EmbarkStudios / wg-ui

WireGuard Web UI for self-serve client configurations, with optional auth.
Apache License 2.0

Changes broke OIDC auth #166

Closed wknapik closed 2 years ago

wknapik commented 2 years ago

Changes between embarkstudios/wireguard-ui

sha256:68b9fdc449bae2221a628010fe4060c93799f59a68c17d7b5f9118a56d7892f9

and

sha256:65620724d22cadaa81721a9a1eedaa0b01ff9f3a190750c7dff91b9b19b869b9

appear to have broken OIDC auth.

When logging into the webui, the user is not recognized and displayed as "anonymous" (unable to see their configs).

At the moment I don't have more info. I just know the downgrade to the older version fixes the problem. I'll post here if/when I know more, but figured it would be good to let you know ASAP.

wknapik commented 2 years ago

With --auth-user-header=x-amzn-oidc-data passed to the server and an ALB in front, getting

time="2022-08-30T14:23:16Z" level=debug msg="Unauthenticated request"
time="2022-08-30T14:23:16Z" level=debug msg="Auth required"
time="2022-08-30T14:23:16Z" level=debug msg=anonymous

after a successful SSO login. Same setup works with older wireguard-ui (e.g. 1.3.0).

wknapik commented 2 years ago

When I log the actual error, I get "illegal base64 data at input byte 450" and/or "token contains an invalid number of segments", but it appears to be a valid ES256 token. jwt decode doesn't complain.
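
An added diagnostic in Go (not code from wg-ui or go-amzn-oidc) for the two messages quoted above: it splits the header value into JWT segments, decodes each strictly and then with padding, and reports the segment count and whether any segment needed '=' padding, which RFC 7515 forbids and Go's RawURLEncoding rejects with the "illegal base64 data at input byte N" error. Whether padding is the cause in this issue is an assumption; MakeToken produces constructed, unsigned test data, and nothing here checks the signature.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// InspectToken splits a compact JWS into its three segments, decodes each one
// and parses the claims. It does NOT verify the signature; it only explains why
// a strict JWT parser rejects the value. padded reports whether any segment
// carried '=' padding, which RFC 7515 forbids and RawURLEncoding rejects.
func InspectToken(tok string) (claims map[string]any, padded bool, err error) {
	parts := strings.Split(strings.TrimSpace(tok), ".")
	if len(parts) != 3 {
		return nil, false, fmt.Errorf("token contains %d segments, want 3", len(parts))
	}
	var raw [3][]byte
	for i, p := range parts {
		b, derr := base64.RawURLEncoding.DecodeString(p) // strict form first
		if derr != nil {
			if b, derr = base64.URLEncoding.DecodeString(p); derr != nil {
				return nil, false, fmt.Errorf("segment %d: %w", i, derr)
			}
			padded = true // only the padded alphabet accepted this segment
		}
		raw[i] = b
	}
	if err = json.Unmarshal(raw[1], &claims); err != nil {
		return nil, false, fmt.Errorf("claims segment is not JSON: %w", err)
	}
	return claims, padded, nil
}

// MakeToken builds an UNSIGNED token from constructed data (the signature bytes
// are a placeholder) in standard or padded form, so InspectToken can be run
// offline against both shapes of header value.
func MakeToken(claimsJSON string, pad bool) string {
	enc := base64.RawURLEncoding
	if pad {
		enc = base64.URLEncoding
	}
	e := func(s string) string { return enc.EncodeToString([]byte(s)) }
	return e(`{"alg":"ES256","typ":"JWT"}`) + "." + e(claimsJSON) + "." + e("not-a-real-signature")
}

func main() {
	fmt.Println(InspectToken(MakeToken(`{"sub":"bob"}`, true))) // map[sub:bob] true <nil>
}
```

To apply it to a captured header, pass the raw x-amzn-oidc-data value to InspectToken in place of MakeToken's output.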

wknapik commented 2 years ago

Downgrading github.com/fujiwara/go-amzn-oidc from v0.0.3 to v0.0.2 appears to resolve the issue. Opened https://github.com/fujiwara/go-amzn-oidc/issues/7 for this.

wknapik commented 2 years ago

Opened https://github.com/EmbarkStudios/wg-ui/pull/169 to address this via downgrade. There may be a better fix in the future, but this would unblock anyone affected by the issue who doesn't want to maintain their own fork and/or push/pull their own docker images.

Also the last release is a year old, so a new one would be useful anyway.

wknapik commented 2 years ago

@suom1 can you please trigger a new release? I'm mostly interested in a new docker image myself. Thanks!

EDIT: I see there's a fresh latest image, which is great, I can just pin to a hash, but it would be even better to have a tagged image.