Open arunalakmal opened 5 days ago
Hi @arunalakmal,
Once the user has authenticated via any OAuth2 provider, the provider is responsible for the redirection back to pgAdmin. Can you please make sure you have configured Azure AD correctly?
You can share all the NGINX, pgAdmin and Azure configurations here, so we can check it out.
Hi @khushboovashi Thank you for your reply!
I found that it is the Azure app registration configuration's responsibility to match the redirect URI. I can confirm it is the URL I access in the browser (https://CUSTOM_URL/oauth2/authorize is set in the redirect URI). But the redirect comes from the URL we use for the Ingress; it is not even added to the redirect URIs in the Azure App Registration.
Here is a slightly simplified diagram to better explain my networking flow:
Here is my OIDC config in pgAdmin:
```python
import os  # needed for the os.environ lookups below

OAUTH2_CONFIG = [
    {
        'OAUTH2_NAME': 'azure',
        'OAUTH2_DISPLAY_NAME': 'Azure',
        'OAUTH2_CLIENT_ID': os.environ['OAUTH2_CLIENT_ID'],
        'OAUTH2_CLIENT_SECRET': os.environ['OAUTH2_CLIENT_SECRET'],
        'OAUTH2_TOKEN_URL': 'https://login.microsoftonline.com/xxxxx-xxx-xx-xx-xxxxxxx/oauth2/v2.0/token',
        'OAUTH2_AUTHORIZATION_URL': 'https://login.microsoftonline.com/xxxxx-xxx-xx-xx-xxxxxxx/oauth2/v2.0/authorize',
        'OAUTH2_SERVER_METADATA_URL': 'https://login.microsoftonline.com/xxxxx-xxx-xx-xx-xxxxxxx/v2.0/.well-known/openid-configuration',
        'OAUTH2_API_BASE_URL': 'https://graph.microsoft.com/v1.0/',
        'OAUTH2_USERINFO_ENDPOINT': 'me',
        'OAUTH2_SCOPE': 'User.Read openid email profile',
        'OAUTH2_USERNAME_CLAIM': None,
        'OAUTH2_ICON': 'fa-microsoft',
        'OAUTH2_BUTTON_COLOR': '#0000ff',
        'OAUTH2_ADDITIONAL_CLAIMS': {
            'groups': ["xxxx-xxxx-xxxxx-xxxx-xxxxxxxx"],
            # 'wids': ["xxxx-xx-xxx-xxx-xxxxxxxx"],
        },
        'OAUTH2_SSL_CERT_VERIFICATION': True,
        'OAUTH2_LOGOUT_URL': None
    }
]
```
Also the values of these vars were set as below:
```
OAUTH2_AUTO_CREATE_USER = True
MASTER_PASSWORD_REQUIRED = False
AUTHENTICATION_SOURCES = ['oauth2','internal']
PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION = 'False'
PGADMIN_CONFIG_WTF_CSRF_ENABLED = 'False'
SERVER_MODE = 'True'
USE_X_FORWARDED_HOST = 'True'
```
I haven't used any overrides for the PROXY_X_* variables; those are currently the default ones.
Do you have any recommendations or value updates to overcome this? As per our network configuration, the App GW and the Ingress Controller sitting behind the internal LB can act as two proxies.
Any recommendation you can provide for this would be really nice.
@arunalakmal Can you please share your backend settings for the App Gateway? Also try setting PROXY_X_PROTO_COUNT and PROXY_X_PORT_COUNT to 2.
I did set PROXY_X_PORT_COUNT = 2 and PROXY_X_PROTO_COUNT = 2, and please find below the backend settings for the backend pool. Same results, unfortunately.
BTW, this issue is only with pgAdmin. We have similar apps in this pattern that work well, for example ArgoCD.
@arunalakmal Can you please check what value is set for redirect_uri in the headers, like below?
It's the Ingress URL, not the front-facing custom URI. That's where I got confused; there is no option to define it, and it's not even defined in the app registration callback URI. Can I override it?
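The effect discussed above (redirect_uri built from the Ingress host when only one proxy hop is trusted) can be reproduced with the following added example, which is neither pgAdmin's nor the reporter's code: it mirrors the rule Werkzeug's ProxyFix applies, taking the N-th value from the right of each X-Forwarded-* list, where N is the configured proxy count. Because the host part comes from X-Forwarded-Host, the setting that governs it in pgAdmin is PROXY_X_HOST_COUNT, not only the proto and port counts. The header values and hostnames are constructed, and the example assumes each proxy appends its own hop to the forwarded lists.

```python
from typing import Optional
from urllib.parse import urlunsplit


def trusted_value(header: Optional[str], count: int) -> Optional[str]:
    """Pick the value `count` hops from the right of a comma-separated
    X-Forwarded-* header; None if there are fewer values than `count`."""
    if not header or count < 1:
        return None
    values = [v.strip() for v in header.split(",") if v.strip()]
    if len(values) < count:
        return None
    return values[-count]


def external_base_url(headers: dict, proto_count: int, host_count: int,
                      port_count: int) -> str:
    """Build scheme://host[:port]/ from the trusted forwarded values,
    falling back to the plain Host header when a value is not trusted."""
    scheme = trusted_value(headers.get("X-Forwarded-Proto"), proto_count) or "http"
    host = trusted_value(headers.get("X-Forwarded-Host"), host_count) \
        or headers.get("Host", "")
    port = trusted_value(headers.get("X-Forwarded-Port"), port_count)
    # Append the port only when it is not the default for the scheme.
    if port and (scheme, port) not in (("https", "443"), ("http", "80")):
        host = f"{host.split(':')[0]}:{port}"
    return urlunsplit((scheme, host, "/", "", ""))


# Constructed request headers as the pgAdmin pod might receive them after
# two hops (App Gateway, then NGINX Ingress), assuming each proxy appends
# its own hop; hostnames are placeholders, not the reporter's real ones.
SAMPLE_HEADERS = {
    "Host": "pgadmin.ingress.internal",
    "X-Forwarded-Proto": "https, http",
    "X-Forwarded-Host": "pgadmin.corp.example, pgadmin.ingress.internal",
    "X-Forwarded-Port": "443, 80",
}

if __name__ == "__main__":
    # Default count of 1 trusts only the nearest hop, so the Ingress name wins.
    print(external_base_url(SAMPLE_HEADERS, 1, 1, 1))
    # Counting both hops recovers the App Gateway frontend URL.
    print(external_base_url(SAMPLE_HEADERS, 2, 2, 2))
```

Raising a count higher than the number of proxies actually in front of the app makes it trust client-supplied header values, so the counts should match the real hop count exactly.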
@arunalakmal Can you please share the deployment YAML?
Describe the bug
We have deployed the latest version of pgAdmin in AKS and exposed it using an NGINX ingress with an internal DNS name and a Load Balancer. To make pgAdmin accessible from the on-premises network, we configured an Azure Application Gateway, setting the backend pool to point to the Ingress's internal URL.
The Application Gateway frontend has a unique URL, different from the internal Ingress URL, that allows access to pgAdmin from the on-premises network.
pgAdmin is also configured for OIDC authentication with Azure AD, with the OIDC redirect URI set to the Application Gateway frontend URL (the on-prem URL, not the Ingress URL). However, after users authenticate, the OIDC callback is directed to the internal Ingress URL instead, which is inaccessible externally.
Is there any way to configure pgAdmin to ensure it uses the correct URI (the Application Gateway frontend URL) for the callback after authentication? Currently, it seems to default to the Ingress URL rather than using the redirect URI defined in the Azure AD app registration.
Expected behavior
After the Azure AD authentication, call the correct callback URL with the authentication.