Oauth2_proxy with Keycloak : getting "invalid_token" with /userinfo API - oauth-2.0

I am trying Keycloak for the first time and using Keycloak as the provider with oauth2_proxy (https://github.com/oauth2-proxy/oauth2-proxy/blob/v5.1.1/providers/keycloak.go) to achieve user authentication via LDAP.
I have followed all the steps inside Keycloak to create a realm, create a client, client id, client secret etc. Also the Keycloak API "/token" is passing. However, once I enter username/password in the Keycloak login screen, I get the following error in oauth2_proxy:
[2020/05/30 10:15:37] [requests.go:25] 401 GET http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/userinfo {"error":"invalid_token","error_description":"Token verification failed"}
Also, I am passing the following parameters when bringing up the oauth2_proxy docker container:
command: -upstream=static://200 -http-address=0.0.0.0:8080 -https-address=0.0.0.0:8443
-redirect-url="https://portal.acme.com/oauth2/callback"
-scope='test-scope' -email-domain=* -cookie-domain=* -cookie-secure=false -cookie-secret=skjgfsgfsf23524
-cookie-samesite="none" -provider=keycloak
-client-id='abcd-client' -client-secret='c0281257-b600-40b2-beae-68d1f2d72f02'
--tls-cert-file=/etc/acme.com.pem
--tls-key-file=/etc/acme.com.key
-login-url="http://localhost:7575/auth/realms/master/protocol/openid-connect/auth"
-redeem-url="http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/token"
-validate-url="http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/userinfo"
Can someone please help with what could be missing or going wrong?
Any lead or hint would be really helpful.

I found the solution to this problem. It was because the issuer in the JWT token did not match the URL I gave when bringing up this oauth2_proxy container.
To fix this, the docker container needed to talk to the host network and the port exposed by Keycloak. This needs 2 things:
Use "host.docker.internal" as the host in all Keycloak API URLs when bringing up oauth2_proxy, so that the oauth2_proxy container communicates with Keycloak via the host network.
Map "host.docker.internal" to 127.0.0.1 on the local machine/host so that the browser redirect is accessible.
After this little hack, the setup works.
Thanks!

Related

Nginx on Docker: redirect based on JWT authentication

I'm wondering how to configure nginx (running in a docker container) to verify a JWT's validity (passed by Authorization/Bearer or by Cookie, that's not the point) and consequently act like a gateway.
If the JWT is invalid, or expired, then nginx has to connect (or better, act like a transparent proxy) to the container "login".
If not, i.e. if the JWT is valid, it has to "proxy" to the "app" container.
I saw some modules like https://github.com/TeslaGov/ngx-http-auth-jwt-module, but at the moment I'm unable to configure it correctly.
Any suggestion about that or a similar solution?
I'm also open to completely different solutions, for example Traefik or others.
In other words: what do you suggest to create a similar scenario with Docker?
Thank you in advance.

Is it possible to use `externalbrowser` authenticator inside docker container for connection authentication with Snowflake?

I am trying to use the snowflake connector inside a docker container. I want to use the externalbrowser authenticator so that I can make the connection using Okta credentials, but the connector is failing with the error mentioned below.
DatabaseError: (snowflake.connector.errors.DatabaseError) 250008 (08001): None: Failed to connect to DB: xx.snowflakecomputing.com:443, Unable to open a browser in this environment.
(Background on this error at: http://sqlalche.me/e/13/4xp6)
As an aside, I'd recommend removing your account name from the question (shown in the error).
You are correct that the "externalbrowser" option is browser-based SSO. It might be possible to get this running in a docker container with some extended software and configuration, but I wouldn't recommend it as it doesn't seem worth the effort.
Instead, there are alternative SSO authentication methods you can look at, such as Native SSO Okta, key-pair authentication, or external OAuth. These won't require the browser.

Jitsi Docker server JWT authentication does not work. Why?

I am trying to enable JWT authentication for my self-hosted (Docker) Jitsi server. There is a guide on self-hosting with Docker, and that guide tells how to enable authentication. This is the guide: https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker
Now I will copy and paste the authentication part from that guide so that you can see it more clearly.
Authentication can be controlled with the environment variables below. If guest access is enabled, unauthenticated users will need to wait until a user authenticates before they can join a room. If guest access is not enabled, every user will need to authenticate before they can join.
Authentication using JWT tokens: You can use JWT tokens to authenticate users. To enable it you have to enable authentication with ENABLE_AUTH and set AUTH_TYPE to jwt...
After these instructions, I changed my .env file. I did the configuration described above. Then I did docker-compose down. Then I removed ~/.jitsi-meet-cfg and created it again with mkdir. Then I ran the command docker-compose up -d.
Then to try it, I am entering the URL:
https://{ip_add}:8443/room?jwt=randomwords
I am connecting to the server remotely, thus I am accessing it by IP. And because I did not provide a token, I should not be able to create/join a meeting, but I am able to. Whatever I write in the URL, I can still join.
Can someone help?

401 error when trying GET request to Hawkbit Server with Gateway Security Token

Q1:
I'm running a Hawkbit server on localhost in a docker container and activated the option "Allow a gateway to authenticate and manage multiple targets through a gateway security token" in the settings of the web UI that I access via http://localhost:8080/.
Now I'm using Postman to send a GET request to http://localhost:8080/default/controller/v1/25 with the header
key: GatewayToken, value: <The gateway token shown in the Hawkbit web UI>
Using this header, I'm supposed to be able to authenticate my Postman client against the Hawkbit server (compare e.g. https://www.eclipse.org/hawkbit/concepts/authentication/), however I'm always getting a "401 Unauthorized" response.
Even if I enable "Allow targets to download artifacts without security credentials", which should enable any client to get a resource even without authentication, I get a 401.
What am I doing wrong?
Q2:
The Hawkbit server is running in Docker, started via "docker-compose up -d" as described here: https://www.eclipse.org/hawkbit/gettingstarted/
In order to solve the problem of Q1, I wanted to check the output of Hawkbit inside the container, but I'm not too familiar with docker and couldn't find out how. I was able to get inside the container using
docker exec -it docker_hawkbit_1 /bin/sh
which brings me into the container's file system at /opt/hawkbit. But that's not what I was looking for. How can I see the log/output of the Hawkbit/Spring Boot application running inside the container?
Q1:
The key of the request should not be GatewayToken, but Authorization. The header of the request will then look as follows:
key: Authorization, value: GatewayToken <token>
Q2:
Try the following command to see the logs:
docker logs -f docker_hawkbit_1

Jhipster registry "Status: (Unauthorized)" page after keycloak login

Jhipster registry:v3.3.0
Keycloak: 4.5.0.Final (https enabled)
There is a jhipster registry setup using docker-compose as shown in the picture. The registry talks to Keycloak for authentication.
We have two keycloak instances.
When configured with one keycloak instance it logs in successfully and opens the registry page.
When configured with the other keycloak instance it shows the following page:
After entering keycloak credentials, the url in the browser is http://localhost:8761/login?state=Swy20H&session_state=c6853b18-42f3-4ad9-9ad0-14615aa576bd&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..xtptsARyYJPbqrhZD4ZF7A.yKur_w3c5H-ybHcpXeBSca1W7N3XxRzQXaUs383Kqh57wzaWt3FhBglGf-w154GRTM93F5oa2grE8HzVyrRpDadQs5FCjpNDZuD86KZy5JVI4RnlYOFvsTMcO-fFi_bWl2ByvNy7QARglrwGQOTeYndvrYluuC57OJGKm8819gIb9a5wvZ9oeiJLuDPwkcefs2J-xnUvEde3yAyVKGxe_oGdA8jJbbwRDQQvCI2e3FLyiKJ1F2P2iHFT5g_QaQxv.7k__JisYiWQrQpjgxJ8m5Q
The same keycloak client was imported into the Keycloak realm of both instances. Any idea what could be the reason?
I had faced a similar issue.
In my case I was getting it for two reasons.
The keycloak was SSL enabled and the keystore file used in this process did not include the Root certificate. Refer to this SOS.
Our network firewall was blocking the requests to the Auth Server. In your case it could be Jhipster registry's backend.
You must change the configuration in the docker file inside your server if you use docker, and when you enable SSL you must map the new URI in each docker file.
I had the same problem and this is the solution for it:
- SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI=http://127.0.0.1/auth/realms/jhipster
but after enabling SSL your service cannot show the above URL; you must change it to
- SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI=https://your-domain.eg/auth/realms/jhipster
After that you can authenticate without any problem.
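Both the oauth2_proxy answer above and this JHipster ISSUER_URI fix come down to the same check: the iss claim in the Keycloak-issued token must equal, as an exact string (scheme, host and port included), the realm URL the relying party is configured with. The diagnostic below is an added example and not code from oauth2_proxy, Keycloak or JHipster; it decodes the iss claim of a constructed token (constructed payload, placeholder signature) and compares it with the issuer implied by each of the three endpoint URLs from the oauth2_proxy question.

```python
"""Diagnose an OIDC issuer mismatch: the iss claim of a Keycloak-issued JWT
must equal, as an exact string, the realm URL the relying party (oauth2_proxy,
JHipster Registry, ...) is configured with.  Constructed example."""
import base64
import json

# Keycloak endpoints hang off <issuer>/protocol/openid-connect/<endpoint>.
OIDC_SUFFIX = "/protocol/openid-connect/"


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWS without checking the signature.
    For diagnosis only: unverified claims must never drive an authorization decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_from_endpoint(url: str) -> str:
    """Derive the realm issuer implied by a Keycloak openid-connect endpoint URL."""
    idx = url.find(OIDC_SUFFIX)
    if idx == -1:
        raise ValueError(f"not a Keycloak openid-connect endpoint: {url}")
    return url[:idx]


def check_issuer(jwt: str, endpoints: dict) -> dict:
    """Map each configured endpoint name to whether its implied issuer equals the
    token's iss claim.  Scheme, host AND port all take part in the comparison."""
    iss = decode_claims(jwt)["iss"]
    return {name: issuer_from_endpoint(url) == iss for name, url in endpoints.items()}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed token: its iss names the localhost:7575 host from the question's
# -login-url; the signature is a placeholder and is never verified here.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "http://localhost:7575/auth/realms/master",
                        "sub": "constructed-user", "azp": "abcd-client"}).encode()),
    "c2lnbmF0dXJl",
])

# The three endpoint URLs exactly as passed to oauth2_proxy in the question.
QUESTION_ENDPOINTS = {
    "login-url": "http://localhost:7575/auth/realms/master/protocol/openid-connect/auth",
    "redeem-url": "http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/token",
    "validate-url": "http://172.20.0.10:8080/auth/realms/master/protocol/openid-connect/userinfo",
}
```

Running check_issuer(SAMPLE_JWT, QUESTION_ENDPOINTS) flags redeem-url and validate-url as mismatches, which is what the "host.docker.internal" fix removes by giving all three URLs the same host and port.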
