istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Documentation/example for "trusted_certificate_authority" #121

Open atoy3731 opened 4 years ago

atoy3731 commented 4 years ago

Can an example be provided detailing how exactly to reference a multi-line trusted CA using the trusted_certificate_authority option? There's no way to tell if it is an escaped string with \n, a base64-encoded value, or a pointer to a file that should be mounted into the container.

We've tried most of the above with no luck.

perezjasonr commented 3 years ago

Can we convert this to a proposal wherein that value is a base64-encoded value? I tried that initially and it didn't seem to like that. The bookinfo example is a Helm chart and it would be much easier to pass the value in that way.

perezjasonr commented 3 years ago

Did you ever figure this out? I took the CA that is used to secure our Keycloak with HTTPS (from cert-manager).

It's an escaped string with \n, which I've seen other folks apparently doing.

But I keep getting:

[2021-09-17 14:18:33.365] [console] [trace] MatchesCallbackRequest: matches_callback: true
[2021-09-17 14:18:33.365] [console] [trace] RetrieveToken
[2021-09-17 14:18:33.365] [console] [trace] Post
[2021-09-17 14:18:33.365] [console] [info] Post: Trusting the provided certificate authority
[2021-09-17 14:18:33.365] [console] [info] Post: opening connection to keycloak.myredacteddomain.com:443
[2021-09-17 14:18:33.378] [console] [info] Post: unexpected exception: CERTIFICATE_VERIFY_FAILED
[2021-09-17 14:18:33.378] [console] [info] RetrieveToken: HTTP error encountered: IdP connection error
[2021-09-17 14:18:33.378] [console] [trace] Request processing complete
[2021-09-17 14:18:33.378] [console] [trace] Processing completion and deleting state
[2021-09-17 14:19:02.729] [console] [info] operator(): Starting periodic cleanup (period of 60 seconds)

When I do a curl call with the same CA in a file, it seems to be OK with the token endpoint:

curl --cacert ca.crt -L -X POST https://keycloak.myredacteddomain.com/auth/realms/endgame/protocol/openid-connect/token -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=bookinfo' --data-urlencode 'grant_type=password' --data-urlencode 'client_secret=same-secret-thats-in-the-configmap' --data-urlencode 'scope=openid' --data-urlencode 'username=user' --data-urlencode 'password=password'

perezjasonr commented 3 years ago

OK, I think I finally got it... I think. For me, what got past this was providing it the CA of Keycloak's HTTPS endpoint, in escaped string format with \ns. I hope someone finds this useful.
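The thread settles on passing the CA as a single line with literal `\n` escapes. As an added example (not code from authservice or from anyone in this thread), the script below converts a PEM file such as the `ca.crt` used with curl into that escaped form, checks the result really is one line, and converts it back to prove the bytes survive the round trip. The sample certificate body is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example: PEM <-> "\n"-escaped single line, for config values like
# trusted_certificate_authority that must hold a multi-line CA in one string.
set -eu

# Write a constructed placeholder PEM (NOT a real certificate) to stdout.
make_sample_pem() {
    cat <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleCONSTRUCTEDplaceholderBODYnotARealCertificate0123456789
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/==
-----END CERTIFICATE-----
EOF
}

# Cheap sanity check before escaping: a CA bundle must at least carry
# PEM certificate markers, otherwise the value is not what the option wants.
pem_looks_valid() {
    # $1: path to the PEM file; returns 0 when markers are present
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Collapse a PEM file into one line; every newline becomes the two
# characters backslash and n. awk avoids sed/shell backslash surprises.
pem_to_escaped() {
    # $1: path to the PEM file
    awk 'BEGIN { ORS = "" } { print $0 "\\n" }' "$1"
}

# Reverse the transformation: expand each literal "\n" back into a newline.
escaped_to_pem() {
    # $1: the escaped single-line string
    printf '%s' "$1" | awk '{ gsub(/\\n/, "\n"); print }' ORS=''
}

# Stand-alone demo: escape the sample and show it round-trips unchanged.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_pem > "$tmp"
    pem_looks_valid "$tmp"
    esc=$(pem_to_escaped "$tmp")
    printf 'escaped value:\n%s\n' "$esc"
    escaped_to_pem "$esc" | cmp -s - "$tmp" && echo "round trip OK"
    rm -f "$tmp"
fi
```

Run with `sh escape_ca.sh demo` to print the escaped value; the same `ca.crt` that works with `curl --cacert` can be fed to `pem_to_escaped` directly.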