
get oauth2 401 Unauthorized in GitHub Enterprise 2.13 #22

Closed
QingsongYao opened this issue Sep 20, 2018 · 13 comments

Comments

@QingsongYao
Contributor

In https://developer.github.com/enterprise/2.13/v3/oauth_authorizations/#more-info, I saw the token field is deprecated, not sure whether it has impact on this.

Logs

time="2018-09-20T08:06:19Z" level=debug msg=/validate
time="2018-09-20T08:06:19Z" level=error msg="no jwt found"
time="2018-09-20T08:06:19Z" level=debug msg="Request handled successfully"
time="2018-09-20T08:06:19Z" level=debug msg="statuscode: <nil>"
time="2018-09-20T08:06:19Z" level=info msg="|\x1b[97;42m 200 \x1b[0m|      29.309µs | 172.19.0.7:48630 | GET lasso:9091 /validate | "
time="2018-09-20T08:06:19Z" level=debug msg="Request received : &{GET /login?url=http://xi-sat.eng.a.com/prometheus/&lasso-failcount=&X-Lasso-Token=&error= HTTP/1.1 1 1 map[User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language:[en-US,en;q=0.5] Accept-Encoding:[gzip, deflate] Upgrade-Insecure-Requests:[1] Dnt:[1] Connection:[keep-alive]] {} <nil> 0 [] false xi-sat.eng.a.com:9091 map[] map[] <nil> map[] 10.3.254.101:54809 /login?url=http://xi-sat.eng.a.com/prometheus/&lasso-failcount=&X-Lasso-Token=&error= <nil> <nil> <nil> 0xc420330880}\n"
time="2018-09-20T08:06:19Z" level=debug msg=/login
time="2018-09-20T08:06:19Z" level=debug msg="session state set to v/n9PnQSQq6LmX486Nz2cTazM3rDImuDl4VuhepdBdI="
time="2018-09-20T08:06:19Z" level=debug msg="session requestedURL set to http://xi-sat.eng.a.com/prometheus/"
time="2018-09-20T08:06:19Z" level=debug msg="saving session"
time="2018-09-20T08:06:19Z" level=debug msg="redirecting to oauthURL https://drt-it-github-prod-1.eng.a.com/login/oauth/authorize?client_id=not_displayed&response_type=code&scope=user&state=v%2Fn9PnQSQq6LmX486Nz2cTazM3rDImuDl4VuhepdBdI%3D"
time="2018-09-20T08:06:19Z" level=debug msg="Request handled successfully"
time="2018-09-20T08:06:19Z" level=debug msg="statuscode: <nil>"
time="2018-09-20T08:06:19Z" level=info msg="|\x1b[97;42m 200 \x1b[0m|     238.022µs | 10.3.254.101:54809 | GET xi-sat.eng.a.com:9091 /login | "
time="2018-09-20T08:06:25Z" level=debug msg="Request received : &{GET /auth?code=e921fc2b5ea3c0a5007a&state=v%2Fn9PnQSQq6LmX486Nz2cTazM3rDImuDl4VuhepdBdI%3D HTTP/1.1 1 1 map[Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0] Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language:[en-US,en;q=0.5] Accept-Encoding:[gzip, deflate] Referer:[https://drt-it-github-prod-1.eng.a.com/] Connection:[keep-alive] Cookie:[lasso-session=MTUzNzQzMDc3OXxEdi1CQkFFQ180SUFBUkFCRUFBQV85TF9nZ0FEQm5OMGNtbHVad3dIQUFWemRHRjBaUVp6ZEhKcGJtY01MZ0FzZGk5dU9WQnVVVk5SY1RaTWJWZzBPRFpPZWpKalZHRjZUVE55UkVsdGRVUnNORloxYUdWd1pFSmtTVDBHYzNSeWFXNW5EQTRBREhKbGNYVmxjM1JsWkZWU1RBWnpkSEpwYm1jTUt3QXBhSFIwY0RvdkwzaHBMWE5oZEM1bGJtY3ViblYwWVc1cGVDNWpiMjB2Y0hKdmJXVjBhR1YxY3k4R2MzUnlhVzVuRENzQUtXaDBkSEE2THk5NGFTMXpZWFF1Wlc1bkxtNTFkR0Z1YVhndVkyOXRMM0J5YjIxbGRHaGxkWE12QTJsdWRBUUNBQUk9fEigLUf7d7pTeMNzHFPq3VzUWAsRyrHe9MCM3Dd89Zij] Dnt:[1]] {} <nil> 0 [] false xi-sat.eng.a.com:9091 map[] map[] <nil> map[] 10.3.254.101:54809 /auth?code=e921fc2b5ea3c0a5007a&state=v%2Fn9PnQSQq6LmX486Nz2cTazM3rDImuDl4VuhepdBdI%3D <nil> <nil> <nil> 0xc42018f680}\n"
time="2018-09-20T08:06:25Z" level=debug msg=/auth
time="2018-09-20T08:06:25Z" level=error msg="oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"message\":\"Bad credentials\",\"documentation_url\":\"https://developer.github.com/enterprise/2.13/v3\"}"
time="2018-09-20T08:06:25Z" level=debug msg="Request handled successfully"
time="2018-09-20T08:06:25Z" level=debug msg="statuscode: <nil>"
time="2018-09-20T08:06:25Z" level=info msg="|\x1b[97;42m 200 \x1b[0m|   92.752547ms | 10.3.254.101:54809 | GET xi-sat.eng.a.com:9091 /auth | https://drt-it-github-prod-1.eng.a.com/"
@aaronpk
Collaborator

aaronpk commented Sep 20, 2018

It looks like the client ID or secret is missing. Double check that the client ID and secret are set in the config file. The example config file is a bit confusing as it has several examples of OAuth providers in it but you need just the one you're using, so make sure the others are commented out.

@QingsongYao
Contributor Author

thanks, you are right, my token url was wrong. Now, I am getting
oauth2: server response missing access_token

I am guessing https://github.com/LassoProject/lasso/blob/abe5646e267dd8859aa749e46ccc334044a2dad9/handlers/handlers.go#L498 always calls github.com instead of GitHub Enterprise?

@aaronpk
Collaborator

aaronpk commented Sep 20, 2018

Looks like yep, we'll need to add a config option to set the GitHub enterprise API URL.

@QingsongYao
Contributor Author

QingsongYao commented Sep 20, 2018

Tried with

     userinfo, err := client.Get(genOauth.UserInfoURL + ptoken.AccessToken)

and it seems to work.

But I was getting another issue, which is that it repeatedly redirects and asks for a token. My config is as follows:

http {
  server {
    listen 0.0.0.0:80;
    server_name mydomain.name;

    # see https://github.com/LassoProject/lasso
    # send all requests to the `/validate` endpoint for authorization
    # if validate returns `401 not authorized` then forward the request to the error401block 
    auth_request /validate;
    error_page 401 = @error401;

    location = /validate {
      # lasso can run behind the same nginx-revproxy
      # May need to add "internal", and comply to "upstream" server naming
      proxy_pass http://lasso:9091;

      # lasso only acts on the request headers
      proxy_pass_request_body off;
      proxy_set_header Content-Length "";

      # pass X-Lasso-User along with the request
      auth_request_set $auth_resp_x_lasso_user $upstream_http_x_lasso_user;

      # these return values are used by the @error401 call
      auth_request_set $auth_resp_jwt $upstream_http_x_lasso_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_lasso_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_lasso_failcount;
    }

    location @error401 {
        # redirect to lasso for login
        return 302 http://mydomain.name:9091/login?url=$scheme://$http_host$request_uri&lasso-failcount=$auth_resp_failcount&X-Lasso-Token=$auth_resp_jwt&error=$auth_resp_err;
    }

    location /prometheus/ {
        proxy_set_header Host mydomain.name;
        proxy_set_header X-Lasso-User $auth_resp_x_lasso_user;
        proxy_pass http://prometheus:9090/;
    }
  }
}
events {
}

@QingsongYao
Contributor Author

lasso runs on the same node on port 9091 and can be publicly accessed using http://mydomain.name:9091

@bnfinet
Member

bnfinet commented Sep 21, 2018

Do you have the cookie config set to secure: true?
https://github.com/LassoProject/lasso/blob/master/config/config.yml_example#L34

You may need to set that to false

Lasso is generally assumed to be running behind a reverse proxy which provides https, at least for the publicly accessible endpoint /login

Your nginx config looks correct otherwise. You could also see if adding internal would help...
https://nginx.org/en/docs/http/ngx_http_core_module.html#internal

@QingsongYao
Contributor Author

Found the root cause:
level=error msg="no email found in jwt"
It happens when the user did not publish their email, so the API returns null for the email field.

@bnfinet
Member

bnfinet commented Sep 21, 2018

aha! But it works otherwise if the email is published?

Would you suggest using the username instead of email for github (and github enterprise) accounts?

@QingsongYao
Contributor Author

yeah. maybe username is better.
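The "no email found in jwt" failure above comes from treating the GitHub `/user` response's `email` field as always present, when it is JSON `null` for users without a public email. The following is an added example (not Lasso's code) of parsing that response and choosing the JWT subject the way this thread proposes: prefer the login name, attach the email only when the provider returned one, and refuse to mint an identity when neither is present. Type and function names are assumptions, and the sample responses are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// GitHubUser holds the /user fields relevant to establishing an identity.
// Email is a pointer so that JSON null (no public email) is distinguishable
// from an empty string.
type GitHubUser struct {
	Login string  `json:"login"`
	ID    int64   `json:"id"`
	Email *string `json:"email"`
}

// Identity is what would be placed into the session JWT (assumed shape).
type Identity struct {
	Subject string // stable identifier used as the JWT subject
	Email   string // empty when the provider returned null
}

var ErrNoIdentity = errors.New("userinfo: neither login nor email present")

// IdentityFromUserInfo parses a GitHub /user response body and picks the
// claim to use as the subject. Login is preferred because it is always
// present for GitHub and GitHub Enterprise accounts; email is a fallback.
func IdentityFromUserInfo(body []byte) (Identity, error) {
	var u GitHubUser
	if err := json.Unmarshal(body, &u); err != nil {
		return Identity{}, fmt.Errorf("userinfo: bad JSON: %w", err)
	}
	id := Identity{}
	if u.Email != nil && *u.Email != "" {
		id.Email = *u.Email
	}
	switch {
	case u.Login != "":
		id.Subject = u.Login
	case id.Email != "":
		id.Subject = id.Email
	default:
		// Never issue a JWT with an empty subject: fail closed instead.
		return Identity{}, ErrNoIdentity
	}
	return id, nil
}

func main() {
	// Constructed sample responses, not real API output.
	for _, body := range []string{
		`{"login":"octocat","id":1,"email":null}`,
		`{"login":"octocat","id":1,"email":"octocat@example.com"}`,
		`{"id":1,"email":null}`,
	} {
		id, err := IdentityFromUserInfo([]byte(body))
		fmt.Printf("%s -> %+v err=%v\n", body, id, err)
	}
}
```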

@bnfinet
Member

bnfinet commented Sep 21, 2018

k thanks, I'm going to keep this issue open to track the addition of a config option to set the GitHub enterprise API URL

I'll establish a new issue for the change from email to username

@bnfinet
Member

bnfinet commented Oct 11, 2018

@QingsongYao would you be able to sanity check this...
https://github.com/LassoProject/lasso/blob/feature/config_fixes/config/config.yml_example_github_enterprise

Overall it should be much simpler now to configure Lasso for GitHub Enterprise

@QingsongYao
Contributor Author

Yes. Verified that the new config works with the latest docker and config. My userinfo url is something like
user_info_url: "https://github_enterprise_url/api/v3/user?access_token=" which might be different from the one in the template.

@bnfinet
Member

bnfinet commented Oct 12, 2018 via email

bnfinet added a commit that referenced this issue Oct 19, 2018
@bnfinet bnfinet closed this as completed Oct 19, 2018
bnfinet added a commit that referenced this issue May 22, 2020