Dex Microsoft connector gives me "Unregistered redirect_uri ("/oauth2/callback")."

JCoupalK commented 3 months ago

Validation Checklist

[X] Is this a Kubeflow issue?
[X] Are you posting in the right repository ?
[X] Did you follow the installation guide https://github.com/kubeflow/manifests?tab=readme-ov-file ?
[X] Is the issue report properly structured and detailed with version numbers?
[ ] Is this for Kubeflow development ?
[ ] Would you like to work on this issue?
[ ] You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

Version

master

Describe your issue

I configured the Dex config-map.yaml to use the Microsoft connector following those instructions: https://dexidp.io/docs/connectors/microsoft/

Applied and restarted the deployments.

And when I clicked Login with Microsoft I got this:

I tried to modify the config but anything I tried seemed to result in this Bad request.

Not sure if that's purely a Dex issue or the way it is in Kubeflow.

I expected to be able to login with my Microsoft Azure AD account and access the dashboard.

Anything else you would like to add: My current (censored) config-maps.yaml at ./manifests/common/dex/base/config-map.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: dex
data:
  config.yaml: |
    issuer: http://dex.auth.svc.cluster.local:5556/dex
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      http: 0.0.0.0:5556
    logger:
      level: "debug"
      format: text
    oauth2:
      skipApprovalScreen: true
    staticClients:
    # https://github.com/dexidp/dex/pull/1664
    - idEnv: OIDC_CLIENT_ID
      redirectURIs: ["/authservice/oidc/callback"]
      name: 'Dex Login Application'
      secretEnv: OIDC_CLIENT_SECRET
    connectors:
      - type: microsoft
        id: microsoft
        name: Microsoft
        config:
          clientID: client-id-here
          clientSecret: secret-here
          redirectURI: https://external.domain.com/dex/callback
          tenant: organizations
          emailToLowercase: true

Environment:

Kubeflow version: 1.8.0
Kubernetes platform: K3S
Kubernetes version: 1.26.15
OS: Ubuntu 22.04 LTS
The istio gateway is also behind an external nginx reverse proxy

Steps to reproduce the issue

I configured the Dex config-map.yaml to use the Microsoft connector following those instructions: https://dexidp.io/docs/connectors/microsoft/

Applied and restarted the deployments.

And when I clicked Login with Microsoft I got this:

Put here any screenshots or videos (optional)

My (censored) Azure app:

juliusvonkohout commented 2 months ago

I see conflicting Inforamation. Are you using "Kubeflow version: 1.8.0" or "Version master". Please test against the 1.9 release or the master branch. Kubeflow 1.8 and 1.8.1 are EOL soon.

JCoupalK commented 2 months ago

This issue was opened before 1.9 release but I'll check out if 1.9 fixes my issue

juliusvonkohout commented 2 months ago

Please check whether this is related to https://github.com/kubeflow/manifests/pull/2815

kubeflow / manifests