sevensolutions / traefik-oidc-auth

🧩 A traefik Plugin for securing the upstream service with OpenID Connect acting as a relying party.
https://github.com/sevensolutions/traefik-oidc-auth
MIT License
10 stars 1 forks source link

token signature is invalid: crypto/rsa: verification error after succesfull login Azure Entra ID #15

Open nv202410 opened 4 days ago

nv202410 commented 4 days ago

Hello,

With the traefik-oidc-auth plugin I have an issue that is dificult to resolve. I want to use this plugin to enforce Azure Entra ID authentication before entering the Traefik Dashboard page:

I use this in my static file

experimental: plugins: traefik-oidc-auth: moduleName: "github.com/sevensolutions/traefik-oidc-auth" version: "v0.3.0"

I use this config in my dynamic file:

http: routers: dashboard: entryPoints:

When I enter the URL for the dashboard page I get redirected to Microsoft Entra ID to authenticate. This works successfull and I dont see any issues in the login logs in Azure itself.

But after the login I get redirected and my traefik page prompts the following error:

token signature is invalid: crypto/rsa: verification error

I Tried to skipp issuer and audience validation but nothing but result keeps the same. What is missing or what is the reason why I get this error when I use this plugin?

These are my logs:

Oct 25 12:48:22 [hostname] traefik[829151]: 2024-10-25 12:48:22 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 25 12:48:22 [hostname] traefik[829151]: 2024-10-25 12:48:22 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 25 12:48:22 [hostname] traefik[829151]: 2024-10-25 12:48:22 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/[tenant]/oauth2/v2.0/authorize Oct 25 12:48:22 [hostname] traefik[829151]: 2024-10-25 12:48:22 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/[tenant]/oauth2/v2.0/authorize Oct 25 12:48:33 [hostname] traefik[829151]: 2024-10-25 12:48:33 [ERROR] [traefik-oidc-auth] Returned token is not valid: token signature is invalid: crypto/rsa: verification error Oct 25 12:48:33 [hostname] traefik[829151]: 2024-10-25 12:48:33 [ERROR] [traefik-oidc-auth] Returned token is not valid: token signature is invalid: crypto/rsa: verification error

What is the reason why i get this issue and how can it be resolved?

sevensolutions commented 4 days ago

I can reproduce this one but it's very strange.. The problem is that the returned token contains an invalid "kid" which is not published in the JWKS document. Looks like other people have similar problems using EntraID: https://learn.microsoft.com/en-us/answers/questions/1693101/how-to-fix-signature-validation-failed-when-trying

I need to do more research...

sevensolutions commented 4 days ago

Ok, at least i have a workaround:

  1. Follow this comment https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/521#issuecomment-577400515 and add this weird scope
  2. Disable issuer validation using ValidateIssuer: false

EDIT: I've also seen that you've specified CallbackUri: "/dashboard/. Do you really want to do this? CallbackUri is the internal uri, where EntraID posts pack the authorization code, not the url where you want to be redirected after login. This would be PostLoginRedirectUri.

nv202410 commented 1 day ago

Microsoft give the following output with these settings:

oidc-auth: plugin: traefik-oidc-auth: Loglevel: DEBUG Provider: Url: "hhttps://login.microsoftonline.com/XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX/v2.0/" ClientId: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" ClientSecret: "[SECRET]" ValidateIssuer: false CallbackUri: "/oidc/callback" PostLoginRedirectUri: "/dashboard/" Scopes: ["XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.default"]

Sorry, but we’re having trouble signing you in.

AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.default profile email is not valid. openid scope is required.

and these are the local logs:

Oct 28 15:18:39 [hostname] traefik[903157]: 2024-10-28 15:18:39 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 28 15:18:39 [hostname]traefik[903157]: 2024-10-28 15:18:39 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 28 15:18:39 [hostname] traefik[903157]: 2024-10-28 15:18:39 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 28 15:18:39 [hostname] traefik[903157]: 2024-10-28 15:18:39 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize

This workaround doesn't work and when use the config

oidc-auth: plugin: traefik-oidc-auth: Loglevel: DEBUG Provider: Url: "hhttps://login.microsoftonline.com/XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX/v2.0/" ClientId: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" ClientSecret: "[SECRET]" ValidateIssuer: false CallbackUri: "/oidc/callback" PostLoginRedirectUri: "/dashboard/" Scopes: ["openid"]

I get the error: 404 page not found

When I chose the call back uri /dashboard/ and I use the scope openid I get token signature is invalid: crypto/rsa: verification error.

If I use the the default uri callback i get errror 404 and the plugin doesnt redirect me to /dashboard/ but to the url: https://[domain]:8080/oidc/callback?code[codeoutput].

And then I get these logs:

Oct 28 15:28:28 [hostname] traefik[903157]: 2024-10-28 15:28:28 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 28 15:28:28 [hostname] traefik[903157]: 2024-10-28 15:28:28 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 28 15:28:28 [hostname] traefik[903157]: 2024-10-28 15:28:28 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 28 15:28:28 [hostname] traefik[903157]: 2024-10-28 15:28:28 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize

Do I miss steps in the config? I followed the shared article but Microsoft seems not to accept this config.

sevensolutions commented 1 day ago

@nv202410 Sorry i can't really follow you.. Did you specify these exact scopes? Scopes: ["openid", "profile", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.default"]

I think "openid" is always required and this is also what the error message is saying.

EDIT: Oh i tried it again i think it's also important to include the "email" scope. So with this config it was working: Scopes: ["openid", "profile", "email", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.default"]

I have to do some further investigation why EntraID isn't working without this weird default-scope as soon as i have some time.

EDIT2: Ok.. after some more testing i now also get this error: token signature is invalid: crypto/rsa: verification error

The problem is that some tokens returned by Microsoft are using key-id's which aren't contained in their JWKS document. Very strange...

sevensolutions commented 22 hours ago

Ok i know what the problem is: I'am validating the access_token but tokens from EntraID contain a "nonce" in the JWT-header. In this case it's not allowed or not possible to validate the token using the public provided in the JWKS document. I have to think of a completely different solution.

nv202410 commented 18 hours ago

I used your code but I still get this result:

I get errror 404 and the plugin doesnt redirect me to /dashboard/ but to the url: https://[domain]:8080/oidc/callback?code[codeoutput].

Oct 29 10:32:02 [hostname] traefik[1121793]: 2024-10-29 10:32:02 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:32:02 [hostname] traefik[1121793]: 2024-10-29 10:32:02 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:32:02 [hostname] traefik[1121793]: 2024-10-29 10:32:02 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:32:02 [hostname] traefik[1121793]: 2024-10-29 10:32:02 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize

Another strange thing is that in my duck duck go browser it skips the authentication even when I am logged out with Azure but I still get allot of these logs repating in once also after restarting traefik and the browser:

ct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:52 [hostname] traefik[1121793]: 2024-10-29 10:33:52 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [INFO] [traefik-oidc-auth] Redirecting to OIDC provider... Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize Oct 29 10:33:53 [hostname] traefik[1121793]: 2024-10-29 10:33:53 [DEBUG] [traefik-oidc-auth] AuthorizationEndPoint: https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/authorize

after these logs I can just enter the dashboard but I should authenticate.

This is the config I use:

oidc-auth: plugin: traefik-oidc-auth: Loglevel: DEBUG Provider: Url: "https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/v2.0/" ClientId: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" ClientSecret: "[secret]" ValidateIssuer: false Scopes: [ "openid", "profile", "email", "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.default"] CallbackUri: "/oidc/callback" PostLoginRedirectUri: "/dashboard/"

EDIT:

issue with loop is gone but redirect is still not working I get error page 404 PostlogRedirectUri: doesnt redirect