initial setup #1
Hey there, love the sound of what you're working on, I'm currently using authelia for my setup however I'm interested in trying out keycloak but couldn't get it working before. If you need testers I'm definitely up for giving you a hand with that! Saw your posts over on issue #593 on the traefik github page :)
@zackpollard wasn't aware of that project so thanks for sending the link! I'd love to get more eyes on it so how can I help get you going?
Sorry, wasn't perfectly clear with what I said there. My current setup is Traefik using Authelia as my authentication provider. They just submitted a PR that makes this work nicely together, however Keycloak seemed like a more feature-rich auth provider and is what I tried to get working with Traefik in the first place, however had no luck. I'm interested in helping you test this with Traefik + Keycloak as I want to give keycloak a go to see how it compares with Authelia :)
@zackpollard so do you have what you need currently? Or do you need some assistance in how to configure keycloak etc?
I won't be able to get around to testing until Monday night/Tuesday as I am away, however I can configure keycloak myself, I just need some guidance towards how this all interacts between traefik and keycloak. I believe in the other issue you mentioned you were going to produce some sort of documentation with example labels etc, that'd be a lot of help :)
@zackpollard ah ok! Are you running in kubernetes or something else?
Running in docker with compose setup for all my services.
@zackpollard ok, ultimately (after deploying the server somewhere) with
Hey @travisghansen! Thank you for your work on this project! I've been messing around with it this weekend. The biggest hurdle I have had thus far is that the user is always redirected back to the same URL and the validation payload is passed through URL params. This is problematic since many OpenIDC providers require callback URLs to be fixed and whitelisted. This unfortunately makes it largely unusable for me :(
@kevinoconnor7 hey thanks for the feedback. Actually my last commit before you even mentioned this I added support for that: https://github.com/travisghansen/oauth-external-auth-server/blob/master/bin/generate-config-token.js#L61 Try it out and let me know how it works out for you! I did my testing with gitlab (https://gitlab.com/gitlab-org/gitlab-ce/issues/48707) and confirmed it worked in my scenario.
Oh very interesting! I played around with it a bit tonight and it seems to work! The only thing I'm not sure on is what I should host at that static url.
@kevinoconnor7 great to hear! It's not documented very well but essentially nothing is needed to be hosted at the URL. As long as the URL goes back to the target service and the target service is configured to externally authenticate the URL/path to In short, assuming you're authenticating a full domain If you don't mind my asking can you share what environment you're running in (which reverse proxy, kubernetes?, etc, etc)? Also, any feedback (good or bad) you can share for the next little while is greatly appreciated. If we find any deficiencies we'll see what we can address. Thanks!
Got it! I'm using traefik as my reverse proxy so I just fired up a nginx container that just always returns 200. There's nothing too fancy here, it's just traefik + a few docker compose files. So now the problem I have is that I got redirected back to
This only shows up once though. If I go through the flow again (without clearing cookies), I just end up getting a 503 response from oeas with no error message in the response or logs. BTW: can we make sure that errors don't get displayed on the page?
@kevinoconnor7 that's pretty strange, it seems to indicate the provider isn't sending the Can you share who your provider is? If so can you send the discover url too?
I'm using AWS Cognito. Looking at the logs a bit closer, we do indeed have state returned as I see a log entry for:
What is interesting though is that the state in the uri does not appear to be url encoded. So the character This only appears to be the case for the initial redirect back from AWS Cognito though. On subsequent tries the state in the uri appears to match the state in the parsedQuery. The issue with the 503 response might be my fault. It looks like oeas returns that if the csrf check fails. I think this is due to me not redirecting back to the service directly. Basically I have a bunch of services that are
@kevinoconnor7 ok, thanks for the patience trying to work through the quirks! I think what you've described is probably OK regarding the encoding but perhaps not. I need to have a little more info regarding your redirect approach though...I think that may be causing some issues. Let's assume the following:
Assuming the above, if you want to cover several services with the same session (this is mostly untested but should work by the way...I'll test it out this week some time) you should:
I'm pretty sure I can address the shortcomings of the above and make it so you can always use the same
I was considering a slightly different setup:
Ideally I would want for any
So far this all seems to work since the state payload that Is there something else that I'm missing?
Oh, with regard to the unencoded state payload, I think there is actually an issue there. I believe the state is meant to contain literal
@kevinoconnor7 the CORS cookie isn't using the
I am not, unfortunately. I'm also about to leave for vacation so I won't be able to get back to this until next week. -- Ah yes, I did overlook the CORS cookie... I was looking at the code for the wrong cookie. I think the basic idea that I'm going for is that I want to minimize the configuration I need to do per service. Ideally I want to be able to add any docker container labeled for traefik and everything should just work. At a high-level this should work as-is, but the limitation I hit is that AWS Cognito doesn't allow any wildcards in I think your intention for the
@kevinoconnor7 yeah, I'm gonna punch at that idea for a bit. Pretty sure it's feasible (and I actually already had code for it at one point but ripped it out I think). In essence you want:
In essence, you want to share the
There are lots of nuanced scenarios in-between but does that align with your approach generally?
