Open nv202410 opened 4 weeks ago
I can reproduce this one, but it's very strange. The problem is that the returned token contains an invalid "kid" which is not published in the JWKS document. It looks like other people have similar problems using EntraID: https://learn.microsoft.com/en-us/answers/questions/1693101/how-to-fix-signature-validation-failed-when-trying
I need to do more research...
Ok, at least I have a workaround:

```yaml
ValidateIssuer: false
```
EDIT: I've also seen that you've specified `CallbackUri: "/dashboard/"`. Do you really want to do this? CallbackUri is the internal URI where EntraID posts back the authorization code, not the URL where you want to be redirected after login. That would be `PostLoginRedirectUri`.
Microsoft gives the following output with these settings:

```yaml
oidc-auth:
  plugin:
    traefik-oidc-auth:
      Loglevel: DEBUG
      Provider:
        Url: "https://login.microsoftonline.com/XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX/v2.0/"
        ClientId: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
        ClientSecret: "[SECRET]"
        ValidateIssuer: false
      CallbackUri: "/oidc/callback"
      PostLoginRedirectUri: "/dashboard/"
      Scopes: ["XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.default"]
```
Sorry, but we’re having trouble signing you in.
AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.default profile email is not valid. openid scope is required.
and these are the local logs:

```
Oct 28 15:18:39 [hostname] traefik[903157]: 2024-10-28 15:18:39 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 28 15:18:39 [hostname] traefik[903157]: 2024-10-28 15:18:39 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 28 15:18:39 [hostname] traefik[903157]: 2024-10-28 15:18:39 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 28 15:18:39 [hostname] traefik[903157]: 2024-10-28 15:18:39 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
```
This workaround doesn't work, and when I use the config

```yaml
oidc-auth:
  plugin:
    traefik-oidc-auth:
      Loglevel: DEBUG
      Provider:
        Url: "https://login.microsoftonline.com/XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX/v2.0/"
        ClientId: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
        ClientSecret: "[SECRET]"
        ValidateIssuer: false
      CallbackUri: "/oidc/callback"
      PostLoginRedirectUri: "/dashboard/"
      Scopes: ["openid"]
```

I get the error: 404 page not found
When I choose the callback URI /dashboard/ and use the scope openid, I get `token signature is invalid: crypto/rsa: verification error`.
If I use the default callback URI, I get error 404 and the plugin doesn't redirect me to /dashboard/ but to the URL: https://[domain]:8080/oidc/callback?code[codeoutput].
And then I get these logs:
```
Oct 28 15:28:28 [hostname] traefik[903157]: 2024-10-28 15:28:28 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 28 15:28:28 [hostname] traefik[903157]: 2024-10-28 15:28:28 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 28 15:28:28 [hostname] traefik[903157]: 2024-10-28 15:28:28 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 28 15:28:28 [hostname] traefik[903157]: 2024-10-28 15:28:28 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
```

Am I missing steps in the config? I followed the shared article, but Microsoft seems not to accept this config.
@nv202410 Sorry, I can't really follow you. Did you specify these exact scopes? `Scopes: ["openid", "profile", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.default"]`
I think "openid" is always required, and this is also what the error message is saying.
EDIT: Oh, I tried it again and I think it's also important to include the "email" scope. So with this config it was working: `Scopes: ["openid", "profile", "email", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.default"]`
I have to do some further investigation into why EntraID isn't working without this weird default scope as soon as I have some time.
EDIT2: Ok, after some more testing I now also get this error: `token signature is invalid: crypto/rsa: verification error`
The problem is that some tokens returned by Microsoft are using key IDs which aren't contained in their JWKS document. Very strange...
Ok, I know what the problem is: I'm validating the access_token, but tokens from EntraID contain a "nonce" in the JWT header. In this case it's not allowed or not possible to validate the token using the public key provided in the JWKS document. I have to think of a completely different solution.
I used your code, but I still get this result:
I get error 404 and the plugin doesn't redirect me to /dashboard/ but to the URL: https://[domain]:8080/oidc/callback?code[codeoutput].

```
Oct 29 10:32:02 [hostname] traefik[1121793]: 2024-10-29 10:32:02 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:32:02 [hostname] traefik[1121793]: 2024-10-29 10:32:02 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:32:02 [hostname] traefik[1121793]: 2024-10-29 10:32:02 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:32:02 [hostname] traefik[1121793]: 2024-10-29 10:32:02 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
```
Another strange thing is that in my DuckDuckGo browser it skips the authentication even when I am logged out of Azure, but I still get a lot of these logs repeating at once, also after restarting Traefik and the browser:

```
Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize
```

