istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

HTTP Redirects end up with lost token information #232

Closed brostwalt87 closed 8 months ago

brostwalt87 commented 1 year ago

We are having issues when entering http:// or URLs without any http prefix. Normally they should redirect to https, then go to our Keycloak server, and redirect back to the application. It seems, however, that whenever this occurs, we hit the Keycloak server, authenticate, then the Keycloak server again, then it hits the callback URI and we get an

Oops, your session has expired. Please try again.

Below are logs that have been slightly edited to remove extraneous/potentially sensitive info:

[2023-03-01 18:11:07.033] [console] [debug] Check: processing request http://app1.staging.dso.mil/ with filter chain app1
[2023-03-01 18:11:07.033] [console] [trace] New
[2023-03-01 18:11:07.033] [console] [trace] OidcFilter
[2023-03-01 18:11:07.033] [console] [trace] Process
[2023-03-01 18:11:07.033] [console] [debug] Call from @10.42.32.0 to @10.42.30.195
[2023-03-01 18:11:07.033] [console] [info] GetSessionIdFromCookie: __Host-app1-authservice-session-id-cookie session id cookie missing
[2023-03-01 18:11:07.033] [console] [info] Process: No session cookie detected. Generating new session and sending user to re-authenticate.
[2023-03-01 18:11:07.036] [console] [trace] Request processing complete
[2023-03-01 18:11:07.036] [console] [trace] Processing completion and deleting state
[2023-03-01 18:11:08.498] [console] [trace] Creating V3 request processor state
[2023-03-01 18:11:08.498] [console] [trace] Creating V3 request processor state
[2023-03-01 18:11:08.499] [console] [trace] Launching request processor worker
[2023-03-01 18:11:08.499] [console] [trace] Processing request

[2023-03-01 18:11:16.908] [console] [debug] Check: processing request https://app1.staging.dso.mil/oauth/callback<REDACTED_TOKEN_INFO> with filter chain app1
[2023-03-01 18:11:16.908] [console] [trace] New
[2023-03-01 18:11:16.908] [console] [trace] OidcFilter
[2023-03-01 18:11:16.908] [console] [trace] Process
[2023-03-01 18:11:16.908] [console] [debug] Call from @10.42.23.0 to dso.mil@10.42.30.195
[2023-03-01 18:11:16.908] [console] [info] GetSessionIdFromCookie: __Host-app1-authservice-session-id-cookie session id cookie missing
[2023-03-01 18:11:16.908] [console] [info] Process: No session cookie detected. Generating new session and sending user to re-authenticate.
[2023-03-01 18:11:16.909] [console] [trace] Request processing complete
[2023-03-01 18:11:16.909] [console] [trace] Processing completion and deleting state
[2023-03-01 18:11:17.288] [console] [trace] Creating V3 request processor state
[2023-03-01 18:11:17.288] [console] [trace] Launching request processor worker
[2023-03-01 18:11:17.288] [console] [trace] Processing request

[2023-03-01 18:11:22.093] [console] [debug] Check: processing request https://app1.staging.dso.mil/oauth/callback?state=<REDACTED> with filter chain app1
[2023-03-01 18:11:22.093] [console] [trace] New
[2023-03-01 18:11:22.093] [console] [trace] OidcFilter
[2023-03-01 18:11:22.093] [console] [trace] Process
[2023-03-01 18:11:22.093] [console] [debug] Call from @10.42.23.0 to dso.mil@10.42.30.195
[2023-03-01 18:11:22.093] [console] [trace] MatchesCallbackRequest: checking handler for https://app1.staging.dso.mil/oauth/callback?<REDACTED_TOKEN_INFO>
[2023-03-01 18:11:22.093] [console] [trace] MatchesCallbackRequest: matches_callback: true 
[2023-03-01 18:11:22.093] [console] [trace] RetrieveToken
[2023-03-01 18:11:22.093] [console] [trace] DecodeQueryData decode query: state=<REDACTED>
[2023-03-01 18:11:22.096] [console] [trace] Post
[2023-03-01 18:11:22.107] [console] [info] Post: Trusting the provided certificate authority
[2023-03-01 18:11:22.107] [console] [info] Post: opening connection to login.dso.mil:443
[2023-03-01 18:11:22.167] [console] [trace] Post: closing connection, response payload size 11077
[2023-03-01 18:11:22.171] [console] [info] RetrieveToken: Saving token response to session store
[2023-03-01 18:11:22.176] [console] [trace] Request processing complete
[2023-03-01 18:11:22.176] [console] [trace] Processing completion and deleting state
[2023-03-01 18:11:22.426] [console] [trace] Creating V3 request processor state
[2023-03-01 18:11:22.426] [console] [trace] Launching request processor worker
[2023-03-01 18:11:22.426] [console] [trace] Processing request

[2023-03-01 18:11:22.427] [console] [debug] Check: processing request https://app1.staging.dso.mil/oauth/callback?state=<REDACTED> with filter chain app1
[2023-03-01 18:11:22.427] [console] [trace] New
[2023-03-01 18:11:22.427] [console] [trace] OidcFilter
[2023-03-01 18:11:22.427] [console] [trace] Process
[2023-03-01 18:11:22.427] [console] [debug] Call from @10.42.23.0 to dso.mil@10.42.30.195
[2023-03-01 18:11:22.427] [console] [trace] MatchesCallbackRequest: checking handler for https://app1.staging.dso.mil/oauth/callback?state=<REDACTED>
[2023-03-01 18:11:22.427] [console] [trace] MatchesCallbackRequest: matches_callback: true 
[2023-03-01 18:11:22.427] [console] [trace] RetrieveToken
[2023-03-01 18:11:22.427] [console] [trace] DecodeQueryData decode query: state=<REDACTED>
[2023-03-01 18:11:22.427] [console] [info] RetrieveToken: Missing state, nonce, and original url requested by the user. Cannot redirect.
[2023-03-01 18:11:22.427] [console] [trace] Request processing complete
[2023-03-01 18:11:22.427] [console] [trace] Processing completion and deleting state
[2023-03-01 18:11:22.778] [console] [trace] Creating V3 request processor state
[2023-03-01 18:11:22.778] [console] [trace] Launching request processor worker
[2023-03-01 18:11:22.778] [console] [trace] Processing request

Also, here is our Istio gateway config:

kind: Gateway
metadata:
  labels:
    name: main
    namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - hosts:
    - '*.dso.mil'
    port:
      name: http
      number: 8080
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - '*.dso.mil'
    port:
      name: https
      number: 8443
      protocol: HTTPS
    tls:
      credentialName: main-cert
      mode: SIMPLE

Additionally, here is an example authservice config for our apps. We have about 100 apps and this config is consistent across all of them:

          authservice:
            values:
              chains:
                app1:
                  match:
                    prefix: app1.staging.dso.mil
                  callback_uri: https://app1.staging.dso.mil/oauth/callback
                  cookie_name_prefix: app1-staging
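A small triage script for authservice logs in the format quoted above, added here as an example; it is not part of the original report or of the authservice project. It flags the three symptoms visible in the report. The sample lines, host name and state values are constructed, and the `/oauth/callback` default is taken from the posted `callback_uri`.

```python
import re

# Constructed sample in the log format shown in the report (host and state values are made up).
SAMPLE = """\
[2023-03-01 18:11:07.033] [console] [debug] Check: processing request http://app.example.test/ with filter chain app
[2023-03-01 18:11:07.033] [console] [info] Process: No session cookie detected. Generating new session and sending user to re-authenticate.
[2023-03-01 18:11:16.908] [console] [debug] Check: processing request https://app.example.test/oauth/callback?state=abc with filter chain app
[2023-03-01 18:11:16.908] [console] [info] Process: No session cookie detected. Generating new session and sending user to re-authenticate.
[2023-03-01 18:11:22.093] [console] [debug] Check: processing request https://app.example.test/oauth/callback?state=def with filter chain app
[2023-03-01 18:11:22.171] [console] [info] RetrieveToken: Saving token response to session store
[2023-03-01 18:11:22.427] [console] [debug] Check: processing request https://app.example.test/oauth/callback?state=def with filter chain app
[2023-03-01 18:11:22.427] [console] [info] RetrieveToken: Missing state, nonce, and original url requested by the user. Cannot redirect.
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[console\] \[(?P<lvl>\w+)\] (?P<msg>.*)$")
CHECK = re.compile(r"^Check: processing request (?P<url>\S+) with filter chain (?P<chain>\S+)$")

def split_requests(text):
    """Group log lines into requests; each 'Check:' line starts a new one (assumes no interleaving)."""
    requests = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        c = CHECK.match(m["msg"])
        if c:
            requests.append({"ts": m["ts"], "url": c["url"], "chain": c["chain"], "msgs": []})
        elif requests:
            requests[-1]["msgs"].append(m["msg"])
    return requests

def triage(text, callback_path="/oauth/callback"):
    """Return (timestamp, finding) tuples for the symptoms seen in the report."""
    findings, token_saved = [], set()
    for req in split_requests(text):
        no_cookie = any("No session cookie detected" in m for m in req["msgs"])
        is_callback = callback_path in req["url"]
        if req["url"].startswith("http://") and no_cookie:
            findings.append((req["ts"], "session-started-over-http"))
        if is_callback and no_cookie:
            findings.append((req["ts"], "callback-without-session-cookie"))
        if is_callback and req["url"] in token_saved:
            findings.append((req["ts"], "callback-reprocessed"))
        if is_callback and any("Saving token response" in m for m in req["msgs"]):
            token_saved.add(req["url"])
    return findings
```

Calling `triage(SAMPLE)` returns one finding per symptom, each with the timestamp of the `Check:` line that opened the request.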

zac-t-GGBAE commented 1 year ago

I'm experiencing a similar issue, were you able to find any resolution?

brostwalt87 commented 1 year ago

> I'm experiencing a similar issue, were you able to find any resolution?

Nope, this one has been on hold for a while. Haven't gotten time to re-investigate.

sergicastro commented 8 months ago

This is fixed in the new v1.0.0 version.

Feel free to take a look at the e2e test added to cover it: