Invalid credentials with oidc auth with dex #11

Closed
linuxshokunin opened this issue Apr 8, 2019 · 9 comments

Comments

@linuxshokunin

linuxshokunin commented Apr 8, 2019

Hi,

I get an invalid credentials error like the one below when authenticating with dex as an OIDC provider.

An error occured during the request { OpenIdConnectError: invalid_client (Invalid client credentials.)
    at Client.requestErrorHandler (/usr/src/app/node_modules/openid-client/lib/helpers/error_handler.js:16:11)
    at processTicksAndRejections (internal/process/next_tick.js:81:5)
  error: 'invalid_client',
  error_description: 'Invalid client credentials.' } POST /oidc
POST /oidc 500

If I turn off OIDC auth, k8dash asks for a token, and it works if I enter a valid token.
Dex is authenticating with github.com and it works fine with kubectl.
Here are the kubectl settings:

user:
    auth-provider:
      config:
        client-id: kubernetes
        client-secret: ZXhhbXBsZS1hcHAtc2VjcmV0
        extra-scopes: offline_access openid profile email groups
        id-token: REDACTED
        idp-certificate-authority-data: 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
        idp-issuer-url: https://dex.example.com:32000
        refresh-token: ChlibzZjeDJyNnMzNWMzZjVoeWpuZm5oem8zEhltaWt3YmRxc3Eyem1qeHAyNmk2ZWlqYnd0
      name: oidc

And these are the k8s YAML manifests:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: k8dash
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: k8dash
  template:
    metadata:
      labels:
        k8s-app: k8dash
    spec:
      hostAliases:
      - hostnames:
        - dex.example.com
        ip: 10.0.2.100
      containers:
      - name: k8dash
        image: herbrandson/k8dash:dev
        command:
        - sh
        - -c
        - |
          npm config set cafile /ca/dex-ca.pem
          /sbin/tini -- node .
        ports:
        - containerPort: 4654
        livenessProbe:
          httpGet:
            scheme: HTTP
            path: /
            port: 4654
          initialDelaySeconds: 30
          timeoutSeconds: 30
        env:
        - name: OIDC_URL
          valueFrom:
            secretKeyRef:
              name: k8dash
              key: url
        - name: OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: k8dash
              key: id
        - name: OIDC_SECRET
          valueFrom:
            secretKeyRef:
              name: k8dash
              key: secret
        - name: NODE_EXTRA_CA_CERTS
          value: /ca/dex-ca.pem
        - name: OIDC_SCOPES
          value: "openid email groups"
        volumeMounts:
        - name: cafile
          mountPath: /ca
      volumes:
      - name: cafile
        configMap:
          name: k8dash

---
kind: Service
apiVersion: v1
metadata:
  name: k8dash
  namespace: kube-system
spec:
  ports:
    - port: 80
      targetPort: 4654
  selector:
    k8s-app: k8dash

---
apiVersion: v1
data:
  dex-ca.pem: |
    -----BEGIN CERTIFICATE-----
    MIIC+jCCAeKgAwIBAgIJAMeEraHv35rVMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
    BAMMB2t1YmUtY2EwHhcNMTkwMzMxMTkwOTA4WhcNMTkwNDEwMTkwOTA4WjASMRAw
    DgYDVQQDDAdrdWJlLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
    0doccWviooql4UkNhz1BgMJWnISL9MA1FmrHFxShTc++/UtUDq1UeSLBEzWN3Yfg
    BnSASAACfKIBE0CEbVw8RMKhurQxLFOHPP0hukUDi16egipGJ24YgVrrxqJUalla
    6qJZNGlPt7JlVukkHtecHN65gxm0B0s1kpWUQ4Xv/A6fWNhuaWujbTcEltHAmBRg
    kf0zQbuvd+LFywWEvT7Aj/nkQUfJ5/mC942RiXT3WuKrsX5kqwzYkUOq7hN3PuiT
    SSXFoI5LjAgyx5jTHnl7forVJxNl6/tG6xX8Kpq2jROqYK9TXWaHYCVKPy9LQ1nz
    A4ocMt2FAsDF8kfLR0a+iwIDAQABo1MwUTAdBgNVHQ4EFgQUL+X3z4JZHCfH8G/4
    Itd8TuFydEwwHwYDVR0jBBgwFoAUL+X3z4JZHCfH8G/4Itd8TuFydEwwDwYDVR0T
    AQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMkLPtvFhfVq3EbmBESwDGOYw
    Ub1XKEJoRDTeyvZ3jfRXhST9fvc4l/F1eNwVJfxWoJbR7BSBfmDb74yjpNpeXKlY
    VUZq52luvyp49E4rNCRGL3s/CcRqgWKjVlJefFjH6MO3a6g3CEdIF5rRf/3EqFH6
    fomRFt0L976hvjFEqr2UXGMrNMK1Czarkx8ZQsdzL2Haa35zz/ZPmOtP5kgsaILz
    hH/BCmy7n6CjCVlwQvEFaT9uQD6VkmzySfCohhj8XV0jpLkghxmvpbQw1CZl/p2R
    DpI8wh+MVHFs3/g3JkIjRE4IRmWdNXNaY0p1UYPEH3+7l9C9vSCd79x/I6m9Pw==
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: k8dash
  namespace: kube-system
---
apiVersion: v1
data:
  id: a3ViZXJuZXRlcw==
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0
  url: aHR0cHM6Ly9kZXguZXhhbXBsZS5jb206MzIwMDA=
kind: Secret
metadata:
  creationTimestamp: null
  name: k8dash
  namespace: kube-system

Do you have any idea?

@linuxshokunin
Author

Forgot to say, this dashboard is awesome.

@herbrandson
Collaborator

Thanks for filing the issue. I'm not familiar with Dex, but after reading a couple blogs about it, it looks pretty cool!

I'm not sure offhand what would be going wrong. Are there any logs on the dex end? Can we confirm that the request is at least getting there?

@linuxshokunin
Author

Dex looks fine. I can see a successful login with GitHub in the dex logs. If I change the client id on the k8dash side, dex complains with invalid client_id.

When I access the dashboard, it gets forwarded to dex and then to GitHub, and then comes back to the dashboard. However, the dashboard shows an error "login failed".

I will play with it more to find out.

@linuxshokunin
Author

I found out that it's in an authentication loop like:
k8dash -> dex -> github -> dex -> k8dash -> dex -> github

I guess k8dash is not compatible with OIDC providers.
Would it be possible to add compatibility with OIDC providers such as dex?

@linuxshokunin
Author

It looks like I fixed the problem. I needed to encode the client secret with base64.
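The root cause visible in the manifests above: values under a Kubernetes Secret's `data:` map are base64-encoded by the author and decoded by the kubelet before they reach the container. The `id` and `url` entries were encoded that way, but the `secret` entry was pasted as the literal client secret. Dex's example client secret happens to look like base64 itself, so the kubelet "decoded" it into a different string, and Dex answered `invalid_client`. The script below is an added example, not code from the issue or from k8dash; it decodes the posted Secret the way the container would see it, compares each value with the kubectl config that is known to work, and produces the correctly encoded `secret` value. The expected values are taken from the issue text; the function names are my own.

```python
import base64

# Values that work with kubectl, copied from the auth-provider config in the issue.
# Note the client secret is the literal string below, even though it looks like base64.
KUBECTL_EXPECTED = {
    "id": "kubernetes",
    "secret": "ZXhhbXBsZS1hcHAtc2VjcmV0",
    "url": "https://dex.example.com:32000",
}

# The `data:` map of the k8dash Secret as posted in the issue.
SECRET_DATA_AS_POSTED = {
    "id": "a3ViZXJuZXRlcw==",
    "secret": "ZXhhbXBsZS1hcHAtc2VjcmV0",
    "url": "aHR0cHM6Ly9kZXguZXhhbXBsZS5jb206MzIwMDA=",
}


def decode_secret_data(data):
    """Decode a Secret's `data` map the way the kubelet does before it is
    exposed to a container via secretKeyRef: standard base64, one layer."""
    return {key: base64.b64decode(value).decode() for key, value in data.items()}


def encode_for_secret_data(plain_value):
    """Produce the value that belongs under `data:` for a plain string,
    i.e. one layer of base64 on top of whatever the plain value is."""
    return base64.b64encode(plain_value.encode()).decode()


def check_against_expected(data, expected):
    """Return, per key, whether the value the container will see matches the
    value that is known to work with kubectl. A False entry is a misconfiguration."""
    seen_by_container = decode_secret_data(data)
    return {key: seen_by_container.get(key) == expected[key] for key in expected}


def corrected_secret_data(data, expected):
    """Return a copy of `data` with every mismatching key re-encoded from the
    expected plain value, leaving matching keys untouched."""
    fixed = dict(data)
    for key, ok in check_against_expected(data, expected).items():
        if not ok:
            fixed[key] = encode_for_secret_data(expected[key])
    return fixed


if __name__ == "__main__":
    seen = decode_secret_data(SECRET_DATA_AS_POSTED)
    print("container sees secret =", repr(seen["secret"]))  # 'example-app-secret'
    print("matches kubectl config:", check_against_expected(SECRET_DATA_AS_POSTED, KUBECTL_EXPECTED))
    fixed = corrected_secret_data(SECRET_DATA_AS_POSTED, KUBECTL_EXPECTED)
    print("corrected `secret:` value =", fixed["secret"])
```

The same check is worth running on any Secret that feeds credentials to a pod: decode what the container will actually receive and compare it with the value the identity provider has on file, rather than eyeballing the manifest. Writing the plain string under `stringData:` instead of `data:` avoids the manual encoding step altogether.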

@herbrandson
Collaborator

Great! I'm glad you were able to figure it out. And thanks for leaving a comment with the solution. Hopefully that saves the next person some time :)

Can we close this at this point or are there still pending issues getting OIDC working in your environment?

@linuxshokunin
Author

Yes. It works fine now.

@herbrandson
Collaborator

Good to hear :)

Please don't hesitate to file feature requests as you use k8dash more. I'd love feedback on how to make it better.

@psreddy22

Hello,
I have the same issues with Dex, LDAP and k8dash.

I'm redirected to dex and able to authenticate with LDAP, but finally I am not able to log in to k8dash.
Am I missing anything? I have done everything as mentioned in this thread.
