opendatadiscovery / odd-platform

First open-source data discovery and observability platform. We make life easy for data practitioners so you can focus on your business.
https://opendatadiscovery.org
Apache License 2.0
1.19k stars, 98 forks

Unable to authenticate using custom OIDC with PKCE (Proof Key for Code Exchange) #1606

Closed mavenzer closed 6 months ago

mavenzer commented 6 months ago

We have deployed ODD in a K8s cluster and added authentication using OIDC, but in our organization we are restricted from using client_secret; the only allowed method is PKCE (Proof Key for Code Exchange). I'm not sure whether ODD supports PKCE natively rather than using client_secret.

I'm able to redirect to the auth server, but after typing the username/password it goes into an infinite loop.

I'm sharing the ODD Platform manifest which we have used for the deployment:


apiVersion: apps/v1
kind: Deployment
metadata:
  name: odd-helm-odd-platform
  labels:
    helm.sh/chart: odd-platform-0.1.6
    app.kubernetes.io/name: odd-platform-test
    app.kubernetes.io/instance: odd-helm-v1
    app.kubernetes.io/version: "latest"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: odd-platform-test
      app.kubernetes.io/instance: odd-helm-v1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: odd-platform-test
        app.kubernetes.io/instance: odd-helm-v1
    spec:
      serviceAccountName: odd-helm-v1-odd-platform-test
      securityContext: {}
      containers:
        - name: odd-platform
          securityContext: {}
          image: "odd-platform:0.21.0"
          imagePullPolicy: IfNotPresent
          env:
            - name: SPRING_DATASOURCE_URL
              value: "jdbc:postgresql://odd-postgresql.alex-testing-geting-cluster.svc.cluster.local/postgres"
            - name: SPRING_DATASOURCE_USERNAME
              value: postgres
            - name: SPRING_DATASOURCE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: odd-postgresql
                  key:  postgres-password
            - name : AUTH_TYPE
              value: "OAUTH2"
            - name : AUTH_OAUTH2_CLIENT_MOBILESSO_PROVIDER
              value:  "mobilesso"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CLIENT_ID
              value: "CLIENT_ID_TESTING_ODD"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CODE_CHALLENGE
              value: "RANDOM_STRING_GENERATED_HASHES"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CHALLENGE_METHOD
              value: "S256"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_SCOPE
              value: "openid"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_REDIRECT_URI
              value: "https://omegastar.kalix.testserver.alexnet.com/"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_CLIENT_NAME
              value:  "MobileSSO"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_ISSUER_URI
              value:  "https://generic-v1-test-kalix.com/FedBroker"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_USER_NAME_ATTRIBUTE
              value:  "email"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_ADMIN_ATTRIBUTE
              value: "email"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_ADMIN_PRINCIPALS
              value: "rnn@kaslix-test.com"

          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /actuator/health
              port: 8080
            initialDelaySeconds: 30
          readinessProbe:
            httpGet:
              path: /actuator/health
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 30
          resources: {}
          volumeMounts: []
      volumes: []

Is there any config missing in the deployment manifest of the ODD Platform?

Vladysl commented 6 months ago

Hi @mavenzer, thank you for your feedback. Currently we do not support authentication using PKCE. Could you please let us know: 1) Do you have any workarounds for this? 2) Do you have any time limit on how long you can use client_secret instead of PKCE? We will try to prioritise the implementation of this.

Also, could you please provide some logs from odd-platform?

mavenzer commented 6 months ago

Hi @Vladysl,

There is nothing specific in the logs (I'm attaching the logs below). By policy our SSO doesn't support client secret, and currently only PKCE is supported.

We are also looking into the implementation of LDAP.

Platform logs:


  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v3.1.0)

2024-02-05T16:18:52.592Z  INFO 1 --- [           main] o.o.oddplatform.ODDPlatformApplication   : Starting ODDPlatformApplication using Java 17.0.2 with PID 1 (/app/classes started by 1005330000 in /app)
2024-02-05T16:18:52.596Z  INFO 1 --- [           main] o.o.oddplatform.ODDPlatformApplication   : No active profile set, falling back to 1 default profile: "default"
2024-02-05T16:18:56.495Z  INFO 1 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Multiple Spring Data modules found, entering strict repository configuration mode
2024-02-05T16:18:56.498Z  INFO 1 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2024-02-05T16:18:56.721Z  INFO 1 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 213 ms. Found 0 Redis repository interfaces.
2024-02-05T16:18:59.720Z  INFO 1 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...
2024-02-05T16:19:00.195Z  INFO 1 --- [           main] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Added connection org.postgresql.jdbc.PgConnection@7455204c
2024-02-05T16:19:00.197Z  INFO 1 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Start completed.
2024-02-05T16:19:00.400Z  INFO 1 --- [           main] o.f.core.internal.command.DbValidate     : Successfully validated 86 migrations (execution time 00:00.170s)
2024-02-05T16:19:00.411Z  INFO 1 --- [           main] o.f.core.internal.command.DbMigrate      : Current version of schema "public": 0.0.86
2024-02-05T16:19:00.412Z  WARN 1 --- [           main] o.f.core.internal.command.DbMigrate      : Schema "public" has a version (0.0.86) that is newer than the latest available migration (0.0.85) !
2024-02-05T16:19:00.413Z  INFO 1 --- [           main] o.f.core.internal.command.DbMigrate      : Schema "public" is up to date. No migration necessary.
2024-02-05T16:19:04.282Z  INFO 1 --- [           main] org.reflections.Reflections              : Reflections took 94 ms to scan 1 urls, producing 2 keys and 58 values
2024-02-05T16:19:06.021Z  INFO 1 --- [           main] ctiveUserDetailsServiceAutoConfiguration : 

Using generated security password: 4c22e6bc-7f86-43aa-91d8-6a5fd1ff910d

2024-02-05T16:19:08.197Z  INFO 1 --- [           main] o.s.b.a.e.web.EndpointLinksResolver      : Exposing 4 endpoint(s) beneath base path '/actuator'
2024-02-05T16:19:09.314Z  INFO 1 --- [           main] o.s.b.web.embedded.netty.NettyWebServer  : Netty started on port 8080
2024-02-05T16:19:09.403Z  INFO 1 --- [           main] o.o.oddplatform.ODDPlatformApplication   : Started ODDPlatformApplication in 17.703 seconds (process running for 18.38)
2024-02-05T16:27:31.850Z  INFO 1 --- [tor-tcp-epoll-1] org.jooq.Constants                       : 

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@  @@        @@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@        @@@@@@@@@@
@@@@@@@@@@@@@@@@  @@  @@    @@@@@@@@@@
@@@@@@@@@@  @@@@  @@  @@    @@@@@@@@@@
@@@@@@@@@@        @@        @@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@        @@        @@@@@@@@@@
@@@@@@@@@@    @@  @@  @@@@  @@@@@@@@@@
@@@@@@@@@@    @@  @@  @@@@  @@@@@@@@@@
@@@@@@@@@@        @@  @  @  @@@@@@@@@@
@@@@@@@@@@        @@        @@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@  @@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  Thank you for using jOOQ 3.18.4

2024-02-05T16:27:31.851Z  INFO 1 --- [tor-tcp-epoll-1] org.jooq.Constants                       : 

jOOQ tip of the day: In order to improve cardinality estimates, it can be valuable to auto-inline bind variables on certain columns, e.g. on enum types: https://www.jooq.org/doc/latest/manual/sql-building/dsl-context/custom-settings/settings-auto-inline-bind-values/

2024-02-05T16:34:09.467Z  INFO 1 --- [   scheduling-1] o.j.i.D.logVersionSupport                : Version                  : Database version is supported by dialect POSTGRES: 15.3
Vladysl commented 6 months ago

Hi @mavenzer, implemented in https://github.com/opendatadiscovery/odd-platform/pull/1611. We added a new boolean variable pkce, so you need to specify AUTH_OAUTH2_CLIENT_MOBILESSO_PKCE. We will try to release this feature during the current week.

We tested it locally using keycloak with this config

      keycloak:
        provider: 'keycloak'
        client-id: 'odd-platform'
        client-secret:
        scope:
          - openid
        client-name: 'odd-platform'
        redirect-uri: 'http://localhost:8080/login/oauth2/code/keycloak'
        issuer-uri: 'http://localhost:8081/realms/odd-login'
        user-name-attribute: preferred_username
        admin-attribute: preferred_username
        admin-principals: admin
        pkce: true
mavenzer commented 6 months ago

Thanks @Vladysl for implementing it. One question I wanted to ask before we pull the updated images: to confirm, do we need to add these two env variables in the deployment manifest:

            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CODE_CHALLENGE
              value: "RANDOM_STRING_GENERATED_HASHES"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CHALLENGE_METHOD
              value: "S256"

Or do we need to add any other values as well?

Vladysl commented 6 months ago

Hi @mavenzer, we are using Spring Boot and, according to the documentation,

[image]

when you pass client-secret as an empty string and specify AUTH_OAUTH2_CLIENT_MOBILESSO_PKCE=true, we will apply PKCE. We are not controlling any CHALLENGE_METHOD or CODE_CHALLENGE.

In our case with Keycloak it was enough to perform authorization.
Also, for Keycloak we specified Challenge Method = S256:

[image]

If you have any specific cases, could you please describe them?

Example auth page:

[image]

Invalid creds:

[image]

Valid creds:

[image] [image]
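
The exchange Vladysl describes above, as an added illustration that is not part of this thread, ODD Platform or Spring Security: the client generates a fresh code_verifier for every login, sends only its S256 challenge with the authorization request, and proves knowledge of the verifier at the token endpoint instead of presenting a client_secret. The AuthorizationServer class is a constructed in-memory stand-in for the real issuer (assumed to enforce S256, as Keycloak does when the client's Challenge Method is set to S256); the client id is taken from the manifest above, the host names are assumptions. The last function shows why a challenge pinned in configuration, as in the CODE_CHALLENGE env var of the first manifest, cannot work: the verifier the library generates per request will never hash to it.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Fresh code_verifier: 32 random bytes -> 43 unreserved characters (the RFC minimum)."""
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, verifier: str, state: str) -> str:
    """The URL the browser is sent to; note there is no client_secret anywhere."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


class AuthorizationServer:
    """Constructed in-memory stand-in for the issuer: binds each code to its challenge."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str) -> str:
        if method != "S256":  # "plain" is allowed by the RFC but not worth accepting
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str):
        entry = self._codes.pop(code, None)  # a code is single use, success or not
        if entry is None:
            return None
        stored_client, stored_redirect, stored_challenge = entry
        if (stored_client, stored_redirect) != (client_id, redirect_uri):
            return None
        # The proof: whoever presents the code must know the verifier behind the challenge.
        if not secrets.compare_digest(challenge_s256(code_verifier), stored_challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


CLIENT_ID = "CLIENT_ID_TESTING_ODD"  # from the manifest in this thread
REDIRECT_URI = "https://odd.example/login/oauth2/code/mobilesso"  # assumed host
AUTHORIZE = "https://issuer.example/authorize"  # assumed issuer endpoint


def honest_login(server: AuthorizationServer):
    """Normal flow: per-request verifier, challenge sent, verifier proven at the token endpoint."""
    verifier = new_verifier()
    state = b64url(secrets.token_bytes(16))
    url = build_authorization_url(AUTHORIZE, CLIENT_ID, REDIRECT_URI, verifier, state)
    if "code_challenge=" not in url or "client_secret" in url:
        raise RuntimeError("authorization request is not a PKCE request")
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge_s256(verifier), "S256")
    return server.token(code, CLIENT_ID, REDIRECT_URI, verifier)


def intercepted_code(server: AuthorizationServer):
    """Attacker sees the redirect (code+state) but never the verifier held by the app."""
    verifier = new_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge_s256(verifier), "S256")
    return server.token(code, CLIENT_ID, REDIRECT_URI, new_verifier())


def static_challenge_from_config(server: AuthorizationServer, configured_challenge: str):
    """A challenge pinned in configuration cannot match the fresh verifier the client
    library generates for the request, so the exchange is refused."""
    code = server.authorize(CLIENT_ID, REDIRECT_URI, configured_challenge, "S256")
    return server.token(code, CLIENT_ID, REDIRECT_URI, new_verifier())
```

The verifier only ever lives in the client's session store between the redirect out and the token call, which is why there is no env var for it: ODD's PKCE switch just tells Spring to generate one per login.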
mavenzer commented 6 months ago

Thanks a lot for the explanation. @Vladysl, is it possible for you to make an intermediate release (image release) so we can test the connection to our auth servers with PKCE?

AndreyNenashev commented 6 months ago

@mavenzer @Vladysl the latest minor release with PKCE:

https://github.com/opendatadiscovery/odd-platform/pkgs/container/odd-platform/176555201?tag=0.23.1

mavenzer commented 6 months ago

Thanks a lot for the minor release. Really appreciate the efforts @AndreyNenashev @Vladysl .

mavenzer commented 6 months ago

Hi @Vladysl,

I have applied the same configs as mentioned by you:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: odd-helm-odd-platform
  labels:
    helm.sh/chart: odd-platform-0.1.6
    app.kubernetes.io/name: odd-platform-test
    app.kubernetes.io/instance: odd-helm-v1
    app.kubernetes.io/version: "latest"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: odd-platform-test
      app.kubernetes.io/instance: odd-helm-v1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: odd-platform-test
        app.kubernetes.io/instance: odd-helm-v1
    spec:
      serviceAccountName: odd-helm-v1-odd-platform-test
      securityContext: {}
      containers:
        - name: odd-platform
          securityContext: {}
          image: "odd-platform:0.23.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: SPRING_DATASOURCE_URL
              value: "jdbc:postgresql://odd-postgresql.alex-testing-geting-cluster.svc.cluster.local/postgres"
            - name: SPRING_DATASOURCE_USERNAME
              value: postgres
            - name: SPRING_DATASOURCE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: odd-postgresql
                  key:  postgres-password
            - name : AUTH_TYPE
              value: "OAUTH2"
            - name : AUTH_OAUTH2_CLIENT_MOBILESSO_PROVIDER
              value:  "mobilesso"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CLIENT_ID
              value: "CLIENT_ID_TESTING_ODD"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_PKCE
              value: "true"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CODE_CHALLENGE_METHOD
              value: "S256"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_SCOPE
              value: "openid,email"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_REDIRECT_URI
              value: "https://omegastar.kalix.testserver.alexnet.com/login"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_CLIENT_NAME
              value:  "MobileSSO"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_ISSUER_URI
              value:  "https://generic-v1-test-kalix.com/FedBroker"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_USER_NAME_ATTRIBUTE
              value:  "email"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_ADMIN_ATTRIBUTE
              value: "email"
            - name:  AUTH_OAUTH2_CLIENT_MOBILESSO_ADMIN_PRINCIPALS
              value: "rnn@kaslix-test.com"

          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /actuator/health
              port: 8080
            initialDelaySeconds: 30
          readinessProbe:
            httpGet:
              path: /actuator/health
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 30
          resources: {}
          volumeMounts: []
      volumes: []

Whenever I go to the URL (https://omegastar.kalix.testserver.alexnet.com/login) and enter the username and password, it comes back to the same state (https://omegastar.kalix.testserver.alexnet.com/login?code=YSasasasASAXTSF7nf6YASASKLANSw50K4sWsC7LiDQmwfWd8kjESwAAAEs&state=cb5ace6d96e64530838fd2a6808b37b9), but I'm not able to see the ODD interface.

Is there anything I'm missing in the configs?

Best Regards

Vladysl commented 6 months ago

Hi @mavenzer, auth.oauth2.client.{client-id}.redirect-uri (the redirect URL) must be defined as {domain}/login/oauth2/code/{client-id}, but you defined it as AUTH_OAUTH2_CLIENT_MOBILESSO_REDIRECT_URI="https://omegastar.kalix.testserver.alexnet.com/login".

More info here - https://docs.opendatadiscovery.org/configuration-and-deployment/enable-security/authentication/oauth2-oidc#other-oidc-providers
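
A check for the redirect-uri rule Vladysl points to, added here as an illustration rather than ODD or Spring code. It assumes, from the Keycloak example earlier in the thread (key keycloak, callback /login/oauth2/code/keycloak), that the {client-id} in the docs is the registration key of the property path, which for the manifest above is mobilesso; /login/oauth2/code/{registrationId} is the default callback path of Spring Security's OAuth2 client. classify_callback gives the plausible reading of the looping URL reported above: the code and state are delivered to /login, which is not the callback path, so the code is never exchanged and the user is sent to log in again. The callback URLs in the test are constructed.

```python
from urllib.parse import parse_qs, urlsplit

CALLBACK_PREFIX = "/login/oauth2/code/"


def expected_redirect_uri(base_url: str, registration: str) -> str:
    """{domain}/login/oauth2/code/{registration}, where registration is the key used in
    auth.oauth2.client.<key>.* ("keycloak" in the test config, "mobilesso" above)."""
    return f"{base_url.rstrip('/')}{CALLBACK_PREFIX}{registration}"


def check_redirect_uri(configured: str, registration: str, require_https: bool = True):
    """Return (ok, problems, expected) for a configured redirect-uri."""
    parts = urlsplit(configured)
    problems = []
    if require_https and parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}; the IdP must redirect back over https")
    if parts.query or parts.fragment:
        problems.append("redirect-uri must be a bare URL with no query or fragment")
    wanted_path = CALLBACK_PREFIX + registration
    if parts.path != wanted_path:
        problems.append(f"path is {parts.path!r}, expected {wanted_path!r}")
    expected = expected_redirect_uri(f"{parts.scheme}://{parts.netloc}", registration)
    return (not problems, problems, expected)


def classify_callback(url: str, registration: str) -> str:
    """Explain the URL the browser ends up on after the IdP redirects back."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    has_code = "code" in query and "state" in query
    if has_code and parts.path == CALLBACK_PREFIX + registration:
        return "code+state arrived at the client's callback path; token exchange can proceed"
    if has_code:
        return ("code+state arrived at a path the OAuth2 client does not handle, so the "
                "code is never exchanged and the app sends the user to log in again: loop")
    return "no authorization code in this URL"


if __name__ == "__main__":
    ok, problems, expected = check_redirect_uri(
        "https://omegastar.kalix.testserver.alexnet.com/login", "mobilesso")
    print(ok, problems, expected)
```

The registered redirect URI on the IdP side has to be the same exact string, so once the manifest value is corrected the client registration at the issuer needs the matching update too.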

mavenzer commented 6 months ago

Thanks a lot!