kiali / kiali

Kiali project, observability for the Istio service mesh
https://www.kiali.io
Apache License 2.0

OpenID login fails with "Error fetching OpenID provider metadata" #2978

Closed joba-hy closed 3 years ago

joba-hy commented 4 years ago

Describe the bug

I am trying to configure Kiali to use the openid authentication. When I press the "Log In With OpenID" button, I am redirected to /kiali/api/auth/openid_redirect with the error message:

{"error":"Error fetching OpenID provider metadata.","detail":"Get \"/.well-known/openid-configuration\": unsupported protocol scheme \"\""}

There is no error in the Kiali log.

Kiali configuration in istio profile.yaml:

    kiali:
      contextPath: /kiali
      createDemoSecret: true
      prometheusAddr: http://prometheus-operator.monitoring.svc.cluster.local:9090
      dashboard:
        auth:
          strategy: openid
          openid:
            client_id: <id>.apps.googleusercontent.com
            issuer_uri: https://accounts.google.com
            username_claim: email
        grafanaInClusterURL: http://grafana:3000
        jaegerInClusterURL: http://tracing/jaeger
        viewOnlyMode: false
      hub: quay.io/kiali
      nodeSelector: {}
      podAntiAffinityLabelSelector: []
      podAntiAffinityTermLabelSelector: []
      security:
        cert_file: /kiali-cert/cert-chain.pem
        enabled: false
        private_key_file: /kiali-cert/key.pem
      service:
        annotations: {}
      tag: v1.20

The values for client_id, issuer_uri and username_claim are set as defined in the documentation.

Versions used

Kiali: v1.20
Istio: 1.6.5
Kubernetes: 1.18.5

jmazzitelli commented 4 years ago

I don't think the upstream Istio helm chart supports that - openid auth strategy is a relatively new feature in Kiali, and I doubt Istio has incorporated it into the helm chart, especially considering the addons like prometheus, kiali, grafana are being removed from the istioctl helm charts.

Is there a reason you think that kiali.dashboard.auth.openid section is valid in the istio helm values?

fai555 commented 3 years ago

@joba-hy Were you able to solve this issue? I am having the same problem. I am using issuer_uri: "https://accounts.google.com/.well-known/openid-configuration"

israel-hdez commented 3 years ago

@fai555 I think the issuer_uri for Google is https://accounts.google.com/. It should not include the other part.
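
The `detail` string in the report has no scheme or host in front of `/.well-known/openid-configuration`, which is the error Go's net/http returns when the issuer prefix is empty. The added example below (not part of the thread and not Kiali's code) reproduces that error offline and checks an issuer_uri value before it is used; `discoveryURL` and `fetchError` are hypothetical names, and it assumes the metadata URL is formed by appending the well-known path to issuer_uri.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const wellKnown = "/.well-known/openid-configuration"

// discoveryURL validates an issuer_uri value and returns the metadata URL.
// Assumption: the client appends wellKnown to the configured issuer.
func discoveryURL(issuer string) (string, error) {
	if strings.TrimSpace(issuer) == "" {
		return "", errors.New("issuer_uri is empty: the setting did not reach the running config")
	}
	u, err := url.Parse(issuer)
	if err != nil {
		return "", fmt.Errorf("issuer_uri does not parse: %w", err)
	}
	if u.Scheme != "https" || u.Host == "" { // OIDC Discovery requires an https issuer
		return "", fmt.Errorf("issuer_uri %q must be an absolute https URL", issuer)
	}
	if strings.Contains(u.Path, "/.well-known/") {
		return "", fmt.Errorf("issuer_uri %q already contains the discovery path", issuer)
	}
	return strings.TrimRight(issuer, "/") + wellKnown, nil
}

// fetchError reproduces the failure offline: net/http rejects a URL without
// a scheme before any connection is attempted.
func fetchError(issuer string) string {
	resp, err := http.Get(issuer + wellKnown)
	if err != nil {
		return err.Error()
	}
	resp.Body.Close()
	return ""
}

func main() {
	fmt.Println(fetchError("")) // same "detail" string as in the report
	for _, v := range []string{"", "https://accounts.google.com",
		"https://accounts.google.com/.well-known/openid-configuration"} {
		fmt.Println(discoveryURL(v))
	}
}
```
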

israel-hdez commented 3 years ago

Closing as stale, because we didn't get a reply from the OP.

jacob-kuder commented 1 year ago

For those who are trying to get this working, please make sure you only include your root CA, and if utilizing Helm, make sure the formatting is correct (appropriate line breaks, no double quotes, etc.). Also, we at first were trying to use base64 encoding; however, it does not appear to be appropriate/needed. We set up the config map to JUST have the root CA, in normal certificate text/formatting, with no encoding, and this worked for us.

yudiz-Manushi commented 8 months ago

I am trying to configure Kiali to use the openid authentication. When I press the "Log In With OpenID" button, I am redirected to /kiali/api/auth/openid_redirect with the error message:

{"error":"Error fetching OpenID provider metadata.","detail":"Get \"/.well-known/openid-configuration\": unsupported protocol scheme \"\""}

Also, I'm using Keycloak as the OpenID provider. Let me know what the issue is. Also, I'm not aware of what the value for issuer_uri can be.

jshaughn commented 7 months ago

@yudiz-Manushi If you are still having a problem you may want to open a Discussion, and see if someone can help.