OIDC redirect loop issue - oauth-2.0

Env:
Istio: 1.14.1
Okta
OAuth2-proxy: v7.2.0
K8s: 1.21.11
I followed this https://www.jetstack.io/blog/istio-oidc/ to set up OIDC auth for my application. I am running into a redirect loop issue. I see this error in the oauth2-proxy pod logs:
[2022/07/06 17:20:56] [oauthproxy.go:862] No valid authentication in request. Initiating login.
Any help to troubleshoot this? Please let me know if you need more details about the setup.

Related

KeyCloak: Connection has been refused by the server. Connection timed out

Occasionally I receive a connection timeout when calling the /userinfo endpoint of my KeyCloak-Server.
So far, I have no indication what's wrong and what causes the timeouts. There are no errors in the server.log I configured. Also, I cannot reproduce the issue, I just see the errors in the logs of the application trying to authenticate with keycloak.
Is there some sort of connection limit that my keycloak might use?
What additional logs can I activate to narrow down the problem?
I am currently on version 17.0.1
Try running Keycloak in debug mode: kc.sh start --log-level=debug. If the /userinfo call reached Keycloak, there will be a debug log for it; you can match the time when the error occurred to the Keycloak log.
Do you have any other components between your application and Keycloak, such as a proxy, a DNS server, etc.? You would need to check their logs as well.
Also check out this document regarding the REST API in Keycloak -> https://github.com/keycloak/keycloak-community/blob/main/design/rest-api-guideline.md#rate-lmiting

RabbitMQ Management web page cannot show login button using latest cloudfoundry UAA

I am trying to use OAuth authentication in RabbitMQ via cloudfoundry UAA.
Following this tutorial it works, there's no problem.
I checked that the RabbitMQ management login succeeds and the RabbitMQ management API is also called successfully.
But the RabbitMQ UAA demo's cloudfoundry UAA image was created 2 years ago, so the UAA image has the log4j vulnerability (CVE-2021-44228).
So I'm trying to change the UAA image to 75.16.0.
And I faced a critical problem:
in the RabbitMQ Management Web the login button does not show.
Web Browser's console log showed X-Frame-Options DENY (192.168.137.237:8080 is UAA server IP address)
Can anyone help me?

Oauth2_proxy with Keycloak : getting "invalid_token" with /userinfo API

I am trying Keycloak for the first time and using Keycloak as provider with oauth2_proxy (https://github.com/oauth2-proxy/oauth2-proxy/blob/v5.1.1/providers/keycloak.go) to achieve user authentication via LDAP.
I have followed all steps inside Keycloak to create a realm, create a client, client id, client secret etc. Also the Keycloak API "/token" is passing. However, once I pass username/password in the Keycloak login screen, I get the following error in oauth2_proxy:
[2020/05/30 10:15:37] [requests.go:25] 401 GET http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/userinfo {"error":"invalid_token","error_description":"Token verification failed"}
Also I am passing the following parameters when bringing up the oauth2_proxy docker container:
command: -upstream=static://200 -http-address=0.0.0.0:8080 -https-address=0.0.0.0:8443
-redirect-url="https://portal.acme.com/oauth2/callback"
-scope='test-scope' -email-domain=* -cookie-domain=* -cookie-secure=false -cookie-secret=skjgfsgfsf23524
-cookie-samesite="none" -provider=keycloak
-client-id='abcd-client' -client-secret='c0281257-b600-40b2-beae-68d1f2d72f02'
--tls-cert-file=/etc/acme.com.pem
--tls-key-file=/etc/acme.com.key
-login-url="http://localhost:7575/auth/realms/master/protocol/openid-connect/auth"
-redeem-url="http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/token"
-validate-url="http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/userinfo"
Can someone please help with what could be missing or going wrong?
Any lead or hint will be really helpful.
I found the solution to this problem. This was because the issuer in the JWT token did not match the URL I gave when bringing up this oauth2_proxy container.
To fix this, what was needed is that the docker container needed to talk to the host network and port exposed by Keycloak. This needs 2 things:
Use "host.docker.internal" as host in all Keycloak APIs when bringing up oauth2_proxy so that the oauth2_proxy container communicates with Keycloak via the host network.
Map "host.docker.internal" to 127.0.0.1 on the local machine/host so that the browser redirect is accessible.
After this little hack, the setup works.
Thanks!
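The issuer mismatch described in this answer can be confirmed before touching the container network. The script below is an added example (not the poster's code and not part of oauth2-proxy): it decodes the iss claim of a token and compares it with the issuer implied by each of the -login-url, -redeem-url and -validate-url values. The sample token and both configs are constructed to mirror the post; using host.docker.internal:8080 as the single fixed host is an assumption.

```python
import base64
import json

# Keycloak stamps iss = <scheme>://<host>[:port]/auth/realms/<realm> into every token;
# its OIDC endpoints live under <issuer>/protocol/openid-connect/<endpoint>.
OIDC_SUFFIX = "/protocol/openid-connect/"

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, WITHOUT signature verification: fine for
    reading a token out of a log while troubleshooting, never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore the padding JWTs omit
    return json.loads(base64.urlsafe_b64decode(payload))

def issuer_from_endpoint(url: str) -> str:
    """Realm issuer implied by a configured openid-connect endpoint URL."""
    idx = url.find(OIDC_SUFFIX)
    if idx == -1:
        raise ValueError(f"{url} is not a Keycloak openid-connect endpoint")
    return url[:idx]

def check_issuer(token: str, endpoints: dict) -> dict:
    """Per configured endpoint: True when the token's iss equals the issuer that
    endpoint implies. Any False is the mismatch behind the invalid_token error."""
    iss = jwt_claims(token)["iss"].rstrip("/")
    return {name: issuer_from_endpoint(url) == iss for name, url in endpoints.items()}

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) JWT so the check can run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed configs mirroring the post: the browser reaches Keycloak through the
# login-url host, the container through the redeem/validate host, so iss can agree
# with only one of them. The fixed config uses one host everywhere (port assumed).
POST_CONFIG = {
    "login-url": "http://localhost:7575/auth/realms/master/protocol/openid-connect/auth",
    "redeem-url": "http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/token",
    "validate-url": "http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/userinfo",
}
FIXED_CONFIG = {
    name: url.replace("localhost:7575", "host.docker.internal:8080")
             .replace("172.20.0.10:8080", "host.docker.internal:8080")
    for name, url in POST_CONFIG.items()
}
```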

Okta unable to access jenkins server

I integrated Jenkins with Okta using the SAML 2.0 plugin.
Issue: When I click on the Jenkins app in the Okta URL it is redirecting the request to https://jenkins.xxxx.com/samlLogout/ and displaying the message "You are now logged out of Jenkins, however this has not logged you out of SAML".
I want to log in to Jenkins using Okta credentials, but Okta is redirecting the request to the logout URL and displaying the above message.
Please let me know how I can redirect the request to the Jenkins home page (where my jobs are located).
You should first check jenkins.log. I had the same issue with Jenkins version 2.235.3 and saml plugin 1.1.6. I was seeing the below error in the logs.
SAMLException: Authentication issue instant is too old or in the future
As per https://support.cloudbees.com/hc/en-us/articles/115000087231-SAML-Authentication-issue-instant-is-too-old-or-in-the-future
Sync servers by Installing NTPD
a. Install NTPD on each of the machines running the services to integrate: the IdP Provider as well as Jenkins in this case.
b. If you install the NTP service after the IdP Provider/Jenkins has already been installed in your network, you should restart the IdP Provider/Jenkins service after NTP has been successfully installed.
Maximum authentication time
a. On the IdP side, decrease the time users are being retained to a value less than 24 days.
b. Delete browser cookies and login again.
Note: Deleting browser cookies may only solve your problem temporarily.
Just clearing the cookies did the job
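To see why both clock drift and a stale IdP session surface as the same SAMLException, here is an added Python check (not the Jenkins SAML plugin's code): it reads AuthnInstant from an assertion and classifies it against the SP's current time, an allowed clock skew and a maximum authentication age. The assertion skeleton, the Okta issuer placeholder and the 24-hour/5-minute values used in the comments are constructed assumptions.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"  # SAML xs:dateTime values are UTC with a Z suffix

def authn_instant(assertion_xml: str) -> datetime:
    """Read AuthnInstant from the assertion's AuthnStatement as an aware UTC datetime."""
    stmt = ET.fromstring(assertion_xml).find(".//saml:AuthnStatement", SAML_NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("assertion carries no AuthnStatement/@AuthnInstant")
    raw = stmt.attrib["AuthnInstant"]
    raw = raw[:19] + "Z" if "." in raw else raw  # drop fractional seconds some IdPs emit
    return datetime.strptime(raw, SAML_TIME).replace(tzinfo=timezone.utc)

def check_authn_instant(assertion_xml, now, max_age, skew) -> str:
    """Classify the assertion the way the SP does: 'ok', 'too old' (the IdP session
    is older than max_age, e.g. 24 hours) or 'in the future' (the IdP clock is ahead
    of the SP's by more than skew, e.g. 5 minutes). The first two fail with the
    'Authentication issue instant is too old or in the future' error in the post."""
    instant = authn_instant(assertion_xml)
    if instant > now + skew:
        return "in the future"
    if instant < now - max_age - skew:
        return "too old"
    return "ok"

def sample_assertion(instant: datetime) -> str:
    """Constructed, unsigned assertion skeleton carrying the given AuthnInstant
    (only the elements the check needs; a real one also has Subject/Conditions/Signature)."""
    ts = instant.strftime(SAML_TIME)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="{ts}">
  <saml:Issuer>http://www.okta.com/PLACEHOLDER-issuer</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="{ts}" SessionIndex="_constructed-session">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""
```

A drifted SP clock shows up as "in the future" even for a fresh login, which is why NTP is the first fix; an old Okta session replayed from cookies shows up as "too old", which is why clearing cookies helps only until the session ages again.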

Spring Security - Google OAuth 2.0 - UnknownHostException www.googleapis.com

I've implemented Google OAuth login based on this tutorial: https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/
It is working correctly when the app is run locally. However, after deploying it on GKE, I'm unable to log in; the flow fails with the following error:
error: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for "https://www.googleapis.com/oauth2/v4/token": www.googleapis.com; nested exception is java.net.UnknownHostException: www.googleapis.com
This comes from OAuth2AccessTokenResponseClient.
As I said before, it's working fine when run on localhost and I'm unable to debug it.
The app is deployed with an Ingress using a static IP. I've assigned that IP to my domain very recently. The domain is registered in the Google APIs Authorised redirect URIs.
Google APIs use the OAuth 2.0 protocol for authentication and authorization. Google supports common OAuth 2.0 scenarios such as those for web server, installed, and client-side applications. Please have a look at this link.
We can follow the below steps for obtaining OAuth 2.0 access tokens.
Step 1: Generate a code verifier and challenge
Step 2: Send a request to Google's OAuth 2.0 server
Step 3: Google prompts user for consent
Step 4: Handle the OAuth 2.0 server response
Step 5: Exchange authorization code for refresh and access tokens
The problem was that the kube-dns pods didn't get up. I set up a preemptible cluster and added a taint to its only node pool. That prevented kube-dns from starting:
Normal NotTriggerScaleUp 61s (x22798 over 2d18h) cluster-autoscaler pod didn't trigger scale-up (it wouldn't fit if a new node is added): 1 node(s) had taints that the pod didn't tolerate
Warning FailedScheduling 44s (x141 over 26h) default-scheduler 0/1 nodes are available: 1 node(s) had taints that the pod didn't tolerate.
After removing the taint, the hostname got resolved.