dniel / traefik-forward-auth0

A backend for performing forward authentication with Auth0 using the Traefik reverse proxy.
GNU General Public License v3.0
85 stars 15 forks

Too many redirect - AuthorizeNonce cookie didnt match the nonce in authorizeState #362

Closed jamesy829 closed 1 month ago

jamesy829 commented 3 months ago

When I use the suggested way of configuring all web apps to forward the /oauth2 path to ForwardAuth (thread), the error I get is 400 Bad Request AuthorizeNonce cookie didnt match the nonce in authorizeState.. It then starts another Authorization Grant all over again, and at the end Chrome will show ERR_TOO_MANY_REDIRECTS.

I am currently running Traefik 2.9.6, deployed with Helm charts, and the stripprefix and redirect are implemented using middlewares (thread).

This is my application.yaml

domain: https://mydomain.auth0.com/
token-endpoint: https://mydomain.auth0.com/oauth/token
authorize-url: https://mydomain.auth0.com/authorize
userinfo-endpoint: https://mydomain.auth0.com/userinfo
logout-endpoint: https://mydomain.auth0.com/v2/logout

default:
  name: mydomain.com
  client-id: <CLIENT_ID>
  client-secret: <CLIENT_SECRET>
  audience: https://mydomain.com
  scope: "profile openid email"
  redirect-uri: https://auth.preprod.mydomain.com/signin
  token-cookie-domain: mydomain.com

apps:
  - name: traefik.prep.mydomain.com
    required-permissions:
      - read:traefik
  - name: epimetheus-preprod.mydomain.com
    required-permissions:
      - read:epimetheus

This is my middleware

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth2-chain
  namespace: traefik
spec:
  chain:
    middlewares:
      - name: forwardauth-authorize
        namespace: traefik
      - name: oauth2-strip-prefix
        namespace: traefik
      - name: oauth2-redirect
        namespace: traefik
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth2-strip-prefix
  namespace: traefik
spec:
  stripPrefix:
    prefixes:
      - /oauth2
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth2-redirect
  namespace: traefik
spec:
  redirectRegex:
    regex: ^https?://epimetheus-preprod.mydomain.com/(.*)
    replacement: https://auth.preprod.mydomain.com/${1}

This is the version of docker I'm using.

NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
forwardauth     traefik         19              2024-04-10 02:04:13.347383 +0800 CST    deployed        forwardauth-2.0.13      2.0-rc1
traefik         traefik         1               2022-04-17 23:59:30.260106 +0200 +0200  deployed        traefik-10.14.1         2.6.0
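
To make the reported error concrete, below is a simplified model of the nonce check a forward-auth /signin callback performs; it is an added illustration, not traefik-forward-auth0's own code. The nonce is written to a cookie scoped to the configured token-cookie-domain and also embedded in the opaque state sent to Auth0; on the callback the two must match, and when the callback host (auth.preprod.mydomain.com in the config above) never receives that cookie every callback fails with the 400 and the grant restarts, which is what the browser eventually reports as ERR_TOO_MANY_REDIRECTS. The cookie name is taken from the error text; the state encoding, the CookieJar and the simulate helper are assumptions for the sketch.

```python
import base64
import hmac
import json
import secrets

NONCE_COOKIE = "AuthorizeNonce"

class CookieJar:
    """Browser-side cookie store that honours the Domain attribute (suffix match). Constructed for this sketch."""
    def __init__(self):
        self.cookies = {}  # (name, domain) -> value; same name+domain overwrites, as a browser does

    def set(self, name, value, domain):
        self.cookies[(name, domain.lstrip(".").lower())] = value

    def get(self, host, name):
        host = host.lower()
        for (n, d), v in self.cookies.items():
            if n == name and (host == d or host.endswith("." + d)):
                return v
        return None

def start_authorization(jar, cookie_domain, origin_url):
    """Unauthenticated request: mint a nonce, set it as a cookie and embed it in the state parameter."""
    nonce = secrets.token_urlsafe(16)
    jar.set(NONCE_COOKIE, nonce, cookie_domain)
    payload = json.dumps({"nonce": nonce, "originUrl": origin_url}).encode()
    return base64.urlsafe_b64encode(payload).decode()  # assumed state encoding

def handle_callback(jar, callback_host, state):
    """/signin callback: the nonce inside state must equal the nonce the browser sends back in the cookie."""
    decoded = json.loads(base64.urlsafe_b64decode(state))
    cookie_nonce = jar.get(callback_host, NONCE_COOKIE)
    if cookie_nonce is None or not hmac.compare_digest(cookie_nonce, decoded["nonce"]):
        return 400, "AuthorizeNonce cookie didnt match the nonce in authorizeState"
    return 302, decoded["originUrl"]

def simulate(cookie_domain, app_host="epimetheus-preprod.mydomain.com",
             callback_host="auth.preprod.mydomain.com", max_rounds=5):
    """Repeat the grant until the callback succeeds or the browser would give up (ERR_TOO_MANY_REDIRECTS)."""
    jar = CookieJar()
    origin = f"https://{app_host}/"
    for round_no in range(1, max_rounds + 1):
        state = start_authorization(jar, cookie_domain, origin)
        status, _ = handle_callback(jar, callback_host, state)
        if status == 302:
            return "ok", round_no
    return "too_many_redirects", max_rounds
```

With the cookie scoped to mydomain.com the first callback succeeds; scope it to the app host only and the callback host never sees the nonce, so the loop runs until the cap.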

jamesy829 commented 1 month ago

Figured out it was a typo within the yaml