After these logs I can just enter the dashboard, but I should have to authenticate.
This is the config I use:
```yaml
oidc-auth:
  plugin:
    traefik-oidc-auth:
      Loglevel: DEBUG
      Provider:
        Url: "https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/v2.0/"
        ClientId: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
        ClientSecret: "[secret]"
        ValidateIssuer: false
      Scopes: ["openid", "profile", "email", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.default"]
      CallbackUri: "/oidc/callback"
      PostLoginRedirectUri: "/dashboard/"
```

EDIT:
The issue with the loop is gone, but the redirect is still not working; I get error page 404. PostLoginRedirectUri doesn't redirect.
Are there any updates on this issue?
No, sorry. I hope I'll find some time on the weekend to work on this project.
I'm in the middle of reworking the cookie storage on this branch: https://github.com/sevensolutions/traefik-oidc-auth/tree/feature/session-storage
This also contains a config option to use the IdToken instead of the AccessToken and make EntraID work.
Hello,
With the traefik-oidc-auth plugin I have an issue that is difficult to resolve. I want to use this plugin to enforce Azure Entra ID authentication before entering the Traefik Dashboard page.
I use this in my static file:

```yaml
experimental:
  plugins:
    traefik-oidc-auth:
      moduleName: "github.com/sevensolutions/traefik-oidc-auth"
      version: "v0.3.0"
```
I use this config in my dynamic file:
```yaml
http:
  routers:
    dashboard:
      entryPoints:
      rule: "Host(`{{ inventory_hostname }}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      service: api@internal
      middlewares: oidc-auth

oidc-auth:
  plugin:
    traefik-oidc-auth:
      Loglevel: DEBUG
      Provider:
        Url: "https://login.microsoftonline.com/XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX/v2.0/"
        ClientId: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
        ClientSecret: "[SECRET]"
      CallbackUri: "/dashboard/"
```
When I enter the URL for the dashboard page I get redirected to Microsoft Entra ID to authenticate. This works successfully and I don't see any issues in the login logs in Azure itself.
But after the login I get redirected and my Traefik page shows the following error:

```
token signature is invalid: crypto/rsa: verification error
```

I tried to skip issuer and audience validation, but the result stays the same. What is missing, or what is the reason why I get this error when I use this plugin?
These are my logs:
```
Oct 25 12:48:22 [hostname] traefik[829151]: 2024-10-25 12:48:22 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 25 12:48:22 [hostname] traefik[829151]: 2024-10-25 12:48:22 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider...
Oct 25 12:48:22 [hostname] traefik[829151]: 2024-10-25 12:48:22 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/[tenant]/oauth2/v2.0/authorize
Oct 25 12:48:22 [hostname] traefik[829151]: 2024-10-25 12:48:22 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/[tenant]/oauth2/v2.0/authorize
Oct 25 12:48:33 [hostname] traefik[829151]: 2024-10-25 12:48:33 [ERROR] [traefik-oidc-auth] Returned token is not valid: token signature is invalid: crypto/rsa: verification error
Oct 25 12:48:33 [hostname] traefik[829151]: 2024-10-25 12:48:33 [ERROR] [traefik-oidc-auth] Returned token is not valid: token signature is invalid: crypto/rsa: verification error
```
What is the reason why i get this issue and how can it be resolved?