arrikto / oidc-authservice

This is a fork/refactoring of the ajmyyra/ambassador-auth-oidc project
MIT License

all URIs are whitelisted and cannot be secured by OIDC provider #116

Closed RoyOsaki closed 1 year ago

RoyOsaki commented 1 year ago

Is this a bug report or feature request?

Describe the bug

AuthService used with KubeFlow 1.7 and OIDC passes all requests as whitelisted.

I am not sure why SkipAuthURLs is empty but the requests are all whitelisted.

How to Reproduce

Steps to reproduce the behavior:

  1. Deploy AuthService in kubeflow 1.7 using kustomize
  2. Access top page of kubeflow
  3. See error in authservice log by kubectl logs authservice-0 -n kubeflow

Logs

The logs from authservice are as follows.

time="2023-06-17T07:01:50Z" level=info msg="Config: &{ProviderURL:https://xxxxxxxx ClientID:xxxxxx ClientSecret:xxxxxxx OIDCAuthURL: RedirectURL:https://xxxxxx/oidc/callback OIDCScopes:[openid profile email groups] StrictSessionValidation:false OIDCStateStorePath:/var/lib/authservice/data.db AuthserviceURLPrefix:https://xxxxxxx SkipAuthURLs:[] AuthHeader:Authorization Audiences:[istio-ingressgateway.istio-system.svc.cluster.local] HomepageURL:https://xxxxxxx/site/homepage AfterLoginURL: AfterLogoutURL:https://xxxxxxxx/site/after_logout UserIDHeader:kubeflow-userid GroupsHeader:kubeflow-groups UserIDPrefix: UserIDTransformer:{rules:[]} UserIDClaim:email UserIDTokenHeader: GroupsClaim:groups IDTokenHeader:Authorization Hostname: Port:8080 WebServerPort:8082 ReadinessProbePort:8081 CABundlePath: SessionStorePath:/var/lib/authservice/data.db SessionMaxAge:86400 SessionSameSite:Lax ClientName:AuthService ThemesURL:themes Theme:kubeflow TemplatePath:[web/templates/default] UserTemplateContext:map[] GroupsAllowlist:[*]}"
time="2023-06-17T07:02:32Z" level=info msg="URI is whitelisted. Accepted without authorization." ip=192.168.93.103 request="/?ns=kubeflow-user-example-com"
time="2023-06-17T07:02:32Z" level=info msg="URI is whitelisted. Accepted without authorization." ip=192.168.93.103 request=/webcomponentsjs/webcomponents-loader.js
time="2023-06-17T07:02:32Z" level=info msg="URI is whitelisted. Accepted without authorization." ip=192.168.93.103 request=/app.css
time="2023-06-17T07:02:32Z" level=info msg="URI is whitelisted. Accepted without authorization." ip=192.168.93.103 request=/webcomponentsjs/custom-elements-es5-adapter.js
time="2023-06-17T07:02:32Z" level=info msg="URI is whitelisted. Accepted without authorization." ip=192.168.93.103 request=/vendor.bundle.js
time="2023-06-17T07:02:32Z" level=info msg="URI is whitelisted. Accepted without authorization." ip=192.168.93.103 request=/app.bundle.js
time="2023-06-17T07:02:32Z" level=info msg="URI is whitelisted. Accepted without authorization." ip=192.168.93.103 request=/dashboard_lib.bundle.js

Environment:

RoyOsaki commented 1 year ago

Sorry, this issue was resolved. I am guessing that the reason was long reflection time.
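A log check for the symptom reported in this issue, as an added example that is not part of the thread or the project's code: it reads the SkipAuthURLs value from the logged Config line and lists every "URI is whitelisted" request that no configured entry covers. It assumes entries are matched as path prefixes and considers only the logged SkipAuthURLs value; the sample lines are constructed in the same log format with placeholder values.

```python
import re

# Constructed sample in the logrus text format shown in the issue; values are placeholders.
SAMPLE_LOG = '''\
time="2023-06-17T07:01:50Z" level=info msg="Config: &{ProviderURL:https://idp.example SkipAuthURLs:[] AuthHeader:Authorization}"
time="2023-06-17T07:02:32Z" level=info msg="URI is whitelisted. Accepted without authorization." ip=192.0.2.10 request="/?ns=team-a"
time="2023-06-17T07:02:32Z" level=info msg="URI is whitelisted. Accepted without authorization." ip=192.0.2.10 request=/app.css
'''

FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SKIP = re.compile(r'SkipAuthURLs:\[([^\]]*)\]')
BYPASS_MSG = "URI is whitelisted"


def parse_fields(line):
    """Split one logrus text line into a dict of key -> unquoted value."""
    out = {}
    for key, val in FIELD.findall(line):
        if val.startswith('"'):
            val = re.sub(r'\\(.)', r'\1', val[1:-1])
        out[key] = val
    return out


def audit(log_text):
    """Return (skip_urls, unexplained): bypassed requests no SkipAuthURLs prefix covers."""
    skip_urls, unexplained = [], []
    for line in log_text.splitlines():
        f = parse_fields(line)
        msg = f.get("msg", "")
        m = SKIP.search(msg) if msg.startswith("Config:") else None
        if m:
            skip_urls = m.group(1).split()  # Go prints a []string space-separated
        elif msg.startswith(BYPASS_MSG):
            path = f.get("request", "")
            # Assumption: entries are matched as path prefixes.
            if not any(path.startswith(p) for p in skip_urls):
                unexplained.append((f.get("time"), f.get("ip"), path))
    return skip_urls, unexplained


if __name__ == "__main__":
    urls, hits = audit(SAMPLE_LOG)
    print(f"SkipAuthURLs={urls} unexplained_bypasses={len(hits)}")
    for t, ip, path in hits:
        print(f"  {t} {ip} {path}")
```

A non-empty result means requests are being accepted without authorization for paths the configured skip list does not explain, which is the condition described in the report.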