kyma-project / kyma

Kyma is an opinionated set of Kubernetes-based modular building blocks, including all necessary capabilities to develop and run enterprise-grade cloud-native applications.
https://kyma-project.io
Apache License 2.0

Unable to authenticate via OIDC with console browser #18092

Closed georgethebeatle closed 7 months ago

georgethebeatle commented 1 year ago

Description

Kyma Version: 2.17.1
Browser Name: w3m
Browser Version: w3m version w3m/0.5.3+git20210102, options lang=en,m17n,image,color,ansi-color,mouse,gpm,menu,cookie,ssl,ssl-verify,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark,migemo
Operating System: Ubuntu 22.04.3 LTS

We are trying to perform kubectl operations against a Kyma cluster using the kubeconfig provided by the BTP cockpit. As we are in a no-GUI environment we are using the w3m console browser. In order to use this browser we have added the --browser parameter to the OIDC config section of the kubeconfig, as can be seen below:

---
apiVersion: v1
kind: Config
current-context: shoot--kyma--c-97ef3b0
clusters:
- name: shoot--kyma--c-97ef3b0
  cluster:
    certificate-authority-data: <sanitized>
    server: https://api.c-97ef3b0.kyma.ondemand.com
contexts:
- name: shoot--kyma--c-97ef3b0
  context:
    cluster: shoot--kyma--c-97ef3b0
    user: shoot--kyma--c-97ef3b0
users:
- name: shoot--kyma--c-97ef3b0
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - "--oidc-issuer-url=https://kyma.accounts.ondemand.com"
      - "--oidc-client-id=12b13a26-d993-4d0c-aa08-5f5852bbdff6"
      - "--oidc-extra-scope=email"
      - "--oidc-extra-scope=openid"
      - "--browser-command=w3m"
      command: kubectl-oidc_login

We are running kubectl get ns with this kubeconfig. The browser opens but gets stuck with the message: Your authentication request has been forwarded to the target system for processing.

Expected result

We are prompted for credentials. Upon entering valid credentials we can see kubectl output

Actual result

The browser opens but gets stuck with the message: Your authentication request has been forwarded to the target system for processing.

Steps to reproduce

Run KUBECONFIG=kyma-kubeconfig.yaml kubectl get ns, where kyma-kubeconfig.yaml is the yaml above.

Troubleshooting

We have tried the same command with several browsers with no success:

Here is the w3m request log:

❯ cat ~/.w3m/request.log
GET / HTTP/1.0
User-Agent: w3m/0.5.3+git20210102
Accept: text/html, text/*;q=0.5, image/*, application/*, x-scheme-handler/*, video/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: localhost:8000

HTTP/1.0 302 Found
Content-Type: text/html; charset=utf-8
Location: https://kyma.accounts.ondemand.com/oauth2/authorize?access_type=offline&client_id=12b13a26-d993-4d0c-aa08-5f5852bbdff6&code_challenge=VhjpEadhjO0fysAkueYJfE76tLvvZokijVBrA58mgqg&code_challenge_method=S256&nonce=2erWQnNkbUrTsvEyowZli9rbFG8fObmct2RKxsWK714&redirect_uri=http%3A%2F%2Flocalhost%3A8000&response_type=code&scope=email+openid+openid&state=em96nMnvn_9bmxJqJ4-LYdbO4PB533TKuhrT_HONqwo
Date: Thu, 31 Aug 2023 09:24:21 GMT
Content-Length: 447

HTTPS: request via SSL
GET /oauth2/authorize?access_type=offline&client_id=12b13a26-d993-4d0c-aa08-5f5852bbdff6&code_challenge=VhjpEadhjO0fysAkueYJfE76tLvvZokijVBrA58mgqg&code_challenge_method=S256&nonce=2erWQnNkbUrTsvEyowZli9rbFG8fObmct2RKxsWK714&redirect_uri=http%3A%2F%2Flocalhost%3A8000&response_type=code&scope=email+openid+openid&state=em96nMnvn_9bmxJqJ4-LYdbO4PB533TKuhrT_HONqwo HTTP/1.0
User-Agent: w3m/0.5.3+git20210102
Accept: text/html, text/*;q=0.5, image/*, application/*, x-scheme-handler/*, video/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: kyma.accounts.ondemand.com

HTTP/1.1 302
Date: Thu, 31 Aug 2023 09:24:20 GMT
Server: SAP
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-IDS-ID: B4294DCD-50D4-417B-8CDE-1B3CC8408C81
Location: https://kyma.accounts.ondemand.com/saml2/idp/sso?sp=garden-kyma&RelayState=access_type%3Doffline%26client_id%3D12b13a26-d993-4d0c-aa08-5f5852bbdff6%26code_challenge%3DVhjpEadhjO0fysAkueYJfE76tLvvZokijVBrA58mgqg%26code_challenge_method%3DS256%26nonce%3D2erWQnNkbUrTsvEyowZli9rbFG8fObmct2RKxsWK714%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A8000%26response_type%3Dcode%26scope%3Demail%2Bopenid%2Bopenid%26state%3Dem96nMnvn_9bmxJqJ4-LYdbO4PB533TKuhrT_HONqwo
Content-Language: en
Content-Length: 0
Vary: X-CSP-STRIP
X-IDS-Node: idp11
X-IDS-Pool: green
X-IDS-Project: prod
X-IDS-Landscape: eu-nl-1
Referrer-Policy: origin
X-Robots-Tag: none
X-Content-Type-Options: nosniff
Cache-Control: private,no-cache,no-store
Connection: close

HTTPS: request via SSL
GET /saml2/idp/sso?sp=garden-kyma&RelayState=access_type%3Doffline%26client_id%3D12b13a26-d993-4d0c-aa08-5f5852bbdff6%26code_challenge%3DVhjpEadhjO0fysAkueYJfE76tLvvZokijVBrA58mgqg%26code_challenge_method%3DS256%26nonce%3D2erWQnNkbUrTsvEyowZli9rbFG8fObmct2RKxsWK714%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A8000%26response_type%3Dcode%26scope%3Demail%2Bopenid%2Bopenid%26state%3Dem96nMnvn_9bmxJqJ4-LYdbO4PB533TKuhrT_HONqwo HTTP/1.0
User-Agent: w3m/0.5.3+git20210102
Accept: text/html, text/*;q=0.5, image/*, application/*, x-scheme-handler/*, video/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: kyma.accounts.ondemand.com

HTTP/1.1 200
Date: Thu, 31 Aug 2023 09:24:20 GMT
Server: SAP
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-IDS-ID: 401626A3-F91E-406E-95F9-6E1DB5CBF97A
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private,no-cache,no-store
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Security-Policy: script-src 'self' consent.trustarc.com 'nonce-Wqs1BkqfY9lhIaCOQ+I1I72R23LQY9ci/wKgYOFCKs0='
x-xss-protection: 1; mode=block
vary: accept-encoding,X-CSP-STRIP
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Content-Language: en
Set-Cookie: arcf94499=<sanitized>; Path=/; HttpOnly; Secure
Set-Cookie: XSRF_COOKIE=<sanitized>; Path=/; Secure; HttpOnly
Set-Cookie: JSESSIONID=<sanitized>; Path=/; Secure; HttpOnly
X-IDS-Node: idp05
X-IDS-Pool: green
X-IDS-Project: prod
X-IDS-Landscape: eu-nl-1
Referrer-Policy: origin
X-Robots-Tag: none
X-Content-Type-Options: nosniff
Connection: close

@danail-branekov
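As an added example (not code from the issue or from the kyma-project repository): a small Python audit of the authorization request captured in the w3m log above. It parses the authorize URL from the first 302, checks that the SAML RelayState round-trips the same parameters, shows the state comparison the loopback listener on localhost:8000 must do before it accepts a code, and computes an S256 PKCE challenge of the shape seen in the log. Parameter values are copied from the log; the function names are my own.

```python
"""Sanity checks over the OIDC authorization request captured in the w3m log above."""
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlsplit

# Authorization URL from the first 302 'Location' header in the issue's request log.
AUTHORIZE_URL = (
    "https://kyma.accounts.ondemand.com/oauth2/authorize?access_type=offline"
    "&client_id=12b13a26-d993-4d0c-aa08-5f5852bbdff6&code_challenge=VhjpEadhjO0fysAkueYJfE76tLvvZokijVBrA58mgqg"
    "&code_challenge_method=S256&nonce=2erWQnNkbUrTsvEyowZli9rbFG8fObmct2RKxsWK714"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8000&response_type=code&scope=email+openid+openid"
    "&state=em96nMnvn_9bmxJqJ4-LYdbO4PB533TKuhrT_HONqwo")
# RelayState from the SAML hop (second 302 in the log): the same query string, URL-encoded once more.
RELAY_STATE = (
    "access_type%3Doffline%26client_id%3D12b13a26-d993-4d0c-aa08-5f5852bbdff6"
    "%26code_challenge%3DVhjpEadhjO0fysAkueYJfE76tLvvZokijVBrA58mgqg%26code_challenge_method%3DS256"
    "%26nonce%3D2erWQnNkbUrTsvEyowZli9rbFG8fObmct2RKxsWK714%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A8000"
    "%26response_type%3Dcode%26scope%3Demail%2Bopenid%2Bopenid%26state%3Dem96nMnvn_9bmxJqJ4-LYdbO4PB533TKuhrT_HONqwo")

def authorize_params(url):
    """Authorization request parameters as a flat dict ('+' in scope decodes to a space)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def audit_authorize_request(params):
    """Findings about the request; an empty list means it matches what kubectl oidc-login should send."""
    findings = []
    redirect = urlsplit(params.get("redirect_uri", ""))
    if redirect.scheme != "http" or redirect.hostname not in ("localhost", "127.0.0.1"):
        findings.append("redirect_uri is not the plugin's loopback listener")
    if params.get("code_challenge_method") != "S256":
        findings.append("PKCE method is not S256")
    findings += [f"missing {k}" for k in ("state", "nonce", "code_challenge") if not params.get(k)]
    scopes = params.get("scope", "").split()
    dupes = sorted({s for s in scopes if scopes.count(s) > 1})  # 'openid' twice: the plugin adds it itself
    if dupes:
        findings.append("duplicate scope(s): " + ", ".join(dupes))
    return findings

def relay_state_preserves_request(relay_state, params):
    """True if the IdP's RelayState round-trips every OIDC parameter, state included."""
    inner = parse_qs("RelayState=" + relay_state)["RelayState"][0]
    return authorize_params("http://x/?" + inner) == params

def callback_accepted(callback_url, expected_state):
    """What the loopback listener must verify before exchanging the code: the state matches exactly."""
    q = authorize_params(callback_url)
    return "code" in q and hmac.compare_digest(q.get("state", ""), expected_state)

def s256_challenge(verifier):
    """PKCE S256 challenge: base64url(sha256(verifier)) without '=' padding (43 chars, as in the log)."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
```

The only finding on the logged request is the doubled openid scope, which comes from the explicit --oidc-extra-scope=openid argument; it is harmless but redundant.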

kyma-bot commented 10 months ago

This issue or PR has been automatically marked as stale due to the lack of recent activity. Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

You can:

If you think that I work incorrectly, kindly raise an issue with the problem.

/lifecycle stale

pbochynski commented 7 months ago

I assume that the goal is to interact with the Kyma cluster in an automated way (script, CI/CD). We are working on an alternative solution so that you can get a kubeconfig without the OIDC plugin: