louketo / louketo-proxy

An OpenID / Proxy service
Apache License 2.0
950 stars 345 forks

access forbidden with working keycloak-gatekeeper-10.0.1 configuration #671

Open gunterze opened 4 years ago

gunterze commented 4 years ago

Title

access forbidden with working keycloak-gatekeeper-10.0.1 configuration

Summary

Getting access forbidden with the same ENV/CLI params that work with keycloak-gatekeeper-10.0.1

Environment

docker-compose.yml:

services:
  kibana-gatekeeper:
    image: quay.io/louketo/louketo-proxy:1.0.0
    ports:
      - "8643:8643"
    environment:
      PROXY_LISTEN: 0.0.0.0:8643
      PROXY_REDIRECTION_URL: http://test-ng:8643
      PROXY_UPSTREAM_URL: http://kibana:5601
      PROXY_DISCOVERY_URL: https://test-ng:8843/auth/realms/dcm4che
      PROXY_CLIENT_ID: kibana
      PROXY_CLIENT_SECRET: f02e8c1b-97be-42d3-bf9a-926ff6004234
      PROXY_ENCRYPTION_KEY: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
    command:
      - "--openid-provider-timeout=120s"
      - "--skip-openid-provider-tls-verify=true"
      - "--enable-refresh-tokens=true"
      - "--enable-token-header=false"
      - "--enable-authorization-header=false"
      - "--enable-authorization-cookies=false"
      - "--resources=uri=/*|methods=GET|roles=auditlog"
      - "--forbidden-page=/opt/louketo/templates/forbidden.html.tmpl"
      - "--secure-cookie=false"
      - "--verbose=true"
    depends_on:
      - kibana
      - keycloak

Expected Results

Redirect http://test-ng:8643 to the Keycloak login and, after successful login, forward the request to http://kibana:5601

Actual Results

Redirect http://test-ng:8643 to the Keycloak login, but return the forbidden page after successful login.

Steps to reproduce

Additional Information

$ docker-compose logs kibana-gatekeeper
Attaching to dcm4cheearc_kibana-gatekeeper_1
kibana-gatekeeper_1         | 2020-07-22T11:38:04.695Z  info    src/server.go:86    starting the service    {"prog": "louketo-proxy", "author": "Louketo", "version": "v2.3.0 (git+sha: 9eca196-dirty, built: 01-07-2020)"}
kibana-gatekeeper_1         | 2020-07-22T11:38:04.695Z  info    src/server.go:700   attempting to retrieve configuration discovery url  {"url": "https://test-ng:8843/auth/realms/dcm4che", "timeout": "2m0s"}
kibana-gatekeeper_1         | 2020-07-22T11:38:04.740Z  info    src/server.go:716   successfully retrieved openid configuration from the discovery
kibana-gatekeeper_1         | 2020-07-22T11:38:04.743Z  info    src/server.go:161   enabled reverse proxy mode, upstream url    {"url": "http://kibana:5601"}
kibana-gatekeeper_1         | 2020-07-22T11:38:04.743Z  info    src/server.go:236   using session cookies only for access and refresh tokens
kibana-gatekeeper_1         | 2020-07-22T11:38:04.743Z  debug   src/server.go:650   loading the custom sign forbidden page  {"page": "/opt/louketo/templates/forbidden.html.tmpl"}
kibana-gatekeeper_1         | 2020-07-22T11:38:04.743Z  info    src/server.go:655   loading the custom templates    {"templates": "/opt/louketo/templates/forbidden.html.tmpl"}
kibana-gatekeeper_1         | 2020-07-22T11:38:04.743Z  info    src/server.go:268   protecting resource {"resource": "uri: /*, methods: GET, required: auditlog"}
kibana-gatekeeper_1         | 2020-07-22T11:38:04.743Z  info    src/server.go:393   Louketo proxy service starting  {"interface": "0.0.0.0:8643"}
kibana-gatekeeper_1         | 2020-07-22T11:39:12.831Z  error   src/middleware.go:174   no session found in request, redirecting for authorization  {"error": "authentication session not found"}
kibana-gatekeeper_1         | 2020-07-22T11:39:12.839Z  debug   src/handlers.go:85  incoming authorization request from client address  {"access_type": {}, "auth_url": "https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/auth?access_type=online&client_id=kibana&redirect_uri=http%3A%2F%2Ftest-ng%3A8643%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=d042623a-3dc4-46e0-84ac-1b351d52d27b", "client_ip": "192.168.2.131:38018"}
kibana-gatekeeper_1         | 2020-07-22T11:39:18.605Z  error   src/handlers.go:120 unable to exchange code for access token    {"error": "Post \"https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/token\": x509: certificate is valid for PACS_J4C, not test-ng"}
kibana-gatekeeper_1         | 2020-07-22T11:39:18.736Z  error   src/middleware.go:174   no session found in request, redirecting for authorization  {"error": "authentication session not found"}
kibana-gatekeeper_1         | 2020-07-22T11:39:18.778Z  debug   src/handlers.go:85  incoming authorization request from client address  {"access_type": {}, "auth_url": "https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/auth?access_type=online&client_id=kibana&redirect_uri=http%3A%2F%2Ftest-ng%3A8643%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=d7630a45-5b99-4b82-9b38-dc7d733cd209", "client_ip": "192.168.2.131:38018"}
kibana-gatekeeper_1         | 2020-07-22T11:39:18.904Z  error   src/handlers.go:120 unable to exchange code for access token    {"error": "Post \"https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/token\": x509: certificate is valid for PACS_J4C, not test-ng"}

With working keycloak-gatekeeper:10.0.1:

kibana-gatekeeper_1         | 1.5954192258886871e+09    info    keycloak-gatekeeper/server.go:84    starting the service    {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "10.0.1 (git+sha: 691bc4c, built: 08-05-2020)"}
kibana-gatekeeper_1         | 1.595419225888778e+09 info    keycloak-gatekeeper/server.go:694   attempting to retrieve configuration discovery url  {"url": "https://test-ng:8843/auth/realms/dcm4che", "timeout": "2m0s"}
kibana-gatekeeper_1         | 1.5954192259393873e+09    info    keycloak-gatekeeper/server.go:710   successfully retrieved openid configuration from the discovery
kibana-gatekeeper_1         | 1.5954192259412553e+09    info    keycloak-gatekeeper/server.go:157   enabled reverse proxy mode, upstream url    {"url": "http://kibana:5601"}
kibana-gatekeeper_1         | 1.5954192259413161e+09    info    keycloak-gatekeeper/server.go:229   using session cookies only for access and refresh tokens
kibana-gatekeeper_1         | 1.5954192259413319e+09    debug   keycloak-gatekeeper/server.go:644   loading the custom sign forbidden page  {"page": "/templates/forbidden_page.html.tmpl"}
kibana-gatekeeper_1         | 1.59541922594134e+09  info    keycloak-gatekeeper/server.go:649   loading the custom templates    {"templates": "/templates/forbidden_page.html.tmpl"}
kibana-gatekeeper_1         | 1.5954192259414353e+09    info    keycloak-gatekeeper/server.go:261   protecting resource {"resource": "uri: /*, methods: GET, required: auditlog"}
kibana-gatekeeper_1         | 1.5954192259415472e+09    info    keycloak-gatekeeper/server.go:386   keycloak proxy service starting {"interface": "0.0.0.0:8643"}
kibana-gatekeeper_1         | 1.5954192666286752e+09    error   keycloak-gatekeeper/middleware.go:108   no session found in request, redirecting for authorization  {"error": "authentication session not found"}
kibana-gatekeeper_1         | 1.5954192666322625e+09    debug   keycloak-gatekeeper/handlers.go:89  incoming authorization request from client address  {"access_type": "", "auth_url": "https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/auth?client_id=kibana&redirect_uri=http%3A%2F%2Ftest-ng%3A8643%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=931077cc-ff5a-4fc4-9ce3-5212077dcf89", "client_ip": "192.168.2.131:38230"}
kibana-gatekeeper_1         | 1.5954192722838438e+09    info    keycloak-gatekeeper/handlers.go:180 issuing access token for user   {"email": "", "expires": "2020-07-22T12:06:12Z", "duration": "4m59.716157366s"}
kibana-gatekeeper_1         | 1.5954192722839189e+09    debug   keycloak-gatekeeper/misc.go:130 parsed refresh token with new duration  {"new duration": 1799.71608143}
kibana-gatekeeper_1         | 1.5954192722882106e+09    debug   keycloak-gatekeeper/session.go:51   found the user identity {"id": "35636f1e-1595-48c7-883f-549ef5185249", "name": "admin", "email": "", "roles": "ADMINISTRATOR,auditlog,admin,user,account:manage-account,account:manage-account-links,account:view-profile,realm-management:view-realm,realm-management:view-identity-providers,realm-management:manage-identity-providers,realm-management:impersonation,realm-management:realm-admin,realm-management:create-client,realm-management:manage-users,realm-management:query-realms,realm-management:view-authorization,realm-management:query-clients,realm-management:query-users,realm-management:manage-events,realm-management:manage-realm,realm-management:view-events,realm-management:view-users,realm-management:view-clients,realm-management:manage-authorization,realm-management:manage-clients,realm-management:query-groups", "groups": ""}
kibana-gatekeeper_1         | 1.5954192722883925e+09    debug   keycloak-gatekeeper/middleware.go:369   access permitted to resource    {"access": "permitted", "email": "", "expires": 299.711608252, "resource": "/*"}

... unable to exchange code for access token {"error": "Post \"https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/token\": x509: certificate is valid for PACS_J4C, not test-ng"}

=> it seems --skip-openid-provider-tls-verify=true is not fully applied by louketo-proxy:1.0.0

jangaraj commented 4 years ago

That looks like https://github.com/louketo/louketo-proxy/issues/657
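An added example, not louketo-proxy's or keycloak-gatekeeper's code, that reproduces the failure in the log above in Go. A stand-in token endpoint is served with a self-signed certificate whose only SAN is PACS_J4C and is addressed as test-ng, the discovery-URL host. A client that verifies the certificate fails with the same x509 hostname error shown in the log; a client built with InsecureSkipVerify (what --skip-openid-provider-tls-verify=true has to set on every HTTP client the proxy creates, including the one used for the code exchange and not only the discovery fetch) gets through; and a certificate reissued with a SAN for test-ng succeeds with verification left on, which is the fix to prefer, since with verification off anything sitting between the proxy and Keycloak can impersonate the provider. The endpoint, the hostnames and the ok/hostname-mismatch/error labels are assumptions made for the demonstration; it needs Go 1.16 or later and a loopback listener.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Keycloak's token endpoint path, as it appears in the issue's log lines.
const tokenPath = "/auth/realms/dcm4che/protocol/openid-connect/token"

// startTokenEndpoint serves a stand-in token endpoint over TLS with a throwaway
// self-signed certificate whose SANs are exactly dnsNames (constructed test
// material, not a real Keycloak certificate).
func startTokenEndpoint(dnsNames ...string) *httptest.Server {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // test fixture only; key generation from rand.Reader is not expected to fail
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // Go matches hostnames against SANs only, never the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	mux := http.NewServeMux()
	mux.HandleFunc(tokenPath, func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, `{"access_token":"constructed","token_type":"Bearer"}`)
	})
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

// newClient is the HTTP client a proxy would use for the token exchange: the certificate is
// checked against serverName (the discovery URL host) unless skipVerify is set for this client.
func newClient(trusted *x509.Certificate, serverName string, skipVerify bool) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: serverName, InsecureSkipVerify: skipVerify},
	}}
}

// exchangeCode POSTs to the token endpoint and classifies the outcome as "ok",
// "hostname-mismatch" (the x509 error from the issue) or "error".
func exchangeCode(c *http.Client, tokenURL string) (string, error) {
	resp, err := c.Post(tokenURL, "application/x-www-form-urlencoded",
		strings.NewReader("grant_type=authorization_code&code=constructed"))
	var hostErr x509.HostnameError
	if errors.As(err, &hostErr) {
		return "hostname-mismatch", err
	}
	if err != nil {
		return "error", err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return "ok", nil
}

// Demo runs the exchange under three configurations and returns each outcome by label.
func Demo() map[string]string {
	out := map[string]string{}
	// The issue's setup: certificate issued for PACS_J4C, provider reached as test-ng.
	bad := startTokenEndpoint("PACS_J4C")
	defer bad.Close()
	res, err := exchangeCode(newClient(bad.Certificate(), "test-ng", false), bad.URL+tokenPath)
	out["verify-mismatched"], out["mismatch-error"] = res, fmt.Sprint(err)
	// Verification skipped for this client too: the same request goes through.
	out["skip-mismatched"], _ = exchangeCode(newClient(bad.Certificate(), "test-ng", true), bad.URL+tokenPath)
	// The fix that keeps verification on: reissue the certificate with a SAN for test-ng.
	good := startTokenEndpoint("PACS_J4C", "test-ng")
	defer good.Close()
	out["verify-fixed"], _ = exchangeCode(newClient(good.Certificate(), "test-ng", false), good.URL+tokenPath)
	return out
}

func main() {
	fmt.Println(Demo())
}
```

The check a practitioner wants from this is the one the log already hints at: the discovery fetch succeeds while the code exchange fails, so the two requests are not sharing the same TLS configuration. Matching on x509.HostnameError rather than on the error string keeps the classification stable across Go versions, which since 1.20 prefix the message with "tls: failed to verify certificate:".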