Preflight Checklist
[X] I agree to follow the Code of Conduct that this project adheres to.
[X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
[X] I am not looking for support or already pursued the available support channels without success.
Version
2.41.1
Storage Type
Postgres
Installation Type
Official container image, Custom container image
Expected Behavior
Go clients using grpc-go versions 1.67.0 and above should be able to connect to the Dex gRPC service via mTLS without having to set the environment variable GRPC_ENFORCE_ALPN_ENABLED=false.
Actual Behavior
When trying to connect, the client fails with the log message:
Steps To Reproduce
1. Create mTLS certificates using examples/grpc-client/cert-gen.
2. Start the server with mTLS enabled as described in examples/grpc-client/README.md.
3. Create a new Go module and copy the Dex Go client example from examples/grpc-client/client.go.
4. Ensure the go-grpc dependency is 1.67.0 or later with go get google.golang.org/grpc@v1.67.0.
5. Try to connect and see the client error logs.
Additional Information
Summary
The Dex gRPC server is not doing proper protocol negotiation when served through TLS. It's not advertising http2 during protocol negotiation.
The default value of the environment variable GRPC_ENFORCE_ALPN_ENABLED changed from false to true in version 1.67.0 (https://github.com/grpc/grpc-go/pull/7535). This causes clients to fail when the server does not advertise http2.
Details
The baseTLSConfig created for the gRPC service should include NextProtos: []string{"h2"}, see https://github.com/dexidp/dex/blob/fa0240d396db1d8ed02ff52f8d010786aacd6936/cmd/dex/serve.go#L176-L181
In most cases "h2" is added by go-grpc's credentials.NewTLS: https://github.com/grpc/grpc-go/blob/2da976983bbb33feb3e25b7daaa8f60b9769adb5/credentials/tls.go#L201-L204
But Dex's fsnotify reloader returns a certificate based on the original baseTLSConfig, so any modifications made by go-grpc are discarded: https://github.com/dexidp/dex/blob/fa0240d396db1d8ed02ff52f8d010786aacd6936/cmd/dex/serve.go#L657-L660
Configuration
No response
Logs
No response
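As an added, runnable illustration of the Details section above (this is example code written for this page, not code from Dex or grpc-go), the Go program below models the three pieces the issue describes: a base tls.Config with and without NextProtos, a GetConfigForClient reloader that returns a clone of the original base config carrying the current certificate, and a grpc-go-style caller that appends "h2" to the config it is handed before listening. A client that offers only "h2" then connects and the program reports the ALPN protocol the server actually selected. The field values in brokenBase and fixedBase, the function names, and the in-memory self-signed certificate are assumptions made for the example; they are not copied from cmd/dex/serve.go or from cert-gen.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// brokenBase models a base config with no NextProtos, so nothing is advertised
// for ALPN. Field values are assumptions for this example, not Dex's own.
func brokenBase() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// fixedBase is the same config with the change the issue proposes.
func fixedBase() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, NextProtos: []string{"h2"}}
}

// selfSignedCert builds a throwaway server certificate for 127.0.0.1 so the
// handshake runs offline (constructed here; not the output of cert-gen).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "alpn-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// negotiatedALPN reproduces the interaction from the issue and returns the
// ALPN protocol the server selected ("" when nothing was negotiated).
func negotiatedALPN(base *tls.Config) (string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	// Reloader pattern: the config used for the handshake is a clone of *base*,
	// so anything added to the served config below never reaches it.
	base.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
		cfg := base.Clone()
		cfg.Certificates = []tls.Certificate{cert}
		return cfg, nil
	}
	// What a grpc-go-style caller does with the config it receives: clone it
	// and make sure "h2" is in NextProtos.
	served := base.Clone()
	hasH2 := false
	for _, p := range served.NextProtos {
		if p == "h2" {
			hasH2 = true
		}
	}
	if !hasH2 {
		served.NextProtos = append(served.NextProtos, "h2")
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", served)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		_ = conn.(*tls.Conn).Handshake()
	}()
	// The client offers only h2, as an HTTP/2-only gRPC client does.
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, NextProtos: []string{"h2"}})
	if err != nil {
		return "", err
	}
	defer client.Close()
	return client.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	for name, cfg := range map[string]*tls.Config{"broken": brokenBase(), "fixed": fixedBase()} {
		proto, err := negotiatedALPN(cfg)
		fmt.Printf("%s base: negotiated=%q err=%v\n", name, proto, err)
	}
}
```

Run it with `go run .`: the broken base yields an empty negotiated protocol even though "h2" was appended to the served config, because the reloader's clone of the original base is what the server hands to the handshake; with NextProtos set on the base config itself, the clone carries it and "h2" is negotiated. An empty negotiated protocol is the condition the issue describes a grpc-go 1.67.0+ client rejecting unless GRPC_ENFORCE_ALPN_ENABLED=false is set.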