and I think this may be the case for the majority of the users.
Thanks