Netflix / lemur

Repository for the Lemur Certificate Manager
Apache License 2.0

Oauth2 with Azure issue #5007

Closed andreisolo0 closed 1 week ago

andreisolo0 commented 2 weeks ago

Hi, according to the docs I managed to add the configs for the Azure Oauth flow. The Azure part of the Oauth seems to work, but on Lemur I am getting 405 Not Allowed from nginx. I cannot see any useful logs.

My oauth config:

# Authentication Providers
ACTIVE_PROVIDERS = ["oauth2"]
OAUTH2_SECRET = "VerySecret"
OAUTH2_ACCESS_TOKEN_URL = "https://login.microsoftonline.com/my-id/oauth2/v2.0/token"
OAUTH2_USER_API_URL = "https://graph.microsoft.com/oidc/userinfo"
OAUTH2_JWKS_URL = "https://login.microsoftonline.com/my-id/discovery/v2.0/keys"
OAUTH2_NAME = "Microsoft Azure AD"
OAUTH2_CLIENT_ID = "my-client-id"
OAUTH2_URL = "https://my.lemur.com"
OAUTH2_REDIRECT_URI = "https://my.lemur.com/api/1/auth/oauth2"
OAUTH2_AUTH_ENDPOINT = "https://login.microsoftonline.com/my-id/oauth2/v2.0/authorize"
OAUTH2_SCOPE = ["openid", "email", "profile", "Group.Read.All"]

I am using Group.Read.All since I was receiving an error when trying to ask for the scope groups, which did not exist.

Also, I am getting multiple 200 responses in the lemur log file:

Nov 12 15:55:07 lemur-clm lemur[2266537]: [2024-11-12 15:55:07,548] INFO in __init__: {'lemur': 'lemur-clm', 'ingress-ip': '127.0.0.1', 'request-id': None, 'ip': 'my-ip', 'method': 'GET', 'scheme': 'http', 'path': '/api/1/auth/oauth2?<sanitized_query_parameters>', 'status': 200, 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36', 'referer': 'https://login.microsoftonline.com/', 'host': 'my.lemur.com'}
Nov 12 15:55:07 lemur-clm lemur[2266537]: {'lemur': 'lemur-clm', 'ingress-ip': '127.0.0.1', 'request-id': None, 'ip': 'my-ip', 'method': 'GET', 'scheme': 'http', 'path': '/api/1/auth/oauth2?<sanitized_query_parameters>', 'status': 200, 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36', 'referer': 'https://login.microsoftonline.com/', 'host': 'my.lemur.com'}
Nov 12 15:55:07 lemur-clm lemur[2266537]: {'lemur': 'lemur-clm', 'ingress-ip': '127.0.0.1', 'request-id': None, 'ip': 'my-ip', 'method': 'GET', 'scheme': 'http', 'path': '/api/1/auth/oauth2?<sanitized_query_parameters>', 'status': 200, 'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36', 'referer': 'https://login.microsoftonline.com/', 'host': 'my.lemur.com'}

The only log where I see the 405 is the nginx access log:

my-ip - - [12/Nov/2024:15:57:28 +0000] "GET /api/1/auth/oauth2?code=1.AYIAKasfasaISQ_gww287P4iG5-KnhHo1fIZHyJxtiCAJmCAA.AgABBAIAAADW6jl31mB3T7ugrWTT8pFeAwDs_wUA9P-DSXJ4n49MTvEX7Rp4Z1wIOdd_dEhgW-t0Ybya1THr7F0xg76Al0pjEiXfE-K8BrcTBqGnLC7qVTH2Wotbskv6gCgnowppd52g6CytcQq4RcjPPTojJPnmTPpBFz9frlAuR2lL9V6OYGBTrH2MBzHNr7gZe2eQhtQjh9sNSrE-GJCEJN2oOkxvpUYOmCrBLfjmgRefkql0xAwnl5ciRCRt_ClVDm0Qp-ucA6BMLiHfxBgU-Q5YSmUWhsytg_RHClb3NEb0uEPNKhuNYa4PlTuuls1JloZfjf9QjQA8iDmGMKHrc28DO0Omnf2vo8x_NkBss731AETWUMKFm5PXxPBY3Z-Vecp6XI45HBPEIDqrbGNIsfs31dUxYdG1SeUzPsjlDbT13kE-Ji0NI98YHuk7KtKf4ijzT4SmkDdqxSpiklbTIEa6qACuP5PzPFKHVLcQUjZwV_dlqc0TIXhX6ihX8QieTsIF-4FkmWubtxRrMq47ntIa1kx95QMKgR9u7yjo3j6RGZh0zi0ZykOsAJUh7dhWg8AFYl6yvU4v_0bs7LQCxwbqTMe8CxPmSVF4f9wZArzQDnrcxDkpxw_a83q14EtDA_2MVCeEz05f7OeR-LeaL7jTy5asI7YPOAaYfK2W55HBhsafasMLUUXjBTFf3xZnCWQaMBmXq2AVHYzVQ9avaj58DynTC_5GNzJweKc9ZdlDv4iMrRWP-i8Y7CElawMEE79qxm5eL3aZTGCIcx4nsdLXO5DgB_UrN4kFHey1zkejenBwzs7Th2Ry3xA5u4G1ujXzy9kyfyo2HlS0Iy3U1J8pjeTFPy04YCbNNfbOjGC2eP51_FAX-5TbS2gGmeHjmqs5YjTQe3uPj0LSeYyV9Wl4WqQ5KF0tZmrSrKj0f9kKsoq5Kp-q7Jauet7SEzG41HTpxVUzeNjOw_o1qMId7_7zzH0P5DdolDsIAKU4oUSsrH_CKhTZK46EpADevQ7BVajEzMIhke73KFzw37UmavmeVlgueipHI707APJMeU6et-Oo&state=67337adc%3aj3Slg53%2fqEGnsss6glOeFi9LHn0bTN9jov7GCQo%3d&session_state=7df4d5a2-3205-43a7-bf76-546b465d7531 HTTP/1.1" 200 17 "https://my.lemur.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
my-ip - - [12/Nov/2024:15:57:28 +0000] "POST / HTTP/1.1" 405 568 "https://my.lemur.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"

On the frontend side I am getting the red badge popup with "Whoa there".

Any ideas? Thanks!

andreisolo0 commented 1 week ago

My problem seemed to have been fixed after removing OAUTH2_URL from the config, so it automatically gets the OAUTH2_REDIRECT_URI according to the code, and then editing auth/views.py and setting

PING_INCLUDE_BEARER_TOKEN = True in config