fatedier / frp

A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.
Apache License 2.0
85.13k stars, 13.21k forks

Invalid ping with multiple clients using OIDC #4466

Open RobKenis opened 5 days ago

RobKenis commented 5 days ago

Bug Description

We run a single FRP Server and multiple FRP Clients. For authentication, we use OIDC. This works fine when a single FRPC is running, but we see the following errors when running more than 1 FRPC at the same time.

2024/10/03 09:17:55 [W] [control.go:425] [7cd7d9906a894271] received invalid ping: received different OIDC subject in login and ping. original subject: e4712136-7694-4d03-871c-6758d4ca79e5, new subject: 2e63168f-a7b1-4b4c-9c0d-09c3ea9c5f9c

This results in the FRP Clients constantly reconnecting, resulting in an unstable connection.

frpc Version

0.53.2

frps Version

0.53.2

System Architecture

Server: linux/amd64, Client: windows/amd64

Configurations

Server:

authentication_method = oidc
oidc_issuer = {{ .Envs.FRP_KEYCLOAK_ADDRESS }}realms/<realm>
oidc_audience = account

Client:

[common]
server_addr = HOST
server_port = 7000
authentication_method = oidc
oidc_client_id = CLIENT_ID
oidc_client_secret = CLIENT_SECRET
oidc_audience = profile
oidc_token_endpoint_url = https://HOST/auth/realms/REALM/protocol/openid-connect/token
oidc_scope = openid

Logs

2024/09/23 12:45:26 [W] [control.go:425] [27c200cb77438642] received invalid ping: received different OIDC subject in login and ping. original subject: c789f698-547c-4453-a46b-e18c873aca9d, new subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24
2024/09/23 12:45:26 [I] [proxy.go:115] [27c200cb77438642] [test-session] proxy closing
2024/09/23 12:45:26 [I] [control.go:359] [27c200cb77438642] client exit success
2024/09/23 12:45:27 [I] [service.go:563] [27c200cb77438642] client login info: ip [10.0.99.67:57445] version [0.53.2] hostname [] os [windows] arch [amd64]
2024/09/23 12:45:28 [I] [http.go:110] [27c200cb77438642] [test-session] http proxy listen for host [test-session] location [] group [], routeByHTTPUser []
2024/09/23 12:45:28 [I] [control.go:401] [27c200cb77438642] new proxy [test-session] type [http] success
2024/09/23 12:45:30 [W] [control.go:425] [da9f0b7c28941afa] received invalid ping: received different OIDC subject in login and ping. original subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24, new subject: c789f698-547c-4453-a46b-e18c873aca9d
2024/09/23 12:45:30 [I] [proxy.go:115] [da9f0b7c28941afa] [test-data-connector] proxy closing
2024/09/23 12:45:30 [I] [control.go:359] [da9f0b7c28941afa] client exit success
2024/09/23 12:45:30 [I] [service.go:563] [da9f0b7c28941afa] client login info: ip [10.0.124.244:38998] version [0.53.2] hostname [] os [linux] arch [amd64]
2024/09/23 12:45:30 [I] [http.go:110] [da9f0b7c28941afa] [test-data-connector] http proxy listen for host [tm-test-data-connector-development] location [] group [], routeByHTTPUser []
2024/09/23 12:45:30 [I] [control.go:401] [da9f0b7c28941afa] new proxy [test-data-connector] type [http] success
2024/09/23 12:45:57 [W] [control.go:425] [27c200cb77438642] received invalid ping: received different OIDC subject in login and ping. original subject: c789f698-547c-4453-a46b-e18c873aca9d, new subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24
2024/09/23 12:45:58 [I] [proxy.go:115] [27c200cb77438642] [test-session] proxy closing
2024/09/23 12:45:58 [I] [control.go:359] [27c200cb77438642] client exit success
2024/09/23 12:45:58 [I] [service.go:563] [27c200cb77438642] client login info: ip [10.0.114.214:62949] version [0.53.2] hostname [] os [windows] arch [amd64]
2024/09/23 12:45:59 [I] [http.go:110] [27c200cb77438642] [test-session] http proxy listen for host [test-session] location [] group [], routeByHTTPUser []
2024/09/23 12:45:59 [I] [control.go:401] [27c200cb77438642] new proxy [test-session] type [http] success
2024/09/23 12:46:00 [W] [control.go:425] [da9f0b7c28941afa] received invalid ping: received different OIDC subject in login and ping. original subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24, new subject: c789f698-547c-4453-a46b-e18c873aca9d
2024/09/23 12:46:00 [I] [proxy.go:115] [da9f0b7c28941afa] [test-data-connector] proxy closing
2024/09/23 12:46:00 [I] [control.go:359] [da9f0b7c28941afa] client exit success
2024/09/23 12:46:00 [I] [service.go:563] [da9f0b7c28941afa] client login info: ip [10.0.124.244:33290] version [0.53.2] hostname [] os [linux] arch [amd64]
2024/09/23 12:46:01 [I] [http.go:110] [da9f0b7c28941afa] [test-data-connector] http proxy listen for host [tm-test-data-connector-development] location [] group [], routeByHTTPUser []
2024/09/23 12:46:01 [I] [control.go:401] [da9f0b7c28941afa] new proxy [test-data-connector] type [http] success
2024/09/23 12:46:28 [W] [control.go:425] [27c200cb77438642] received invalid ping: received different OIDC subject in login and ping. original subject: c789f698-547c-4453-a46b-e18c873aca9d, new subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24
2024/09/23 12:46:29 [I] [proxy.go:115] [27c200cb77438642] [test-session] proxy closing
2024/09/23 12:46:29 [I] [control.go:359] [27c200cb77438642] client exit success
2024/09/23 12:46:29 [I] [service.go:563] [27c200cb77438642] client login info: ip [10.0.124.244:21986] version [0.53.2] hostname [] os [windows] arch [amd64]
2024/09/23 12:46:30 [I] [http.go:110] [27c200cb77438642] [test-session] http proxy listen for host [test-session] location [] group [], routeByHTTPUser []
2024/09/23 12:46:30 [I] [control.go:401] [27c200cb77438642] new proxy [test-session] type [http] success
2024/09/23 12:46:30 [W] [control.go:425] [da9f0b7c28941afa] received invalid ping: received different OIDC subject in login and ping. original subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24, new subject: c789f698-547c-4453-a46b-e18c873aca9d
2024/09/23 12:46:30 [I] [proxy.go:115] [da9f0b7c28941afa] [test-data-connector] proxy closing
2024/09/23 12:46:30 [I] [control.go:359] [da9f0b7c28941afa] client exit success
2024/09/23 12:46:30 [I] [service.go:563] [da9f0b7c28941afa] client login info: ip [10.0.124.244:24708] version [0.53.2] hostname [] os [linux] arch [amd64]
2024/09/23 12:46:31 [I] [http.go:110] [da9f0b7c28941afa] [test-data-connector] http proxy listen for host [tm-test-data-connector-development] location [] group [], routeByHTTPUser []
2024/09/23 12:46:31 [I] [control.go:401] [da9f0b7c28941afa] new proxy [test-data-connector] type [http] success
2024/09/23 12:47:00 [W] [control.go:425] [27c200cb77438642] received invalid ping: received different OIDC subject in login and ping. original subject: c789f698-547c-4453-a46b-e18c873aca9d, new subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24
2024/09/23 12:47:00 [I] [proxy.go:115] [27c200cb77438642] [test-session] proxy closing
2024/09/23 12:47:00 [I] [control.go:359] [27c200cb77438642] client exit success
2024/09/23 12:47:00 [I] [service.go:563] [27c200cb77438642] client login info: ip [10.0.114.214:25343] version [0.53.2] hostname [] os [windows] arch [amd64]
2024/09/23 12:47:01 [I] [http.go:110] [27c200cb77438642] [test-session] http proxy listen for host [test-session] location [] group [], routeByHTTPUser []
2024/09/23 12:47:01 [I] [control.go:401] [27c200cb77438642] new proxy [test-session] type [http] success
2024/09/23 12:47:30 [W] [control.go:425] [da9f0b7c28941afa] received invalid ping: received different OIDC subject in login and ping. original subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24, new subject: c789f698-547c-4453-a46b-e18c873aca9d
2024/09/23 12:47:30 [I] [proxy.go:115] [da9f0b7c28941afa] [test-data-connector] proxy closing
2024/09/23 12:47:30 [I] [control.go:359] [da9f0b7c28941afa] client exit success
2024/09/23 12:47:30 [I] [service.go:563] [da9f0b7c28941afa] client login info: ip [10.0.100.43:49509] version [0.53.2] hostname [] os [linux] arch [amd64]
2024/09/23 12:47:31 [W] [control.go:425] [27c200cb77438642] received invalid ping: received different OIDC subject in login and ping. original subject: c789f698-547c-4453-a46b-e18c873aca9d, new subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24
2024/09/23 12:47:31 [I] [http.go:110] [da9f0b7c28941afa] [test-data-connector] http proxy listen for host [tm-test-data-connector-development] location [] group [], routeByHTTPUser []
2024/09/23 12:47:31 [I] [control.go:401] [da9f0b7c28941afa] new proxy [test-data-connector] type [http] success
2024/09/23 12:47:31 [I] [proxy.go:115] [27c200cb77438642] [test-session] proxy closing
2024/09/23 12:47:31 [I] [control.go:359] [27c200cb77438642] client exit success
2024/09/23 12:47:31 [I] [service.go:563] [27c200cb77438642] client login info: ip [10.0.99.67:44672] version [0.53.2] hostname [] os [windows] arch [amd64]
2024/09/23 12:47:32 [I] [http.go:110] [27c200cb77438642] [test-session] http proxy listen for host [test-session] location [] group [], routeByHTTPUser []
2024/09/23 12:47:32 [I] [control.go:401] [27c200cb77438642] new proxy [test-session] type [http] success
2024/09/23 12:47:44 [I] [proxy.go:115] [da9f0b7c28941afa] [test-data-connector] proxy closing
2024/09/23 12:47:44 [I] [control.go:359] [da9f0b7c28941afa] client exit success

Steps to reproduce

  1. Start server with OIDC Auth
  2. Start Client with OIDC
  3. Start second client with OIDC

Affected area

blizard863 commented 20 hours ago

I tested in auth0; there is no error like yours. You can create a free auth0 account and test it.

My successful config.

frps
authentication_method = oidc
oidc_issuer = https://dev-xxxx.us.auth0.com/
oidc_audience = https://dev-xxxx.us.auth0.com/api/v2/

frpc
authentication_method = oidc
oidc_client_id = xxxx
oidc_client_secret = xxxx
oidc_audience = https://dev-xxxx.us.auth0.com/api/v2/
oidc_token_endpoint_url = https://dev-xxxx.us.auth0.com/oauth/token

oidc_audience should be the same.

One frpc and multiple frpcs are both fine.

@RobKenis

blizard863 commented 20 hours ago

You can read more of the OpenID RFC docs to find your problem.

RobKenis commented 20 hours ago

@blizard863 We are using different clients per frpc, so all tokens have a different subject. I am currently making a Pull Request to demonstrate the issue. I'll keep you posted.
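
The pattern in the log excerpt above is telling: each run ID's ping is rejected against the other run ID's subject, and the two take turns (27c200cb77438642 is rejected with "original" c789f698..., then da9f0b7c28941afa with "original" 312fb2ab..., and so on). That is exactly what a single server-wide verifier produces if it remembers only the most recent login subject: two frpcs with different OIDC clients, and therefore different `sub` claims, keep overwriting each other's "login subject", and a ping from one is checked against the other's login. The Go program below is an added example written for this page, not frp's code and not the pull request mentioned in the thread. It models that shared-state verifier beside a per-session one keyed by run ID, replays two constructed clients using the run IDs and subjects from the logs, and shows that keying by session removes the cross-client rejections while still rejecting a subject change within one session. Token verification itself (signature, issuer, audience) is assumed to have already passed; the `sync.Mutex`, the `runID` key and all function names are this example's own choices.

```go
package main

import (
	"fmt"
	"sync"
)

// Token stands in for an ID token whose signature, issuer and audience frps
// has already checked; only the subject claim matters for this model.
type Token struct{ Subject string }

// Verifier is the login/ping contract both models implement. runID is the
// per-client session ID frps prints in brackets in its log lines.
type Verifier interface {
	VerifyLogin(runID string, tok Token) error
	VerifyPing(runID string, tok Token) error
}

func subjectMismatch(orig, got string) error {
	return fmt.Errorf("received different OIDC subject in login and ping. "+
		"original subject: %s, new subject: %s", orig, got)
}

// SharedSubjectVerifier is a hypothetical model of the failure mode, not frp's
// code: one server-wide verifier that remembers whichever subject logged in last.
type SharedSubjectVerifier struct{ subjectFromLogin string }

func (v *SharedSubjectVerifier) VerifyLogin(_ string, tok Token) error {
	v.subjectFromLogin = tok.Subject // last login wins, for every client
	return nil
}

func (v *SharedSubjectVerifier) VerifyPing(_ string, tok Token) error {
	if tok.Subject != v.subjectFromLogin {
		return subjectMismatch(v.subjectFromLogin, tok.Subject)
	}
	return nil
}

// PerSessionVerifier keys the login subject by run ID, so a ping is compared
// only against the login that opened the same session. The mutex matters
// because frps serves control connections concurrently.
type PerSessionVerifier struct {
	mu       sync.Mutex
	subjects map[string]string
}

func NewPerSessionVerifier() *PerSessionVerifier {
	return &PerSessionVerifier{subjects: make(map[string]string)}
}

func (v *PerSessionVerifier) VerifyLogin(runID string, tok Token) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.subjects[runID] = tok.Subject
	return nil
}

func (v *PerSessionVerifier) VerifyPing(runID string, tok Token) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	orig, ok := v.subjects[runID]
	if !ok {
		return fmt.Errorf("ping from unknown session %s", runID)
	}
	if tok.Subject != orig {
		return subjectMismatch(orig, tok.Subject)
	}
	return nil
}

// SimulateTwoClients logs in two constructed clients (run IDs and subjects
// taken from the log excerpt) and runs `rounds` ping rounds. A rejected ping
// makes that client log in again, as frpc does after being dropped, which is
// what flips the shared subject back and forth. Returns rejections in order.
func SimulateTwoClients(v Verifier, rounds int) []string {
	clients := []struct{ runID, subject string }{
		{"27c200cb77438642", "312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24"}, // windows frpc
		{"da9f0b7c28941afa", "c789f698-547c-4453-a46b-e18c873aca9d"}, // linux frpc
	}
	for _, c := range clients {
		_ = v.VerifyLogin(c.runID, Token{Subject: c.subject})
	}
	var rejected []string
	for i := 0; i < rounds; i++ {
		for _, c := range clients {
			if err := v.VerifyPing(c.runID, Token{Subject: c.subject}); err != nil {
				rejected = append(rejected, fmt.Sprintf("[%s] %v", c.runID, err))
				_ = v.VerifyLogin(c.runID, Token{Subject: c.subject}) // frpc reconnects
			}
		}
	}
	return rejected
}

func main() {
	fmt.Println(SimulateTwoClients(&SharedSubjectVerifier{}, 2))
	fmt.Println(SimulateTwoClients(NewPerSessionVerifier(), 2))
}
```

Run with `go run .`: the shared verifier produces four rejections in two rounds, alternating between the two run IDs with the same "original"/"new" pairing as the log excerpt, and the per-session verifier produces none. Two things to keep in mind if you write the real fix this way: the per-session entry should be deleted when that control connection closes, otherwise the map grows with every reconnect, and the check that a ping's subject equals the subject that logged in on the same session must survive, since that is what stops a client from switching identities mid-session.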

blizard863 commented 7 hours ago

OK, I will review it soon.