
Get undefined in location URI after Keycloak authentication #79

Closed
asyd opened this issue Jun 18, 2020 · 3 comments


asyd commented Jun 18, 2020

Hi @travisghansen,

I'm trying to get eas working in the following architecture (each one is a container):

  • eas
  • a simple python demo for testing purposes
  • keycloak
  • traefikv2

Here is my eas configuration:

let config_token = {
  eas: {
    plugins: [
      {
        type: "oidc",
        issuer: {
          discover_url: "https://auth.example.com/auth/realms/demo/.well-known/openid-configuration"
        },
        client: {
          client_id: 'eas',
          client_secret: 'xxxx',
        },
        scopes: ['openid', 'email', 'profile'],
        custom_authorization_parameters: {}, // key spelled as in the eas README; original had "custom_authorization_paremeters", which eas would ignore
        redirect_uri: 'https://eas.example.com/oauth/callback',
        features: {
          cookie_expiry: false,
          userinfo_query: true,
          session_expiry: true,
          session_expiry_refresh_window: 86400, // key spelled as in the eas README; original had "session_expiry_refresh_windows", which eas would ignore
          session_retain_id: true,
          authorization_token: 'access_token',
          fetch_userinfo: true,
        },
        assertions: {
          exp: true,
          nbf: true,
          iss: true,
          userinfo: []
        },
        xhr: {},
        cookie: {},
        custom_error_headers: {},
        custom_service_headers: {},
      }
    ]
  }
}

The demo backend is declared with the following labels in traefik:

      - "traefik.enable=true"
      - "traefik.http.routers.demo.rule=Host(`demo.example.com`)"
      - "traefik.http.routers.demo.entryPoints=https"
      - "traefik.http.routers.demo.tls=true"
      - "traefik.http.routers.demo.tls.certResolver=letsencrypt"
      - "traefik.http.routers.demo.middlewares=eas-gitlab@file"
      - "traefik.http.services.demo.loadbalancer.server.port=8000"
      - "traefik.http.services.demo.loadbalancer.server.scheme=http"

And the middleware:

http:
  middlewares:
    eas-gitlab:
      forwardAuth:
        trustForwardHeader: true
        address: "https://eas.example.com/verify?config_token=xxx"

Once I'm logged in to keycloak, I'm redirected to eas.example.com, and then get a response with the following header:

location: https://eas.example.comundefined/?__eas_oauth_handler__=authorization_callback&code=xxx&session_state=yy&state=xxx

I first had a look at #23 but I must confess I'm not sure I understand the source of the issue. As far as I can tell, all user requests received by eas include X-Forwarded headers (but not the traefik requests to /verify, of course):

X-Forwarded-For: xxxx
X-Forwarded-Host: eas.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: b1dbda6b3efc

Here are some eas debug logs where undefined appears for the first time:

eas_1         | verbose: parent request info: {"uri":"https://eas.example.comundefined","parsedUri":{"scheme":"https","host":"eas.example.comundefined","path":"","reference":"absolute"},"parsedQuery":{}}
eas_1         | verbose: audMD5: 3b37aad6a3106ebb7e1bf3ff6f33e857
eas_1         | verbose: cookie name: _eas_oauth_session

Can you confirm the missing part should be the requested URI?

Thanks!


asyd commented Jun 18, 2020

Got it,

sounds like writing a bug report helps a lot to clarify things :)

Traefik must be configured to trust headers from eas (I guess?):

entrypoints:
  http:
    address: ":80"

  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        - "172.16.255.0/24"
        - "127.0.0.1/32"

where my containers are started in 172.16.255.0/24 network.

@asyd asyd closed this as completed Jun 18, 2020
travisghansen (Owner) commented:

That’s interesting. Keep me in the loop if you see this again as it appears to be an issue with the initial request going down to eas (before the redirect to keycloak). Maybe what you’ve done fully resolves the issue but I find it strange that eas was able to determine part of the request (it clearly properly detected the host for example) but not all of it.

In any case thanks for the interest and glad you got it working! Here to help if anything else pops up.

kettenbach-it commented:

I can confirm that "trustedIPs" is needed as well when running traefik 2.4 and eas with Google OIDC.
I supplied the needed parameters in the YAML file for the DaemonSet running traefik:

          - "--entryPoints.http.address=:8000/tcp"
          - "--entryPoints.http.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
          - "--entryPoints.https.address=:8443/tcp"
          - "--entryPoints.https.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
