Open weeco opened 5 years ago
After looking at the code here https://github.com/buzzfeed/sso/blob/master/internal/auth/middleware.go#L106-L124 it seems this issue appears because of `validateRedirectURI` (the host is indeed grafana.service.int.mydomain.com in my request, which returns status code 400).
My blind guess is that `if !validRedirectURI(redirectURI, p.ProxyRootDomains)` returns false, which may happen because `redirectURL.Hostname()` hasn't set the correct rootDomain or doesn't get the correct redirectUri. Maybe you can log the passed parameters in case this if condition fails?
`if strings.HasSuffix(redirectURL.Hostname(), domain)`
Additional info: My redirect_uri is set to `http://grafana.service.int.mydomain.com/oauth2/callback` (surprisingly http and not https?). Any help is appreciated.
Ok, I figured it out: indeed my root domain was wrong, but I'd like to propose to log the passed parameters in `validateRedirectURI` in case `if strings.HasSuffix(redirectURL.Hostname(), domain)` fails. What do you think?
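One way the proposed check and its logging could look, as an added example written for this thread and not code from the buzzfeed/sso project: `validateRedirectURI`, `hostMatchesRootDomain` and the constructed inputs (the Grafana callback URL from the report and a deliberately wrong root domain) are assumptions, not the project's own identifiers. It goes one step beyond the bare `strings.HasSuffix` shown above by requiring a `.` boundary before the root domain, so a host such as `evilmydomain.com` cannot satisfy a root domain of `mydomain.com`; when the check fails it logs both sides of the comparison, which is exactly what would have exposed the misconfigured root domain here.

```go
package main

import (
	"fmt"
	"log"
	"net/url"
	"strings"
)

// hostMatchesRootDomain reports whether host is rootDomain itself or a
// subdomain of it. Insisting on the "." boundary, rather than a bare
// strings.HasSuffix, stops "evilmydomain.com" from matching "mydomain.com".
// A leading "." on the configured root domain (".mydomain.com") is tolerated.
func hostMatchesRootDomain(host, rootDomain string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	rootDomain = strings.ToLower(strings.TrimPrefix(strings.TrimSuffix(rootDomain, "."), "."))
	if host == "" || rootDomain == "" {
		return false
	}
	return host == rootDomain || strings.HasSuffix(host, "."+rootDomain)
}

// validateRedirectURI parses a redirect_uri and checks it against the
// configured root domains (hypothetical helper, not the project's API).
// On failure the returned error names the parsed hostname and the domains
// that were tried, so the operator can see which side is misconfigured.
func validateRedirectURI(rawRedirect string, rootDomains []string) (*url.URL, error) {
	u, err := url.Parse(rawRedirect)
	if err != nil {
		return nil, fmt.Errorf("redirect_uri %q is not a valid URL: %w", rawRedirect, err)
	}
	// Only web schemes make sense for an OAuth callback; this also rejects
	// opaque URLs such as "javascript:..." whose Hostname() is empty.
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("redirect_uri %q has unsupported scheme %q", rawRedirect, u.Scheme)
	}
	host := u.Hostname()
	for _, d := range rootDomains {
		if hostMatchesRootDomain(host, d) {
			return u, nil
		}
	}
	return nil, fmt.Errorf("redirect_uri host %q does not match any configured root domain %v", host, rootDomains)
}

func main() {
	// Constructed inputs modelled on the thread: the callback lives on
	// grafana.service.int.mydomain.com; the first root-domain list is the
	// kind of misconfiguration the reporter hit, the second is correct.
	redirect := "http://grafana.service.int.mydomain.com/oauth2/callback"
	for _, roots := range [][]string{{"example.com"}, {"mydomain.com"}} {
		if _, err := validateRedirectURI(redirect, roots); err != nil {
			log.Printf("invalid redirect parameter: %v", err)
			continue
		}
		log.Printf("redirect_uri %s accepted for root domains %v", redirect, roots)
	}
}
```

Logging the hostname and the root-domain list together is enough to diagnose this class of misconfiguration without logging the full URL, which may carry a state parameter or other query data that does not belong in logs.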
@weeco was just firing up a cluster to try to troubleshoot. Think there is anything we could add to https://github.com/buzzfeed/sso/blob/master/docs/quickstart.md or https://medium.com/@while1eq1/single-sign-on-for-internal-apps-in-kubernetes-using-google-oauth-sso-2386a34bc433 to make this more straightforward?
We set http just for the quickstart to simplify the setup; in actual practice we use https for our clusters, even in dev.
@danbf I am trying to achieve the same. I believe some sort of "production checklist" is helpful if you want to keep going with the "demo setup tutorial" to just get it up. However, this issue is primarily about the specific use case where someone accidentally uses a wrong proxyRootDomain. I believe my proposal to add a log message (see my previous comment) would be helpful.
For https support, just leave off `COOKIE_SECURE`, which defaults to `true` (you will need valid certs!). Default values are set here:
https://github.com/buzzfeed/sso/blob/3a64e696452e2fea5d571e63ad5a53e45694ecd1/internal/auth/options.go#L76
https://github.com/buzzfeed/sso/blob/1662f7cc129421a9d2ac8aff577823bbd3703ec8/internal/proxy/options.go#L71
or explicitly set

```yaml
- name: COOKIE_SECURE
  value: "true"
```

here in the kubernetes quickstart: https://github.com/buzzfeed/sso/blob/cba449199768d18606bdf88b65ca1b8e64448a36/quickstart/kubernetes/sso-auth-deployment.yml#L78-L79 https://github.com/buzzfeed/sso/blob/cba449199768d18606bdf88b65ca1b8e64448a36/quickstart/kubernetes/sso-proxy-deployment.yml#L53-L54
I think there is a case for better logging for sure.
I just tried to set up the SSO application on my kubernetes cluster. Unfortunately I ran into this screen (Invalid redirect parameter):
Hence I followed the logs of my proxy and auth containers, trying to get more information about what is going wrong there. The following logs were produced when I requested my protected service (grafana.service.int.mydomain.com):
**Buzzfeed SSO auth:**
**Buzzfeed SSO proxy:**
Question:
How could I investigate this error?