Closed snkshukla closed 4 years ago
Hi @snkshukla,
Thanks so much for your very detailed issue and your investigation.
Your log indicates that the request was successful right up until the end, when the Authservice tried to gracefully shut down the TLS connection, and the server on the other side did not participate fully in the graceful shutdown. It sounds like the same problem as described in this issue: https://github.com/boostorg/beast/issues/824
We ran into a similar situation when we were implementing the trusted_certificate_authority configuration option. As a result, when that option is set the Authservice will always ignore boost::asio::ssl::error::stream_truncated errors during stream shutdown.
A possible fix for your issue might be for Authservice to always ignore the specific error boost::asio::ssl::error::stream_truncated during stream shutdown (both when trusted_certificate_authority is set and when it is not set). We pushed this implementation of this potential fix to a branch called issue79_always_ignore_stream_truncated.
Would you mind helping us to confirm that such a fix would solve your issue? To build the Authservice on that branch, on either a Mac or Linux machine:
git clone git@github.com:istio-ecosystem/authservice.git
cd authservice
git checkout issue79_always_ignore_stream_truncated
make docker-from-scratch
docker tag <image_id_which_was_just_built> <your_image_repository>/<image_name>:<tag_name>
docker push <your_image_repository>/<image_name>:<tag_name>
Best, Ryan and Andrew (@Changdrew)
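Ignoring stream_truncated at shutdown, as proposed in the comment above, discards the TLS end-of-stream signal, so the HTTP response has to prove its own completeness through Content-Length or chunked framing. The following check is an added example, not Authservice or Boost code: the Shutdown enum and all function names are hypothetical, and the chunked parser is simplified and rejects trailers.

```cpp
#include <algorithm>
#include <cctype>
#include <stdexcept>
#include <string>

enum class Shutdown { clean, stream_truncated, other_error };  // constructed stand-in, not a Boost.Asio type

// Value of a header in the lower-cased header block, or "" when absent.
static std::string header_value(const std::string& h, const std::string& name) {
    std::size_t pos = h.find("\r\n" + name + ":");
    if (pos == std::string::npos) return "";
    pos += name.size() + 3;  // skip CRLF, name and ':'
    std::string v = h.substr(pos, h.find("\r\n", pos) - pos);
    return v.erase(0, v.find_first_not_of(" \t"));
}

// Simplified chunked parser: true only if the terminating zero-size chunk arrived.
static bool chunked_complete(const std::string& b) {
    for (std::size_t pos = 0;;) {
        std::size_t eol = b.find("\r\n", pos), n = 0;
        if (eol == std::string::npos) return false;
        try { n = std::stoul(b.substr(pos, eol - pos), nullptr, 16); }
        catch (const std::exception&) { return false; }
        pos = eol + 2;
        if (n == 0) return b.compare(pos, std::string::npos, "\r\n") == 0;  // no trailers
        if (n > b.size() - pos || b.size() - pos - n < 2) return false;     // chunk cut short
        pos += n + 2;
    }
}

// True when the received bytes are a complete response delimited by its own framing.
bool response_is_self_delimited(const std::string& raw) {
    std::size_t split = raw.find("\r\n\r\n");
    if (split == std::string::npos) return false;  // headers never finished
    std::string h = raw.substr(0, split), body = raw.substr(split + 4);
    std::transform(h.begin(), h.end(), h.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (header_value(h, "transfer-encoding").find("chunked") != std::string::npos)
        return chunked_complete(body);
    std::string len = header_value(h, "content-length");
    if (len.empty() || len.size() > 18 || len.find_first_not_of("0123456789") != std::string::npos)
        return false;  // no usable length: end of stream is the only delimiter
    return body.size() == std::stoull(len);
}

// A truncated shutdown is ignored only when the response was already complete.
bool exchange_ok(Shutdown s, const std::string& raw) {
    if (s == Shutdown::clean) return true;
    return s == Shutdown::stream_truncated && response_is_self_delimited(raw);
}
```

A response with neither header is delimited only by the end of the stream, so for that case a truncated shutdown cannot be told apart from a cut-off body and is reported as a failure.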
Hi @cfryanr, thank you so much for your quick reply. As you suggested, I deployed the image created from branch issue79_always_ignore_stream_truncated and it has fixed the issue for me. I was able to successfully authenticate my application.
We are trying to set up an OIDC provider for authZ and authN with istio in our k8s cluster. We followed this example here: Bookinfo with Authservice Example for the integration. Below are the details on the setup:
OIDC provider: Keycloak
Grant type: authorization_code
Istio version: 1.5
Authentication flow: authservice successfully redirects to Keycloak, where we're able to log in successfully. This is the step where authservice fails and gives the error IdP connection error. The log for the request is as follows:
On further checking the code, I found this error is triggered from here: Authservice oidc filter - Github
To rule out the issues with the configuration, I used OpenID Debugger to manually generate an authorization code and then called the api to exchange it for an api token. I was able to successfully retrieve it, there was no issue with that. But somehow it is failing with authservice.
Could there be something wrong on my end? Has anyone experienced this issue before? Any help appreciated. Let me know if any more details are needed.