dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

github id provider #947

Closed zxdzxd closed 3 years ago

zxdzxd commented 7 years ago

@ericchiang can you give detailed steps on how to implement GitHub using dex? I am getting an error: "unable to connect github"

zxdzxd commented 7 years ago

screenshot from 2017-05-15 11 59 17

zxdzxd commented 7 years ago
 level=error msg="Invalid 'state' parameter provided: not found" 
# The base path of dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
issuer: http://127.0.0.1:5556/dex

# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
#
# See the storage document at Documentation/storage.md for further information.
storage:
  type: sqlite3
  config:
    file: examples/dex.db

# Configuration for the HTTP endpoints.
web:
  http: 0.0.0.0:5556
  # Uncomment for HTTPS options.
#   https: 127.0.0.1:5555
#   tlsCert: /etc/dex/server.crt
#   tlsKey: /etc/dex/server.key

# Uncomment this block to enable the gRPC API. This values MUST be different
# from the HTTP endpoints.
# grpc:
#  addr: 127.0.0.1:5557
#  tlsCert: examples/grpc-client/server.crt
# tlsKey: examples/grpc-client/server.key
#  tlsClientCA: /etc/dex/client.crt

# Uncomment this block to enable configuration for the expiration time durations.
# expiry:
#   signingKeys: "6h"
#   idTokens: "24h"

# Options for controlling the logger.
# logger:
#   level: "debug"
#   format: "text" # can also be "json"

# Instead of reading from an external storage, use this list of clients.
#
# If this option isn't chosen clients may be added through the gRPC API.
staticClients:
- id: 6c0971e3c5016f020e0f
  redirectURIs:
  - 'http://127.0.0.1:5556/dex/callback'
  name: 'Github'
  secret: 5dd8069b23820aaad1afb6c215f6eb5cd72f33c2

connectors:
#- type: mockCallback
#  id: mock
#  name: Example
 - type: github
   id: github
   name: Github
   config:
     issuer: http://127.0.0.1:5556/dex
#     # Connector config values starting with a "$" will read from the environment.
     clientID: 6c0971e3c5016f020e0f
     clientSecret: 5dd8069b23820aaad1afb6c215f6eb5cd72f33c2
     redirectURI: http://127.0.0.1:5556/dex/callback

# Let dex keep a list of passwords which can be used to login to dex.
enablePasswordDB: true

# A static list of passwords to login the end user. By identifying here, dex
# won't look in its underlying storage for passwords.
#
# If this option isn't chosen users may be added through the gRPC API.
#staticPasswords:
#- email: "admin@example.com"
  # bcrypt hash of the string "password"
#  hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
#  username: "admin"
#  userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

This is the config-dev.yaml file. Is the config file correct? How can I remove the above error?

rithujohn191 commented 7 years ago

@zxdzxd Please specify which version of dex you are using.

zxdzxd commented 7 years ago

dex master

zxdzxd commented 7 years ago

@rithujohn191 I am getting a similar error as in issue #944 https://github.com/coreos/dex/issues/944

while I am working to implement it for GitHub using sqlite 3

rithujohn191 commented 7 years ago

@zxdzxd are you trying to follow the getting started docs and implement the example app? In that case the values under staticClients are wrong. You seem to have provided the GitHub client credentials. It should be changed to the following:

staticClients:
- id: example-app
  redirectURIs:
  - 'http://127.0.0.1:5555/callback'
  name: 'Example App'
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0

You can find the source code of the example app here: https://github.com/coreos/dex/tree/master/cmd/example-app

zxdzxd commented 7 years ago

Thank you for the response @rithujohn191, the GitHub id provider is working now

but when I made a similar configuration change for Gitlab

I get the following error

time="2017-05-18T10:37:53Z" level=error msg="Failed to authenticate: gitlab: failed to get token: oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"error\":\"invalid_client\",\"error_description\":\"Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.\"}"
Failed to return user's identity.

It is generated from here https://github.com/coreos/dex/blob/master/server/handlers.go#L379

My config-dev.yaml code for the connector:

connectors:
#- type: mockCallback
#  id: mock
#  name: Example
 - type: gitlab
   id: gitlab
   name: Gitlab
   config:
     baseURL: https://www.gitlab.com
     issuer: http://127.0.0.1:5556/dex
#     # Connector config values starting with a "$" will read from the environment.
     clientID: gitlab client id
     clientSecret: gitlab client secret   
     redirectURI: http://127.0.0.1:5556/dex/callback

Please help me solve the error

screenshot from 2017-05-18 16 22 40

tfluehmann commented 7 years ago

+1 I have the same issue with google

go_projects/src/github.com/coreos/dex$ bin/dex version
dex Version: 15242a86b83058d0b3409a304320878006e1c3c6
Go Version: go1.8.3
Go OS/ARCH: darwin amd64

- type: oidc
  id: google
  name: Google
  config:
    # Canonical URL of the provider, also used for configuration discovery.
    # This value MUST match the value returned in the provider config discovery.
    #
    # See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
    issuer: https://accounts.google.com

    # Connector config values starting with a "$" will read from the environment.
    clientID: my_client_id
    clientSecret: my_secret

    # Dex's issuer URL + "/callback"
    redirectURI: http://127.0.0.1:8080/dex/callback

rithujohn191 commented 7 years ago

@tfluehmann have you followed the instructions here to register your app with gitlab? Do the callback URLs match?

tfluehmann commented 7 years ago

@rithujohn191 No, I followed the instructions here: https://github.com/coreos/dex/blob/master/Documentation/oidc-connector.md But in the google interface I've whitelisted the callback url http://127.0.0.1:8080/dex/callback. The downloaded JSON from google looks like this:

{"web":
    {"client_id":"xyz",
    "project_id":"eighth-beacon-100622",
        "auth_uri":"https://accounts.google.com/o/oauth2/auth",
        "token_uri":"https://accounts.google.com/o/oauth2/token",
        "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
        "client_secret":"xyz",
        "redirect_uris":["http://127.0.0.1:8080/dex/callback"],
        "javascript_origins":["http://localhost","http://127.0.0.1"]
        }
}

I tried to follow this page: https://developers.google.com/identity/protocols/OpenIDConnect

so0k commented 7 years ago

might wanna cycle your github oauth app credentials

derekjwilliams commented 6 years ago

I'm also seeing the same on Gitlab:

My connector configuration for gitlab in my dex configuration:

  - type: gitlab
    id: gitlab
    name: Gitlab
    config:
      baseURL: https://www.gitlab.com
      clientID: $GITLAB_CLIENT_ID
      clientSecret: $GITLAB_SECRET
      redirectURI: http://127.0.0.1:5556/dex/callback

Gitlab configuration (e.g. https://gitlab.com/oauth/applications/12345)

Application Id: [GITLAB_CLIENT_ID]
Secret: [GITLAB_SECRET]
Callback url: http://127.0.0.1:5556/dex/callback
Scopes:
api (Access your API)
read_user (Read user information)
read_registry (Read Registry)
openid (Authenticate using OpenID Connect)

console error: "Failed to authenticate: gitlab: failed to get token: oauth2: cannot fetch token: 401 Unauthorized Response: {\"error\":\"invalid_client\",\"error_description\":\"Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.\"}"

When currently logged in (e.g. in another tab)

goby commented 6 years ago

@derekjwilliams please try to set baseURL: https://gitlab.com instead of https://www.gitlab.com, it may work

tuwid commented 6 years ago

@goby @rithujohn191 having the same issue with Azure AD, any workarounds ?

dverbeek84 commented 6 years ago

I have the same issue with Google :(

brondum commented 5 years ago

@tuwid did you ever find a solution when using Azure ?

tuwid commented 5 years ago

@brondum nope :/

chenzhiwei commented 3 years ago

I also encountered this issue today, the reason is because the redirect uri is wrong.

The redirect uri in both dex config.yaml and example-app start flag is the example-app redirect URI, not the dex server URI.
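
The mistakes identified in this thread (upstream provider credentials placed under staticClients, a client redirect URI that points at dex's own callback, a connector redirectURI that is not the issuer URL plus "/callback", and secrets written literally instead of as "$" environment values) can be checked before starting dex. The following Go check is an added example, not part of the issue thread or of dex's code; the `Client` and `Connector` types and the `Lint` function are hypothetical names that mirror only the fields shown above, and all sample values are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical mirrors of the config fields shown in this thread (not dex's own types).
type Client struct {
	ID, Secret   string
	RedirectURIs []string
}
type Connector struct{ ID, ClientID, ClientSecret, RedirectURI string }

// Lint returns one finding per configuration mistake discussed in the thread.
func Lint(issuer string, clients []Client, conns []Connector) (out []string) {
	cb := strings.TrimRight(issuer, "/") + "/callback" // dex's own callback URL
	add := func(f string, a ...interface{}) { out = append(out, fmt.Sprintf(f, a...)) }
	for _, cn := range conns {
		if cn.RedirectURI != cb {
			add("connector %s: redirectURI should be %s", cn.ID, cb)
		}
		if !strings.HasPrefix(cn.ClientSecret, "$") {
			add("connector %s: literal clientSecret, read it from a $ENV value", cn.ID)
		}
		for _, cl := range clients {
			if cl.ID == cn.ClientID || cl.Secret == cn.ClientSecret {
				add("staticClient %s: reuses upstream credentials of connector %s", cl.ID, cn.ID)
			}
		}
	}
	for _, cl := range clients {
		for _, u := range cl.RedirectURIs {
			if u == cb {
				add("staticClient %s: %s is dex's callback, not the app's", cl.ID, u)
			}
		}
	}
	return out
}

func main() {
	// Constructed sample shaped like the first config in the thread; credentials are placeholders.
	cb := "http://127.0.0.1:5556/dex/callback"
	conns := []Connector{{ID: "github", ClientID: "placeholder-id", ClientSecret: "placeholder-secret", RedirectURI: cb}}
	clients := []Client{{ID: "placeholder-id", Secret: "placeholder-secret", RedirectURIs: []string{cb}}}
	fmt.Println(strings.Join(Lint("http://127.0.0.1:5556/dex", clients, conns), "\n"))
}
```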

sagikazarmark commented 3 years ago

This is quite an old issue. Google and OIDC connectors are actively used in production by multiple users, so if there was a bug, it might have been fixed in the meantime. If you still experience this problem, please open a new issue.