Open yphanikumar1995 opened 2 years ago
Hello, I have the same configuration as yours but I can get the Microsoft sign-in page, but when I sign in it redirects me back to my Kubeflow website with error 403 "Access denied". Have you found a solution for this problem?
Yes, facing the same issue on the on-premise environment with PingID SSO integration. When we put in the user name and password, it gives the error "Access denied".
Check the Azure AD group which you specified in the configuration; your user should be part of the group.
On Mon, 17 Jul, 2023, 10:33 pm subasathees, @.***> wrote:
Yes, facing the same issue on the on-premise environment with PingID SSO integration. When we put in the user name and password, it gives the error "Access denied".
Is this a bug report or feature request?
Describe the bug
We deployed oidc-authservice for Kubeflow and integrated it with Azure AD.
How to Reproduce
Expected behavior
Log in the Azure AD user successfully and be able to access the Kubeflow dashboard.
Config Files
We used the envs below:

```
OIDC_PROVIDER=https://login.microsoftonline.com//v2.0
OIDC_AUTH_URL=https://login.microsoftonline.com//oauth2/v2.0/authorize
OIDC_SCOPES=profile email
REDIRECT_URL=https://kubeflow-test.mydomain.com/login/oidc
SKIP_AUTH_URI=
USERID_HEADER=kubeflow-userid
USERID_PREFIX=
USERID_CLAIM=email
PORT="8080"
STORE_PATH=/var/lib/authservice/data.db
CLIENT_ID=
CLIENT_SECRET=
```
Added https://kubeflow-test.mydomain.com/login/oidc as the redirection URL in the Azure app registration.
Logs

```
time="2022-05-24T04:47:59Z" level=info msg="Starting readiness probe at 8081"
time="2022-05-24T04:47:59Z" level=info msg="No USERID_TOKEN_HEADER specified, using 'kubeflow-userid-token' as default."
time="2022-05-24T04:47:59Z" level=info msg="No SERVER_HOSTNAME specified, using '' as default."
time="2022-05-24T04:47:59Z" level=info msg="No SERVER_PORT specified, using '8080' as default."
time="2022-05-24T04:47:59Z" level=info msg="No SESSION_MAX_AGE specified, using '86400' as default."
time="2022-05-24T04:47:59Z" level=info msg="Starting web server at :8080"
2022/05/24 04:48:21 http: panic serving 10.244.0.249:57466: interface conversion: interface {} is nil, not string
goroutine 20 [running]:
net/http.(*conn).serve.func1(0xc0000968c0)
	/usr/local/go/src/net/http/server.go:1767 +0x139
panic(0x88ee00, 0xc0001ca5d0)
	/usr/local/go/src/runtime/panic.go:679 +0x1b2
main.(*server).callback(0xc0000e4100, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc900)
	/go/src/oidc-authservice/handlers.go:150 +0x1061
net/http.HandlerFunc.ServeHTTP(0xc0000d4330, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc900)
	/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/gorilla/mux.(*Router).ServeHTTP(0xc0000d60c0, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc700)
	/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe2
main.whitelistMiddleware.func1.1(0x9b6ce0, 0xc00032f0a0, 0xc0001dc700)
	/go/src/oidc-authservice/handlers.go:225 +0xf2
net/http.HandlerFunc.ServeHTTP(0xc000122040, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc700)
	/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/gorilla/handlers.(*cors).ServeHTTP(0xc000130000, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc700)
	/go/pkg/mod/github.com/gorilla/handlers@v1.4.2/cors.go:54 +0x1037
net/http.serverHandler.ServeHTTP(0xc0000e80e0, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc700)
	/usr/local/go/src/net/http/server.go:2802 +0xa4
net/http.(*conn).serve(0xc0000968c0, 0x9b7ea0, 0xc000122280)
	/usr/local/go/src/net/http/server.go:1890 +0x875
created by net/http.(*Server).Serve
	/usr/local/go/src/net/http/server.go:2927 +0x38e
time="2022-05-24T04:48:39Z" level=error msg="Failed to exchange authorization code with token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.\r\nTrace ID: b5d24d9e-76fe-44ca-aced-cce900c16c00\r\nCorrelation ID: e0e1823d-1f9a-4f37-9dbe-85d53bd9ce25\r\nTimestamp: 2022-05-24
```
Environment:
Additional context
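
The panic message in the log above, `interface conversion: interface {} is nil, not string`, is what Go raises when a single-value type assertion to `string` is applied to a nil interface value, such as a map lookup for a key that is absent. The following is an added example, not code from oidc-authservice or from the original post: it reads the claim named by `USERID_CLAIM` from a decoded claim set with an unchecked and a checked assertion. The function names and the sample claim sets are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrClaimMissing is returned when the configured user-ID claim is absent or not a string.
var ErrClaimMissing = errors.New("user-ID claim missing or not a string")

// uncheckedUserID (hypothetical) uses a single-value type assertion, which panics
// with "interface conversion: interface {} is nil, not string" on a missing claim.
func uncheckedUserID(claims map[string]interface{}, claim string) string {
	return claims[claim].(string)
}

// checkedUserID (hypothetical) uses the comma-ok form and fails closed with an error.
func checkedUserID(claims map[string]interface{}, claim string) (string, error) {
	v, ok := claims[claim].(string)
	if !ok || v == "" {
		return "", fmt.Errorf("%w: %q", ErrClaimMissing, claim)
	}
	return v, nil
}

// didPanic reports whether f panicked, so the unchecked path can be exercised safely.
func didPanic(f func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	f()
	return false
}

// parseClaims decodes a JSON claims object, as found in an ID-token payload.
func parseClaims(raw string) (map[string]interface{}, error) {
	var c map[string]interface{}
	err := json.Unmarshal([]byte(raw), &c)
	return c, err
}

func main() {
	// Constructed claim sets (not real tokens): one without "email", one with it.
	for _, raw := range []string{`{"sub":"abc"}`, `{"sub":"abc","email":"user@example.com"}`} {
		claims, _ := parseClaims(raw)
		id, err := checkedUserID(claims, "email")
		panicked := didPanic(func() { uncheckedUserID(claims, "email") })
		fmt.Printf("checked: id=%q err=%v | unchecked panicked: %v\n", id, err, panicked)
	}
}
```

With the checked form, a token that lacks the configured claim becomes a loggable error naming the claim instead of a handler panic.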