New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
can not login after upgrading to 4 #2463
Comments
i also noticed this happens a lot in the logs |
Yes, it is also happening for me! The login is failing most of the time due to the above error. The login randomly succeeds :( |
I'm seeing the same behaviour. Further, when trying to log-in with Safari (v11.1.2) clicking on |
This happened to us also. FYI, we upgraded from 3.14. There was one user in Main and another team with a single local user. Xenial 97.3 azure stemcell. |
to add on i've also setup GitHub authentication. which also seems to work. i login to github and it does the same timeout waiting on the /sky/ redirect. |
@skibum55 nice! unfortunately dns is fine on my setup. |
so after seeing your dns fix i wanted to see why my Post was failing. i figured out that i wasn't allow my ec2 instance the ability to talk to itself. i fixed that, and now when i login instead of it taking a while to timeout. it instantly dies on the same call:
and this is in the logs:
|
ok so a little progress. it seems like my nginx is causing this. when i bypass it, it now works and logs me in. it seems like nginx may be doing something to the cookies? i thought having |
ok i removed nginx as my lb and put in a alb and everything works fine. not sure but something breaks on the newest concourse with the same nginx config i have been using. |
Ok, generally sounds like this is a resolve issue. I'm currently testing the I could imaging the docker networking setup to cause similar resolve issues here, but haven't been able to find a config that would fix the login. There is no |
@phynias @UniqueElphie give the concourse server ip with port or dns name in below parameter eg:
In latest version of concourse by default it will redirecting to localhost:8080 if you do not specify CONCOURSE_EXTERNAL_URL. use below parameters in latest version instead of basic authentication parameters and password should be in bcrypted format:
for reference: #2421 |
Ok, so I think I figured out what is going on:
Conclusion: Do NOT change the port without telling concourse about it! This did work until version 4 came along, but I can understand how the authentication is getting confused when it expects to run on a different port. Workaround: either do not change the port with |
Setting
[UPDATE] This fixed it: To get the different port working all of these variables have to be set: |
Woops, we really shouldn't be relying on the external URL internally. I think the problem is just this one line: If we were to change that to the bind IP/port (except I'll prioritize this highly somewhere. Sorry for the turbulence everyone! @r-chris I'm also gonna prioritize #2519 which should make changing the ports work a lot more smoothly. |
Does anyone know if this problem applies to the TSA port as well? Currently for a CI solution which stands up a local concourse stack, I have to launch a concourse stack on non-standard ports (so it won't conflict with the existing stack). Thus I have the web node docker image binding tsa to 2222 internally and web to 8080 as normal, but externally for the 'test stack' they get mapped on the host to 2323 and 8181, respectively. |
@pivotal-jamie-klassen Is this actually done? I see the code still using the external URL here and don't see any commits pushed. Moving back to the backlog. I thought this was in 4.1.0 but hadn't done acceptance on it yet so I'm not sure. We may need to do another release soon to fix this. :/ @eedwards-sk I don't think this issue applies to the TSA. |
Hey @vito I just setup v4.1, but when I try to login as local user or github user, the login fails due to the same error. Is this issue fixed and verified? |
@UniqueElphie Correct, this ended up not making it in to 4.1. We've picked it up again and plan to push a 4.1.1 out this week. |
@vito Actually, this very issue was one of the reasons I wanted to completely disable authentication, as I'm already using an auth solution. Most of the time, however, I think that the issues stem from not being able to access concourse directly, but being able to access the reverse proxy (so the 301 messes up the auth flow). If there is anything else I can answer, heck, if you want to ssh into my concourse deployment and reverse proxy to see the setup, I am more than happy to help. |
@enugentdt Hmm, I say this having no experience with Pritunl Zero/BeyondCorp myself, but I wonder if you'd be able to instead configure Concourse to use it as either an OIDC or oAuth2 provider? It seems a shame to forego all of the Concourse auth flow, as you might end up missing out on things like fine-grained access control (#1317) in the future. Is the reverse-proxy aspect a hard requirement from your organisation? |
@vito Unfortunately, Pritunl Zero itself does not support custom OAuth providers, only SAML, and even then, it's at a price point which is unreachable for most users. I'd agree that it's a shame to lose on Concourse ABAC, though. Admittedly, the lack of OAuth drives me up a wall, and one day, I plan to PR (or fork) it. Running this reverse proxy allows us to have an extremely resilient architecture, which might not be as easy with Concourse being exposed publicly. Zero does the usual "check if it's up" stuff and directs as it pleases. The other side is IP addresses - using a reverse proxy lets us have less public IPs, and have services behind a centrally-secured and -audited endpoint. Not to mention the general load-balance ability of reverse proxies (CloudFlare or custom solutions). Would Concourse be able to function as an oAuth2 provider, while still obtaining users from Google? If so, I could see that being very useful for reverse proxies that are pass-through only. I'm going to do some testing, and see how non-authenticating proxies work with regards to Concourse, and try to pinpoint anything that would be useful with that. If it would help, I'm @space55 on the Discord (multiple GitHub accounts, yay!), so I can chat there if it works better than on this issue. |
