Open russjones opened 3 years ago
Testing this now, the inverse of this problem now seems to be occurring (i.e., having a trailing slash doesn't work, but removing it fixes it).
issuer_url: https://dev-28344168.okta.com <--- works
issuer_url: https://dev-28344168.okta.com/ <--- doesn't work
This error is logged when attempting to log in with the trailing slash:
2024-10-04T13:54:49-04:00 ERRO [WEB.ENTER] Error creating auth request. auth:oidc error:[
ERROR REPORT:
Original Error: *interceptors.RemoteError timed out syncing oidc connector okta, ensure URL "https://dev-28344168.okta.com/" is valid and accessible and check configuration
Stack Trace:
github.com/gravitational/teleport/api@v0.0.0/client/client.go:2001 github.com/gravitational/teleport/api/client.(*Client).CreateOIDCAuthRequest
github.com/gravitational/teleport/e/lib/web/sso.go:40 github.com/gravitational/teleport/e/lib/web.(*Plugin).oidcLoginWeb
github.com/gravitational/teleport/lib/web/apiserver.go:4493 github.com/gravitational/teleport/e/lib/web.(*Plugin).RegisterProxyWebHandlers.(*Handler).WithRedirect.func18
github.com/julienschmidt/httprouter@v1.3.0/router.go:399 github.com/julienschmidt/httprouter.(*Router).ServeHTTP
net/http/server.go:2282 github.com/gravitational/teleport/lib/web.NewHandler.func1.StripPrefix.1
net/http/server.go:2220 net/http.HandlerFunc.ServeHTTP
github.com/gravitational/teleport/lib/web/apiserver.go:599 github.com/gravitational/teleport/lib/web.NewHandler.func1
net/http/server.go:2220 net/http.HandlerFunc.ServeHTTP
github.com/julienschmidt/httprouter@v1.3.0/router.go:460 github.com/julienschmidt/httprouter.(*Router).ServeHTTP
github.com/gravitational/teleport/lib/web/apiserver.go:437 github.com/gravitational/teleport/lib/web.(*APIHandler).ServeHTTP
github.com/gravitational/oxy@v0.0.0-20231219172753-f855322f2a6c/ratelimit/tokenlimiter.go:118 github.com/gravitational/oxy/ratelimit.(*TokenLimiter).ServeHTTP
github.com/gravitational/teleport/lib/limiter/connlimiter.go:84 github.com/gravitational/teleport/lib/limiter.(*ConnectionsLimiter).ServeHTTP
github.com/gravitational/teleport/lib/limiter/limiter.go:83 github.com/gravitational/teleport/lib/limiter.(*Limiter).ServeHTTP
github.com/gravitational/teleport/lib/httplib/httplib.go:104 github.com/gravitational/teleport/lib/httplib.MakeTracingHandler.func1
net/http/server.go:2220 net/http.HandlerFunc.ServeHTTP
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.55.0/handler.go:177 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*middleware).serveHTTP
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.55.0/handler.go:65 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.NewMiddleware.func1.1
net/http/server.go:2220 net/http.HandlerFunc.ServeHTTP
net/http/server.go:3210 net/http.serverHandler.ServeHTTP
net/http/server.go:2092 net/http.(*conn).serve
runtime/asm_arm64.s:1223 runtime.goexit
User Message: timed out syncing oidc connector okta, ensure URL "https://dev-28344168.okta.com/" is valid and accessible and check configuration] web/sso.go:51
In the audit log:
SSO user login failed [timed out syncing oidc connector okta, ensure URL "https://dev-28344168.okta.com/" is valid and accessible and check configuration]
If you forget to include a trailing slash in your OIDC connector issuer_url, Teleport throws the below error. It goes away when you include a trailing slash.
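A pre-flight check for the trailing-slash sensitivity reported in this issue, as an added example that is not Teleport's code and does not reproduce its connector sync logic. OpenID Connect Discovery requires the `issuer` value in the provider's metadata to match the configured issuer URL exactly, so the check separates a slash-only difference from a real mismatch; the host `idp.example.com`, the sample metadata and the function names `discoveryURL` and `checkIssuer` are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// discoveryURL builds the provider metadata URL for a configured issuer_url.
// One trailing "/" is trimmed first, so both spellings of the issuer resolve
// to the same /.well-known/openid-configuration document.
func discoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// checkIssuer compares the configured issuer_url with the "issuer" field of a
// discovery document. The comparison is an exact string match, so a
// trailing-slash difference is reported separately from a real mismatch.
func checkIssuer(configured string, discoveryDoc []byte) error {
	var meta struct {
		Issuer string `json:"issuer"`
	}
	if err := json.Unmarshal(discoveryDoc, &meta); err != nil {
		return fmt.Errorf("parsing discovery document: %w", err)
	}
	if meta.Issuer == "" {
		return errors.New("discovery document has no issuer field")
	}
	switch {
	case configured == meta.Issuer:
		return nil
	case strings.TrimSuffix(configured, "/") == strings.TrimSuffix(meta.Issuer, "/"):
		return fmt.Errorf("issuer_url %q differs from advertised issuer %q only by a trailing slash", configured, meta.Issuer)
	default:
		return fmt.Errorf("issuer_url %q does not match advertised issuer %q", configured, meta.Issuer)
	}
}

// Constructed sample metadata (assumption: this provider advertises no trailing slash).
const sampleDiscovery = `{"issuer":"https://idp.example.com","jwks_uri":"https://idp.example.com/keys"}`

func main() {
	for _, u := range []string{"https://idp.example.com", "https://idp.example.com/"} {
		fmt.Printf("%s\n  metadata: %s\n  result: %v\n", u, discoveryURL(u), checkIssuer(u, []byte(sampleDiscovery)))
	}
}
```

In practice the document passed to `checkIssuer` would be the body fetched from `discoveryURL(issuer_url)`; the value to put in the connector is whatever string the provider advertises there.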