gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

OIDC connectors require trailing slash in issuers. #6879

Open russjones opened 3 years ago

russjones commented 3 years ago

If you forget to include a trailing slash in your OIDC connector issuer_url, Teleport throws the below error. It goes away when you include a trailing slash.

  issuer_url: https://foo.example.com/  <-- works
  issuer_url: https://foo.example.com  <-- does not work  
Original Error: *trace.ConnectionProblemError failed to reach out to oidc connector auth0, most likely URL "https://rusty-oidc.us.auth0.com" is not valid or not accessible, check configuration and try to re-create the connector
Stack Trace:
    /home/rjones/go/src/github.com/gravitational/teleport/lib/auth/oidc.go:98 github.com/gravitational/teleport/lib/auth.(*Server).createOIDCClient
    /home/rjones/go/src/github.com/gravitational/teleport/lib/auth/oidc.go:50 github.com/gravitational/teleport/lib/auth.(*Server).getOrCreateOIDCClient
    /home/rjones/go/src/github.com/gravitational/teleport/lib/auth/oidc.go:182 github.com/gravitational/teleport/lib/auth.(*Server).CreateOIDCAuthRequest
    /home/rjones/go/src/github.com/gravitational/teleport/lib/auth/auth_with_roles.go:1623 github.com/gravitational/teleport/lib/auth.(*ServerWithRoles).CreateOIDCAuthRequest
rudream commented 3 weeks ago

Testing this now, the inverse of this problem now seems to be occurring (i.e. having a trailing slash doesn't work but removing it fixes it).

issuer_url: https://dev-28344168.okta.com <--- works
issuer_url: https://dev-28344168.okta.com/ <--- doesn't work

This error is logged when attempting to log in with the trailing slash:

2024-10-04T13:54:49-04:00 ERRO [WEB.ENTER] Error creating auth request. auth:oidc error:[
ERROR REPORT:
Original Error: *interceptors.RemoteError timed out syncing oidc connector okta, ensure URL "https://dev-28344168.okta.com/" is valid and accessible and check configuration
Stack Trace:
        github.com/gravitational/teleport/api@v0.0.0/client/client.go:2001 github.com/gravitational/teleport/api/client.(*Client).CreateOIDCAuthRequest
        github.com/gravitational/teleport/e/lib/web/sso.go:40 github.com/gravitational/teleport/e/lib/web.(*Plugin).oidcLoginWeb
        github.com/gravitational/teleport/lib/web/apiserver.go:4493 github.com/gravitational/teleport/e/lib/web.(*Plugin).RegisterProxyWebHandlers.(*Handler).WithRedirect.func18
        github.com/julienschmidt/httprouter@v1.3.0/router.go:399 github.com/julienschmidt/httprouter.(*Router).ServeHTTP
        net/http/server.go:2282 github.com/gravitational/teleport/lib/web.NewHandler.func1.StripPrefix.1
        net/http/server.go:2220 net/http.HandlerFunc.ServeHTTP
        github.com/gravitational/teleport/lib/web/apiserver.go:599 github.com/gravitational/teleport/lib/web.NewHandler.func1
        net/http/server.go:2220 net/http.HandlerFunc.ServeHTTP
        github.com/julienschmidt/httprouter@v1.3.0/router.go:460 github.com/julienschmidt/httprouter.(*Router).ServeHTTP
        github.com/gravitational/teleport/lib/web/apiserver.go:437 github.com/gravitational/teleport/lib/web.(*APIHandler).ServeHTTP
        github.com/gravitational/oxy@v0.0.0-20231219172753-f855322f2a6c/ratelimit/tokenlimiter.go:118 github.com/gravitational/oxy/ratelimit.(*TokenLimiter).ServeHTTP
        github.com/gravitational/teleport/lib/limiter/connlimiter.go:84 github.com/gravitational/teleport/lib/limiter.(*ConnectionsLimiter).ServeHTTP
        github.com/gravitational/teleport/lib/limiter/limiter.go:83 github.com/gravitational/teleport/lib/limiter.(*Limiter).ServeHTTP
        github.com/gravitational/teleport/lib/httplib/httplib.go:104 github.com/gravitational/teleport/lib/httplib.MakeTracingHandler.func1
        net/http/server.go:2220 net/http.HandlerFunc.ServeHTTP
        go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.55.0/handler.go:177 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*middleware).serveHTTP
        go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.55.0/handler.go:65 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.NewMiddleware.func1.1
        net/http/server.go:2220 net/http.HandlerFunc.ServeHTTP
        net/http/server.go:3210 net/http.serverHandler.ServeHTTP
        net/http/server.go:2092 net/http.(*conn).serve
        runtime/asm_arm64.s:1223 runtime.goexit
User Message: timed out syncing oidc connector okta, ensure URL "https://dev-28344168.okta.com/" is valid and accessible and check configuration] web/sso.go:51

in audit log:

SSO user login failed [timed out syncing oidc connector okta, ensure URL "https://dev-28344168.okta.com/" is valid and accessible and check configuration]
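Both comments above describe the same underlying rule: OpenID Connect Discovery 1.0 builds the metadata URL by stripping a trailing slash from the issuer, but then requires the `issuer` advertised in that metadata to be byte-for-byte identical to the configured value, so the trailing slash matters in whichever direction the provider happens to emit it. The Go program below is an added illustration of that check and is not Teleport's own code; the discovery document and the `idp.example.test` issuer are constructed, and the mismatch hint it returns is a hypothetical diagnostic, not a Teleport error message.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// WellKnownURL builds the discovery URL the way OpenID Connect Discovery 1.0
// section 4 prescribes: remove one terminating "/" from the issuer, then
// append the well-known path. Both "https://x" and "https://x/" map to the
// same URL, which is why fetching the document alone never exposes the slash.
func WellKnownURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// discoveryDoc holds the only provider-metadata field this check needs.
type discoveryDoc struct {
	Issuer string `json:"issuer"`
}

// CheckIssuer parses a discovery document and applies the spec's section 4.3
// rule: the advertised issuer MUST be identical to the issuer_url used to
// fetch it. A slash present on one side only is a hard failure; the check
// names that case explicitly so an operator can see what to copy exactly.
func CheckIssuer(configured string, doc []byte) error {
	var d discoveryDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return fmt.Errorf("parse discovery document: %w", err)
	}
	if d.Issuer == configured {
		return nil
	}
	if strings.TrimSuffix(d.Issuer, "/") == strings.TrimSuffix(configured, "/") {
		// Hypothetical hint text added for this example.
		return fmt.Errorf("issuer mismatch: provider advertises %q but issuer_url is %q (differs only by trailing slash; use the provider's value verbatim)", d.Issuer, configured)
	}
	return fmt.Errorf("issuer mismatch: provider advertises %q but issuer_url is %q", d.Issuer, configured)
}

func main() {
	// Constructed discovery document, not captured from any real provider.
	doc := []byte(`{"issuer":"https://idp.example.test"}`)
	for _, cfg := range []string{"https://idp.example.test", "https://idp.example.test/"} {
		fmt.Printf("%-28s -> discovery %s\n", cfg, WellKnownURL(cfg))
		fmt.Printf("%-28s -> %v\n", cfg, CheckIssuer(cfg, doc))
	}
}
```

Swapping the constructed document's `issuer` to end in `/` reproduces the first comment's direction, where only the slashed `issuer_url` passes.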