Error while processing filter oauthGrant - Skipper on AKS - Azure #1752
Hello, to me
Lines 133 to 139 in d0b249a
Line 604 in d0b249a
I have no experience with Microsoft Identity, but maybe this API https://docs.microsoft.com/en-us/azure/active-directory/develop/userinfo would work as a tokeninfo. Also I think
Related to #1752 Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
Thanks @AlexanderYastrebov, I'm no longer getting the nil error that was mentioned before. But now I'm getting the following:
I noticed that there are a lot of redirects and 307 status codes.
Failed to exchange access token: oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_grant","error_description":"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with new valid code or use an existing refresh token
Skipper Logs
Just in case, try cleaning up all the cookies.
I've tried that already, and also tried different browsers, but got the same thing: "too many redirects".
@tamer-abdulghani too many redirects likely happen if the login flow was not successful. Also interesting is
Hello @szuecs
And here is a snapshot taken from Fiddler to capture the requests: I guess the first
I thought that if the cookies are created in the browser, it means login has been completed successfully, but honestly I'm not sure. Is there a way to get more logs from Skipper about the login flow?
IMO it is not an issue; the json package encodes ampersands by default: https://golang.org/pkg/encoding/json/#Encoder.SetEscapeHTML
@AlexanderYastrebov thanks for the clarification. @tamer-abdulghani I don’t know the tool you used to record the traffic, but packets 26-30 look unrelated to Skipper. One question from my side would be what the application would do with a request to /app1/statu (are we missing an ‘s’ here?). Maybe the redirect is not done by Skipper but by the backend?
Fiddler
No, that's fine; all service endpoints work perfectly without OAuthGrant, they all return JSON results.
Thanks, I will check that. Also, I got a response from Microsoft support regarding this problem, and they said that my application (skipper) reuses authorization codes to get tokens. They also mentioned that: Starting on November 15, 2018, Azure AD will stop accepting previously used authentication codes for apps. This security change helps to bring Azure AD in line with the OAuth specification and will be enforced on both the v1 and v2 endpoints. AADSTS54005: OAuth2 Authorization code was already redeemed (microsoft.com) @szuecs @AlexanderYastrebov Do you think that is relevant to our problem?
Reuse should not happen. I think there’s a redirect loop, but not sure how. The request trace shows it, and I think the auth code should never be reused, also in a redirect loop case.
Maybe there is something going on with domains - I would expect to see only the application and Microsoft login domains, but we see three out there. What is
So basically, I'm being redirected to a login page (user/pass), then I enter my credentials properly, then enter the loop. However, again, if I change the
But when I use
I feel we are unable to find which endpoint validates the token. Sorry, but I'm still unable to get more logs even with having
Related to #1752 Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
You can set -application-log-level=debug to turn on debug logs. The format doesn't matter.
@tamer-abdulghani sorry for the late reply. I am now back from parental leave and can check the code with a computer. :) I think you are right with the
Tokeninfo is about returning a validated token information. We should validate the access token ourselves and not call out to tokeninfo in this case. |
@tamer-abdulghani Reading again the issue and resources, I think this is correct:
The question is what else is not. Can you send an access token to https://login.microsoftonline.com/TENANT_ID/openid/userinfo and send us the output of the JSON you get back, such that we can check if the code path misses data?
Unfortunately, there is no endpoint provided by Microsoft to verify the access token. The user-info endpoint won't work here, because it returns a different result type (user information): https://docs.microsoft.com/en-us/azure/active-directory/develop/userinfo#calling-the-api And if I'm not wrong, Skipper is expecting something like this:
We believe that the only way to solve this problem is to develop a Skipper plugin that can validate the JWT token. This article explains what is missing here and how to validate the token using the discovery/keys endpoint:
Userinfo API requires token and I assume it validates it.
It does not interpret the result as far as I can tell; it queries "tokeninfo" (any API that returns JSON would work):
Lines 169 to 180 in 48a63d6
skipper/filters/auth/authclient.go Line 103 in 48a63d6
and looks for the configured "subject" key:
Lines 134 to 151 in 48a63d6
This would be interesting to see indeed.
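Local validation of an access token against the tenant's discovery/keys (JWKS) document, the alternative proposed above to calling out to a tokeninfo or userinfo endpoint. This is an added example written for this page, not Skipper's code and not code from the thread: the issuer URL, client ID, kid and claim values are assumptions, and the key pair and token are constructed in-process so it runs offline. It checks alg, signature, iss, aud and exp before reading any claim, then returns the claim named as the subject key, which is the lookup Skipper's tokeninfo path performs on the configured "subject" key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed tenant values; the real ones come from the OIDC discovery document.
const issuerURL, clientID = "https://login.microsoftonline.com/TENANT_ID/v2.0", "client-id"
// jwk is one entry of the discovery "jwks_uri" document; only RSA fields are modelled (json matches "kid"/"kty"/"n"/"e" case-insensitively).
type jwk struct{ Kid, Kty, N, E string }
var enc = base64.RawURLEncoding

// publicKeyFromJWKS picks the RSA key whose kid matches the token header.
func publicKeyFromJWKS(keys []jwk, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		if k.Kty != "RSA" || k.Kid != kid {
			continue
		}
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("jwks key %q is not valid base64url", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA key with kid %q in jwks", kid)
}

// verifyAccessToken validates an RS256 JWT offline (alg, signature, iss, aud, exp)
// and returns the claim named by subjectKey, mirroring a "subject" key lookup.
func verifyAccessToken(token string, keys []jwk, issuer, audience, subjectKey string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	hdrRaw, errH := enc.DecodeString(parts[0])
	payload, errP := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return "", fmt.Errorf("token is not valid base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg) // never let the token pick "none" or an HMAC alg
	}
	pub, err := publicKeyFromJWKS(keys, hdr.Kid)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature verification failed")
	}
	var claims map[string]any // read the payload only after the signature checks out
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", err
	}
	exp, _ := claims["exp"].(float64) // a missing exp becomes 0, i.e. already expired
	switch {
	case claims["iss"] != issuer:
		return "", fmt.Errorf("unexpected issuer %v", claims["iss"])
	case claims["aud"] != audience: // assumption: aud is a single string, as in v2 access tokens
		return "", fmt.Errorf("token not issued for audience %q", audience)
	case !now.Before(time.Unix(int64(exp), 0)):
		return "", fmt.Errorf("token expired")
	}
	sub, ok := claims[subjectKey].(string)
	if !ok {
		return "", fmt.Errorf("claim %q missing", subjectKey)
	}
	return sub, nil
}

// constructedFixture stands in for the provider: it generates a signing key, publishes it as a JWKS entry under kid "test-key" and mints an RS256 token over claims.
func constructedFixture(claims map[string]any) (string, []jwk) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // test fixture only; a real caller checks the error
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "test-key"})
	body, _ := json.Marshal(claims)
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	pub := jwk{Kid: "test-key", Kty: "RSA", N: enc.EncodeToString(key.N.Bytes()), E: enc.EncodeToString(big.NewInt(int64(key.E)).Bytes())}
	return signingInput + "." + enc.EncodeToString(sig), []jwk{pub}
}

func main() {
	tok, keys := constructedFixture(map[string]any{"iss": issuerURL, "aud": clientID, "exp": time.Now().Add(time.Hour).Unix(), "sub": "abc"})
	fmt.Println(verifyAccessToken(tok, keys, issuerURL, clientID, "sub", time.Now()))
}
```

Against a real tenant the []jwk slice is filled by fetching the jwks_uri named in the discovery document and unmarshalling its keys array, and the expected issuer string must match the endpoint version (v1 and v2 issue different iss values) the token was obtained from. The subject key is whatever claim the authorization rules key on, for example "sub" or "oid".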
Yes I would agree on this.
Here you go:
I have just modified the result to have fake values instead of the real ones, but the JSON object looks like this anyway. "abc" values are mostly random string characters. Hope it is helpful.
@tamer-abdulghani the userinfo is great, because it shows you can use this as "tokeninfo". The data you got from userinfo endpoint is stored such that you can use the authz filter to allow/deny. Reading again the first log error message:
This shows skipper/filters/auth/grantcallback.go Line 67 in 48a63d6
-> https://github.com/golang/oauth2/blob/master/oauth2.go#L213 -> https://github.com/golang/oauth2/blob/master/token.go#L157
Now looking at the configuration data that the go library has: I would suggest configuring skipper with (see the
It seems that if we use userinfo we have to use v2, as stated in https://docs.microsoft.com/en-us/azure/active-directory/develop/userinfo#notes-and-caveats-on-the-userinfo-endpoint; maybe https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc also helps.
So I have tried again with the Skipper config:
and filter:
On the first hit to my application URL, I'm being redirected to this URL:
Then after login:
then
Skipper logs:
The authorize URL apparently has a proper callback URL.
You are redirected to that callback URL. The response from the callback normally would have status 307. When the browser follows the location URL from the callback response, it should send the grant cookie along. Could you capture the full sequence starting from hitting your application (Chrome dev tools should work) and check the response from the callback URL and whether the grant cookie is sent on the redirect?
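A minimal simulation of the cookie hand-off described above, added here as an illustration for this page (it is not Skipper's code and not from the thread): one test server hosts the protected route, a stand-in for the provider's authorize endpoint, and the grant callback that sets the cookie and answers 307. The same flow is then walked once with a client that keeps cookies and once with a client that drops them, which is what a cookie scoped to a different host looks like from the proxy's side and produces exactly the "too many redirects" symptom. The cookie name, the paths and the relative redirect targets are assumptions; the code exchange is elided.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
	"strings"
)

// grantCookie is an assumed name; Skipper's grant cookie name is configured, not fixed to this.
const grantCookie = "oauth-grant"

var errRedirectLoop = errors.New("redirect loop: the grant cookie never came back")

// newFakeFlow wires three handlers onto one test server: the protected route, a stand-in
// for the provider's authorize endpoint, and the grant callback. Redirect targets are
// relative here; a real redirect_uri is absolute.
func newFakeFlow() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/app1/status", func(w http.ResponseWriter, r *http.Request) {
		if _, err := r.Cookie(grantCookie); err != nil {
			// No grant yet: start the authorization code flow. "state" only carries the
			// return path in this simulation; a real implementation binds it to the session.
			http.Redirect(w, r, "/authorize?redirect_uri=/.well-known/oauth2-callback&state="+url.QueryEscape(r.URL.Path), http.StatusTemporaryRedirect)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"status":"ok"}`)
	})
	mux.HandleFunc("/authorize", func(w http.ResponseWriter, r *http.Request) {
		// The "provider" logs the user in and sends a fresh single-use code to the callback.
		q := r.URL.Query()
		http.Redirect(w, r, q.Get("redirect_uri")+"?code=fresh-code&state="+url.QueryEscape(q.Get("state")), http.StatusFound)
	})
	mux.HandleFunc("/.well-known/oauth2-callback", func(w http.ResponseWriter, r *http.Request) {
		// Code exchange elided. On success the grant is stored in a cookie and the browser
		// is sent back to the page it originally asked for with a 307.
		http.SetCookie(w, &http.Cookie{Name: grantCookie, Value: "opaque-grant", Path: "/", HttpOnly: true})
		http.Redirect(w, r, r.URL.Query().Get("state"), http.StatusTemporaryRedirect)
	})
	return httptest.NewServer(mux)
}

// fetchStatus requests the protected route and follows redirects like a browser.
// keepCookies=false models a browser that never sends the grant cookie back.
func fetchStatus(base string, keepCookies bool) (int, error) {
	client := &http.Client{}
	if keepCookies {
		client.Jar, _ = cookiejar.New(nil)
	}
	resp, err := client.Get(base + "/app1/status")
	if err != nil {
		if strings.Contains(err.Error(), "stopped after") { // net/http gives up after 10 hops
			return 0, errRedirectLoop
		}
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := newFakeFlow()
	defer srv.Close()
	fmt.Println(fetchStatus(srv.URL, true))
	fmt.Println(fetchStatus(srv.URL, false))
}
```

In the loop case every pass through /authorize hands out a new code, so the provider never sees a reused one; the reuse error in the logs above points at the callback URL itself being requested more than once with the same code, which a full capture of the callback response and the following request would show.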
Just a side note: we can get credits for Azure via https://developer.microsoft.com/en-us/microsoft-365/dev-program. I got a reply in #provider-azure in the Kubernetes Slack.
Hi @tamer-abdulghani, I wanted to ask you something about your Skipper configuration file.
It would be great if we could get a doc PR; if two people have the same problem, it's worth documenting for the next ones.
We have installed Skipper on AKS on Microsoft Azure to be used as a reverse proxy behind Azure gateway.
Currently, we are trying to configure authentication/authorization for Skipper using OAuth 2.0. However, we are getting some errors in the Skipper logs, thus we are unable to configure the authorization step.
We have followed the steps below:
So with this configuration:
However, in the Skipper logs we see these errors:
Any idea why we are getting these errors? Or how can we check the user information? Or how can we verify that the token is validated successfully, and that tokeninfo-url is correct?