search

mesosphere / traefik-forward-auth

214 stars 45 forks source link

Authenticated in KeyCloak, yet not Authorized #36

Open TobenderZephyr opened 3 years ago

TobenderZephyr commented 3 years ago

Before I dive too deep in this matter, I want to apologize beforehand, that i stumpled on KeyCloak and therefore your project by accident. I did not yet dig deep enough to know if these projects would exactly fit my needs or if I am doing it all wrong.

My setup currently are three different Docker Hosts (no swarm), each running one of: keycloak + traefik, traefik-forward-auth+ traefik, application + traefik. The plan was to have the application run in a LAN environment (or wherever), while the forward-auth-host is inside a DMZ allowing only HTTP/HTTPS+outgoing LDAP for Authentication against Active Directory. The KeyCloak Server could either be inside the same DMZ or internal - yet to decide where it makes most sense.

I followed your instructions in #1 and made a few changes here and there to fit my needs. Now I am at a point where I am unable to progress, because I tried so much beforehand and this is the furthest I achieved.

When I hit the whoami page, I will get redirected to the KeyCloak login page by traefik-forward-auth. After entering username+password, I get redirected again to traefik-forward-auth with /_oauth?.

Yet I receive 401 Not Authenticated. Inspecting the Browser Cookies (F12) I don't see anything in the list.

This is the output of the debug log. I believe the error message appeared after building the latest version (Dockerhub is 6 months old)

time="2020-08-20T20:40:56Z" level=debug msg="Handling callback" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] Accept-Encoding:[gzip, deflate, br] Accept-Language:[de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7] Cookie:[_forward_auth=JVeFDoXTziwDqQVRie7f0BTWWvEykUz0EcB4d1vkphc=|1597978340|<user-email>; _forward_auth_name=\"Marcus Netz\"; _forward_auth_claims=MTU5NzkzNTE0MHxEdi1CQkFFQ180SUFBUkFCRUFBQUt2LUNBQUVHYzNSeWFXNW5EQWdBQm1keWIzVndjd2hiWFhOMGNtbHVaXy1EQWdFQ180UUFBUXdBQUFYX2hBSUFBQT09fC67IXEzpPk-NYaNXp9rA8oHssDd0XMwpAuDClyWFiCq; _forward_auth_csrf=c14e6a963f9feebe255ca56b9b2e53da] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.127 Safari/537.36] X-Forwarded-For:[172.25.217.3] X-Forwarded-Host:[auth.<example.com>] X-Forwarded-Method:[GET] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[653a6f2df7e7] X-Forwarded-Uri:[/_oauth?state=3e34e70914815040fcc8d9048c838a12%3Ahttp%3A%2F%2Fauth.<example.com>%2F&session_state=65813182-46c8-4ef1-820c-450466d3a9fc&code=a4b90e68-5e06-42ef-a08b-c40e41bea54f.65813182-46c8-4ef1-820c-450466d3a9fc.dd176887-3e47-4319-8337-44b68b520582] X-Real-Ip:[172.25.217.3]]" rule=default source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=warning msg="Error validating CSRF cookie: CSRF cookie does not match state" source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=debug msg="Authenticate request" headers="map[Accept:[image/webp,image/apng,image/*,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br] Accept-Language:[de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7] Cookie:[_forward_auth=JVeFDoXTziwDqQVRie7f0BTWWvEykUz0EcB4d1vkphc=|1597978340|<user email>; _forward_auth_name=\"Marcus Netz\"; _forward_auth_claims=MTU5NzkzNTE0MHxEdi1CQkFFQ180SUFBUkFCRUFBQUt2LUNBQUVHYzNSeWFXNW5EQWdBQm1keWIzVndjd2hiWFhOMGNtbHVaXy1EQWdFQ180UUFBUXdBQUFYX2hBSUFBQT09fC67IXEzpPk-NYaNXp9rA8oHssDd0XMwpAuDClyWFiCq; _forward_auth_csrf=c14e6a963f9feebe255ca56b9b2e53da] Referer:[https://auth.<example.com>/_oauth?state=3e34e70914815040fcc8d9048c838a12%3Ahttp%3A%2F%2Fauth.<example.com>%2F&session_state=65813182-46c8-4ef1-820c-450466d3a9fc&code=a4b90e68-5e06-42ef-a08b-c40e41bea54f.65813182-46c8-4ef1-820c-450466d3a9fc.dd176887-3e47-4319-8337-44b68b520582] Sec-Fetch-Dest:[image] Sec-Fetch-Mode:[no-cors] Sec-Fetch-Site:[same-origin] User-Agent:[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.127 Safari/537.36] X-Forwarded-For:[172.25.217.3] X-Forwarded-Host:[auth.<example.com>] X-Forwarded-Method:[GET] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[653a6f2df7e7] X-Forwarded-Uri:[/favicon.ico] X-Real-Ip:[172.25.217.3]]" rule=default source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=error msg="error getting groups from session: error getting session: securecookie: error - caused by: crypto/aes: invalid key size 0" source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=warning msg="Non-HTML request: image/webp,image/apng,image/*,*/*;q=0.8" source_ip=172.25.217.3

