Open tiffanyzhou opened 4 years ago
Unregistered redirect_uri means exactly that: you are trying to use a redirect_uri which you did not register for the used client.

```yaml
staticClients:
- id: example-app
  redirectURIs:
  - 'https://seliius28457.se:8001/callback'
  name: 'Example App'
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0
```

is missing the redirectURI you want to use: http://10.120.2.2:8001/callback

try this:

```yaml
staticClients:
- id: example-app
  redirectURIs:
  - 'https://seliius28457.se:8001/callback'
  - 'http://10.120.2.2:8001/callback'
  name: 'Example App'
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0
```

I guess seliius28457.se resolves to 10.120.2.2 on your PC; however, the redirect URI is checked by string comparison, so it has to match exactly.
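To make the "string comparison" rule in the reply above concrete, here is an added Go example (not dex's own code, and not part of the issue thread). It applies an exact-match check to a client shaped like the staticClients entry quoted above and, when the check fails, reports which URL component differs, which is the information the bare "Unregistered redirect_uri" error does not give you. The `Client` type and the function names are this example's own; the two redirect URIs are the ones from the issue.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Client mirrors the fields of a dex staticClients entry that this example needs.
type Client struct {
	ID           string
	RedirectURIs []string
}

// validRedirectURI reproduces the rule described in the reply: the redirect_uri
// sent by the app must equal one of the registered URIs byte for byte.
// No DNS resolution, no scheme/port leniency, no trailing-slash tolerance.
func validRedirectURI(c Client, redirectURI string) bool {
	for _, registered := range c.RedirectURIs {
		if registered == redirectURI {
			return true
		}
	}
	return false
}

// diagnoseRedirectURI returns "" when the URI is registered, otherwise a
// human-readable list of which components differ from each registered URI.
// This diagnostic is an addition for illustration; dex itself does not print it.
func diagnoseRedirectURI(c Client, redirectURI string) string {
	if validRedirectURI(c, redirectURI) {
		return ""
	}
	want, err := url.Parse(redirectURI)
	if err != nil {
		return "requested redirect_uri does not parse: " + err.Error()
	}
	var sb strings.Builder
	fmt.Fprintf(&sb, "redirect_uri %q is not registered for client %q\n", redirectURI, c.ID)
	for _, registered := range c.RedirectURIs {
		have, err := url.Parse(registered)
		if err != nil {
			fmt.Fprintf(&sb, "  registered %q does not parse: %v\n", registered, err)
			continue
		}
		fmt.Fprintf(&sb, "  vs %q:", registered)
		for _, d := range diffComponents(have, want) {
			fmt.Fprintf(&sb, " %s", d)
		}
		sb.WriteString("\n")
	}
	return sb.String()
}

// diffComponents lists the scheme/host/port/path differences between two URLs.
func diffComponents(have, want *url.URL) []string {
	var diffs []string
	if have.Scheme != want.Scheme {
		diffs = append(diffs, fmt.Sprintf("scheme %s!=%s", have.Scheme, want.Scheme))
	}
	if have.Hostname() != want.Hostname() {
		diffs = append(diffs, fmt.Sprintf("host %s!=%s", have.Hostname(), want.Hostname()))
	}
	if have.Port() != want.Port() {
		diffs = append(diffs, fmt.Sprintf("port %q!=%q", have.Port(), want.Port()))
	}
	if have.Path != want.Path {
		diffs = append(diffs, fmt.Sprintf("path %s!=%s", have.Path, want.Path))
	}
	if len(diffs) == 0 {
		diffs = append(diffs, "identical after parsing; compare the raw strings (case, query, fragment)")
	}
	return diffs
}

func main() {
	client := Client{
		ID:           "example-app",
		RedirectURIs: []string{"https://seliius28457.se:8001/callback"},
	}
	// The request from the issue: scheme and host both differ from the registered URI.
	fmt.Print(diagnoseRedirectURI(client, "http://10.120.2.2:8001/callback"))
	// After registering the second URI, as the reply suggests, the check passes.
	client.RedirectURIs = append(client.RedirectURIs, "http://10.120.2.2:8001/callback")
	fmt.Println("after registering:", validRedirectURI(client, "http://10.120.2.2:8001/callback"))
}
```

Running it prints that the requested URI differs in scheme (`https!=http`) and host (`seliius28457.se!=10.120.2.2`) from the only registered entry, and `after registering: true` once the IP-based URI is added. The exact-match rule is deliberate from a security standpoint: any normalisation or "same host after DNS" leniency would let an attacker who controls a look-alike or re-resolved name receive the authorization code.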
I configured the dex and ldap yaml files; when I log in to the dex portal it returns Unregistered redirect_uri.

step 1: I run the command: `./bin/example-app --issuer https://seliius28457.se:32000 --listen http://10.120.2.2:8001 --redirect-uri http://10.120.2.2:8001/callback`
step 2: open a browser and log in to http://10.120.2.2:8001
step 3: when I click the login button it returns Unregistered redirect_uri. I don't know where the configuration is wrong.

The following is all the configuration information.
kube-apiserver.yaml:
kube-apiserver
=============================================================== gencert.sh
```bash
#!/bin/bash
mkdir -p ssl

# OpenSSL request config: the SAN is what TLS clients check the issuer host against.
cat << EOF > ssl/req.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = seliius28457.se
EOF

# CA key and self-signed CA certificate
openssl genrsa -out ssl/ca-key.pem 2048
openssl req -x509 -new -nodes -key ssl/ca-key.pem -days 10 -out ssl/ca.pem -subj "/CN=kube-ca"

# Server key, CSR, and CA-signed certificate carrying the v3_req extensions (SAN)
openssl genrsa -out ssl/key.pem 2048
openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/CN=kube-ca" -config ssl/req.cnf
openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 1000 -extensions v3_req -extfile ssl/req.cnf
```
=============================================================== dex.yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: dex
  name: dex
spec:
  selector:
    matchLabels:
      app: dex
  replicas: 3
  template:
    metadata:
      labels:
        app: dex
    spec:
      serviceAccountName: dex # This is created below
      containers:
      - image: quay.io/dexidp/dex:v2.10.0
        name: dex
        command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
      volumes:
      - name: tls
        secret:
          secretName: dex.example.com.tls
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: dex
data:
  config.yaml: |
    issuer: https://seliius28457.se:32000
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      https: 0.0.0.0:5556
      tlsCert: /etc/dex/tls/tls.crt
      tlsKey: /etc/dex/tls/tls.key
    connectors:
    - type: ldap
      id: ldap
      name: OpenLDAP
      config:
        host: er03.example.se
        insecureNoSSL: true
        bindDN: CN=euser,OU=P001,OU=ID,OU=Data,DC=example,DC=se
        bindPW: xxxx
        usernamePrompt: ID
        userSearch:
          baseDN: OU=ID,OU=Data,dc=example,dc=se
          filter: "(objectClass=user)"
          username: uid
          idAttr: DN
          emailAttr: mail
          nameAttr: cn
        groupSearch:
          baseDN: OU=P001,OU=GRP,OU=Data
          filter: "(objectClass=group)"
          userMatchers:
    oauth2:
      skipApprovalScreen: true
    staticClients:
    - id: example-app
      redirectURIs:
      - 'https://seliius28457.se:8001/callback'
      name: 'Example App'
      secret: ZXhhbXBsZS1hcHAtc2VjcmV0
    # the key for the entry below was lost in the paste; assumed to be staticPasswords as in dex's example config
    staticPasswords:
    # bcrypt hash of the string "password"
    - hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
      username: "admin"
      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
---
apiVersion: v1
kind: Service
metadata:
  name: dex
spec:
  type: NodePort
  ports:
  - name: dex
    port: 5556
    protocol: TCP
    targetPort: 5556
    nodePort: 32000
  selector:
    app: dex
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: dex
  name: dex
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: dex
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["create"] # To manage its own resources, dex must be able to create customresourcedefinitions
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dex
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dex
subjects:
```