HTTP error 500 #60
Comments
The middleware must also wrap the /oidc/callback path
…On Mon, Jan 20, 2025 at 11:38 AM cowegner ***@***.***> wrote:
I am very excited about your project. Valuable addition to Traefik plugins.
I tried to configure it and only got that far. I'm testing with Traefik's
dashboard and using a standalone Traefik instance (no docker). I get only
"HTTP GET error" displayed on access of the dashboard URL.
Firefox web developer tools give me:
GET https://traefik.<RedactedDomain>/dashboard/
Status 500
Version HTTP/2
Übertragen 181 B (15 B Größe)
Anfrage-Priorität Highest
DNS-Auflösung System
I don't see any signs, that the OIDC plugin is invoked as a middleware at
all.
To make sure everything else is OK I also tested using basic-auth: this
shows up in the Traefik logs and the dashboard is displayed.
Testing my Keycloak instance (directly, without Traefik) using OpenID
Connect Debugger also succeeds without errors.
Middleware configuration (snippet) - taken almost completely from your
project:
```yaml
middlewares-keycloak-auth:
  plugin:
    traefik-oidc-auth:
      LogLevel: DEBUG
      Provider:
        Url: "https://keycloak.<RedactedDomain>:8443/realms/<RedactedRealmName>/protocol/openid-connect/auth"
        ClientId: "traefik-dashboard"
        ClientSecret: "<RedactedSecret>"
        # UsePkce: true # Use PKCE if your Provider supports this
      Scopes: ["openid", "profile", "email"]
      Headers:
        - Name: "X-Oidc-Username"
          Value: "{{`{{ .claims.preferred_username }}`}}"
        - Name: "X-Oidc-Subject"
          Value: "sub"
        - Name: "Authorization"
          Value: "{{`Bearer {{ .accessToken }}`}}"
      AuthorizationHeader:
        Name: "CustomAuth"
      AuthorizationCookie:
        Name: "CustomAuth"
```
Router configuration (snippet):
```yaml
routers:
  dashboard:
    entryPoints:
      - websecure
    rule: Host(`traefik.<RedacteDomain>`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
    priority: 1
    service: ***@***.***
    middlewares:
      # Basic auth for tests
      # - ***@***.***
      # Keycloak auth
      - middlewares-keycloak-auth
    # Enforce TLS and apply my "default" TLS options (defined in ***@***.***)
    tls: {}
```
Just one thing I can see: the Provider URL for Keycloak should only contain everything up to the realm name.
It should be:
The middleware will then use the OIDC discovery endpoint to detect all the URLs.
Still no joy :-( Outcome is the same. The URL line now reads
The callback URL is one thing I haven't understood yet. I know these callback URLs from IdPs, but I am not clear about your docs regarding this line and the Traefik dashboard which has the URL
What also worries me is that I don't see anything related to your OIDC plugin in the Traefik log. Shouldn't I see anything? If it helps: I have no problems sending you my whole config without "redacted" changes over a private channel.
You must define a route for that path which puts the middleware there. It’s
easiest to wrap the whole domain.
…On Mon, Jan 20, 2025 at 1:10 PM cowegner ***@***.***> wrote:
Still no joy :-(
Outcome is the same. The URL line now reads
Url: "https://keycloak.tupti.net:8443/realms/Tupti"
The callback URL is one thing I haven't understood yet. I know these
callback URLs from IdPs, but I am not clear about your docs regarding this
line and the Traefik dashboard which has the URL
https://traefik.<RedactedDomain>/dashboard/
and has no logic implemented on /oidc/callback and will not do anything
with what comes along this URL path.
The middleware must also wrap the /oidc/callback path
What also worries me is that I don't see anything related to your OIDC
plugin in the Traefik log. Shouldn't I see anything?
Could you put the path into my config as an example, please.
```yaml
routers:
  callback:
    entryPoints:
      - websecure
    rule: Host(`traefik.<RedacteDomain>`) && PathPrefix(`/oidc`)
    priority: 1
    service: noop@internal
    middlewares:
      # Keycloak auth
      - middlewares-keycloak-auth
    # Enforce TLS and apply my "default" TLS options (defined in default-tls@file)
    tls: {}
  dashboard:
    entryPoints:
      - websecure
    rule: Host(`traefik.<RedacteDomain>`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
    priority: 1
    service: api@internal
    middlewares:
      # Basic auth for tests
      # - middlewares-basic-auth@file
      # Keycloak auth
      - middlewares-keycloak-auth
    # Enforce TLS and apply my "default" TLS options (defined in default-tls@file)
    tls: {}
```
Apologies if that's not quite right, I'm on my phone
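A small configuration check, added here as an example (not the plugin's own code or any config from this thread), that flags hosts whose routers send traffic through the OIDC middleware while no router on that host sends /oidc/callback through the same middleware, which is the gap discussed above. The router dicts, the host name and the simplified treatment of PathPrefix matchers are assumptions.

```python
import re

# Constructed sample routers (hypothetical host), mirroring the layout in this
# thread: first only /api and /dashboard are wrapped, then a callback router is added.
ROUTERS_BEFORE = {
    "dashboard": {
        "rule": "Host(`traefik.example.test`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))",
        "middlewares": ["middlewares-keycloak-auth"],
    },
}
ROUTERS_AFTER = {
    "callback": {
        "rule": "Host(`traefik.example.test`) && PathPrefix(`/oidc`)",
        "middlewares": ["middlewares-keycloak-auth"],
    },
    "dashboard": ROUTERS_BEFORE["dashboard"],
}

HOST_RE = re.compile(r"Host\(`([^`]+)`\)")
PREFIX_RE = re.compile(r"PathPrefix\(`([^`]+)`\)")


def rule_covers(rule, path):
    """True if a router rule can match `path` on its host.
    Simplification (assumption): a rule without PathPrefix matches every path;
    with PathPrefix matchers it matches if any listed prefix covers the path."""
    prefixes = PREFIX_RE.findall(rule)
    if not prefixes:
        return True
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)


def uncovered_callbacks(routers, middleware, callback_path="/oidc/callback"):
    """Hosts that use `middleware` on some router but have no router sending
    `callback_path` through it. Middleware names are compared without the
    @provider suffix, so "oidc-auth@file" and "oidc-auth" are treated alike."""
    want = middleware.split("@")[0]
    hosts, covered = set(), set()
    for r in routers.values():
        if want not in [m.split("@")[0] for m in r.get("middlewares", [])]:
            continue
        for host in HOST_RE.findall(r["rule"]):
            hosts.add(host)
            if rule_covers(r["rule"], callback_path):
                covered.add(host)
    return sorted(hosts - covered)
```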
Nothing to apologize for. I'm grateful. We are moving. With your code line I now get a 404 back instead of HTTP 500. Still clueless :-( No, sorry. After closing and opening Firefox again it is still 500. But maybe I have to put the callback also in the middleware section?! I am pretty sure that now it's only a small thing, but I don't get it. From the plugin docs I understand that the CallbackUri should be part of the middleware section, not the router. What I believe it has to be:
In the client in Keycloak "/oidc/callback" is specified as a valid redirect URI as well. Still the same outcome of HTTP 500, even if I additionally specify a "callback router", as @cdanis mentioned.
What do Traefik logs tell you? There might be some more info about the cause of the error.
As said, the logs tell me nothing. I don't see any sign of engaging this middleware on the URL. Only thing I can tell: commenting out the oidc middleware in the router or replacing it by Traefik's basic-auth will let me access the dashboard.
Sadly I am new to Keycloak and still have no idea how to enable debug logging for the system and audit requests. But I doubt that any request makes it to Keycloak at all from the router/middleware. Using the OIDC Debugger for tests to verify client and realm shows me a Keycloak token as answer (of course after putting the OIDC Debugger callback URI also in the client).
@cowegner I've tried the same setup to secure the traefik dashboards.
```yaml
http:
  middlewares:
    oidc-auth:
      plugin:
        traefik-oidc-auth:
          LogLevel: DEBUG
          Provider:
            UrlEnv: "PROVIDER_URL"
            ClientIdEnv: "CLIENT_ID"
            ClientSecretEnv: "CLIENT_SECRET"
            UsePkce: false
            ValidateAudience: false
          SessionCookie:
            Secure: false
  routers:
    traefik-dashboard:
      entryPoints: ["web"]
      rule: "Host(`dashboard.127.0.0.1.sslip.io`)"
      service: dashboard@internal
      middlewares: ["oidc-auth@file"]
    traefik-dashboard-api:
      entryPoints: ["web"]
      rule: "Host(`dashboard.127.0.0.1.sslip.io`) && PathPrefix(`/api`)"
      service: api@internal
      middlewares: ["oidc-auth@file"]
    traefik-dashboard-auth: # Not really needed, because the first router would also include that
      entryPoints: ["web"]
      rule: "Host(`dashboard.127.0.0.1.sslip.io`) && PathPrefix(`/oidc/callback`)"
      service: noop@internal
      middlewares: ["oidc-auth@file"]
```
A few things to mention here:
If the middleware is loaded correctly, you should see a similar log output like this:
This is really weird. I completely replaced my Traefik config with a test one, based on your config. I omitted TLS entirely and am now accessing the dashboard URL using http. I run Firefox as a test browser, so I deleted everything: cookies, etc. In the following I have replaced my domain name using X instead of . Still I get the same message calling http://traefik.X/dashboard/: HTTP GET error in the browser window; Firefox dev tools show HTTP error 500. Here is my complete config. My static Traefik config now - traefik.yaml:
My only dynamic config now - router-dashboard.yaml:
In /var/log/traefik/traefik.log I see among others:
I don't see the other lines from your plugin! In particular I don't see "Configuration loaded successfully, starting OIDC Auth middleware"!
Do you have access to the stdout of the Traefik process? It seems like the plugin might be logging there, instead of to the log file.
Ah, as it turns out this is a limitation of Traefik: traefik/traefik#8204
Mmmh, this limitation makes it no fun at all. Thanks for disclosing this @cdanis
Here is the outcome of stdout from Traefik. It's complete up to the first call of the dashboard URL. My assumption that the request never reached Keycloak was obviously wrong. It seems to be a certificate error. Keycloak uses a LetsEncrypt (production, not staging) certificate.
Aren't the trusted OS certificates honored? I can successfully do "curl https://helloworld.letsencrypt.org" from bash. Nice thing: I'm starting to learn things about Traefik, Keycloak... even the Go language (just kiddin' ;-). Even from my first contact with Go I could modify the idc.go to make the http request - thanks to the comments already in the file:
Also the import of "crypto/tls" has been necessary. Now a browser reload shows a page from Keycloak: Invalid parameter: redirect_uri
Thx @cdanis, I forgot about that. I am always using docker to run my traefik instances... @cowegner the TLS issue seems to be related to #54.
@cowegner the TLS issue should be very resolve-able for you with v0.6.0. If you are getting that error from Keycloak still, you should double- and triple-check the redirect URI as you configured it in your Keycloak realm.
Alas, even with v0.6.0 there is still the (an?) error. IMHO, we are not reaching the redirect URL at this stage. I did two runs:
1st (HTTPS) gives me:
2nd (HTTP) gives me:
Calling the URL "https://keycloak.DOMAIN.net:8443/realms/REALM/.well-known/openid-configuration" in Firefox (calling the URL with http only, the response is still redirected to https) gives me correct OIDC discovery JSON output.
@cowegner hmm... can you please show me the log output from the beginning of the plugin?
Interesting: I don't see such a line nor any similar. Here's the console output, as well as traefik.log, which includes my whole config.
And additionally the traefik-access.log:
@cowegner thank you for the logs. You're using a self-signed certificate for your keycloak right?
```yaml
middlewares-keycloak-auth:
  plugin:
    traefik-oidc-auth:
      LogLevel: DEBUG
      Provider:
        Url: "https://keycloak.REDACTED.net:8443/realms/REDACTED"
        CABundleFile: "/etc/ssl/yourSelfSignedCertificatePublicKey.pem" # Or wherever it is
        ClientId: "traefik-dashboard"
        ClientSecret: "REDACTED"
```
Please have a look at the
I didn't specify a CA bundle because I assumed that in this case the system bundle from the underlying OS is used. I run Traefik in an LXC, not a docker container, and therefore do see the system's certificate pool. I do not use a self-signed certificate, but one from LetsEncrypt (production, not staging).
OK, tested with Console:
Despite the error, my test user gets a valid token. I can prove by calling https://keycloak.REDACTED.net:8443/realms/REDACTED/account in a second tab in Firefox. Without the previous call to Traefik, I get the Keycloak login page. After calling Traefik and getting the above error in console output, I get shown my Keycloak account info. Here is the relevant section from traefik.log:
Correct, Client Authentication is already turned on.
Success! In the end it has been the client secret, which I copied at the beginning from Keycloak but must have hit regenerate somewhere during this course. Sorry for that. Thank you very much!
Perfect. Great to hear that it's working for you now. 👍