pgadmin-org / pgadmin4

pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
https://www.pgadmin.org

Unable to authenticate via Okta #7677

Closed nathanpreen closed 1 month ago

nathanpreen commented 1 month ago

Please note that security bugs or issues should be reported to security@pgadmin.org.

Describe the bug

Currently using Okta as an Oauth2 proxy for PGAdmin as a Web Server running inside of our EKS cluster. Traffic flow for our cluster is: Client -> ALB -> HAProxy -> Service.

Upon hitting the login button, it takes me to Okta to log in as normal; however, it appears the redirect_uri is incorrect and I cannot find a way to override it.

Note: I have replaced all our domains with example.com. Looking at the URL, I can see it is setting it to be http://example.com:443/oauth2/authorize. However, I require this to be https://example.com/oauth2/authorize, which is what we currently have set up in our Okta app. If I adjust it to be what is being sent by PGAdmin, we get the following error. [screenshot]

This is the error that we currently see: [screenshot]

I have tried adjusting various options however I can't seem to get the right one.

Config:

    import os

    MASTER_PASSWORD_REQUIRED = True
    AUTHENTICATION_SOURCES = ['oauth2']
    OAUTH2_AUTO_CREATE_USER = True
    OAUTH2_CONFIG = [
      {
          'OAUTH2_NAME': 'okta',
          'OAUTH2_DISPLAY_NAME': 'Okta',
          'OAUTH2_CLIENT_ID': os.environ['OAUTH2_CLIENT_ID'],
          'OAUTH2_CLIENT_SECRET': os.environ['OAUTH2_CLIENT_SECRET'],
          'OAUTH2_TOKEN_URL': 'https://example.com/oauth2/v1/token',
          'OAUTH2_AUTHORIZATION_URL': 'https://example.com/oauth2/v1/authorize',
          'OAUTH2_API_BASE_URL': 'https://example.com/',
          'OAUTH2_USERINFO_ENDPOINT': 'https://example.com/oauth2/v1/userinfo',
          'OAUTH2_SERVER_METADATA_URL': 'https://example.com/.well-known/openid-configuration',
          'OAUTH2_SCOPE': 'openid profile email',
          'OAUTH2_ICON': 'fa-okta',
          'OAUTH2_BUTTON_COLOR': '#0000ff',
      }
    ]


khushboovashi commented 1 month ago

@nathanpreen, the redirect_url needs to be set in the OAUTH2 provider; in your case, it is OKTA. Please refer to https://www.pgadmin.org/docs/pgadmin4/8.9/oauth2.html.

nathanpreen commented 1 month ago

Hey @khushboovashi. So we have set it in Okta to be https://example.com/oauth2/authorize; however, we see that in the URL it is set to http://example.com:443/oauth2/authorize every time. Is the redirect_uri solely handled by the OAUTH2 provider? My understanding was that PGAdmin would also send it up with the auth request, and then it should match what is set in Okta.

khushboovashi commented 1 month ago

Hi @nathanpreen, pgAdmin doesn't send redirect_uri. It is being handled at the OAUTH2 provider end. You could also check your proxy settings once.
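As an added illustration (not pgAdmin's or the reporter's code), the following models how a proxy-aware web application derives the URL it reports for itself from the forwarded headers the proxy chain (ALB -> HAProxy) passes along, which is where the `http://example.com:443/...` form seen above comes from when the proxy advertises the port but not the scheme. The header sets and the app's internal scheme/port are constructed assumptions.

```python
from urllib.parse import urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def external_url(headers: dict, path: str, internal_scheme: str = "http",
                 internal_host: str = "127.0.0.1", internal_port: int = 80) -> str:
    """Reconstruct the externally visible URL for `path` the way a proxy-aware
    WSGI app does: X-Forwarded-* headers override what the app sees on its own
    listening socket. Constructed model of that behaviour, not pgAdmin's code."""
    h = {k.lower(): v for k, v in headers.items()}
    # Proxies may append to these headers; the first value is the client-facing one.
    scheme = h.get("x-forwarded-proto", internal_scheme).split(",")[0].strip().lower()
    host = h.get("x-forwarded-host", h.get("host", internal_host)).split(",")[0].strip()
    port = internal_port
    if ":" in host:  # a Host/X-Forwarded-Host value may already carry a port
        host, port_str = host.rsplit(":", 1)
        port = int(port_str)
    if "x-forwarded-port" in h:
        port = int(h["x-forwarded-port"].split(",")[0].strip())
    # The port is only omitted when it is the default for the scheme the app
    # believes it is using; http + 443 therefore renders as host:443.
    netloc = host if DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    return urlunsplit((scheme, netloc, path, "", ""))


def diagnose(headers: dict, path: str = "/oauth2/authorize"):
    """Return the reconstructed URL plus a list of likely proxy misconfigurations."""
    url = external_url(headers, path)
    problems = []
    if url.startswith("http://") and ":443" in url:
        problems.append("X-Forwarded-Proto missing or not https")
    return url, problems


if __name__ == "__main__":
    # Constructed header sets: TLS terminated at the load balancer, port forwarded
    # but scheme not forwarded (broken), then the same with the scheme forwarded.
    broken = {"Host": "example.com", "X-Forwarded-Port": "443"}
    fixed = {"Host": "example.com", "X-Forwarded-Port": "443", "X-Forwarded-Proto": "https"}
    for name, hdrs in (("broken", broken), ("fixed", fixed)):
        url, problems = diagnose(hdrs)
        print(f"{name}: {url} {problems}")
```

Running it shows the first header set yielding the exact `http://example.com:443/oauth2/authorize` reported in the issue and the second yielding the `https://example.com/oauth2/authorize` value registered in Okta.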

pravesh-sharma commented 1 month ago

No response from the author, hence closing the issue.