
Error while processing filter oauthGrant - Skipper on AKS - Azure #1752

Closed
tamer-abdulghani opened this issue Apr 7, 2021 · 26 comments


@tamer-abdulghani

We have installed Skipper on AKS on Microsoft Azure to be used as a reverse proxy behind the Azure gateway.
Currently, we are trying to configure authentication/authorization for Skipper using OAuth 2.0. However, we are getting some errors in the Skipper logs, thus we are unable to configure the authorization step.

We have followed the steps below:

  1. Skipper configuration
          - "-enable-oauth2-grant-flow"
          - "-oauth2-access-token-header-name=App-Grant-Authorization"
          - "-oauth2-client-id=CLIENT_ID"
          - "-oauth2-client-secret=CLIENT_SECRET"
          - "-oauth2-secret-file=/path/to/secret"
          - "-oauth2-auth-url=https://login.microsoftonline.com/TENANT_ID/oauth2/authorize"
          - "-oauth2-token-url=https://login.microsoftonline.com/TENANT_ID/oauth2/token"
          - "-oauth2-tokeninfo-url=https://login.microsoftonline.com/TENANT_ID/.well-known/openid-configuration"
          - "-oauth2-callback-path=/oauth/callback"
  2. Skipper Ingress
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: "skipper-ingress"
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/appgw-ssl-certificate: "default"
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/backend-path-prefix: "/"
    appgw.ingress.kubernetes.io/request-timeout: 300
  labels:
    app: "skipper-ingress"
spec:
  rules:
    - host: "my.host.com"
      http:
        paths:
          - backend:
              serviceName: "skipper-ingress"
              servicePort: 80
  3. App Ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: skipper
    zalando.org/skipper-filter: oauthGrant() ->  modPath("^/my-service/", "/my-service/")
  name: my-service
  namespace: my-ns
spec:
  rules:
  - host: my.host.com
    http:
      paths:
      - backend:
          serviceName: my-service
          servicePort: 1234
        path: /my-service/*
        pathType: ImplementationSpecific
status:
  loadBalancer: {}

So with this configuration:

  • we're redirected successfully to the Microsoft Azure login
  • then we log in with our user/pass
  • then we're redirected back to the home page URL, which displays a normal JSON object
  • Also, we can find one cookie created with the name "oauth2-grant" and other cookies for the Microsoft login

However, in Skipper logs we see these errors:

- error msg="error while processing filter during request: oauthGrant: interface conversion: interface {} is nil, not string ()"

- [APP]time="2021-04-07T13:54:35Z" level=error msg="error while proxying after 17.7µs, route _unknownroute_ with backend <unknown> <unknown>, status code 404: dialing failed false: route lookup failed, remote host: 10.42.104.73, request: \"GET /favicon.ico HTTP/1.1\", user agent: \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36\""
{"audit":"","duration":0,"flow-id":"","host":"10.42.104.73:59778","level":"info","method":"GET","msg":"","proto":"HTTP/1.1","referer":"my.domain.com","requested-host":"my.domain.com","response-size":10,"status":404,"timestamp":"07/Apr/2021:13:54:35 +0000","uri":"/favicon.ico","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36"}
{"audit":"","duration":280,"flow-id":"","host":"10.42.104.73:59778","level":"info","method":"GET","msg":"","proto":"HTTP/1.1","referer":"","requested-host":"my.domain.com","response-size":0,"status":307,"timestamp":"07/Apr/2021:13:55:02 +0000","uri":"/oauth/callback?code=0.ASEA1cvq5Fu7MIY2300CPODSCKJC0SYCJPoB4zMcYJfnohAAA.AQAIJFLKDSHFDoQ778UaB40ll6o
  
- [APP]time="2021-04-07T13:54:35Z" level=error msg="error while processing filter during request: oauthGrant: interface conversion: interface {} is nil, not string (goroutine 1767 [running]:\ngithub.com/zalando/skipper/proxy.tryCatch.func1(0xc0000177b0)\n\t/workspace/proxy/proxy.go:718 +0xcf\npanic(0x107ca40, 0xc000324870)\n\t/usr/local/go/src/runtime/panic.go:965 +0x1b9\ngithub.com/zalando/skipper/filters/auth.(*grantFilter).createTokenContainer(...)\n\t/workspace/filters/auth/grant.go:136\ngithub.com/zalando/skipper/filters/auth.(*grantFilter).Request(0xc000441a40, 0x135ca98, 0xc00014c900)\n\t/workspace/filters/auth/grant.go:178 +0x832\ngithub.com/zalando/skipper/proxy.(*Proxy).applyFiltersToRequest.func1()\n\t/workspace/proxy/proxy.go:754 +0xcc\ngithub.com/zalando/skipper/proxy.tryCatch(0xc0005937d0, 0xc0005937b0)\n\t/workspace/proxy/proxy.go:726 +0x4f\ngithub.com/zalando/skipper/proxy.(*Proxy).applyFiltersToRequest(0xc0001dc000, 0xc0004c8840, 0x4, 0x4, 0xc00014c900, 0x0, 0x0, 0x0)\n\t/workspace/proxy/proxy.go:752 +0x336\ngithub.com/zalando/skipper/proxy.(*Proxy).do(0xc0001dc000, 0xc00014c900, 0x0, 0x0)\n\t/workspace/proxy/proxy.go:1058 +0x2e5\ngithub.com/zalando/skipper/proxy.(*Proxy).ServeH)"

Any idea why we are getting these errors? Or how can we check the user information? Or how can we verify that the token was validated successfully, and that the tokeninfo-url is correct?

@AlexanderYastrebov
Member

Hello, to me "-oauth2-tokeninfo-url=https://login.microsoftonline.com/TENANT_ID/.well-known/openid-configuration" looks suspicious. I would guess that the grant filter does a token info request, gets a 200 with the openid-configuration JSON, parses it into a generic map[string]interface{} thinking it is token info, and fails when it tries to get the uid field (TokeninfoSubjectKey=uid by default):

func (f *grantFilter) createTokenContainer(token *oauth2.Token, tokeninfo map[string]interface{}) tokenContainer {
    subject := ""
    if f.config.TokeninfoSubjectKey != "" {
        subject = tokeninfo[f.config.TokeninfoSubjectKey].(string)
    }
    tokeninfo["sub"] = subject

flag.StringVar(&cfg.Oauth2TokeninfoSubjectKey, "oauth2-tokeninfo-subject-key", "uid", oauth2AccessTokenHeaderNameUsage)

I have no experience with Microsoft Identity, but maybe this API https://docs.microsoft.com/en-us/azure/active-directory/develop/userinfo would work as token info. Also, I think oauth2-tokeninfo-subject-key should be unset to "" to avoid the above failure.

@AlexanderYastrebov
Member

I think oauth2-tokeninfo-subject-key should be set to sub, not an empty string, actually.

AlexanderYastrebov added a commit that referenced this issue Apr 7, 2021
Related to #1752

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov added a commit that referenced this issue Apr 7, 2021
Related to #1752

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
@tamer-abdulghani
Author

Thanks @AlexanderYastrebov
I have tried setting oauth2-tokeninfo-subject-key=sub and oauth2-tokeninfo-url=https://login.microsoftonline.com/TENANT_ID/openid/userinfo, and I also tried different possibilities (oid & the Graph userinfo URL).

I'm no longer getting the nil error that was mentioned before.

But now, I'm getting the following:

  • This page isn’t working redirected you too many times. Try clearing your cookies. ERR_TOO_MANY_REDIRECTS
  • This page isn’t working is currently unable to handle this request. HTTP ERROR 500

I noticed that there are a lot of redirects and status codes of 307.

Failed to exchange access token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {"error":"invalid_grant","error_description":"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with new valid code or use an existing refresh token

Skipper Logs

[APP]time="2021-04-07T17:28:19Z" level=error msg="**Failed to exchange access token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with new valid code or use an existing refresh token**.\\r\\nTrace ID: 34963c42-3ede-4341-a5bd-6e1793d47100\\r\\nCorrelation ID: 059d4c1c-0010-418e-a614-d674b6f7947e\\r\\nTimestamp: 2021-04-07 17:28:19Z\",\"error_codes\":[54005],\"timestamp\":\"2021-04-07 17:28:19Z\",\"trace_id\":\"34963c42-3ede-4341-a5bd-6e1793d47100\",\"correlation_id\":\"059d4c1c-0010-418e-a614-d674b6f7947e\"}."

 
[APP]time="2021-04-07T17:28:00Z" level=error msg="error while proxying after 15.801µs, route _unknownroute_ with backend <unknown> <unknown>, status code 404: dialing failed false: route lookup failed, remote host: 10.42.104.73, request: \"GET / HTTP/1.1\", user agent: \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36\""
{"audit":"","duration":0,"flow-id":"","host":"10.42.104.73:58437","level":"info","method":"GET","msg":"","proto":"HTTP/1.1","referer":"","requested-host":"my.domain.com","response-size":10,"status":404,"timestamp":"07/Apr/2021:17:28:00 +0000","uri":"/","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36"}





@AlexanderYastrebov
Member

Just in case, try cleaning up all the cookies

@tamer-abdulghani
Author

Just in case, try cleaning up all the cookies

I've tried that already, and also tried different browsers, but got the same thing: "too many redirects".

@szuecs
Member

szuecs commented Apr 8, 2021

@tamer-abdulghani too many redirects likely happen if the login flow was not successful.
Can you check if skipper has a route for the callback path?
See also https://opensource.zalando.com/skipper/operation/operation/#routing-table-information for how to get the current routing table.

Also interesting is \u0026session_state= in the logs (\u0026).
@AlexanderYastrebov @aryszka not sure if this is a bug or as expected.

@tamer-abdulghani
Author

Hello @szuecs
Here is the route table information, located under http://localhost:9911/routes:

__oauth2_grant_callback: Path("/oauth/callback")
  -> grantCallback()
  -> <shunt>;

kube__healthz: Path("/kube-system/healthz") && SourceFromLast("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "127.0.0.1/8", "fd00::/8", "::1/128")
  -> enableAccessLog(4, 5)
  -> lifo(2000, 20000, "3s")
  -> status(200)
  -> disableAccessLog(200)
  -> <shunt>;

kube__redirect: Header("X-Forwarded-Proto", "http") && Weight(1000)
  -> enableAccessLog(4, 5)
  -> lifo(2000, 20000, "3s")
  -> redirectTo(308, "https:")
  -> <shunt>;

kube_my_ns__app1__app_domain_com___app1____app1: Host(/^my[.]domain[.]com$/) && PathSubtree("/app1/*")
  -> enableAccessLog(4, 5)
  -> lifo(2000, 20000, "3s")
  -> oauthGrant()
  -> modPath("^/app1/", "/app1/")
  -> "http://172.16.129.134:8000";

kube_my_ns__app2__app_domain_com___app2____app2: Host(/^my[.]domain[.]com$/) && PathSubtree("/app2/*")
  -> enableAccessLog(4, 5)
  -> lifo(2000, 20000, "3s")
  -> oauthGrant()
  -> modPath("^/app2/", "/app2/")
  -> "http://172.16.128.104:8000";

kube_my_ns__app3__app_domain_com___app3____app3: Host(/^my[.]domain[.]com$/) && PathSubtree("/app3/*")
  -> enableAccessLog(4, 5)
  -> lifo(2000, 20000, "3s")
  -> oauthGrant()
  -> modPath("^/app3/", "/app3/")
  -> "http://172.16.129.174:8000";

And here is a snapshot taken from Fiddler to capture the requests:

[Fiddler capture screenshot]

I guess the first 401s are before the login, then 200 after login, then 302.

I thought that if the cookies are created in the browser, it means the login has been completed successfully, but honestly I'm not sure.

Is there a way to get more logs from Skipper about the login flow?

@AlexanderYastrebov
Member

@szuecs

also interesting is \u0026session_state= in the logs (\u0026).
not sure if this is a bug or as expected

IMO it is not an issue; the json package encodes ampersands by default: https://golang.org/pkg/encoding/json/#Encoder.SetEscapeHTML
It can be reproduced by:

bin/skipper -inline-routes='Path("/test") -> status(204) -> <shunt>' -access-log-json-enabled
curl -v "http://localhost:9090/test?a=b&c=d"

@szuecs
Member

szuecs commented Apr 10, 2021

@AlexanderYastrebov thanks for clarification.

@tamer-abdulghani I don’t know the tool you used to record the traffic, but packets 26-30 look unrelated to skipper. One question from my side would be what the application would do with a request to /app1/statu (do we miss an ‘s’ here?). Maybe the redirect is not done by skipper but by the backend?
You can add debug logs via skipper cli flags. You could also try to use logHeader filter to check if you see Set-Cookie on the response path from skipper to your browser.

@tamer-abdulghani
Author

tamer-abdulghani commented Apr 12, 2021

@tamer-abdulghani I don’t know the tool you used to record the traffic but packet 26-30 look unrelated to skipper.

Fiddler

One question from my side would be what the application would do with a request to /app1/statu (do we miss an ‘s’ here?). Maybe the redirect is not done by skipper but the backend?

No, that's fine; all service endpoints work perfectly without OAuthGrant, they all return a JSON result.

You can add debug logs via skipper cli flags. You could also try to use logHeader filter to check if you see Set-Cookie on the response path from skipper to your browser.

Thanks I will check that.

Also, I got a response from Microsoft support regarding this problem, and they said that my application (Skipper) reuses authorization codes to get tokens. They also mentioned that:

Starting on November 15, 2018, Azure AD will stop accepting previously used authentication codes for apps. This security change helps to bring Azure AD in line with the OAuth specification and will be enforced on both the v1 and v2 endpoints.
Please see below article:-
Azure Active Directory breaking changes reference | Microsoft Docs

AADSTS54005: OAuth2 Authorization code was already redeemed (microsoft.com)

@szuecs @AlexanderYastrebov Do you think that is relevant to our problem?

@szuecs
Member

szuecs commented Apr 12, 2021

Reuse should not happen. I think there’s a redirect loop, but not sure how. The request trace shows it, and I think the auth code should never be reused, also in a redirect loop case.
Maybe @aryszka can check it when he has time.

@AlexanderYastrebov
Member

Maybe there is something going on with domains. I would expect to see only the application and Microsoft login domains, but we see three out there. What is adfs. .com and how is it related to myapp .application (the Fiddler screenshot is a bit obscure)? It is also worth checking what domain is set on the oauth-grant cookie in the 307 response from /oauth/callback.

@tamer-abdulghani
Author

adfs.com is just a part of the authentication process with Microsoft.

So basically, I'm being redirected to a login page (user/pass), then I enter my credentials properly, then enter the loop.

However, again, if I change the tokeninfo-url back to the one that returns a JSON object (https://login.microsoftonline.com/TENANT_ID/.well-known/openid-configuration), there is NO loop and I get a normal response, but with errors in the Skipper logs:

[APP]time="2021-04-12T13:53:33Z" level=error msg="error while processing filter during request: oauthGrant: interface conversion: interface {} is nil, not string ()"

[APP]time="2021-04-12T13:55:11Z" level=error msg="error while proxying after 17.7µs, route _unknownroute_ with backend <unknown> <unknown>, status code 404: dialing failed false: route lookup failed, remote host: 127.0.0.1, request: \"GET / HTTP/1.1\", user agent: \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36\""

But when I use https://login.microsoftonline.com/TENANT_ID/openid/userinfo I get the loop.
So I believe it is all about the tokeninfo endpoint.

I feel we are unable to find which endpoint validates the token.

Sorry, but I'm still unable to get more logs even with access-log-json-enabled, and I also checked /dev/stderr but there is nothing there. Would you please help on this point?

aryszka pushed a commit that referenced this issue Apr 23, 2021
Related to #1752

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
@szuecs
Member

szuecs commented Apr 24, 2021

You can set -application-log-level=debug to turn on debug logs. The format doesn't matter.

@szuecs
Member

szuecs commented May 21, 2021

@tamer-abdulghani sorry for the late reply. I am now back from parental leave and can check the code with a computer. :)

I think you are right about the tokeninfo. I am not sure why we use it here in the filter. I think it is an error, because tokeninfo is optional in the spec, and at Zalando we have a tokeninfo, but it is not the openid-configuration URL, which is $issuer/.well-known/openid-configuration, which you used.

          - "-oauth2-tokeninfo-url=https://login.microsoftonline.com/TENANT_ID/.well-known/openid-configuration"

Tokeninfo is about returning a validated token information. We should validate the access token ourselves and not call out to tokeninfo in this case.
Do you have a tokeninfo URL in your https://login.microsoftonline.com/TENANT_ID/.well-known/openid-configuration ?
This you might be able to use to make it work.

@szuecs
Member

szuecs commented May 26, 2021

@tamer-abdulghani Reading again the issue and resources, I think this is correct:

-oauth2-tokeninfo-url=https://login.microsoftonline.com/TENANT_ID/openid/userinfo

The question is what else is not. Can you send an access token to https://login.microsoftonline.com/TENANT_ID/openid/userinfo and send us the output of the JSON you get back, such that we can check if the code path misses data?
Does it look like the data shown in https://docs.microsoft.com/en-us/azure/active-directory/develop/userinfo#userinfo-response ?

@tamer-abdulghani
Author

@szuecs

Unfortunately, there is no endpoint available provided by Microsoft to verify the access token.

The user-info endpoint won't work here, because it returns a different result type (user information):

https://docs.microsoft.com/en-us/azure/active-directory/develop/userinfo#calling-the-api

And if I'm not wrong, Skipper is expecting something like this:
https://github.com/zalando/skipper/blob/master/filters/auth/doc.go#L31

We believe that the only way to solve this problem is to develop a Skipper plugin that can validate the JWT token
by using the JWKS_URI "jwks_uri":"https://login.microsoftonline.com/common/discovery/keys", or maybe make this token-info check completely optional for Azure.

This article explains what is missing here and how to validate the token using the discovery/keys endpoint:
https://www.voitanos.io/blog/validating-azure-ad-generated-oauth-tokens/
or
https://stackoverflow.com/questions/39866513/how-to-validate-azure-ad-security-token

@AlexanderYastrebov
Member

@tamer-abdulghani

Unfortunately, there is no endpoint available provided by Microsoft to verify the access token.

The userinfo API requires a token and I assume it validates it.

The user-info endpoint won't work here, because it returns a different result type (user information)
And if I'm not wrong, Skipper is expecting something like this:

It does not interpret the result as far as I can tell; it queries "tokeninfo" (any API that returns JSON would work):

tokeninfo, err := f.config.TokeninfoClient.getTokeninfo(token.AccessToken, ctx)
if err != nil {
    if err != errInvalidToken {
        log.Errorf("Failed to call tokeninfo: %v.", err)
    }
    loginRedirect(ctx, f.config)
    return
}
f.setAccessTokenHeader(req, token.AccessToken)
tokenContainer, err := f.createTokenContainer(token, tokeninfo)

func (ac *authClient) getTokeninfo(token string, ctx filters.FilterContext) (map[string]interface{}, error) {

and looks for the configured "subject" key:
func (f *grantFilter) createTokenContainer(token *oauth2.Token, tokeninfo map[string]interface{}) (tokenContainer, error) {
    subject := ""
    if f.config.TokeninfoSubjectKey != "" {
        if s, ok := tokeninfo[f.config.TokeninfoSubjectKey].(string); ok {
            subject = s
        } else {
            return tokenContainer{}, fmt.Errorf("tokeninfo subject key '%s' is missing", f.config.TokeninfoSubjectKey)
        }
    }
    tokeninfo["sub"] = subject
    return tokenContainer{
        OAuth2Token: token,
        Subject:     subject,
        Claims:      tokeninfo,
    }, nil
}

Can you send an access token to https://login.microsoftonline.com/TENANT_ID/openid/userinfo and send us the output if the json you get back, such that we can check if the code path misses data?

This would be interesting to see indeed
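The two code paths quoted above, side by side as an added runnable example (this is not Skipper's own code, and the two JSON bodies are constructed placeholders): parsing the openid-configuration document as if it were tokeninfo and asserting the subject key with a bare type assertion reproduces the "interface {} is nil, not string" panic from the first logs, while the comma-ok form turns the same missing key into an ordinary error.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample bodies (placeholders, not real Azure AD output).
// openidConfig mimics the .well-known/openid-configuration document that the
// original -oauth2-tokeninfo-url pointed at: valid JSON, but it is provider
// metadata, so it has neither "uid" (Skipper's default subject key) nor "sub".
const openidConfig = `{
  "issuer": "https://login.microsoftonline.com/TENANT_ID/v2.0",
  "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
  "token_endpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/token"
}`

// userinfo mimics the shape of the userinfo response quoted later in the thread.
const userinfo = `{
  "sub": "abc",
  "oid": "abc",
  "upn": "name@domain.com",
  "groups": ["group-a", "group-b"]
}`

// decodeTokeninfo does what the grant filter does with the tokeninfo body:
// parse it into a generic map with no schema check, so any JSON object passes.
func decodeTokeninfo(body string) (map[string]interface{}, error) {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(body), &m); err != nil {
		return nil, err
	}
	return m, nil
}

// subjectUnchecked reproduces the original defect: an unchecked type assertion
// on a map lookup. A missing key yields a nil interface{}, and asserting that to
// string panics with "interface conversion: interface {} is nil, not string",
// the message seen in the first log excerpt. The panic is recovered and returned
// as an error here only so the caller can inspect it.
func subjectUnchecked(tokeninfo map[string]interface{}, key string) (subject string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	subject = tokeninfo[key].(string)
	return subject, nil
}

// subjectChecked is the corrected form: the comma-ok assertion turns a missing
// or non-string subject into an ordinary error, so the filter can fail the
// request cleanly (redirect to login or reject) instead of crashing it.
func subjectChecked(tokeninfo map[string]interface{}, key string) (string, error) {
	if key == "" {
		return "", nil // subject lookup disabled by configuration
	}
	s, ok := tokeninfo[key].(string)
	if !ok {
		return "", fmt.Errorf("tokeninfo subject key '%s' is missing", key)
	}
	return s, nil
}

func main() {
	for _, tc := range []struct{ name, body string }{
		{"openid-configuration", openidConfig},
		{"userinfo", userinfo},
	} {
		ti, err := decodeTokeninfo(tc.body)
		if err != nil {
			fmt.Println(tc.name, "decode error:", err)
			continue
		}
		// Default subject key "uid" is absent from both bodies: the unchecked
		// form panics, the checked form returns an error.
		_, err = subjectUnchecked(ti, "uid")
		fmt.Printf("%s / unchecked uid: %v\n", tc.name, err)
		s, err := subjectChecked(ti, "sub")
		fmt.Printf("%s / checked sub: subject=%q err=%v\n", tc.name, s, err)
	}
}
```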

@tamer-abdulghani
Author

@szuecs @AlexanderYastrebov

@tamer-abdulghani

Unfortunately, there is no endpoint available provided by Microsoft to verify the access token.

Userinfo API requires token and I assume it validates it.

Yes I would agree on this.

Can you send an access token to https://login.microsoftonline.com/TENANT_ID/openid/userinfo and send us the output if the json you get back, such that we can check if the code path misses data?

This would be interesting to see indeed

Here you go:

curl -H "Authorization: Bearer ACCESS_TOKEN" https://login.microsoftonline.com/TENANT_ID/openid/userinfo

{
   "aio":"value",
   "amr":"[\"wia\"]",
   "family_name":"Abdulghani",
   "given_name":"Tamer",
   "in_corp":"true",
   "ipaddr":"1.2.3.4",
   "name":"Full name",
   "oid":"abc",
   "onprem_sid":"abc",
   "rh":"abc",
   "sub":"abc",
   "tid":"abc",
   "unique_name":"name@domain.com",
   "upn":"name@domain.com",
   "uti":"abc",
   "ver":"1.0",
   "groups":[
      .....
   ]
}

I have just modified the result to have fake values instead of the real ones, but the JSON object looks like this anyway. "abc" values are mostly random string characters.

Hope it is helpful.

@szuecs
Member

szuecs commented May 26, 2021

@tamer-abdulghani the userinfo is great, because it shows you can use this as "tokeninfo". The data you got from userinfo endpoint is stored such that you can use the authz filter to allow/deny.

Reading again the first log error message:

[APP]time="2021-04-07T17:28:19Z" level=error msg="**Failed to exchange access token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token**.\\r\\nTrace ID: 34963c42-3ede-4341-a5bd-6e1793d47100\\r\\nCorrelation ID: 059d4c1c-0010-418e-a614-d674b6f7947e\\r\\nTimestamp: 2021-04-07 17:28:19Z\",\"error_codes\":[54005],\"timestamp\":\"2021-04-07 17:28:19Z\",\"trace_id\":\"34963c42-3ede-4341-a5bd-6e1793d47100\",\"correlation_id\":\"059d4c1c-0010-418e-a614-d674b6f7947e\"}."
{"audit":"","duration":272,"flow-id":"","host":"10.42.104.73:58437","level":"info","method":"GET","msg":"","proto":"HTTP/1.1","referer":"https://adfs.azgi.com/","requested-host":"my.domain.com","response-size":0,"status":500,"timestamp":"07/Apr/2021:17:28:19 +0000","uri":"/oauth/callback?code=0.ASEA1cvqoQ778UaB40ll6o5Fu7MIYC0SYCJPoB4zMcYJfnohAAA.AQABAAIAAAD--DLA3VO7QrddgJg7Wevr6NoYMtZFycDAO-_nNmoYA9YeQJZV2phTOl8gpN-KE4DQT6BqY0sAP2uWs6OX3LUbO_he72FC0TgHPOR9zRHCaOo8H81p0-Edfpfgkqkyj8K9HgHonBy3dsa0NqaDSnAE4oUf9cuuZlPiH2q9A9ajb20LY4Ws6enCvbqbQl5AsTjrqpXqj9tY8v2kQCsrZMbjk2D-wxXB0cpbnyXo0fJjH5YpsWH_n0hU19fYGC7tm_LuFdyYc6ceyXOXORk-7kWXon78Ufmlu25wQV_nk9w4680DMGxD0RSsHCrgRpT6o83XvjvrVQPFeu-QoG4mi9-c7Bw5QJ6DHc-Tj6vr57T934HmYfFvG892zMuMz4cp6Liact117-Cv9ly_zJ4PLDI98btmnHTnWojwwWbRmMAzrz1O2f61b3a-S3p5baiRtzETDl2ytvzU6VaVEMvP134pJKYemXWGWj_vJs7ZEmzzlkF1FyMMECWpXPjCPGu811OjKBIA4X0C5nm8URHH6HDuS0j_uEj45igKXbwbeexFCTwxRL4DAa1DwrerXPF3AcysXqyQ45VgcyE3fTt6dDWAMeFFdGjD0cS6KX9_Qhx3aKJJrbFGX0xmnL5z7laQWg6jhr50hnVdg9ZkHQ5nWqoclvR1JV0fDPIV8TzvYZLBxPFTkTYCU8rFVU4zZZYYg3ecVkF9Gt1UVpfN9d40wx0LF1PDbQvAsKr9GxTu3diAA\u0026state=c2cc79dc2819bf9902eb245f66c67bdebb090034f4ef3510212c1f060d38c122e1c98c14416286fcd75bc1ca157e4fdd474cac8678f110c0dd2d404a8e310996ac8260e65728568496aeebcf08f74ae415c9bc25e1fccbb5dd7a5a0bf697014d66c6c90eb769119d9b140daf1b7fd1fe2c3523ab76e05129bf601b0a6a8b2a4a353629b7a3f41d7aa90e0cbccf46b100d1fcfb92ba581ab5f08aeb3ee\u0026session_state=b733bc1f-469a-4f29-a06e-4af0ad40c4c7","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.8 Safari/537.36"}

This shows

log.Errorf("Failed to exchange access token: %v.", err)
, which shows that the Exchange() call fails.
-> https://github.com/golang/oauth2/blob/master/oauth2.go#L213
-> https://github.com/golang/oauth2/blob/master/token.go#L157

Now looking at the configuration data that the go library has:
https://github.com/golang/oauth2/blob/master/microsoft/microsoft.go#L29

I would suggest configuring skipper with the following (note the /v2.0/) and trying again:

          - "-oauth2-auth-url=https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"
          - "-oauth2-token-url=https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"

It seems that if we use userinfo we have to use v2 as stated in https://docs.microsoft.com/en-us/azure/active-directory/develop/userinfo#notes-and-caveats-on-the-userinfo-endpoint , maybe also https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc helps.
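Added example (editor's, not code from skipper, golang.org/x/oauth2 or anyone in this thread): the `Exchange()` step that fails in the log above, reproduced against a fake token endpoint. The fake server (constructed for the example, not Azure AD) enforces the property behind AADSTS54005: an authorization code can be redeemed exactly once, and a second POST with the same code gets `400` with `error=invalid_grant`. `exchangeCode` sends the same form POST that `oauth2.Config.Exchange` sends, so the second loop iteration in `main` is what a replayed `/oauth/callback` request looks like from the proxy's side. The `CLIENT_ID`/`CLIENT_SECRET`/callback values are placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// tokenResponse is the successful /token body (RFC 6749 section 5.1, subset).
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
}

// tokenError is the RFC 6749 section 5.2 error body; AADSTS54005 arrives in this
// shape with error=invalid_grant and the AADSTS text in error_description.
type tokenError struct {
	Code        string `json:"error"`
	Description string `json:"error_description"`
}

func (e *tokenError) Error() string { return e.Code + ": " + e.Description }

// fakeTokenEndpoint stands in for the authorization server's /token endpoint
// (constructed for this example). A code issued by the (implied) /authorize
// step can be redeemed once; any later redemption is invalid_grant.
type fakeTokenEndpoint struct {
	mu       sync.Mutex
	issued   map[string]bool
	redeemed map[string]bool
}

func newFakeTokenEndpoint(codes ...string) *fakeTokenEndpoint {
	s := &fakeTokenEndpoint{issued: map[string]bool{}, redeemed: map[string]bool{}}
	for _, c := range codes {
		s.issued[c] = true
	}
	return s
}

func (s *fakeTokenEndpoint) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fail := func(code, desc string) {
		w.WriteHeader(http.StatusBadRequest)
		json.NewEncoder(w).Encode(tokenError{Code: code, Description: desc})
	}
	if r.Method != http.MethodPost || r.ParseForm() != nil || r.PostForm.Get("grant_type") != "authorization_code" {
		fail("invalid_request", "expected a form POST with grant_type=authorization_code")
		return
	}
	code := r.PostForm.Get("code")
	s.mu.Lock()
	defer s.mu.Unlock()
	switch {
	case s.redeemed[code]:
		fail("invalid_grant", "authorization code was already redeemed")
	case !s.issued[code]:
		fail("invalid_grant", "unknown authorization code")
	default:
		s.redeemed[code] = true
		json.NewEncoder(w).Encode(tokenResponse{AccessToken: "at-" + code, TokenType: "Bearer", ExpiresIn: 3600})
	}
}

// exchangeCode sends the same request oauth2.Config.Exchange sends: a form POST
// carrying the code, the client credentials and the redirect_uri.
func exchangeCode(tokenURL, clientID, clientSecret, redirectURI, code string) (*tokenResponse, error) {
	form := url.Values{
		"grant_type":    {"authorization_code"},
		"code":          {code},
		"redirect_uri":  {redirectURI},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
	}
	resp, err := http.PostForm(tokenURL, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		te := &tokenError{}
		if json.Unmarshal(body, te) != nil || te.Code == "" {
			return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, body)
		}
		return nil, te // structured error: callers can inspect error/error_description
	}
	tok := &tokenResponse{}
	if err := json.Unmarshal(body, tok); err != nil {
		return nil, err
	}
	return tok, nil
}

// isInvalidGrant reports whether the server rejected the grant itself (an
// already redeemed code being the case in this thread) rather than the request.
func isInvalidGrant(err error) bool {
	var te *tokenError
	return errors.As(err, &te) && te.Code == "invalid_grant"
}

func main() {
	srv := httptest.NewServer(newFakeTokenEndpoint("code-1"))
	defer srv.Close()
	const cb = "https://my.application.domain/oauth/callback"
	for i := 1; i <= 2; i++ { // the second round is a replayed callback
		tok, err := exchangeCode(srv.URL, "CLIENT_ID", "CLIENT_SECRET", cb, "code-1")
		fmt.Printf("exchange #%d: ok=%v err=%v invalid_grant=%v\n", i, tok != nil, err, isInvalidGrant(err))
	}
}
```

The practical reading of the log is therefore not that the token endpoint is misconfigured (that would fail on the first exchange too) but that the same callback URL, code included, reached skipper twice; the first redemption succeeded and only the second one is visible as the 400.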

@tamer-abdulghani
Author

@szuecs @AlexanderYastrebov

So I have tried again with the v2.0 endpoints and userinfo, and also added the required scopes, but I'm getting the same redirect loop:

Skipper config:

        - -enable-oauth2-grant-flow
        - -oauth2-access-token-header-name=Grant-Authorization
        - -oauth2-client-id=CLIENT_ID
        - -oauth2-client-secret=CLIENT_SECRET
        - -oauth2-secret-file=/etc/cookiesecret/secret
        - -oidc-secrets-file=/etc/cookiesecret/secret
        - -oauth2-auth-url=https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize
        - -oauth2-token-url=https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
        - -oauth2-tokeninfo-url=https://login.microsoftonline.com/TENANT_ID/openid/userinfo
        - -oauth2-tokeninfo-subject-key=sub
        - -oauth2-callback-path=/oauth/callback
        - -oauth2-auth-url-parameters=scope=email profile openid # I tried other scopes such as GUID/.default 

and filter:

zalando.org/skipper-filter: oauthGrant()

On the first hit to my application URL, I'm redirected to this URL:

https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?
client_id=CLIENT_ID
&redirect_uri=https%3A%2F%2Fmy.application.domain%2Foauth%2Fcallback
&response_type=code
&scope=email+profile+openid
&state=abcd
&sso_reload=true

Then after login:

TOO_MANY_REDIRECTS 

then

This page isn’t working my.application.domain is currently unable to handle this request.
HTTP ERROR 500

Skipper logs:

{"audit":"","duration":193,"flow-id":"","level":"info","method":"GET","msg":"","proto":"HTTP/1.1","response-size":0,"status":307,"timestamp":"28/May/2021:14:37:17 +0000","uri":"/oauth/callback?code=.................","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"}

[APP]time="2021-05-28T14:37:18Z" level=error msg="Failed to exchange access token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a  new valid code or use an existing refresh token. ...... 

[APP]time="2021-05-28T14:37:23Z" level=error msg="Failed to exchange access token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_grant\", \"error_description\":\"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a  new valid code or use an existing refresh token.\\r\\nTrace ID:..........
 

@AlexanderYastrebov
Member

The authorize url apparently has a proper callback url redirect_uri=https%3A%2F%2Fmy.application.domain%2Foauth%2Fcallback (configured via -oauth2-callback-path)

Then after login:

You are redirected to that callback url. The response from the callback normally would have status 307, Location header that contains initial url and Set-Cookie header setting the grant cookie (name is configured via -oauth2-token-cookie-name, it is oauth2-grant by default). I think we need to have a look at this cookie properties like domain, path etc.

When browser follows location url from callback response it should send the grant cookie along.

Could you capture full sequence starting from hitting your application (chrome dev tools should work) and check response from callback url and if the grant cookie is sent on redirect?
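Added example (editor's, not code from skipper or from anyone in this thread) of the check suggested above, done offline with the standard library's RFC 6265 cookie jar instead of the browser dev tools: store the `Set-Cookie` the callback URL would return, then ask whether that cookie would be attached to the follow-up request for the `Location` the callback redirects to. The cookie name is skipper's default `oauth2-grant`; the `Set-Cookie` values, `my.application.domain` and `other.example` are constructed to show each way the cookie can fail to come back (default `Path` of `/oauth` when no `Path` is set, a `Domain` that does not cover the callback host, a `Secure` cookie on a plain-http origin). `SameSite` is not modelled by the jar.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// grantCookieName is skipper's default for -oauth2-token-cookie-name.
const grantCookieName = "oauth2-grant"

// cookieSentOnRedirect models the browser after the callback response: the
// Set-Cookie header received from callbackURL is stored in a cookie jar, and the
// result says whether that cookie would accompany the request to locationURL.
func cookieSentOnRedirect(callbackURL, locationURL, setCookie string) (bool, error) {
	cb, err := url.Parse(callbackURL)
	if err != nil {
		return false, err
	}
	loc, err := url.Parse(locationURL)
	if err != nil {
		return false, err
	}
	jar, err := cookiejar.New(nil) // nil PublicSuffixList: no public-suffix rejection
	if err != nil {
		return false, err
	}
	// Parse the raw header exactly as net/http parses a response's Set-Cookie.
	resp := &http.Response{Header: http.Header{"Set-Cookie": {setCookie}}}
	// The jar silently drops cookies whose Domain does not cover cb.Host and
	// applies the default-path rule (directory of the callback path) if no Path.
	jar.SetCookies(cb, resp.Cookies())
	for _, c := range jar.Cookies(loc) {
		if c.Name == grantCookieName {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	const callback = "https://my.application.domain/oauth/callback"
	cases := []struct{ setCookie, location string }{
		{"oauth2-grant=opaque; Path=/; Secure; HttpOnly", "https://my.application.domain/"},
		{"oauth2-grant=opaque; Secure; HttpOnly", "https://my.application.domain/"},       // no Path: defaults to /oauth
		{"oauth2-grant=opaque; Secure; HttpOnly", "https://my.application.domain/oauth/x"}, // under the default path
		{"oauth2-grant=opaque; Path=/; Domain=other.example; Secure", "https://my.application.domain/"},
		{"oauth2-grant=opaque; Path=/; Domain=my.application.domain; Secure", "https://my.application.domain/"},
		{"oauth2-grant=opaque; Path=/; Secure", "http://my.application.domain/"}, // Secure cookie, plain http origin
	}
	for _, c := range cases {
		sent, err := cookieSentOnRedirect(callback, c.location, c.setCookie)
		fmt.Printf("%-62s -> %-40s sent=%v err=%v\n", c.setCookie, c.location, sent, err)
	}
}
```

When capturing the real sequence in the browser, the same three attributes (Path, Domain, Secure) plus SameSite are what to read off the callback's `Set-Cookie` header and compare with the request the 307 `Location` triggers.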

@szuecs
Member

szuecs commented Jun 10, 2021

Just a side note we can get credits for Azure via https://developer.microsoft.com/en-us/microsoft-365/dev-program. I got a reply in #provider-azure in kubernetes slack.

@sanjeev55

Hi @tamer-abdulghani, I wanted to ask you something about your Skipper configuration file.
I have a similar configuration, but the TENANT_ID you have in your oauth2-auth-url and the other URLs: how have you passed the tenant ID at runtime so that it is set in this path? Similarly for the client ID and client secret. How have you managed to pass this tenant-specific information? If you could provide me with any information, I would be grateful. And I am sorry if this is not the right way to ask questions.

@szuecs
Member

szuecs commented Jan 3, 2023

It would be great if we could get a doc PR; if two people have the same problem, it's worth documenting for the next ones.


4 participants