Getting occasional 403 following quickstart guide

[samitpal]

Describe the bug Installed docker and docker-compose on my mac following the quick start guide. Mac OS

Mojave

Docker version

Client: Docker Engine - Community

Version: 19.03.5 API version: 1.40 Go version: go1.12.12 Git commit: 633a0ea Built: Wed Nov 13 07:22:34 2019 OS/Arch: darwin/amd64 Experimental: false

Server: Docker Engine - Community Engine: Version: 19.03.5 API version: 1.40 (minimum version 1.12) Go version: go1.12.12 Git commit: 633a0ea Built: Wed Nov 13 07:29:19 2019 OS/Arch: linux/amd64 Experimental: false containerd: Version: v1.2.10 GitCommit: b34a5c8af56e510852c35414db4c1f4fa6172339 runc: Version: 1.0.0-rc8+dev GitCommit: 3e425f80a8c931f88e6d94a8c831b9d5aa481657 docker-init: Version: 0.18.0 GitCommit: fec3683

Docker compose version

docker-compose version 1.24.1, build 4667896b

I'm using Google provider.

Everything works fine except that i get occasional 403 on both the http://hello-world.sso.localtest.me/, http://httpbin.sso.localtest.me/. After every 403, refreshing the page gets to to work. I see user is no longer in valid groups message whenever the backends throws the 403 error.

[samitpal]

Any pointers on this?

The error message is as follows

sso-proxy_1    | {"error":null,"level":"error","msg":"no longer authorized after validation period","remote_address":"172.21.0.1","service":"sso-proxy","time":"2019-12-03 07:25:00.579","user":"xx@gmail.com"}
sso-proxy_1    | {"http_status":403,"level":"info","msg":"error page","page_message":"You're not authorized to view this page","page_title":"Forbidden","remote_address":"172.21.0.1","service":"sso-proxy","time":"2019-12-03 07:25:00.579"}
sso-proxy_1    | {"action":"proxy","http_status":403,"level":"info","msg":"","remote_address":"172.21.0.1","request_duration":75.98140000000001,"request_method":"GET","request_uri":"hello-world.sso.localtest.me/","service":"sso-proxy","time":"2019-12-03 07:25:00.580","user":"","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"}
nginx-proxy_1  | nginx.1    | hello-world.sso.localtest.me 172.21.0.1 - - [03/Dec/2019:07:25:00 +0000] "GET / HTTP/1.1" 403 1850 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"```

The upstream.yml config is as follows

$ cat upstream_configs.yml 
- service: httpbin
  default:
    from: httpbin.sso.localtest.me
    to: http://httpbin:8080

- service: hello-world
  default:
    from: hello-world.sso.localtest.me
    to: http://hello-world/

[samitpal]

@Jusshersmith ,

The problem starts after SESSION_VALID_TTL expires. The proxy tries to issue /google/profile call to the sso authenticator like "/google/profile?client_id=%3D&email=%40gmail.com&groups=". It seems like becoz of the empty groups parameter, the code flow enters into https://github.com/buzzfeed/sso/blob/99e69f8f57cc4a5e64e467665cc6b8f46b11e511/internal/proxy/oauthproxy.go#L763? That seems to lead to the 403 error.

[Jusshersmith]

Hey @samitpal. Thanks for your patience and for sending over the additional details. Just wanted to let you know, I'll be looking into this today!

[Jusshersmith]

Hi @samitpal! A quick update -- We're testing a fix and hope to have it shipped soon!

Apologies for the inconvenience caused by this bug!

[gmbuell]

Any update on the fix? I'm seeing this error with the quickstart as well.

[Jusshersmith]

Hi!

This should be fixed now. Sorry for the massive delay getting this resolved. Unfortunately the original fix had some complications, which knocked this back a bit!

Please do re-open if you're still seeing this error.