oidc-authservice: infinite redirect loop with v1.7.0-rc.2 #2423

Closed
deepk2u opened this issue Mar 26, 2023 · 7 comments

deepk2u commented Mar 26, 2023

I am trying to test v1.7.0-rc.2 and I see the oidc-authservice image tag is moved from 28c59ef to e236439
83fbc57

I see the new version requires some more parameters or changed parameter names, like AUTHSERVICE_URL_PREFIX, and SKIP_AUTH_URI changed to SKIP_AUTH_URLS.

I provided all the parameters accordingly, but I am seeing this issue of infinite redirect.
Flow:

  1. When I open the kubeflow URL, it starts the OIDC flow
  2. OIDC MFA gets done and redirects back to kubeflow redirect URL
  3. For some reason it starts the MFA flow again after redirection to REDIRECT_URL

config:

apiVersion: v1
data:
  AUTHSERVICE_URL_PREFIX: /authservice/
  OIDC_AUTH_URL: https://<oidc base path>/as/authorization.oauth2
  OIDC_PROVIDER: https://<oidc base path>
  OIDC_SCOPES: profile email groups
  PORT: '"8080"'
  REDIRECT_URL: https://<kubeflow base url>/login/oidc
  SKIP_AUTH_URLS: /as
  STORE_PATH: /var/lib/authservice/data.db
  USERID_CLAIM: email
  USERID_HEADER: kubeflow-userid
  USERID_PREFIX: ""
  namespace: kubeflow
kind: ConfigMap
metadata:
  name: oidc-authservice-parameters
  namespace: kubeflow

I checked the logs and it looks like the session key is not getting stored properly, so it always tries to fetch the new codes by restarting the OIDC MFA flow.

time="2023-03-26T17:27:07Z" level=info msg="Loading session from cookie authservice_session" ip=10.12.112.176 request="/login/oidc?code=<code>"
time="2023-03-26T17:27:07Z" level=info msg="Failed to authenticate using authenticators. Initiating OIDC Authorization Code flow..." ip=10.12.112.176 request="/login/oidc?code=<code>&state=<state>"
time="2023-03-26T17:27:07Z" level=info msg="Authenticating request..." ip=10.12.113.14 request="/login/oidc?code=<new code>&state=<new state>"
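
A log check for the symptom reported above, added here as an example and not part of the original comment or of the oidc-authservice project: it flags requests that arrive on the callback path with an authorization code but are logged as starting a new authorization flow. The function names, the default `callback_path` (the path of `REDIRECT_URL` in the config above) and the sample lines are assumptions constructed from the report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# logrus text format: key=value pairs; values may be double-quoted.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
RESTART_MSG = "Initiating OIDC Authorization Code flow"


def parse_line(line):
    """Return the key/value fields of one logrus text-format line."""
    fields = {}
    for key, value in PAIR.findall(line):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def find_callback_restarts(lines, callback_path="/login/oidc"):
    """Flag requests that reach the callback path with an authorization
    code but are still sent into a new authorization flow."""
    hits = []
    for line in lines:
        f = parse_line(line)
        url = urlsplit(f.get("request", ""))
        has_code = "code" in parse_qs(url.query)
        if url.path == callback_path and has_code and RESTART_MSG in f.get("msg", ""):
            hits.append((f.get("time"), f.get("ip")))
    return hits


# Constructed sample modelled on the log lines in the report above.
SAMPLE = [
    'time="2023-03-26T17:27:07Z" level=info msg="Loading session from cookie '
    'authservice_session" ip=10.12.112.176 request="/login/oidc?code=<code>"',
    'time="2023-03-26T17:27:07Z" level=info msg="Failed to authenticate using '
    'authenticators. Initiating OIDC Authorization Code flow..." '
    'ip=10.12.112.176 request="/login/oidc?code=<code>&state=<state>"',
    'time="2023-03-26T17:27:07Z" level=info msg="Authenticating request..." '
    'ip=10.12.113.14 request="/login/oidc?code=<new code>&state=<new state>"',
]

if __name__ == "__main__":
    for when, ip in find_callback_restarts(SAMPLE):
        print(f"{when} {ip}: callback carried a code but the flow restarted")
```

A hit means the callback request itself was treated as unauthenticated, which is the loop condition described in the report.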


deepk2u commented Mar 26, 2023

I tried the same setup with the latest image from oidc-authservice, and it worked.

Changed the image from gcr.io/arrikto/kubeflow/oidc-authservice:e236439 to gcr.io/arrikto/oidc-authservice:0c4ea9a

https://console.cloud.google.com/gcr/images/arrikto/global/oidc-authservice

@mousam-singh

Updating to this image, gcr.io/arrikto/oidc-authservice:0c4ea9a, worked well for me.

@RoyOsaki

> I tried same setup with the latest image from oidc-authservice, it worked.
>
> changed image from gcr.io/arrikto/kubeflow/oidc-authservice:e236439 to gcr.io/arrikto/oidc-authservice:0c4ea9a
>
> https://console.cloud.google.com/gcr/images/arrikto/global/oidc-authservice

This works for me too.

ralfluebben added a commit to ralfluebben/manifests that referenced this issue Jul 6, 2023
The given image does not work in KF, this commit updates it from gcr.io/arrikto/kubeflow/oidc-authservice:e236439 to gcr.io/arrikto/oidc-authservice:0c4ea9a, note that registry link and tag is updated.

fixes kubeflow#2423

@kimwnasptd (Member)

@deepk2u I haven't managed to reproduce this in the latest version of KF 1.7. Could you share steps to reproduce?

deepk2u commented Aug 2, 2023

@kimwnasptd I am not using Dex; I am trying to connect to Intuit's OIDC directly using the above config. The exact same config works for the new version of authservice.

@juliusvonkohout (Member)

/close

We are not at Kubeflow 1.8

@juliusvonkohout: Closing this issue.

Needs Triage automation moved this from To Do to Closed Nov 29, 2023