Netflix-Skunkworks / stethoscope

Personalized, user-focused recommendations for employee information security.
Apache License 2.0

JWT Error: Token could not be decoded. #118

Status: Open. TacticalCheerio opened this issue 6 years ago.

TacticalCheerio commented 6 years ago

I'm having an issue with logging in once I enable OIDC. When I navigate to the page, Google shows me a 400 error:

> 400. That's an error.
>
> Error: invalid_request
>
> device_id and device_name are required for private IP: http://ip:5000/auth/oidc

I've changed my hosts file to have a domain name that can be used for the redirect URI in the Google console. Currently running this through docker-compose and when the login fails I see:

```
login_1 | [ERROR stethoscope.login.factory] Invalid token in auth flow:
login_1 | Traceback (most recent call last):
login_1 |   File "/code/stethoscope/login/factory.py", line 115, in index
login_1 |     userinfo = auth.decode_token(token)
login_1 |   File "/code/stethoscope/auth.py", line 46, in decode_token
login_1 |     raise werkzeug.exceptions.Unauthorized("JWT Error: Token could not be decoded.")
login_1 | Unauthorized: 401 Unauthorized: JWT Error: Token could not be decoded.
login_1 | - - [06/Jul/2018 23:03:05] "GET / HTTP/1.0" 302 -
```

Here is my current config.py file:

```python
LOGIN_MANAGER = 'oidc'

OIDC_AUTHORIZATION_URL = 'https://accounts.google.com/o/oauth2/v2/auth'
OIDC_TOKEN_URL = 'https://www.googleapis.com/oauth2/v4/token'
OIDC_USERINFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo'
OIDC_CLIENT_ID = 'redacted.apps.googleusercontent.com'
OIDC_CLIENT_SECRET = 'redacted'

OIDC_CALLBACK_PATHS = ['/auth/oidc', '/auth/oidc/']
OIDC_CALLBACK_URL = 'ip'
OIDC_CALLBACK_PORT = 5000
OIDC_CALLBACK_SCHEME = 'http'

PLUGINS = {
    'google': {
        # Service-account JSON, embedded as a string (values redacted)
        'GOOGLE_API_SECRETS': '''{
            "type": "service_account",
            "project_id": "redacted",
            "private_key_id": "redacted",
            "private_key": "redacted",
            "client_email": "redacted",
            "client_id": "redacted",
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://accounts.google.com/o/oauth2/token",
            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs...",
            "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509..."
        }''',
        'GOOGLE_API_USERNAME': 'Stethoscope',
        'GOOGLE_API_SCOPES': [
            "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
            "https://www.googleapis.com/auth/admin.directory.device.mobile.readonly",
            "https://www.googleapis.com/auth/admin.directory.user.readonly",
            "https://www.googleapis.com/auth/admin.reports.audit.readonly",
            "https://www.googleapis.com/auth/admin.reports.usage.readonly",
        ],
    },
}
```

Any help is appreciated!

andrewmwhite commented 6 years ago

I'm not able to replicate this. A couple ideas/things to try:

  1. Make sure JWT_SECRET_KEY and SECRET_KEY are set as described here: https://github.com/Netflix/stethoscope/blob/master/instance/config.py
  2. Try using 127.0.0.1 instead of the hosts file entry. Whichever you use has to be registered with Google (including the port and scheme).
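Since the traceback ends in decode_token and the first suggestion is to check JWT_SECRET_KEY, here is an added stand-alone example (my own code, not stethoscope's) of why a JWT stops decoding: a minimal HS256 signer and verifier in pure Python. It assumes the symmetric-key case, where the same secret must be configured on the side that mints the token and the side that checks it; a token minted under one key, or checked with no key at all, fails the way the log shows.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(claims: dict, secret: str) -> str:
    """Mint a compact HS256 JWT: b64url(header).b64url(payload).b64url(signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_token(token: str, secret: str) -> dict:
    """Verify the HS256 signature and return the claims; raise ValueError otherwise.
    Only HS256 is accepted, so a token whose header says alg=none is rejected."""
    if not secret:
        raise ValueError("JWT secret is not configured")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        raise ValueError("Token could not be decoded: malformed")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("Token could not be decoded: unsupported alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("Token could not be decoded: signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def decode_outcome(token: str, secret: str) -> str:
    """Return 'ok' or the reason decoding failed (handy for a config sanity check)."""
    try:
        decode_token(token, secret)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Running decode_outcome against a token minted by one container with the secret read from another container's config is a quick way to confirm that both docker-compose services see the same JWT_SECRET_KEY.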