istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Support http proxy servers when exchanging authcode for token #63

Closed cfryanr closed 4 years ago

cfryanr commented 4 years ago

From a Slack conversation with Enrique Medina Montenegro.

Good morning from the Netherlands :slightly_smiling_face: Here is the info about the proxy issue:

My company uses a corporate proxy --> http://proxy.internal.mycompany.org:8080 <-- to provide access to the Internet

  • If any Pod running in our K8s cluster needs outbound Internet access, then it must configure this proxy as env variables --> HTTP_PROXY, HTTPS_PROXY and NO_PROXY
  • When using the auth-service, the first redirection to our Azure AD IdP is actually performed by the browser, so there is no issue here
  • However, when the auth-service needs to exchange the authorization code for the access token, then it cannot due to not being able to access the Internet

Taking a look at the code, I see that you use the Boost.Beast library for HTTP matters, which claims not to have in its scope the addition of such proxy support: https://groups.google.com/d/msg/boost-developers-archive/-Zf7f-dfcmA/BUAjLnngBAAJ

However, it seems to be pretty easy: https://stackoverflow.com/questions/11523829/how-to-add-proxy-support-to-boostasio/11537603#11537603

These are the precise logs:

# kubectl logs productpage-v1-5c6798d7d4-mzhs9 -c authservice
[2019-12-03 08:04:48.487] [console] [info] RunServer: Server listening on 127.0.0.1:10003
[2019-12-03 08:05:01.305] [console] [trace] Check
[2019-12-03 08:05:01.305] [console] [trace] Matches
[2019-12-03 08:05:01.305] [console] [debug] Check: processing request ://bookinfo.dev.epocloud.altia.es/productpage with filter chain idp_filter_chain
[2019-12-03 08:05:01.305] [console] [trace] New
[2019-12-03 08:05:01.306] [console] [trace] OidcFilter
[2019-12-03 08:05:01.306] [console] [trace] Process
[2019-12-03 08:05:01.306] [console] [debug] Call from @172.16.20.105 to @172.16.135.3
[2019-12-03 08:05:01.306] [console] [info] GetTokenFromCookie: __Host-bookinfo-authservice-id-token-cookie token cookie missing
[2019-12-03 08:05:01.306] [console] [info] GetTokenFromCookie: __Host-bookinfo-authservice-access-token-cookie token cookie missing
[2019-12-03 08:05:01.306] [console] [trace] Process: checking handler for ://bookinfo.dev.epocloud.altia.es-/productpage
[2019-12-03 08:05:01.794] [console] [trace] Check
[2019-12-03 08:05:01.794] [console] [trace] Matches
[2019-12-03 08:05:01.794] [console] [debug] Check: processing request ://bookinfo.dev.epocloud.altia.es/productpage/oauth/callback?code=OAQABAAIAAACQN9QBRU3jT6bcBQLZNUj7FraunBPo2Anx9gyAxLsdu-bjmfQnfzP9GJZCGakYWsHRzeV_eP89xj8IlweogBgNVF-IJW88VHMjUF2mb1qBgxYUOcOhN4X0RovpJOv25ad5dUCGWpoHmK0n1Q04dDi5dYtbZDAYqPyc_xJmr-rwtSneZoVu7jL16aJ-cF6M96iJQSoZw5fUXlJDaECEls1FKHr6XOhsqtQYgyu8hEL9yt5r3ONyG7Oo6QDWheJi96axsOrOa4toF62bElJeVm4Rsv5C2FFEvMkTQJXXj1hEhc-zk-owBC4D8m5NVGKzRhwphgpkYtRBMyEZtouiJQReKRcGry4KbbXA87LDfM0S5XGX-Kyad7WHV3-s62gFwjW7QqyG0OUq2D6Obm0xIlnmlk6alUOowSAijHHbgf_zXlI34ACRW4pv7SqZ0b6SHtMEioJe0CNFCDBlUVC7Md3_9lCMoonwNoVpEHNE-9eOLKamC-sJyevrATPt6A-WX9HsWcPk3OBwiqnzwMP9DJxj7MLl6KATfLI0mmeswhluYLINKKuvhr6a6oWncaVK9HlsBjH-MYXoRv5kqoaMCh3tU6lNhFMHhUodCcwvPUG4CBDoPQ9UubmEctTyGway7viwDniuqfzP1hj1pVTH09ZrUcVgeSv4sEHeXgupQ4_j7lYtBqWaohHsoQngxVq5HvmSBA8qd_8_Qlxx3vXyGfXuZSFWaZghaKYKrRP7Dm8Dc9R8PvoliTBvL1fLh2KiyePncMfAalIh96NdN27zCLDtbLoNeJpf0NVvp-HXsBckBMxCxLsxMKm22UNLhB3wdSnBEND-HUFxCiPA1IzXsgCGoZW9cFvMFJtbIjyy3ZXkE7DJSewKjW4I7MIVABBEeccgAA&state=0w05_ITARWBE0BfMcW2oSNwFTMtiPRW3Iq_VBkLbAJY&session_state=c302d6d2-c392-424d-97d3-2579814617c4 with filter chain idp_filter_chain
[2019-12-03 08:05:01.794] [console] [trace] New
[2019-12-03 08:05:01.794] [console] [trace] OidcFilter
[2019-12-03 08:05:01.794] [console] [trace] Process
[2019-12-03 08:05:01.794] [console] [debug] Call from @172.16.20.105 to @172.16.135.3
[2019-12-03 08:05:01.795] [console] [info] GetTokenFromCookie: __Host-bookinfo-authservice-id-token-cookie token cookie missing
[2019-12-03 08:05:01.795] [console] [info] GetTokenFromCookie: __Host-bookinfo-authservice-access-token-cookie token cookie missing
[2019-12-03 08:05:01.795] [console] [trace] Process: checking handler for ://bookinfo.dev.epocloud.altia.es-/productpage/oauth/callback?code=OAQABAAIAAACQN9QBRU3jT6bcBQLZNUj7FraunBPo2Anx9gyAxLsdu-bjmfQnfzP9GJZCGakYWsHRzeV_eP89xj8IlweogBgNVF-IJW88VHMjUF2mb1qBgxYUOcOhN4X0RovpJOv25ad5dUCGWpoHmK0n1Q04dDi5dYtbZDAYqPyc_xJmr-rwtSneZoVu7jL16aJ-cF6M96iJQSoZw5fUXlJDaECEls1FKHr6XOhsqtQYgyu8hEL9yt5r3ONyG7Oo6QDWheJi96axsOrOa4toF62bElJeVm4Rsv5C2FFEvMkTQJXXj1hEhc-zk-owBC4D8m5NVGKzRhwphgpkYtRBMyEZtouiJQReKRcGry4KbbXA87LDfM0S5XGX-Kyad7WHV3-s62gFwjW7QqyG0OUq2D6Obm0xIlnmlk6alUOowSAijHHbgf_zXlI34ACRW4pv7SqZ0b6SHtMEioJe0CNFCDBlUVC7Md3_9lCMoonwNoVpEHNE-9eOLKamC-sJyevrATPt6A-WX9HsWcPk3OBwiqnzwMP9DJxj7MLl6KATfLI0mmeswhluYLINKKuvhr6a6oWncaVK9HlsBjH-MYXoRv5kqoaMCh3tU6lNhFMHhUodCcwvPUG4CBDoPQ9UubmEctTyGway7viwDniuqfzP1hj1pVTH09ZrUcVgeSv4sEHeXgupQ4_j7lYtBqWaohHsoQngxVq5HvmSBA8qd_8_Qlxx3vXyGfXuZSFWaZghaKYKrRP7Dm8Dc9R8PvoliTBvL1fLh2KiyePncMfAalIh96NdN27zCLDtbLoNeJpf0NVvp-HXsBckBMxCxLsxMKm22UNLhB3wdSnBEND-HUFxCiPA1IzXsgCGoZW9cFvMFJtbIjyy3ZXkE7DJSewKjW4I7MIVABBEeccgAA&state=0w05_ITARWBE0BfMcW2oSNwFTMtiPRW3Iq_VBkLbAJY&session_state=c302d6d2-c392-424d-97d3-2579814617c4
[2019-12-03 08:05:01.795] [console] [trace] RetrieveToken
[2019-12-03 08:05:01.795] [console] [trace] Post
[2019-12-03 08:05:01.860] [console] [info] Post: unexpected exception: handshake: WRONG_VERSION_NUMBER
[2019-12-03 08:05:01.860] [console] [info] RetrieveToken: HTTP error encountered: IdP connection error
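
The tunnel step this request asks for, as an added example that is not part of the original issue or the authservice code base: a client behind an HTTP proxy connects to the proxy, sends `CONNECT` for the IdP, and starts the TLS handshake only after a complete 2xx reply. The helper names, the `idp.example.com` host and the simplified `NO_PROXY` matching are assumptions; only the proxy address comes from the issue.

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

// Added example: hypothetical helpers, not authservice code.
struct Endpoint { std::string host; unsigned short port; };
const Endpoint kProxy{"proxy.internal.mycompany.org", 8080};  // proxy from the issue
const Endpoint kIdp{"idp.example.com", 443};                  // constructed IdP host

// True when host matches an entry of a comma-separated NO_PROXY list.
// Simplified convention: exact match, or suffix match on a label boundary.
bool BypassProxy(const std::string& host, const std::string& no_proxy) {
  std::istringstream entries(no_proxy);
  std::string e;
  while (std::getline(entries, e, ',')) {
    e.erase(0, e.find_first_not_of(" ."));  // drop leading spaces and dot
    e.erase(e.find_last_not_of(' ') + 1);   // drop trailing spaces
    if (e.empty()) continue;
    if (host == e) return true;
    if (host.size() > e.size() && host[host.size() - e.size() - 1] == '.' &&
        host.compare(host.size() - e.size(), e.size(), e) == 0) return true;
  }
  return false;
}

// The TCP connection goes to the proxy unless NO_PROXY exempts the IdP.
Endpoint DialTarget(const Endpoint& idp, const Endpoint& proxy, const std::string& no_proxy) {
  return BypassProxy(idp.host, no_proxy) ? idp : proxy;
}

// First bytes sent to the proxy: ask for a raw TCP tunnel to the IdP.
std::string BuildConnectRequest(const Endpoint& idp) {
  const std::string authority = idp.host + ":" + std::to_string(idp.port);
  return "CONNECT " + authority + " HTTP/1.1\r\nHost: " + authority + "\r\n\r\n";
}

// TLS may start only after a complete 2xx reply to CONNECT has been read.
bool TunnelEstablished(const std::string& reply) {
  if (reply.find("\r\n\r\n") == std::string::npos) return false;  // headers incomplete
  if (reply.size() < 12 || reply.compare(0, 7, "HTTP/1.") != 0) return false;
  return reply[8] == ' ' && reply[9] == '2' &&
         std::isdigit(static_cast<unsigned char>(reply[10])) &&
         std::isdigit(static_cast<unsigned char>(reply[11]));
}

int main() {
  std::cout << DialTarget(kIdp, kProxy, "localhost,.cluster.local").host << "\n"
            << BuildConnectRequest(kIdp)
            << TunnelEstablished("HTTP/1.1 200 Connection established\r\n\r\n") << "\n";
}
```

Once the tunnel is up, certificate verification and SNI still use the IdP host name, not the proxy's, so the proxy only relays ciphertext.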