greenpau / caddy-security

Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. Authorization with JWT/PASETO tokens.
https://authcrunch.com/
Apache License 2.0

breakfix: Unable to authenticate with more than 1 replica #342

Closed andrefmarques closed 3 months ago

andrefmarques commented 3 months ago

Describe the issue

I'm using ghcr.io/authp/authp:v1.0.5 with the Caddyfile described below to provide a login page to authenticate and access some services. This is deployed on GKE. Everything works as expected when using 1 replica, but when there's more than 1 replica the authentication fails, when entering the password or the username.

Configuration

{
    debug
    order authenticate before respond
    order authorize before basicauth

    security {
        local identity store localdb {
            realm local
            path /tmp/users.json
        }

        authentication portal partners {
            crypto key sign-verify 428f41ab-67ec-47d1-8633-bcade9dcc7ed

            enable identity store localdb
            cookie domain partners.domain.com

            ui {
                links {
                    "Service1" "/portal/service/index.html" icon "las la-phone"
                }
            }

        }

        authorization policy partners {
            set auth url https://partners.domain.com/auth
            allow roles authp/admin authp/user authp/guest
            crypto key verify 428f41ab-67ec-47d1-8633-bcade9dcc7ed

            validate bearer header
            inject headers with claims
            inject header "X-Entreprise-Local-Internal" from "X-Entreprise-Local-Internal"
        }

    }
}

:8080 {
    route /* {
        authenticate with partners
    }

    route /portal/service* {
        authorize * with partners
        reverse_proxy http://portal-gateway.istio-system.svc.cluster.local:8080 {
            header_up Host portal-gateway.istio-system.svc.cluster.local
        }
    }

}

Version Information

http.authentication.hashes.bcrypt v2.7.5
http.authentication.hashes.scrypt v2.7.5
http.authentication.providers.http_basic v2.7.5
http.handlers.authentication v2.7.5
tls.client_auth.leaf v2.7.5
http.authentication.providers.authorizer v1.1.21
http.handlers.authenticator v1.1.21
security v1.1.21
security.secrets.aws_secrets_manager v1.0.1

Expected behavior

Be able to authenticate when using more than 1 replica

Additional context

Deployed in GKE with Deployment and istio sidecar.

greenpau commented 3 months ago

First, please migrate to using ghcr.io/authcrunch/authcrunch. See here.

@andrefmarques , the instances do not share state by design.

There is a cookie with a unique session id: AUTHP_SESSION_ID. Configure the load balancer with sticky sessions based on the cookie.

GKE does not support setting your own cookie. BUT, it can generate its own.


Look for the term "Session affinity". See https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#session_affinity

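An added example, not from the issue or the project, of the GKE session-affinity configuration greenpau refers to: a BackendConfig with a load-balancer-generated cookie, attached to the Service that fronts the authp replicas, so every request in a browser session reaches the same replica. The resource names, the Service port and the cookie TTL are assumptions.

```yaml
# Assumed names: Service "authp" on port 8080, BackendConfig "authp-affinity".
# GKE cannot key affinity on the portal's own AUTHP_SESSION_ID cookie; instead
# the Google Cloud load balancer issues its own affinity cookie (GCLB) and
# routes later requests carrying it to the same backend endpoint.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: authp-affinity
spec:
  sessionAffinity:
    affinityType: "GENERATED_COOKIE"
    # Assumed TTL; keep it at least as long as the portal's session lifetime,
    # otherwise a still-valid AUTHP_SESSION_ID can land on a replica that
    # never saw the login and the user is bounced back to the form.
    affinityCookieTtlSec: 3600
---
apiVersion: v1
kind: Service
metadata:
  name: authp
  annotations:
    # Bind the BackendConfig to the port the Ingress sends traffic to.
    cloud.google.com/backend-config: '{"ports": {"8080": "authp-affinity"}}'
spec:
  selector:
    app: authp
  ports:
    - name: http
      port: 8080
      targetPort: 8080
```

After applying, confirm with `kubectl describe backendconfig authp-affinity` and check that responses from the Ingress carry a `GCLB` cookie; if each replica still holds its own sessions, a lost replica still logs its users out, which is the expected consequence of the per-instance state design.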