How to set up Dex with Cloudflare Zero Trust?

[BRGustavoRibeiro]

Disclaimer: I'm really not used to working with LDAP/OpenID/Dex concepts at all. I have an idea of how everything works, but nothing too complex. I'm doing my best to understand it all, so please forgive me if this is a very basic question. 🙂

Describe the bug

I'm not sure if this is a bug.

As YunoHost's admin panel don't have many security features (no captcha, no 2FA, no multiple admins), I'm trying to set up a free Cloudflare Zero Trust instance into the /yunohost/admin/ subdirectory on my domain.

This is completely possible and already works like a charm, but the cherry on top would be syncing YunoHost's LDAP with Cloudflare ZT auth. This is only possible via OpenID Connect and this wonderful module.

I was trying to set up Dex to get a cool, simple OpenID Connect I could link with Cloudflare ZT.

Here is the information that Cloudflare asks for:

The issue here: while trying to install Dex, it asks for the "OIDC secret of the app you want to connect to the OIDC auth flow". Cloudflare does not provide such OIDC secret.

Here's how I'm trying to install Dex currently:

I've inserted a random string in the OIDC secret input - I would expect at least to get the credentials that Cloudflare is requesting at this documentation, but nothing is returned after the installation and I honestly have no idea how to get that info, as it wasn't provided to me during the installation of this module.

What am I doing wrong? 😕

Context

• Hardware: VPS / 6GB RAM / 200GB SSD / Running Debian 11, latest version of YunoHost. Fresh install.
• YunoHost version: 11.0.9.14
• I have access to my server: root
• Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: unsure
  • I didn't set up any custom packages or did any changes to my server outside YunoHost's webadmin panel. The instance is running completely proxied by Cloudflare. The directory domain.tld/yunohost/admin is blocked for unauthorized requests by Cloudflare Access (Cloudflare Zero Trust).
• Using, or trying to install package version/branch: latest

Expected behavior

I expected to perform a quick install - only insert the Callback URL, and after the install finishes, it would show me a page, a popup, or anything with the data that Cloudflare was requesting.

Steps to reproduce

N/A - No errors

Logs

N/A - No errors

[Limezy]

Hi ! I have to admit that dex_ynh documentation is very far from optimal...

What I would try for dex installation :

• Name of the app : put a name that will be then used for "App ID" in Cloudflare ZT
• OIDC Secret of the app : put a random string chain that will then be used for "Client Secret" in Cloudflare ZT
• Callback URI : as you did
• I will assume below that you've installed dex on https://yourserver.com/dex

What I would try for Cloudflare ZT setup :

• "App ID" : name you've put during dex installation
• "Client secret" : chain you've put during dex installation
• Auth URL : https://yourserver.com/dex/auth
• Token URL : https://yourserver.com/dex/token

For the certificate URL, I'm not very sure of what it is... The Outline_ynh app for which I have used Dex as the LDAP <-> OIDC connector requires me to input a "user info" URL, which I've put as https://yourserver.com/dex/userinfo Is it what they mean by "certificate URL" ? I don't know !

[Limezy]

OK, after checking quickly, you should be good using https://yourserver.com/dex/keys for the "Certificate URL" required value on Cloudflare ZT. Tell me if it worked !

[BRGustavoRibeiro]

Hey, bro! Thank you for helping me to sort this out.

I've done it correctly, but Dex didn't like Cloudflare's URL. Is this a configuration error on my side or Cloudflare's side? Is there anyway I can get a more detailed log?

Thanks again! 🙂 _I'll consider doing some PRs to help a bit with dexynh docs after this.

[Limezy]

Hi ! It's with pleasure. Is the screenshot you show here still on the dex domain ? I don't know on cloudflare side, but you should be able to read some better logs of the error by going to Yunohost administration, then services, then dex and have a look there

[Limezy]

Seen on dex github. I think you should definitely check the callback url you've put. Is your team name really randomteamname ?

[BRGustavoRibeiro]

Everything is on Dex domain. I'm changing the domain I'm using on everything I post here (including my previous screenshot, I've used Inspect Element to change the domain) because I'm quite paranoid with security, but I can send you in private if needed.

I should also point that I'm not running Dex from /dex, but from /advanced-res/oid. Here are my logs for /var/log/dex/dex.log.

time="2022-09-26T15:12:15Z" level=info msg="Dex Version: , Go Version: go1.17.13, Go OS/ARCH: linux amd64"
time="2022-09-26T15:12:15Z" level=info msg="config issuer: https://domain.tld/advanced-res/oid"
time="2022-09-26T15:12:15Z" level=info msg="config storage: sqlite3"
time="2022-09-26T15:12:15Z" level=info msg="config static client: openidssoauth"
time="2022-09-26T15:12:15Z" level=info msg="config connector: ldap"
time="2022-09-26T15:12:15Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-09-26T15:12:15Z" level=info msg="keys expired, rotating"
time="2022-09-26T15:12:15Z" level=info msg="keys rotated, next rotation: 2022-09-26 21:12:15.559447493 +0000 UTC"
time="2022-09-26T15:12:15Z" level=info msg="listening (http) on 127.0.0.1:5556"
time="2022-09-26T15:12:45Z" level=error msg="Failed to parse authorization request: Unregistered redirect_uri (\"https://randomteamname.cloudflareaccess.com/cdn-cgi/access/callback\")."
time="2022-09-26T15:25:47Z" level=error msg="Failed to parse authorization request: Unregistered redirect_uri (\"https://randomteamname.cloudflareaccess.com/cdn-cgi/access/callback\")."
time="2022-09-26T15:27:11Z" level=error msg="Failed to parse authorization request: Unregistered redirect_uri (\"https://randomteamname.cloudflareaccess.com/cdn-cgi/access/callback\")."

[BRGustavoRibeiro]

I believe I found the issue.

On Dex config.yaml, I found this:

Let me test - I believe it will work this time 👍

[BRGustavoRibeiro]

Yay! The login worked after I've fixed the double HTTPS issue.

Now we have one more error. This a fresh new one 😅

[BRGustavoRibeiro]

I found this comment at Cloudflare forums. Maybe its related to /keys?

[Limezy]

This seem like a last small tweak to be made, I believe in the "scopes" thing. May I let you google / search the dex documentation ?

Dex_ynh was originally designed as an ID provider for Outline_ynh, but I may need to add a few options at installation stage to cover for other cases such as yours.

I'm very interested to see whether we will manage to have a working setup or not !

[Limezy]

Yay! The login worked after I've fixed the double HTTPS issue.

Now we have one more error. This a fresh new one 😅

My fault telling you to add https:// before, sorry ! This seem like a problem, I will maybe change but I'm afraid it may break some installations. Will think of it. In any case it's very much necessary to show in the readme how that uri should be written

[Limezy]

I found this comment at Cloudflare forums. Maybe its related to /keys?

OK I didn't see your message before replying above. Forget these. I have searched a little bit, and I feel that at this stage it's a problem on Cloudflare side. You should maybe ask for help on their forum, as I feel Dex is correctly configured.

[BRGustavoRibeiro]

Heeeello again! I have an update about this.

Unfortunately, I won't be able to set this up in the short term as I'm rushing to set some things up for this project. I will try to configure the Dex-Cloudflare integration again in a few months, but for now, I will set Cloudflare ZT with my personal Github Organization SSO.

Thanks for the help, though! I'm very excited to see the future of this project with YunoHost. 🙂

[Limezy]

You're welcome, and feel free to reach out anytime to finish this !