gogatekeeper / gatekeeper

An OpenID / Proxy service
https://gogatekeeper.github.io/gatekeeper/
Apache License 2.0

Gogatekeeper + keycloak+ redis #507

Closed YuesIt17 closed 1 week ago

YuesIt17 commented 1 month ago

Hello! I have a problem with the gatekeeper in my app.

We have access token settings in Keycloak, where its lifetime is 10 minutes and the lifetime of the refresh token is 6 hours.

But after 10 minutes, when the access token is expired, API requests get a 303 status and a redirect to the authorization page happens [image] [image]

And then I see the logs of gatekeeper [image]

My settings:

p53 commented 1 month ago

Hi, thank you for opening the issue! Will look at it, looks like it cannot retrieve the refresh token from redis

p53 commented 1 month ago

@YuesIt17 I tested it now with different token/refresh token lifetimes (30s access token, 10 min refresh; 3 min access, 10 min refresh; 30s access, 6h refresh) and with these options, trying to make them closest to yours, and it was working without problems:

                "--discovery-url=http://127.0.0.1:8081/realms/xxx/.well-known/openid-configuration",
                "--client-id=xxx",
                "--client-secret=xxx",
                "--upstream-url=http://127.0.0.1:8082",
                "--listen=0.0.0.0:5000",
                "--enable-metrics=true",
                "--enable-refresh-tokens=true",
                "--encryption-key=xxx",
                "--skip-upstream-tls-verify=true",
                "--skip-openid-provider-tls-verify=true",
                "--enable-id-token-cookie=true",
                "--server-read-timeout=600s",
                "--server-write-timeout=600s",
                "--upstream-response-header-timeout=600s",
                "--listen-admin=0.0.0.0:6000",
                "--scopes=openid",
                "--secure-cookie=false",
                "--verbose=true",
                "--store-url=redis://localhost:6379/1",
                "--redirection-url=http://localhost:5000",

Which version of gatekeeper are you using + what version of redis + can you enable verbose: true and post logs, thx

p53 commented 1 month ago

@YuesIt17 I see you are probably making an ajax request, do you have withCredentials set to true?

YuesIt17 commented 1 month ago

@YuesIt17 I see you are probably making an ajax request, do you have withCredentials set to true?

Yes, I make the request via axios and set withCredentials=true [image]

YuesIt17 commented 1 month ago

@YuesIt17 I tested it now with different token/refresh token lifetimes (30s access token, 10 min refresh; 3 min access, 10 min refresh; 30s access, 6h refresh) and with these options, trying to make them closest to yours, and it was working without problems:

                "--discovery-url=http://127.0.0.1:8081/realms/xxx/.well-known/openid-configuration",
                "--client-id=xxx",
                "--client-secret=xxx",
                "--upstream-url=http://127.0.0.1:8082",
                "--listen=0.0.0.0:5000",
                "--enable-metrics=true",
                "--enable-refresh-tokens=true",
                "--encryption-key=xxx",
                "--skip-upstream-tls-verify=true",
                "--skip-openid-provider-tls-verify=true",
                "--enable-id-token-cookie=true",
                "--server-read-timeout=600s",
                "--server-write-timeout=600s",
                "--upstream-response-header-timeout=600s",
                "--listen-admin=0.0.0.0:6000",
                "--scopes=openid",
                "--secure-cookie=false",
                "--verbose=true",
                "--store-url=redis://localhost:6379/1",
                "--redirection-url=http://localhost:5000",

Which version of gatekeeper are you using + what version of redis + can you enable verbose: true and post logs, thx

We use these versions of the apps:

I have set verbose: true and am monitoring the logs. I see this case in the logs:

[cors] 2024/10/03 10:54:44 Handler: Actual request
[cors] 2024/10/03 10:54:44   Actual request no headers added: missing origin
2024-10-03T10:54:45.058Z    debug   middleware/oauth.go:60  authentication middleware
2024-10-03T10:54:45.058Z    error   middleware/oauth.go:65  authentication session not found in request
2024-10-03T10:54:45.058Z    debug   core/helpers.go:110     redirecting to url  {"url": "/oauth/authorize?state=7ccda93d-27c5-4c3d-8c3c-04c69d2e7a17"}

p53 commented 1 month ago

@YuesIt17 I see also that in the screenshots you have CORS errors + I see in your last update logs: "Actual request no headers added: missing origin" - cookies are also in headers, so they will be missing. Not sure about your app setup, but you can adjust the CORS settings, e.g. https://github.com/gogatekeeper/gatekeeper/issues/384#issuecomment-1824339661. I was testing without using javascript (not having a frontend+backend setup), so this might be the difference between our setups causing you trouble

YuesIt17 commented 1 month ago

@YuesIt17 I see also that in the screenshots you have CORS errors + I see in your last update logs: "Actual request no headers added: missing origin" - cookies are also in headers, so they will be missing. Not sure about your app setup, but you can adjust the CORS settings, e.g. #384 (comment). I was testing without using javascript (not having a frontend+backend setup), so this might be the difference between our setups causing you trouble

Ok, thanks! I will look at the CORS error. And I have tried to draw a scheme of our app to understand the interaction with gogatekeeper. Maybe I'm wrong [image]

p53 commented 1 month ago

Why do you have CORS errors there? Are you using different domains for the web frontend/backend?

YuesIt17 commented 1 month ago

Why do you have CORS errors there? Are you using different domains for the web frontend/backend?

Yes, I added cors-origins

cors-origins:
  - https://frontend-url
  - backend-url
  - https://some-keycloack

but I see some errors with CORS in the logs

[cors] 2024/10/08 16:31:01 Handler: Actual request
[cors] 2024/10/08 16:31:01   Actual request no headers added: missing origin
2024-10-08T16:31:01.337Z    debug   middleware/oauth.go:60  authentication middleware
2024-10-08T16:31:01.337Z    debug   session/token.go:168    found the user identity {"id": "0e71815b-e0ac-40e7-b7ed-b5fdd18be319", "name": "someuser@gmail.com", "email": "someuser@gmail.com", "roles": "", "groups": "somegroup"}
2024-10-08T16:31:01.338Z    debug   middleware/security.go:192  access permitted to resource    {"access": "permitted", "email": "someuser@gmail.com", "expires": 179.66190608, "resource": "/*"}
2024-10-08T16:31:38.214Z    debug   proxy/handlers.go:79    authorization handler
2024-10-08T16:31:38.214Z    debug   proxy/handlers.go:145   incoming authorization request from client address  {"access_type": {}, "client_ip": ", "remote_addr": ""}

[cors] 2024/10/08 16:31:38 Handler: Actual request
[cors] 2024/10/08 16:31:38   Actual request no headers added: missing origin
2024-10-08T16:31:38.214Z    debug   proxy/handlers.go:158   redirecting to auth_url {"auth_url": "https://some-keycloack/auth/realms/some-realm/protocol/openid-connect/...."}

p53 commented 1 month ago

@YuesIt17 did you add all of those CORS options, similar to what is in the comment https://github.com/gogatekeeper/gatekeeper/issues/384#issuecomment-1824339661 ?:

- "--cors-headers=*"
- "--cors-origins=<give here your origins>"
- "--cors-methods=POST,OPTIONS,<your methods>"
- "--cors-max-age=86400s"
- "--cors-credentials=true"

Here you can read about CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

YuesIt17 commented 1 month ago

@YuesIt17 did you add all of those CORS options, similar to what is in the comment #384 (comment) ?:

- "--cors-headers=*"
- "--cors-origins=<give here your origins>"
- "--cors-methods=POST,OPTIONS,<your methods>"
- "--cors-max-age=86400s"
- "--cors-credentials=true"

Here you can read about CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Yes, I tried to add those settings to the gatekeeper config [image]

and I also added these CORS settings to the nginx config [image]

and I see those headers in the console [image]

but those CORS errors are in the gatekeeper logs for the API request

2024-10-09 18:19:15 [cors] 2024/10/09 15:19:15 Handler: Actual request
2024-10-09 18:19:15 [cors] 2024/10/09 15:19:15   Actual request no headers added: missing origin
2024-10-09 18:19:15 2024-10-09T15:19:15.698Z    debug   middleware/oauth.go:60  authentication middleware
2024-10-09 18:19:15 2024-10-09T15:19:15.698Z    debug   session/token.go:168    found the user identity {...}
2024-10-09 18:19:15 2024-10-09T15:19:15.699Z    debug   middleware/security.go:192      access permitted to resource    {"access": "permitted", "email": "...", "expires": 510.300812614, "resource": "/*"}

p53 commented 1 month ago

It is enough to have the CORS configuration on the front proxy, in your case I assume nginx. If nginx is in front of gatekeeper, it is possible that it removes the Origin header; the message "Actual request no headers added: missing origin" is from the CORS middleware and it is returned when Origin is empty. If you have this configuration on nginx, nginx should send all headers properly to gatekeeper, so it should be working now.
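
To make the "missing origin" decision concrete, here is an added Go example (written for this thread, not gatekeeper's own middleware code) of the policy checks a credentialed CORS layer has to make before it adds any headers. It assumes a hypothetical `CORSPolicy` type holding the same four knobs discussed above (cors-origins, cors-headers, cors-methods, cors-credentials) and the hypothetical hostname `gatekeeper.local`; the requests are constructed in-process with `httptest`, so it runs offline. It shows three things a practitioner wants to verify: a request whose Origin header was stripped by a front proxy gets no CORS headers at all (the log line in this thread); an allowed origin is echoed back exactly rather than as `*`; and a wildcard in cors-headers or cors-methods is rejected when credentials are enabled, because browsers treat `*` literally on credentialed requests. Note also that a browser's Origin value always carries a scheme, so an allowlist entry written without one (like `backend-url` above) can never match.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CORSPolicy mirrors the cors-* options discussed in the thread.
// Hypothetical type for this example; it is not gatekeeper's own.
type CORSPolicy struct {
	Origins     []string // exact "scheme://host[:port]" values
	Headers     []string // allowed request headers for preflight
	Methods     []string // allowed methods for preflight
	Credentials bool     // cors-credentials
}

// Validate rejects settings browsers will not honour: with credentials,
// "*" in Allow-Origin/Allow-Headers/Allow-Methods is taken literally.
func (p CORSPolicy) Validate() error {
	if !p.Credentials {
		return nil
	}
	for name, list := range map[string][]string{
		"cors-origins": p.Origins, "cors-headers": p.Headers, "cors-methods": p.Methods,
	} {
		for _, v := range list {
			if v == "*" {
				return fmt.Errorf("%s=* is ineffective with cors-credentials=true", name)
			}
		}
	}
	return nil
}

// allowed does an exact-match lookup; an entry without a scheme never matches
// a real browser Origin, which is why "backend-url" style entries are useless.
func (p CORSPolicy) allowed(origin string) bool {
	for _, o := range p.Origins {
		if o == origin || (o == "*" && !p.Credentials) {
			return true
		}
	}
	return false
}

// Apply sets CORS headers on w for request r and returns a short decision
// string, in the spirit of the "no headers added: missing origin" log line.
func (p CORSPolicy) Apply(w http.ResponseWriter, r *http.Request) string {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// Same-origin/non-browser request, or a front proxy dropped the header.
		return "missing origin"
	}
	if !p.allowed(origin) {
		return "origin not allowed"
	}
	h := w.Header()
	h.Set("Access-Control-Allow-Origin", origin) // echo the exact origin, never "*"
	h.Add("Vary", "Origin")                      // caches must key on Origin
	if p.Credentials {
		h.Set("Access-Control-Allow-Credentials", "true")
	}
	if r.Method == http.MethodOptions {
		h.Set("Access-Control-Allow-Methods", strings.Join(p.Methods, ", "))
		h.Set("Access-Control-Allow-Headers", strings.Join(p.Headers, ", "))
		h.Set("Access-Control-Max-Age", "86400")
		return "preflight"
	}
	return "actual request"
}

// Decide runs the policy against a constructed request (no network) and
// returns the decision plus the response headers that were set.
func Decide(p CORSPolicy, method, origin string) (string, http.Header) {
	req := httptest.NewRequest(method, "http://gatekeeper.local/api/data", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	decision := p.Apply(rec, req)
	return decision, rec.Header()
}

func main() {
	p := CORSPolicy{
		Origins:     []string{"https://frontend.example"}, // constructed sample origin
		Headers:     []string{"Authorization", "Content-Type"},
		Methods:     []string{"GET", "POST", "OPTIONS"},
		Credentials: true,
	}
	cases := []struct{ method, origin string }{
		{"GET", ""}, {"GET", "https://frontend.example"},
		{"OPTIONS", "https://frontend.example"}, {"GET", "https://other.example"},
	}
	for _, c := range cases {
		d, h := Decide(p, c.method, c.origin)
		fmt.Printf("%-7s origin=%q -> %s, ACAO=%q\n", c.method, c.origin, d, h.Get("Access-Control-Allow-Origin"))
	}
	bad := CORSPolicy{Origins: p.Origins, Headers: []string{"*"}, Credentials: true}
	fmt.Println("wildcard check:", bad.Validate())
}
```

The useful diagnostic here is the first case: if gatekeeper logs "missing origin" for a request the browser definitely sent cross-origin, the header is being lost between the browser and gatekeeper (the front proxy), and no amount of cors-* tuning on gatekeeper will change that.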

YuesIt17 commented 1 month ago

It is enough to have the CORS configuration on the front proxy, in your case I assume nginx. If nginx is in front of gatekeeper, it is possible that it removes the Origin header; the message "Actual request no headers added: missing origin" is from the CORS middleware and it is returned when Origin is empty. If you have this configuration on nginx, nginx should send all headers properly to gatekeeper, so it should be working now.

Yes, you are absolutely right. I have added the CORS settings to nginx's config

server {
    listen 443 ssl;
    server_name somesite.com;

    ssl_certificate /etc/ssl/somesite.crt;
    ssl_certificate_key /etc/ssl/somesite.key;

    access_log   /var/log/nginx.access_log  main;

    location / {
        proxy_pass         http://gatekeeper-dev:5551/;
        proxy_redirect     off;

        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        add_header         Access-Control-Allow-Origin https://somesite.com;
        add_header         Access-Control-Allow-Credentials true;
        add_header         Access-Control-Allow-Headers *;
        add_header         Access-Control-Allow-Methods *;
        add_header         Access-Control-Max-Age 86400;
        client_max_body_size             75M;

        proxy_connect_timeout      70;
        proxy_send_timeout         90;
        proxy_read_timeout         90;

        proxy_busy_buffers_size    512k;
        proxy_buffers                        4 512k;
        proxy_buffer_size                256k;
        charset  koi8-r;
    }

    error_page  404  /404.html;

}

I will be monitoring this problem

YuesIt17 commented 1 month ago

@p53 what do you think, is this architecture correct? [image]

I.e. I use the API of gatekeeper on the frontend (ts + reactjs):

Maybe I need to check directly on the keycloak side via 'react-keycloak/web'?

p53 commented 1 month ago

Not sure about your picture/architecture. It should be: browser (user) request = frontend.js -> frontend proxy (from your picture your frontend proxy is gogatekeeper??, you said in the comments above that it is nginx) -> gatekeeper -> backend (serving your frontend/api?)

YuesIt17 commented 1 month ago

Not sure about your picture/architecture. It should be: browser (user) request = frontend.js -> frontend proxy (from your picture your frontend proxy is gogatekeeper??, you said in the comments above that it is nginx) -> gatekeeper -> backend (serving your frontend/api?)

  • Is your keycloak available to the browser (user) = frontend.js? Using the /oauth endpoints is enough, but you can also use keycloak if you want to expose those endpoints publicly, that's up to you

I changed my scheme. My app is proxied through gogatekeeper, but keycloak has a custom authorization page. After login, the user is redirected to nginx (which stores the frontend statics)

[image]

p53 commented 1 month ago

simplified picture of arch [image: arch]; detailed flow and arch [image: arch-complex]. It is not a nice image, I would need quite more time to make it nice, but it should be informative; request/response pairs are in the same colour

YuesIt17 commented 4 weeks ago

simplified picture of arch

Thanks for your help and images, it is very useful for me👍

My simplified image looks like this [image]

Do you have a plan to add the arch to our gogatekeeper repository page?

p53 commented 4 weeks ago

There are different setups which users might need, so the architecture is up to the user; there is no single one which fits all user scenarios... so not sure if this should be part of the docs, maybe only as an example

YuesIt17 commented 3 weeks ago

There are different setups which users might need, so the architecture is up to the user; there is no single one which fits all user scenarios... so not sure if this should be part of the docs, maybe only as an example

Yes, as an example it would be great, especially a detailed example🤝