ajmyyra / ambassador-auth-oidc

OpenID Connect AuthService for Ambassador API Gateway
MIT License

Ambassador 0.50 on /login redirect returns 404 #10

Closed volatilemolotov closed 5 years ago

volatilemolotov commented 5 years ago

I have trouble understanding the auth process. Looking at the flow diagram, the client authenticates against the auth service and Ambassador should just proxy the request to the app on successful auth. However, after setting everything up as in the example deployment (using Auth0), I get the following:

https://redacted.domain/login/oidc?code=Hg9neaU6hCkunLDu&state=8gLxLOLb is 404

What service should get this /login/oidc request?

ajmyyra commented 5 years ago

Hi! The URL looks like it should be handled by the authentication component, so Ambassador should proxy the request to AuthProxy for finishing the login flow. Can you see anything in either Ambassador's or AuthProxy's logs about this? If you don't see anything off, could you post your AuthProxy settings (redacted, of course), as it's possibly a misconfiguration.

The step is known as ID exchange, and this is the step where AuthProxy fetches the user identity from the provider (Auth0) to make sure that the login was successful.

volatilemolotov commented 5 years ago

I see in the auth proxy that it detects no auth and redirects to login. Config is in Kubernetes secrets and is as follows:

ambassador-auth-client-id: VALIDID
ambassador-auth-client-secret: VALIDSECRET
ambassador-auth-jwt-key: generated using openssl rand -base64 64|tr -d '\n '
ambassador-auth-oidc-provider: https://myusername.eu.auth0.com/
ambassador-auth-self-url: https://mydomain-used-on-ambassador-ip.redacted

Using Auth0 as auth provider (also tried with GSuite and the same thing happens). I get the redirect to the Auth0 login screen and after login I get the 404 on the https://mydomain-used-on-ambassador-ip.redacted/login/oidc?sometoken path.

ajmyyra commented 5 years ago

Does AuthProxy return the "no auth, redirecting" log line twice? On the first occasion this is supposed to happen as the user doesn't have a valid session, but the second time the state should exist. If you're seeing it twice, could you post your Kubernetes spec files (or if you're using the example ones in the misc folder, please let me know), so I can try to replicate the issue. I've been using Auth0 myself with AuthProxy and it behaves according to standard, so it isn't a problem on their side for sure.

volatilemolotov commented 5 years ago

This is the log output from the container:

2019/01/14 12:12:57 Using Redis at localhost:6379
2019/01/14 12:12:57 No SKIP_AUTH_URI specified, using '' as default.
2019/01/14 12:12:58 Starting web server at :8080
2019/01/14 12:13:13 10.164.0.12,10.28.0.17 /example/ Cookie not set, redirecting to login.
2019/01/14 12:14:47 10.164.0.12,10.28.0.17 /httpbin/ip Cookie not set, redirecting to login.

EDIT:

Yes, I'm using the example ones from the repo.

ajmyyra commented 5 years ago

It would seem that the redirect URL (your base URL + "/login/oidc") is not correctly forwarded to AuthProxy, as it's not seeing the redirect requests. The 404 is thus returned by Ambassador itself.

What version of Ambassador are you using? I haven't yet tested this with 0.50 release candidates and am using 0.40.0.

volatilemolotov commented 5 years ago

Yes, I am using the 0.50 RC. Will try downgrading and see what happens.

volatilemolotov commented 5 years ago

Works with ambassador 0.40.2.

@ajmyyra Have you got the energy to debug this? Is this something you plan on supporting? This auth plugin is a great alternative to Ambassador Pro. If you are willing, I can supply you with logs and debug output if you need it.

Thanks for help and for your great work.

volatilemolotov commented 5 years ago

@ajmyyra Think I have fixed it by adding:

      ---
      apiVersion: ambassador/v0
      kind:  Mapping
      name:  login_mapping
      prefix: /login/
      service: oidc-auth:8080

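As an added example (not the repository's own manifest, and not code from either participant), here is the Mapping above placed next to the AuthService definition in the annotation form that Ambassador 0.x reads from a Kubernetes Service. The point is that the AuthService hook alone only decides whether a request may pass; the OIDC callback `/login/oidc` still needs an ordinary route to the auth container, otherwise Ambassador has no upstream for it and answers 404 itself. The service name `oidc-auth` and port `8080` come from the comment above; the Service selector, the AuthService name and the absence of `allowed_headers` are assumptions for this illustration and must be adjusted to the real deployment.

```yaml
# Added example: Kubernetes Service for the OIDC AuthProxy container with
# Ambassador 0.x configuration in the getambassador.io/config annotation.
# Names below (oidc-auth, authentication, login_mapping, the selector)
# are assumptions, not taken from the project's misc/ manifests.
apiVersion: v1
kind: Service
metadata:
  name: oidc-auth
  annotations:
    getambassador.io/config: |
      ---
      # Every request to Ambassador is first sent to this service for an
      # allow/deny decision (and the "Cookie not set, redirecting to login"
      # redirect seen in the logs above).
      apiVersion: ambassador/v0
      kind: AuthService
      name: authentication
      auth_service: "oidc-auth:8080"
      # allowed_headers: list headers here if the auth service injects
      # identity headers that the upstream application needs to receive.
      ---
      # Without this Mapping the provider's redirect back to
      # https://<self-url>/login/oidc?code=...&state=... has no upstream
      # and Ambassador returns 404 before AuthProxy ever sees it.
      apiVersion: ambassador/v0
      kind: Mapping
      name: login_mapping
      prefix: /login/
      service: oidc-auth:8080
spec:
  selector:
    app: oidc-auth          # assumption: label used by the AuthProxy Deployment
  ports:
    - name: http
      port: 8080
      targetPort: 8080
```

A quick check after applying it: a request such as `curl -sI "https://<self-url>/login/oidc?code=x&state=y"` should now be answered by AuthProxy (and show up in its log) rather than returning Ambassador's 404; the same request against a host without the Mapping reproduces the error reported in this issue.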

ajmyyra commented 5 years ago

Cool stuff, thank you @volatilemolotov!

Future Ambassador versions will of course be supported, I just hadn't had the time to try the new version yet.

I'll test that the change doesn't break anything in earlier versions in the evening and merge it after that.