That sounds correct to me.
@kevinoconnor7 ok, enjoy your vacation, I'll start covering the use-case for you to try when you get back :)
@kevinoconnor7 ok, I've just wrapped up support for your use case. Do the following:
That should do it. I'm using Also note, I actually built it in such a way that the domain where Try it out and let me know how it goes.
Just a heads up to those following along, I've decided that I want to expand the scope of the project to be a generic external authentication server. openid will be 1 plugin with ldap following shortly (nearly ready).
Awesome! This update seems to be working for my use case. The only remaining issue I have is that AWS Cognito is URI decoding the state when redirecting back to oeas which leads to decrypt errors. I'm fairly certain this is an issue on their end though, unless oeas is not properly transmitting the state in the first place.
@kevinoconnor7 wow great to hear! That sounds really odd that AWS is doing that. So when you get redirected it's an invalid URL? I'm guessing the other providers I'm using are working cause that state is critical to functioning setup..
It's not invalid, just not properly encoded. So when oeas sends me to AWS with the state When AWS redirects back to oeas it sets If I manually encode that component and refresh then it works.
@kevinoconnor7 ok, I'll have a look and see what I can find.
@kevinoconnor7 yeah, I think you've found a bug with AWS's handling of the
@kevinoconnor7 it appears hex will work nicely. It's a slightly longer string but given the overall amount of data still relatively small. I've made the change but probably still a few days out since I have the code base ripped up right now to support multiple providers etc. My next commit will include lots of new stuff. Support for openid and ldap (and possibly oauth2) and also allowing multiple plugins to be used simultaneously (ie: check for basic auth and openid cookie with the same config token).
Sounds good, I'll try to reach out to AWS to see if they'll confirm the bug on their end.
Soliciting a little feedback: I'm implementing a sort of pipeline of configured plugins (ie: test openid/oauth, basic auth, url param, etc). The order matters as the first one to succeed allows the request through. However, if all of them fail what feels more natural from a configuration standpoint, return the response for the first or the last plugin in the pipeline? PS: I've gutted the code-base and got everything back in working order with openid specifically. I'm implementing a couple of crude plugins mostly for demonstration/testing purposes. After those are done I'll be tidying up ldap and looking into oauth2.
OK, I've landed a massive overhaul (please re-read the docs, regenerate the tokens, update the forward auth endpoint to The service now implements 6 authentication plugins including ldap, oidc (open id connect), oauth2, htpasswd (basic auth) and others. Also, as mentioned in the previous comment the authentication process is now a pipeline of plugins. It's now possible to secure an endpoint with, for example, both ldap/basic auth and oauth2. It processes the plugins in a linear fashion and as soon as one responds 2XX the request is allowed. If all of them fail the default is to return the response from the last plugin in the Feedback welcome. Beware lots of logging currently including the config tokens so beware of secrets logging. I'll get that cleaned up next.
@kevinoconnor7
OK, just landed support for custom assertions and infrastructure to support provider-specific This does 2 broad things:
So far I've only implemented Proper logging is now in place and cleaned up. Secrets should not be getting logged now unless you've turned on Server-side session expiration has been implemented for Userinfo expiration has been implemented as well (meaning after X period of time it is considered stale and must be re-retrieved). When used with
I've landed some better documentation and explanation of custom assertions now (still not great, but it's a start).
I've implemented a At this point I've knocked everything off the list I really care to for the
@kevinoconnor7 any luck with @zackpollard did you ever give it a go?
Sorry, haven't gotten a chance to try again. Hopefully I'll have some time this weekend. Thanks again for your help and active development. I did open a thread on the AWS forums about the issue, but the forum doesn't appear to have a lot of activity from the AWS team.
@kevinoconnor7 yeah ok, I'm hoping the issue will simply be gone now :D
Wired it up this morning; the rename from oeas --> eas caused a few issues since I had to update a bunch of configurations but... everything works! This is perfect! Thank you so much!
@kevinoconnor7 awesome to hear! I've got some more goodness coming shortly :) I'm adding a feature I call For example you could force requests which have an As part of it I'm going to upgrade the assertion stuff a little bit which may or may not need a new config to be generated if you're using assertions as an FYI. Also I just committed a As a side note, I'd love if you could send over your config minus any secrets/etc so I can start collecting a series of examples with different providers. Thanks again for the feedback!
Creating this issue to simply provide a forum for discussing the initial setup.