Bouncing between "authorize", "callback" and "/", ERR_TOO_MANY_REDIRECTS

[IchSchreiGleich]

I am using this plugin in treafik in conjunktion with auth0 and have configured it with

traefikoidc:
  callbackURL: /callback
  clientID: PLACEHOLDER
  clientSecret: PLACEHOLDER
  excludedURLs:
    - /login
  forceHTTPS: false
  logLevel: debug
  logoutURL: /logout
  providerURL: https://PLACEHOLDER.eu.auth0.com
  rateLimit: 100
  scopes:
    - openid
    - email
    - profile
  sessionEncryptionKey: PLACEHOLDER 

The first attempt is successful, I am redirected, use my Passkey and return to my origin and am authenticated.

Now I logout with

https://PLACEHOLDER.eu.auth0.com/v2/logout?client_id=PLACEHOLDER&returnTo=https://www.PLACEHOLDER.com/logout

and it seem to log me out, because the text "Logged out" is shown.

But when I try to sign in again (accessing https://www.PLACEHOLDER.com with redirection to auth0), I can use my Passkey but then nothing happens. Instead, the browser reports: ERR_TOO_MANY_REDIRECTS

The strange thing is that after successfully logging out and restarting traefik, the whole thing works fine. But only exactly once. Until the next time traefik is restarted.

I suspect that some status of the plugin is not cleaned up when logging out and therefore the whole thing fails?

[lukaszraczylo]

I'll have a look - just to confirm to be absolutely sure - it's with auth0 provider. There's a chance that the session details are not cleaned up after the logout and persist in the cache. I'll keep you updated :)

In the meanwhile - to eliminate all the possibilities - is your application configured by the chance to listen on any of the paths - /login, /logout or /callback? I've seen similar issues with the SPA's in NodeJS which had tendency to intercept the URLs after first load :)

[IchSchreiGleich]

That's a good hint. But at the other end there is only a 'dumb' Apache that currently only offers a directory listing. So no further logic. The complete session handling is done by the plugin. And as I said, it basically works really well. :)

I have also tried to put the logout URL on a .php page and delete the cookies there. It works well, but it doesn't change the overall behaviour. It only works once and then no longer works. - Let me know how I can support you further. :)

[lukaszraczylo]

Roger, I'll definitely investigate further as soon as I'll get back home :)

[lukaszraczylo]

Hi again, @IchSchreiGleich. Could you please check if it's resolved for you in v0.3.6 ? :)

[IchSchreiGleich]

The new version fixes the bouncing issue, but unfortunately creates a new one. When I

https://xxx.eu.auth0.com/v2/logout?client_id=xxx&returnTo=https://www.xxx.com/logout

I am not redirected back to my domain, but auth0 says that "https://www.xxx.com" is not a registered logout URL (redirect is missing the path). Regardless, I can manually go to my domain, log in via auth0 and everything is fine as expected. - Only the logout causes errors. :p

I thing, the auth0 logout URL changed to "../oidc/", is this correkt? Strange.

[IchSchreiGleich]

I think the error comes from here. Here only the base URL is set as return.

logoutURL, err := BuildLogoutURL(t.endSessionURL, idToken, baseURL)
[...]
func BuildLogoutURL(endSessionURL, idToken, postLogoutRedirectURI string) (string, error) {
[...]
q.Set("post_logout_redirect_uri", postLogoutRedirectURI)

[lukaszraczylo]

Ahhh never ending story, let me have a look at the new issue :)

Edit: Do you actually use the logout endpoint in the provider? In your config you should call HTTP://mydomain.com/logout and the plugin should be able to handle the logging out for you

[IchSchreiGleich]

Tried both. With the same result. Ending on auth0 with the error message about a missconfiguration (). When I use the local Url

https://xxx.eu.auth0.com/logout

I am redirected with

https://xxx.eu.auth0.com/oidc/logout?id_token_hint=JWT-TOKEN&post_logout_redirect_uri=https%3A%2F%2Fwww.xxx.com%2F

When I change the allowed logout urls in the auth0 configuration, everything is fine. Can I customize the "post_logout_redirect_url" from the plugin before sending, to lets say "https://www.xxx.com/"?

[lukaszraczylo]

Okay so - try the v0.3.7-rc2:

With this version ( and onwards ) you can specify:

  callbackURL: /oauth2/callback
  logoutURL: /oauth2/logout
  postLogoutRedirectURI: /oidc/different-logoutURL

If you don't do that - it will simply redirect back to http://domain.com/ :)

[IchSchreiGleich]

Great. Thank you very much, I will look at it later today. :)

One more question: When I use the middleware in the traefik for the same domain but a different subdomain, the plugin can only process "www". Is that intended or am I doing something wrong?

rule: "Host(`www.example.com`) || Host(`sub1.example.com`)"
service: apache-service
entryPoints:
  - https
middlewares:
  - my-traefikoidc
tls: {}

In the browser I type "sub1.exampe.com", but the redirect to auth0 sends

[...]redirect_uri=https%3A%2F%2Fwww.xxx.com%2Fcallback

(note the "www")

Don't get me wrong, I'm glad I was able to make it work with your help.. 😄👍🏼

[lukaszraczylo]

Ahh, okay. For example, on my home cluster, I use this middleware to authenticate quite a few routes ( let's say 30 or so ) *.internal.home-cluster.com. Configuring with OIDC was the most annoying part as I needed to specify every single subdomain ( potato.internal.home-cluster.com/oidc/callback, banana.internal.home-cluster.com/oidc/callback, etc. ), but once you do this on the OIDC side, you're done.

Configuration by design looks like the following to allow the automatic build of the URLs based on the domain the plugin serves

callbackURL: /oidc/callback
logoutURL: /oidc/logout
postLogoutRedirectURI: /oidc/different-logout

In your case - you can add in auth0 www.example.com/callback and sub1.example.com/callback in the application configuration, and change absolutely nothing in the plugin configuration itself although I've tested it only with the completely separate routes, not multi-host routes

[IchSchreiGleich]

Thanks for your tips. If I now customize the callback URLs and logout URLs at auth0, either by explicitly specifying the subdomain (banana.example.com) or using a wildcard (*.example.com), I end up at "www.example.com/callback" (although I used "banana.excample.com" as starting point) with the message

Invalid state parameter

If I go directly to "www.example.com" afterwards, everything is fine and I am authorized. But if I go to "banana.example.com", I get

CSRF token missing

May I ask if this really works for you? Have I overlooked a configuration in auth0? I don't understand why it redirects to auth0 with a different redirect_uri than the one I come from.

[lukaszraczylo]

Tried to reproduce. Check if v0.3.7-rc3 works for you. The problem was the redirect URL calculation once per start. Right now it'll be re-calculated per request

[IchSchreiGleich]

Love it! Works perfectly. Have to say thank you very, very much.

[lukaszraczylo]

Perfect, released it as 0.3.8 if you like nice round versions :)