arrikto / oidc-authservice

This is a fork/refactoring of the ajmyyra/ambassador-auth-oidc project
MIT License

Getting access denied 403 from OIDC login with Azure AD in Kubeflow #115

Open mohamedFaris47 opened 1 year ago

mohamedFaris47 commented 1 year ago

Is this a bug report or feature request?

**Describe the bug**
When trying to use Azure AD as an OIDC provider in Kubeflow v1.6.1 as mentioned in the documentation here, I get redirected to the Microsoft login. However, after a successful login I get redirected back to my Kubeflow website and get a page with error 403 access denied, and I get a panic error in the logs of the OIDC service pod.

**How to Reproduce**
Steps to reproduce the behavior:

  1. Download the kubeflow v1.6.1 manifest here
  2. Edit the manifest to use Azure AD OIDC provider as mentioned here
  3. Deploy Kubeflow on Azure AKS using this guide

**Expected behavior**
After a successful login on the Microsoft sign-in page, I should be redirected back to Kubeflow's dashboard and be able to use the UI directly.

**Config Files**

Secret parameters for the OIDC service:

```
CLIENT_ID=
CLIENT_SECRET=
```


**Logs**
These are the error logs that appear in the OIDC service pod after signing in with Microsoft

```
http: panic serving 10.248.0.13:42486: interface conversion: interface {} is nil, not string
goroutine 164 [running]:
net/http.(*conn).serve.func1(0xc0002f4e60)
	/usr/local/go/src/net/http/server.go:1767 +0x139
panic(0x88ee00, 0xc000102d20)
	/usr/local/go/src/runtime/panic.go:679 +0x1b2
main.(*server).callback(0xc0000f8100, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0300)
	/go/src/oidc-authservice/handlers.go:150 +0x1061
net/http.HandlerFunc.ServeHTTP(0xc0000e8340, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0300)
	/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/gorilla/mux.(*Router).ServeHTTP(0xc0000ea0c0, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0e00)
	/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe2
main.whitelistMiddleware.func1.1(0x9b6ce0, 0xc0000fe1c0, 0xc0000a0e00)
	/go/src/oidc-authservice/handlers.go:225 +0xf2
net/http.HandlerFunc.ServeHTTP(0xc00013c040, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0e00)
	/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/gorilla/handlers.(*cors).ServeHTTP(0xc000140000, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0e00)
	/go/pkg/mod/github.com/gorilla/handlers@v1.4.2/cors.go:54 +0x1037
net/http.serverHandler.ServeHTTP(0xc0000fe0e0, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0e00)
	/usr/local/go/src/net/http/server.go:2802 +0xa4
net/http.(*conn).serve(0xc0002f4e60, 0x9b7ea0, 0xc000282500)
	/usr/local/go/src/net/http/server.go:1890 +0x875
created by net/http.(*Server).Serve
	/usr/local/go/src/net/http/server.go:2927 +0x38e
```



**Environment:**
- Platform: (Azure AKS)
- Kubernetes version: 1.24.9
- Kubeflow v1.6.1
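
The panic text in the log above is what Go emits when a single-value type assertion to `string` is applied to a nil `interface{}`, for example a key that is absent from a decoded claims map. The following is an added example, not code from oidc-authservice or from this thread; the claim names, sample values and function names are assumptions. It shows the unchecked assertion next to a comma-ok form that returns an error the handler can log and answer with a clear status.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample: decoded ID-token claims that lack an "email" claim.
// The claim names are assumptions; the issue does not say which value was nil.
var sampleClaims = map[string]interface{}{
	"sub":                "constructed-subject-id",
	"preferred_username": "user@example.com",
}

// uncheckedClaim uses the single-value type assertion. A missing key yields
// a nil interface{} from the map, and the assertion panics at run time.
func uncheckedClaim(claims map[string]interface{}, name string) string {
	return claims[name].(string)
}

// panicMessage calls uncheckedClaim and returns the recovered panic text.
func panicMessage(claims map[string]interface{}, name string) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	uncheckedClaim(claims, name)
	return ""
}

// ErrClaimMissing marks a claim that is absent, empty, or not a string.
var ErrClaimMissing = errors.New("claim missing or not a non-empty string")

// checkedClaim uses the comma-ok assertion, so an absent or non-string claim
// becomes an error that names the claim instead of a panic in the handler.
func checkedClaim(claims map[string]interface{}, name string) (string, error) {
	v, ok := claims[name].(string)
	if !ok || v == "" {
		return "", fmt.Errorf("%w: %q", ErrClaimMissing, name)
	}
	return v, nil
}

func main() {
	fmt.Println("unchecked:", panicMessage(sampleClaims, "email"))
	_, err := checkedClaim(sampleClaims, "email")
	fmt.Println("checked:  ", err)
}
```

With the checked form, the log line names the claim the provider did not send, which is the detail the stack trace alone does not give.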

subasathees commented 1 year ago

Hi, I am also facing the same issue on the user login.
- Platform: On-premise
- Kubernetes version: 1.23.5
- Kubeflow v1.7.0