This is my setup:

traefik-forward-auth:

version: '3'
services:
  auth-proxy:
    container_name: auth-proxy
    build: /opt/sources/traefik-forward-auth
    image: mesosphere/traefik-forward-auth
    environment:
      CLIENT_ID: auth-proxy-internal
      CLIENT_SECRET: 51cfe608-6b1a-4698-9d15-02cbca2811ff
      PROVIDER_URI: https://<keycloak>/auth/realms/Internal
      SECRET: 554034e6a2da367916f11b73d385ac99
      AUTH_HOST: auth.<example.com>
      INSECURE_COOKIE: 'true'
      CSRF_COOKIE_NAME: '_forward_auth_csrf'
      LOG_LEVEL: debug
    networks:
      - proxy
    restart: unless-stopped
    volumes:
      - /etc/ssl/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.address=http://auth-proxy:4181/"
      - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.routers.auth-proxy.rule=Host(`auth.<example.com>`)"
      - "traefik.http.routers.auth-proxy.entrypoints=http"
      - "traefik.http.routers.auth-proxy.middlewares=forward-auth"
      - "traefik.http.services.auth-proxy.loadbalancer.server.port=4181"
      - "traefik.http.routers.auth-proxy-secure.entrypoints=https"
      - "traefik.http.routers.auth-proxy-secure.rule=Host(`auth.<example.com>`)"
      - "traefik.http.routers.auth-proxy-secure.middlewares=forward-auth"
      - "traefik.http.routers.auth-proxy-secure.tls=true"
      - "traefik.docker.network=proxy"

networks:
  proxy:
    external: true

whoami:

version: '3'
services:
  test:
    image: mendhak/http-https-echo
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.address=https://auth.<example.com>/"
      - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.test.loadbalancer.server.port=80"
      - "traefik.http.routers.test.entrypoints=http"
      - "traefik.http.routers.test.rule=Host(`whoami.<example.local>`)"
      - "traefik.http.routers.test.middlewares=forward-auth"
      - "traefik.docker.network=proxy"

networks:
  proxy:
    external: true

I guess it comes down to normal Docker Networking now and avoiding traefik at a certain point, so proxy headers won't get mixed up.

Any help on this is appreciated,

Thanks Marcus

thmo commented 2 years ago

error - caused by: crypto/aes: invalid key size 0

I think you need to pass --encryption-key or set ENCRYPTION_KEY.

tgerakitis commented 2 years ago

here a working example docker-compose.yml

version: '2.4'
networks:
  web:
    external: true

services:
  traefik:
    image: traefik
    command:
      - "--accesslog"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - 80:80
    networks:
      - web
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    labels:
      traefik.enable: true
      traefik.docker.network: web
      #v2
      traefik.http.routers.traefik.rule: Host(`traefik.localtest.me`)
      traefik.http.services.traefik.loadbalancer.server.port: 8080

  whoami:
    image: traefik/whoami
    networks:
      - web
    labels:
      traefik.enable: true
      treafik.docker.network: web
      #v2
      traefik.http.routers.php-test-router.rule: Host(`whoami.localtest.me`)
      traefik.http.services.php-test-service.loadbalancer.server.port: 80
      traefik.http.routers.php-test-router.middlewares: traefik-forward-auth-middleware

  traefik-forward-auth:
    image: mesosphere/traefik-forward-auth:3.1.0
    networks:
      - web
      - default
    environment:
      #options https://github.com/mesosphere/traefik-forward-auth/blob/master/internal/configuration/config.go
      INSECURE_COOKIE: 1
      ENCRYPTION_KEY: 45659373957778734945638459467936 #32 character encryption key
      COOKIE_DOMAIN: whoami.localtest.me
      SCOPE: profile email openid # scope openid is necessary for keycloak...
      SECRET: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      PROVIDER_URI: https://my-keycloak.com/auth/realms/my-realm
      CLIENT_ID: myclient
      CLIENT_SECRET: mysecret
      LOG_LEVEL: debug
    labels:
      traefik.enable: true
      traefik.docker.network: web
      traefik.http.services.traefik-forward-auth.loadbalancer.server.port: 4181
      traefik.http.routers.traefik-forward-auth.entrypoints: web
      traefik.http.routers.traefik-forward-auth.rule: Path(`/_oauth`)
      traefik.http.routers.traefik-forward-auth.middlewares: traefik-forward-auth
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.address: http://traefik-forward-auth:4181
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.authResponseHeaders: X-Forwarded-User
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.trustForwardHeader: "true"
suikast42 commented 1 year ago

COOKIE_DOMAIN: whoami.localtest.me

I try with the wildcard .localtest.me that doen't work but without dot works localtest.me 😕

arulrajnet commented 11 months ago

I am using the latest/22.00 keycloak with this config. Getting the following error

time="2023-08-13T17:48:57Z" level=error msg="error generating secure session cookie: securecookie: error - caused by: crypto/aes: invalid key size 22" source_ip=172.27.0.1

To generate cookie used this github.com/gorilla/securecookie module.

Refer https://github.com/mesosphere/traefik-forward-auth/blob/057c6d41a7126080c08f011a7fbaa0f12c16d10a/internal/handlers/server.go#L344

Refer https://github.com/mesosphere/traefik-forward-auth/blob/057c6d41a7126080c08f011a7fbaa0f12c16d10a/internal/authentication/auth.go#L111

Refer https://go.dev/src/crypto/aes/cipher.go#25

The error crypto/aes: invalid key size 22 coming from cipher.go.

How to fix this?

HWiese1980 commented 9 months ago

Anyone around here, who can shed some light upon this? I'm having the same issues. I can't find a valid key size. What is a valid key size anyway? How do I generate a valid key?

thmo commented 9 months ago

In my config, I have a SECRET with a length of 32 chars, and an --encryption-key with a length of 16 chars.

They can be generated, e.g., with pwgen 32 1 and pwgen 16 1, respectively.