jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management-interface client for OpenVPN server that handles OIDC-based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License
180 stars, 27 forks

Configure openvpn-auth-oauth2 with AWS Cognito OIDC Provider #313

Closed davidka79 closed 1 month ago

davidka79 commented 2 months ago

Problem Statement

Hello, I've tried to configure OpenVPN OIDC authentication with AWS Cognito, set up a "Cognito domain" and put it into CONFIG_OAUTH2_ISSUER, but I am getting errors like "URL does not exist". I've checked the URL; it responds with an empty page.

Please, could you explain what to write in CONFIG_OAUTH2_ISSUER?

openvpn-auth-oauth2 logs

/var/logs/syslog
2024-09-03T19:57:51.453396+00:00 ip-10-0-0-206 openvpn-auth-oauth2[34992]: time=2024-09-03T19:57:51.452Z level=INFO msg="discover oidc auto configuration with provider generic for issuer https://openvpn.auth.eu-central-1.amazoncognito.com"
2024-09-03T19:57:51.599593+00:00 ip-10-0-0-206 openvpn-auth-oauth2[34992]: time=2024-09-03T19:57:51.599Z level=ERROR msg="error oauth2 provider: ErrorType=This URL doesn't exist on the authorization server."
2024-09-03T19:57:51.603227+00:00 ip-10-0-0-206 systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=exited, status=1/FAILURE
2024-09-03T19:57:51.603470+00:00 ip-10-0-0-206 systemd[1]: openvpn-auth-oauth2.service: Failed with result 'exit-code'.

Environment

jkroepke commented 2 months ago

That's the error I get if I open this URL: https://openvpn.auth.eu-central-1.amazoncognito.com/.well-known/openid-configuration

Based on reading https://stackoverflow.com/a/50190625, the issuer URL has the format

https://cognito-idp.{region}.amazonaws.com/{userPoolId}

You can confirm the correct URL by calling this one:

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration
jkroepke commented 2 months ago

btw. I'm looking for someone who can contribute the documentation for AWS Cognito.

davidka79 commented 2 months ago

Thank you very much, I will try it.

OpenVPN with OIDC via AWS Cognito is critical for me, so if I succeed I will be happy to describe and document it.

BTW, about Linux clients: I found that https://github.com/OpenVPN/openvpn3-indicator works fine with openvpn-auth-oauth2; it waits for authentication and understands it correctly, unlike the partially working openvpn3-cli.

davidka79 commented 2 months ago

Hello, I have finished starting up openvpn-auth-oauth2 with AWS Cognito, but now I am getting problems when calling the Cognito auth page. Cognito expects a call in the format https://{COGNITO-DOMAIN}/oauth2/authorize?client_id={CLIENT_ID}&response_type=code&scope=openid&redirect_uri={CALLBACK_URL}

but openvpn-auth-oauth2 sends the request as https://{COGNITO-DOMAIN}/oauth2/start?state={SOME_TOKEN}, and Cognito responds that redirect_url is not correct.

When I configured OAuth with GitHub, I remember that openvpn-auth-oauth2 called with exactly the correct format https://github.com/login/oauth/authorize?client_id={CLIENT_ID}&code_challenge={CLIENT_CODE}&code_challenge_method=nonce={SECRET}&redirect_uri={CALLBACK_URL}&response_type=code

and I do not understand how to set the format for openvpn-auth-oauth2 :(

In the configuration file I have:

CONFIG_OAUTH2_ISSUER=https://cognito-idp.{region}.amazonaws.com/{userPoolId}
CONFIG_OAUTH2_CLIENT_ID={CLIENT_ID}
CONFIG_OAUTH2_CLIENT_SECRET={SECRET}

jkroepke commented 2 months ago

The issuer must be prefixed with https://

CONFIG_OAUTH2_ISSUER=https://cognito-idp.{region}.amazonaws.com/{userPoolId}

> Cognito responds redirect_url is not correct

Yes, you have to configure the redirect_url inside Cognito.

davidka79 commented 2 months ago

> The issuer must be prefixed with https://

I did not get that; yes, I put the https:// prefix in CONFIG_OAUTH2_ISSUER.

> Cognito responds redirect_url is not correct

> Yes, you have to configure the redirect_url inside Cognito.

I configured the callback URL in Cognito, and in Cognito it works; I mean there is a button there, "test a cognito domain", where I can provide username and password and Cognito calls the callback URL with a generated token.

For now I have a problem with calling Cognito from openvpn-auth-oauth2 for authentication :( Cognito responds "redirect_url is not correct", but when I manually call in this format https://{COGNITO-DOMAIN}/oauth2/authorize?client_id={CLIENT_ID}&response_type=code&scope=openid&redirect_uri={CALLBACK_URL} Cognito responds correctly.

I am trying to find out whether openvpn-auth-oauth2 has some parameters to configure the call format?

jkroepke commented 2 months ago

The callback is just https://{COGNITO-DOMAIN}/oauth2/callback.
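The two checks this thread turns on are the issuer (jkroepke's `https://cognito-idp.{region}.amazonaws.com/{userPoolId}` form, confirmed via its `/.well-known/openid-configuration` document) and the redirect URI (the `/oauth2/callback` path jkroepke names, which must be registered in the Cognito app client). The script below is an added example, not code from the openvpn-auth-oauth2 project: it validates a configured issuer against a discovery document and shows the authorization request an authorization-code client derives from it. The discovery JSON, region, user pool id, hosted-UI domain, client id and the `https://vpn.example.com` base URL are all constructed placeholders.

```python
"""Sanity-check an OIDC issuer and callback URL before wiring them into
openvpn-auth-oauth2 (added example; not the project's own code)."""

import json
from urllib.parse import urlencode, urlsplit

# Constructed sample of what a Cognito user-pool issuer serves at
# {issuer}/.well-known/openid-configuration. All values are placeholders.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_EXAMPLE",
    "authorization_endpoint": "https://example-domain.auth.eu-central-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-domain.auth.eu-central-1.amazoncognito.com/oauth2/token",
    "jwks_uri": "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_EXAMPLE/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
})


def discovery_url(issuer: str) -> str:
    """URL a client fetches for the configured issuer (OIDC Discovery)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(configured: str, discovery_json: str) -> list[str]:
    """Return a list of problems with the configured issuer; empty means usable."""
    problems = []
    parts = urlsplit(configured)
    if parts.scheme != "https":
        problems.append("issuer must use https://")
    # The hosted-UI domain (*.amazoncognito.com) is not the issuer; the thread shows
    # its /.well-known/openid-configuration answers with an error page.
    if parts.hostname and parts.hostname.endswith(".amazoncognito.com"):
        problems.append("hostname is the Cognito hosted-UI domain, not the user pool issuer")
    try:
        doc = json.loads(discovery_json)
    except json.JSONDecodeError:
        return problems + ["discovery document is not JSON (empty or error page?)"]
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
    # OIDC Discovery requires the document's issuer to equal the URL it was fetched from;
    # clients that validate this reject a mismatch, so catch it here.
    if doc.get("issuer") and doc["issuer"].rstrip("/") != configured.rstrip("/"):
        problems.append(f"issuer mismatch: document says {doc['issuer']}")
    return problems


def callback_url(public_base: str) -> str:
    """Redirect URI the OpenVPN-side client presents: {base}/oauth2/callback.
    This exact string must be an allowed callback URL in the Cognito app client."""
    return public_base.rstrip("/") + "/oauth2/callback"


def authorize_url(discovery_json: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Build the authorization request in the form Cognito expects
    (authorization code flow; parameters taken from the discovery document)."""
    doc = json.loads(discovery_json)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return doc["authorization_endpoint"] + "?" + query


if __name__ == "__main__":
    issuer = "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_EXAMPLE"
    print("fetch:", discovery_url(issuer))
    print("problems:", check_issuer(issuer, SAMPLE_DISCOVERY))
    print("hosted-UI domain as issuer:",
          check_issuer("https://openvpn.auth.eu-central-1.amazoncognito.com", ""))
    cb = callback_url("https://vpn.example.com/")
    print("register in Cognito:", cb)
    print(authorize_url(SAMPLE_DISCOVERY, "placeholder-client-id", cb, "constructed-state"))
```

Run it against a real deployment by replacing SAMPLE_DISCOVERY with the body fetched from `discovery_url(issuer)`; a non-empty problem list explains the discovery error from the syslog excerpt, and the printed callback is the value that has to appear in the app client's allowed callback URLs for the "redirect_url is not correct" response to go away.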

jkroepke commented 2 months ago

You could try to follow the Keycloak documentation (https://github.com/jkroepke/openvpn-auth-oauth2/wiki/Providers) for things like the redirect URL.

davidka79 commented 2 months ago

Finally, I think I did it. I will prepare a description for the AWS Cognito connection.

jkroepke commented 2 months ago

It would be great to document what needs to be done in AWS, too.

github-actions[bot] commented 1 month ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.