serverlessworkflow / synapse

Serverless Workflow Management System (WFMS)
https://serverlessworkflow.io
Apache License 2.0

NullReferenceException: The token endpoint is not documented by the OIDC discovery document (when starting a workflow instance) #379

Closed bvandewe closed 2 months ago

bvandewe commented 2 months ago

What happened:

When starting a workflow instance (in Docker Desktop), the runner starts but throws:

2024-09-04 09:02:46 [07:02:46] info: Microsoft.Hosting.Lifetime[0]
2024-09-04 09:02:46       Application started. Press Ctrl+C to shut down.
2024-09-04 09:02:46 [07:02:46] info: Microsoft.Hosting.Lifetime[0]
2024-09-04 09:02:46       Hosting environment: Production
2024-09-04 09:02:46 [07:02:46] info: Microsoft.Hosting.Lifetime[0]
2024-09-04 09:02:46       Content root path: /app
2024-09-04 09:02:46 [07:02:46] fail: Synapse.Runner.Services.RunnerApplication[0]
2024-09-04 09:02:46       An error occurred while running the specified workflow instance: System.NullReferenceException: The token endpoint is not documented by the OIDC discovery document
2024-09-04 09:02:46          at Synapse.Core.Infrastructure.Services.OAuth2TokenManager.GetTokenAsync(OAuth2AuthenticationSchemeDefinitionBase configuration, CancellationToken cancellationToken) in /src/src/core/Synapse.Core.Infrastructure/Services/OAuth2TokenManager.cs:line 68
2024-09-04 09:02:46          at Program.<>c__DisplayClass0_2.<<<Main>$>b__5>d.MoveNext() in /src/src/runner/Synapse.Runner/Program.cs:line 58
2024-09-04 09:02:46       --- End of stack trace from previous location ---
2024-09-04 09:02:46          at Synapse.Api.Client.Services.ApiClientBase.ProcessRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken) in /src/src/api/Synapse.Api.Client.Http/Services/ApiClientBase.cs:line 62
2024-09-04 09:02:46          at Synapse.Api.Client.Services.ResourceHttpApiClient`1.GetAsync(String name, String namespace, CancellationToken cancellationToken) in /src/src/api/Synapse.Api.Client.Http/Services/ResourceHttpApiClient.cs:line 61
2024-09-04 09:02:46          at Synapse.Runner.Services.RunnerApplication.RunAsync(CancellationToken cancellationToken) in /src/src/runner/Synapse.Runner/Services/RunnerApplication.cs:line 84

The api serves the OIDC's /.well-known/openid-configuration with the correct host (both outside and inside the Docker stack):


# from outside the stack
curl -s http://localhost:8080/.well-known/openid-configuration | jq .token_endpoint
"http://api:8080/connect/token"

# from inside the stack
docker exec -it docker-compose-shell-1  curl -s http://api:8080/.well-known/openid-configuration | jq .token_endpoint
"http://api:8080/connect/token"

What you expected to happen:

How to reproduce it:

Add a shell-like service in the stack:


  shell:
    image: alpine:3.20.2
    tty: true
    stdin_open: true
    command: sh -c "apk update && apk add iputils nano curl jq && sh"

  # http://localhost:8080
  api:
    image: ghcr.io/serverlessworkflow/synapse/api
    environment:
      CONNECTIONSTRINGS__REDIS: ${GARNET_URI}
      SYNAPSE_DASHBOARD_SERVE: true
      SYNAPSE_API_AUTH_TOKEN_FILE: /app/tokens.yaml
      SYNAPSE_API_AUTH_AUTHORITY: http://api:8080
    volumes:
      - ./config/tokens.yaml:/app/tokens.yaml
    ports:
      - 8080:8080
    depends_on:
      - garnet

Anything else we need to know?:

Environment: DockerDesktop v4.34.0

cdavernas commented 2 months ago

Hey @bvandewe and thanks for reporting!

The issue is due to the OIDC discovery client used to download and parse the OIDC discovery document, which expects HTTPS to be enabled.

I (temporarily) resolved the issue with #380 by disabling HTTPS requirements, and created https://github.com/serverlessworkflow/specification/issues/1006 to properly address the problem.
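
A simplified model of the HTTPS requirement discussed in this thread, as an added example that is not part of the issue or of Synapse's code: it shows why a plain-HTTP authority such as `http://api:8080` is rejected even though the document lists a token endpoint, and how an explicit host allowlist is narrower than switching the requirement off. The loopback exemption, the `http_hosts` allowlist, the function names and the sample `issuer` value are assumptions of this sketch.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: token_endpoint is the value shown in the issue; issuer is assumed.
SAMPLE_DOCUMENT = json.dumps({
    "issuer": "http://api:8080",
    "token_endpoint": "http://api:8080/connect/token",
})


def is_loopback(host):
    """True for 'localhost' or a literal loopback IP address."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name, e.g. the compose service name 'api'


def endpoint_allowed(url, require_https=True, http_hosts=frozenset()):
    """Apply the transport policy to a single endpoint URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https":
        return True
    if parts.scheme != "http" or not host:
        return False
    if not require_https:
        return True  # policy disabled: any HTTP host is accepted
    return is_loopback(host) or host in http_hosts


def load_token_endpoint(raw, authority, **policy):
    """Return the token endpoint, or raise ValueError naming what failed."""
    doc = json.loads(raw)
    if doc.get("issuer") != authority:
        raise ValueError(f"issuer {doc.get('issuer')!r} does not match {authority!r}")
    endpoint = doc.get("token_endpoint")
    if not endpoint:
        raise ValueError("token_endpoint is missing from the discovery document")
    for url in (authority, endpoint):
        if not endpoint_allowed(url, **policy):
            raise ValueError(f"HTTPS required for {url}")
    return endpoint
```

With the default policy the sample document is rejected for transport reasons, while `http_hosts={"api"}` accepts only the named internal host and still refuses plain HTTP everywhere else.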