istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Invalid padding detected: GET request without QUERY #109

Closed dippynark closed 4 years ago

dippynark commented 4 years ago

I have deployed the authservice very similarly to the Bookinfo example except I have deployed it as its own Deployment in its own Namespace with an EnvoyFilter configuring redirection for my application. I have therefore exposed authservice with a separate Gateway. I am using dex as my identity provider on the same cluster.

Most things seem to be working, however after signing into dex and getting redirected to the authservice callback (e.g. https://authservice./oauth/callback?code=y4df3ohtmbkpem7mvk2yrbkk4&state=c-e8G4sKuars0dWry2zixAtG_Ou9itd0PHPmrjyFJ4k) I am seeing

upstream connect error or disconnect/reset before headers. reset reason: remote reset

with the following in the authservice logs

[2020-07-06 16:04:50.145] [console] [info] GetSessionIdFromCookie: __Host-authservice-authservice-session-id-cookie session id cookie missing
[2020-07-06 16:04:50.145] [console] [info] Process: No session cookie detected. Generating new session and sending user to re-authenticate.
[2020-07-06 16:04:50.146] [console] [trace] Request processing complete
[2020-07-06 16:04:50.146] [console] [trace] Processing completion and deleting state
E0706 16:04:56.087232908       1 b64.cc:168]                 Invalid padding detected.
E0706 16:04:56.093079904       1 b64.cc:168]                 Invalid padding detected.
E0706 16:04:56.120460228       1 b64.cc:168]                 Invalid padding detected.
E0706 16:04:56.193790372       1 http_server_filter.cc:277]  GET request without QUERY
E0706 16:04:56.210178748       1 http_server_filter.cc:277]  GET request without QUERY
E0706 16:04:56.220458189       1 http_server_filter.cc:277]  GET request without QUERY
[2020-07-06 16:05:36.586] [console] [info] operator(): Starting periodic cleanup (period of 60 seconds)
[2020-07-06 16:05:36.586] [console] [info] DoPeriodicCleanup: removing expired sessions from chain idp_filter_chain

My authservice config looks like:

{
  "listen_address": "0.0.0.0",
  "listen_port": "10003",
  "log_level": "trace",
  "threads": 8,
  "chains": [
    {
      "name": "idp_filter_chain",
      "filters": [
      {
        "oidc":
          {
            "authorization_uri": "https://dex.<MY_DOMAIN>/auth",
            "token_uri": "https://dex.<MY_DOMAIN>/token",
            "callback_uri": "https://authservice.<MY_DOMAIN>/oauth/callback",
            "jwks": "{\"keys\":[{\"use\":\"sig\",\"kty\":\"RSA\",\"kid\":\"8b3dd8a504bf055c71df49af8428fa14b6322553\",\"alg\":\"RS256\",\"n\":\"vJYoeabiie9l8XQ4fKYTSBrxRFlq4BkQATttrqfLQwvBs30qxDJYWqLojOrglxrTZwonHjNvn_mRz-_h993Bi9rvKWulm5TnWI1fjroGuXqMmYgRmeLojgbqXsJmxTMiZL0TyYLGsJH7TM3zXyO1pVx0UEAntfWcA5vJIE0L3-eJkEPgtj_P2FsITPnDJDJT7Q5TARNAtde8aXO75b_K6ShPaI6IsdyRCN2E5uztWL35X7XSkdfdV5EGXjh5d9LEkEMjiUM2YnGgzSyVyI6SW2anNizaUiUHikS0njv3l-XMpwEIpD5g7QvmwJpUWyaz4r1UDDXkbvGCOU5Fu5zTcw\",\"e\":\"AQAB\"}]}",
            "client_id": "authservice",
            "client_secret": "authservice",
            "scopes": [],
            "cookie_name_prefix": "authservice",
            "id_token": {
              "preamble": "Bearer",
              "header": "Authorization"
            },
            "logout": {
              "path": "/authservice_logout",
              "redirect_uri": "https://dex.<MY_DOMAIN>/logout"
            }
          }
        }
      ]
    }
  ]
}

I am using the following rather ugly command to generate the jwks field (potentially the mistake is there but I cannot see any):

printf "%q" `curl https://dex.<MY_DOMAIN>/keys` | sed 's/\\{/\{/g' | sed 's/\\}/\}/g' | sed 's/\\\[/[/g' | sed 's/\\\]/]/g'

Here's the raw response:

$ curl https://dex.<MY_DOMAIN>/keys
{
  "keys": [
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "8b3dd8a504bf055c71df49af8428fa14b6322553",
      "alg": "RS256",
      "n": "vJYoeabiie9l8XQ4fKYTSBrxRFlq4BkQATttrqfLQwvBs30qxDJYWqLojOrglxrTZwonHjNvn_mRz-_h993Bi9rvKWulm5TnWI1fjroGuXqMmYgRmeLojgbqXsJmxTMiZL0TyYLGsJH7TM3zXyO1pVx0UEAntfWcA5vJIE0L3-eJkEPgtj_P2FsITPnDJDJT7Q5TARNAtde8aXO75b_K6ShPaI6IsdyRCN2E5uztWL35X7XSkdfdV5EGXjh5d9LEkEMjiUM2YnGgzSyVyI6SW2anNizaUiUHikS0njv3l-XMpwEIpD5g7QvmwJpUWyaz4r1UDDXkbvGCOU5Fu5zTcw",
      "e": "AQAB"
    }
  ]
}

I am using the latest authservice image: v0.3.1

dippynark commented 4 years ago

I'm a fool, the callback URL should be going to my application rather than directly to the authservice Deployment.

Fixed by changing https://authservice.<MY_DOMAIN>/oauth/callback to https://grafana.<MY_DOMAIN>/oauth/callback in my case

cfryanr commented 4 years ago

Glad you figured it out!
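
As an added example (not code from this issue or from the authservice project): a small Python script that builds the chain config shown above with the `jwks` field embedded as an escaped JSON string, replacing the printf/sed pipeline, and then lints the result for the mistake that closed this issue, a `callback_uri` that points at the authservice Deployment instead of at the protected application. The hostnames `grafana.example.com`, `dex.example.com` and `authservice.example.com` are assumed placeholders standing in for `<MY_DOMAIN>`; the JWKS document is the one dex returned in the thread. The `E0706 ... b64.cc` / `http_server_filter.cc` lines in the log are emitted by gRPC core, which is the protocol authservice's ext_authz listener speaks, so a browser redirect landing on that listener directly is consistent with exactly those errors; the lint flags that configuration before it is deployed.

```python
import json
from urllib.parse import urlparse

# JWKS document as returned by the dex "/keys" endpoint in the issue above
# (copied from the thread; it is the public signing key dex publishes).
DEX_JWKS = {
    "keys": [
        {
            "use": "sig",
            "kty": "RSA",
            "kid": "8b3dd8a504bf055c71df49af8428fa14b6322553",
            "alg": "RS256",
            "n": "vJYoeabiie9l8XQ4fKYTSBrxRFlq4BkQATttrqfLQwvBs30qxDJYWqLojOrglxrTZwonHjNvn_mRz-_h993Bi9rvKWulm5TnWI1fjroGuXqMmYgRmeLojgbqXsJmxTMiZL0TyYLGsJH7TM3zXyO1pVx0UEAntfWcA5vJIE0L3-eJkEPgtj_P2FsITPnDJDJT7Q5TARNAtde8aXO75b_K6ShPaI6IsdyRCN2E5uztWL35X7XSkdfdV5EGXjh5d9LEkEMjiUM2YnGgzSyVyI6SW2anNizaUiUHikS0njv3l-XMpwEIpD5g7QvmwJpUWyaz4r1UDDXkbvGCOU5Fu5zTcw",
            "e": "AQAB",
        }
    ]
}


def jwks_to_config_string(jwks: dict) -> str:
    """authservice takes the JWKS as a *string* field, i.e. JSON inside JSON.
    Compact serialisation drops the whitespace the printf/sed pipeline in the
    issue had to fight with; json.dumps of the outer config then adds the
    backslash-escaped quotes by itself."""
    return json.dumps(jwks, separators=(",", ":"))


def render_oidc_config(jwks, app_host, idp_host, client_id, client_secret):
    """Build the chain config from the issue. Hostnames are assumed placeholders.
    callback_uri deliberately lives under app_host: the callback must reach the
    protected application, whose sidecar runs the ext_authz EnvoyFilter that
    forwards the request to authservice, not the authservice Deployment."""
    return {
        "listen_address": "0.0.0.0",
        "listen_port": "10003",
        "log_level": "trace",
        "threads": 8,
        "chains": [{
            "name": "idp_filter_chain",
            "filters": [{"oidc": {
                "authorization_uri": f"https://{idp_host}/auth",
                "token_uri": f"https://{idp_host}/token",
                "callback_uri": f"https://{app_host}/oauth/callback",
                "jwks": jwks_to_config_string(jwks),
                "client_id": client_id,
                # In a real deployment inject this from a Kubernetes Secret
                # rather than committing it in the ConfigMap with the config.
                "client_secret": client_secret,
                "scopes": [],
                "cookie_name_prefix": "authservice",
                "id_token": {"preamble": "Bearer", "header": "Authorization"},
                "logout": {"path": "/authservice_logout",
                           "redirect_uri": f"https://{idp_host}/logout"},
            }}],
        }],
    }


def lint_config(config, authservice_host):
    """Return a list of problems with the config. Catches the two things that
    can go wrong in this issue: a callback_uri whose host is authservice's own
    (the browser would then hit the gRPC ext_authz listener directly), and a
    jwks field that is not a JSON-encoded JWKS string with a usable RSA key."""
    problems = []
    for chain in config.get("chains", []):
        name = chain.get("name", "?")
        for flt in chain.get("filters", []):
            oidc = flt.get("oidc")
            if oidc is None:
                continue
            cb = urlparse(oidc.get("callback_uri", ""))
            if cb.scheme != "https":
                problems.append(f"{name}: callback_uri must be https "
                                f"(__Host- cookies need a secure origin)")
            if cb.hostname == authservice_host:
                problems.append(f"{name}: callback_uri points at authservice "
                                f"({authservice_host}); it must be a route "
                                f"served by the protected application")
            try:
                keys = json.loads(oidc.get("jwks"))["keys"]
            except (TypeError, ValueError, KeyError):
                problems.append(f"{name}: jwks is not a JSON-encoded JWKS string")
                continue
            usable = [k for k in keys if isinstance(k, dict)
                      and k.get("kty") == "RSA" and k.get("n") and k.get("e")]
            if not usable:
                problems.append(f"{name}: jwks contains no usable RSA signing key")
    return problems


if __name__ == "__main__":
    cfg = render_oidc_config(DEX_JWKS, "grafana.example.com",
                             "dex.example.com", "authservice", "authservice")
    for p in lint_config(cfg, "authservice.example.com"):
        print("PROBLEM:", p)
    print(json.dumps(cfg, indent=2))
```

Running the script prints the config ready to drop into the authservice ConfigMap; feeding `render_oidc_config` the authservice hostname as `app_host` reproduces the misconfiguration from the first comment and `lint_config` reports it instead of letting Envoy surface it as `upstream connect error`.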