#2463 Submodule src/github.com/concourse/atc 3379392b9..fd2a08bd0: > Remove internal URL from skyserver config Submodule src/github.com/concourse/skymarshal b72c6d513..fe0656e2b: > Remove internal URL from skyserver config Signed-off-by: Josh Winters <jwinters@pivotal.io>
We investigated doing an internal redirect for all of the auth components, but that doesn't work because of the way Dex is designed. To perform an internal redirect, the issuer URL in Dex needs to be set to the internal URL. This breaks for the following reasons:
|
To double tap on this, I am using Concourse behind a reverse proxy that doesn't use authentication of any form, it just performs a TLS/SSL termination. I'm still seeing errors:
Reading @vito's comments about this not making it into 4.1.1 is a bit disheartening, but I wanted to validate some assumptions around the external URLs so there was more visibility into the issue. For me, Here are my deployed versions: releases:
- name: concourse
sha1: 513e3a88d135e6e2cd8a974702e2e63caa0cb82b
url: https://bosh.io/d/github.com/concourse/concourse?v=4.1.0
version: 4.1.0
- name: garden-runc
sha1: 2a7c813e7e4d862e19334addf022916fb6b91eb0
url: https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.16.3
version: 1.16.3
- name: postgres
sha1: 24d2e2887a45258b71bc40577c0f406180e47701
url: https://bosh.io/d/github.com/cloudfoundry/postgres-release?v=29
version: "29" |
#2463 Submodule src/github.com/concourse/atc 228d6457..40107fc6: > Use internal url for token requests to dex Submodule src/github.com/concourse/skymarshal fe0656e2b..cb41319bc: > Use internal url for token requests to dex Signed-off-by: Divya Dadlani <ddadlani@pivotal.io>
Having scanned this ticket a dozen times and not being able to extract a smoking gun, I wonder if anyone could elaborate on the circumstances by which this error occurs. Specifically, the |
The main problem here is that when the ATC can't reach the |
#2463 Submodule src/github.com/concourse/skymarshal cb41319b..5b92fd83: > Always use http for loopback communication because certs Signed-off-by: Divya Dadlani <ddadlani@pivotal.io>
@pivotal-jwinters Thanks for that. So I can prove that my ATC box has access back to its own web service (80) through the |
@troykinsella that log message just means that an unauthenticated user is using the web interface. It doesn't mean theres a problem. It was a little spammy/misleading so we removed it for the next release. Are you having problems logging into your concourse installation? |
we can't rely on being able to reach the external URL from the ATC for a few reasons: * it might be pointing to a reverse-proxy with its own auth * it might be pointing to a reverse-proxy with SSL termination and a cert not trusted by the `web` node * it might be literally unreachable from the ATC because of firewall/security groups/etc so, inject a client that just re-routes requests from the external URL to the internal URL. concourse/concourse#2463
#2463 Submodule src/github.com/concourse/atc 40107fc6a..374d3ce91: > reroute login flow dex traffic to internal url Submodule src/github.com/concourse/skymarshal 5b92fd837..30842c3e1: > Revert "Use internal url for token requests to dex" > Revert "Always use http for loopback communication because certs"
Hi all,
Auth doesn't work when UPDATE: MORE UPDATE: FINAL UPDATE:
We've fixed this by configuring proxy buffering in our ingress like this:
External Url and Amount of teams wasn't our problem. Sorry for the noise. 😊 |
@pivotal-jwinters Yes, the most basic auth setup I can think of fails all login attempts:
Tried a bcrypted password and a plain password. I'm accessing the ATC directly through an ssh tunnel over plain http. |
For posterity: 4.2.0 fixes my login issue. |
Just setup v4.2.1 and login via github/local is working perfectly now!! |
Hooray! Works for me too! Thanks guys! |
I deployed 4.2.1 today and it works for me! Thanks @vito and team. |
Hey there, I keep getting redirected to 127.0.0.1 right when I click the login button with a fresh install of concourse 4.2.1. Could you please clarify if I need to specify an external URL for this not to happen? While some users seem to be happy, they haven't specified their setup, and I'm still having problems. Here's my situation:
If in v4 I must specify a single external URL, I'll have to stay on 3.14.1. |
I can confirm. Just ran into the same issue.
|
Please open new issues instead of commenting on this one - there was a very specific thing to fix, and we fixed it, and received feedback from those affected by this issue that it was indeed fixed. The title of this GitHub issue is very open-ended and we'll keep getting comments on here as long as anyone is having login issues. :) (We should maybe lock it eventually.) @jeffawang An external URL must be configured for auth to work properly and securely. If you have a use case for multiple external URLs, we'd like to hear about it (but again, in a separate issue), but it at least sounds a bit strange. |
i have the following set for my web config
now when i try and login, it just sits there spinning. if i look in the inspector i can see it pending on
https://ci.xxxx.com/sky/callback?code=btkstm4h47f23yugenht5v5s2&state=eyJyZWRpcmVjdF91cmkiOiIvIiwiZW50cm9weSI6IjQzNWY1N2NiZDNiMWZmYTMzNGZmNGUxYmRhOThmYjMxNzUxNTg4YThhYzFkNDQ2N2QxMGJkMmYyMzkyOTg1MzIifQ%3D%3D
it will finally time out after a while.
in the logs i see
if i put in the wrong login info it instantly comes back and says bad login/password.
when it does work it seems to just timeout.
after it times out i see this in the log:
Aug 4 00:27:10 ip-10-200-1-205 concourse[4491]: {"timestamp":"1533342430.388325930","source":"atc","message":"atc.sky.callback.failed-to-fetch-dex-token","log_level":2,"data":{"error":"Post https://ci.wizr.com/sky/issuer/token: dial tcp 34.210.127.211:443: i/o timeout","session":"4.277"}}
The text was updated successfully, but these errors were encountered: