Desire for more detailed error logging in the /oauth2/callback handler when using SSO
Use Cases
When enabling SSO Authentication for the first time, we may encounter subtle errors and misconfigurations that can delay our setup process.
In such cases, having more detailed logs in the server would greatly assist us in identifying and resolving these misconfigurations and errors.
For instance, I deployed Keycloak and used it as an Identity Provider. I attempted to configure Argo Workflows SSO using Keycloak. However, I misconfigured the OIDC issuer setting by mistake. Instead of setting it to http://keycloak-http.keycloak/auth/realms/myrealm, I incorrectly set it to http://keycloak-http.keycloak:80/auth/realms/myrealm (i.e., I should have omitted the port).
This misconfiguration resulted in a simple 401 error without any logs in the server and lacked a detailed error message in the HTTP response to clients.
To gather more information, I added logging on every line in the HandleCallback function (ref: argo-workflows/server/auth/sso/sso.go, Line 227 in 97b6fa8).
Through this, I managed to identify that the error occurred during the verification of ID tokens after their issuance.
Notably, I discovered that the HandleCallback function, unlike other functions, simply responds with w.WriteHeader(401), which led to insufficient logging or information about the errors specific to this function.
I believe there are others who may face similar challenges in setting up SSO, and having more detailed logging would be immensely helpful.
Message from the maintainers:
Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.
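The failure mode described in this issue, as an added Go example that is not code from Argo Workflows or from the issue's author: an exact-match issuer check fails on the ":80" variant, and the handler logs the reason server-side while the client still receives only a generic 401. The names checkIssuer, callbackHandler and runCallback are hypothetical, and which of the two URLs ends up in the token's iss claim is an assumption.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// checkIssuer compares the configured issuer with the token's "iss" claim as
// exact strings, so an explicit ":80" makes otherwise equal URLs differ.
func checkIssuer(configured, tokenIss string) error {
	if configured != tokenIss {
		// %q quotes both values, so control characters cannot forge log lines.
		return fmt.Errorf("issuer mismatch: configured %q, token iss %q", configured, tokenIss)
	}
	return nil
}

// callbackHandler is a hypothetical stand-in for an /oauth2/callback handler.
// tokenIss is passed in directly instead of being read from a verified token.
func callbackHandler(logger *log.Logger, configured, tokenIss string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if err := checkIssuer(configured, tokenIss); err != nil {
			// Full reason goes to the server log; the client gets a generic 401.
			logger.Printf("oauth2 callback: failed to verify ID token: %v", err)
			http.Error(w, "failed to verify token", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// runCallback drives the handler once and returns the status and the log output.
func runCallback(configured, tokenIss string) (int, string) {
	var buf bytes.Buffer
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/oauth2/callback", nil)
	callbackHandler(log.New(&buf, "", 0), configured, tokenIss)(rec, req)
	return rec.Code, buf.String()
}

func main() {
	// Constructed input: the two issuer URLs quoted in the issue.
	code, logged := runCallback("http://keycloak-http.keycloak:80/auth/realms/myrealm",
		"http://keycloak-http.keycloak/auth/realms/myrealm")
	fmt.Printf("status=%d log=%s", code, logged)
}
```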
This is excellent feedback. Thank you! Since you already went through the debugging process, would you like to put together a PR that improves the logging?