solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
https://docs.solo.io/
Apache License 2.0
4.08k stars 437 forks

ExtAuth pod should be able to automatically fetch Authconfig endpoint #8372

Open edubonifs opened 1 year ago

edubonifs commented 1 year ago

Gloo Edge Version

1.14.x (latest stable)

Kubernetes Version

None

Describe the bug

I am using OIDC with Gloo Edge. For one of our customers, the .well-known/openid-configuration endpoint is not available during the ExtAuth pod startup. It seems ExtAuth does not recover from this anymore, so the only workaround is to restart ExtAuth. Then everything is working fine again.

Steps to reproduce the bug

These are the steps used to reproduce the issue (the authserver is providing the OAuth endpoints, including .well-known/openid-configuration):

This is the example AuthConfig:

```yaml
apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
spec:
  configs:
  - oauth2:
      oidcAuthorizationCode:
        afterLogoutUrl: /session/unblu-logout
        appUrl: https://example.net/co-unblu/
        callbackPath: session/callback
        clientId: client-portal-admin-center
        clientSecretRef:
          name: bbl-dev-unblu-oidc-client-secret
          namespace: gloo-unstable
        headers:
          idTokenHeader: X-CLX-IDENTITY
        # the discovery document is fetched from <issuerUrl>/.well-known/openid-configuration
        issuerUrl: https://example.com/authserver/oauth/bbl
        logoutPath: session/logout
        session:
          failOnFetchFailure: true
          redis:
            cookieName: gloo-session
            options:
              host: redis.gloo-unstable.svc.cluster.local:6379
```

Here are the logs for Gloo 1.14:

```json
{"level":"error","ts":"2023-06-07T05:43:20.738Z","caller":"oidc/oidc.go:228","msg":"error during discovery","version":"1.14.0","error":"request failed with code 404 Not Found","stacktrace":"github.com/solo-io/ext-auth-service/pkg/config/oidc.(*IssuerImpl).Discover\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/oidc.go:228\ngithub.com/solo-io/ext-auth-service/pkg/config/oidc.(*IssuerImpl).Start.func1\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/oidc.go:152"}
{"level":"error","ts":"2023-06-07T05:43:20.738Z","caller":"oidc/oidc.go:154","msg":"issuer discovery failed","version":"1.14.0","error":"request failed with code 404 Not Found","stacktrace":"github.com/solo-io/ext-auth-service/pkg/config/oidc.(*IssuerImpl).Start.func1\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/oidc.go:154"}
{"level":"error","ts":"2023-06-07T05:43:22.909Z","caller":"oidc/discovery.go:131","msg":"can't parse issuer's discovery document","version":"1.14.0","error":"request failed with code 503 Service Unavailable","stacktrace":"github.com/solo-io/ext-auth-service/pkg/config/oidc.Discover\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/discovery.go:131\ngithub.com/solo-io/ext-auth-service/pkg/config/oidc.(*IssuerImpl).Discover\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/oidc.go:215\ngithub.com/solo-io/ext-auth-service/pkg/config/oidc.(*IssuerImpl).Start.func1\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/oidc.go:152"}
{"level":"error","ts":"2023-06-07T05:43:22.909Z","caller":"oidc/oidc.go:228","msg":"error during discovery","version":"1.14.0","error":"request failed with code 503 Service Unavailable","stacktrace":"github.com/solo-io/ext-auth-service/pkg/config/oidc.(*IssuerImpl).Discover\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/oidc.go:228\ngithub.com/solo-io/ext-auth-service/pkg/config/oidc.(*IssuerImpl).Start.func1\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/oidc.go:152"}
{"level":"error","ts":"2023-06-07T05:43:22.909Z","caller":"oidc/oidc.go:154","msg":"issuer discovery failed","version":"1.14.0","error":"request failed with code 503 Service Unavailable","stacktrace":"github.com/solo-io/ext-auth-service/pkg/config/oidc.(*IssuerImpl).Start.func1\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/oidc.go:154"}
{"level":"error","ts":"2023-06-07T05:43:23.668Z","caller":"oidc/discovery.go:131","msg":"can't parse issuer's discovery document","version":"1.14.0","error":"request failed with code 503 Service Unavailable","stacktrace":"github.com/solo-io/ext-auth-service/pkg/config/oidc.Discover\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/discovery.go:131\ngithub.com/solo-io/ext-auth-service/pkg/config/oidc.(*IssuerImpl).Discover\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/oidc.go:215\ngithub.com/solo-io/ext-auth-service/pkg/config/oidc.(*IssuerImpl).Start.func1\n\t/go/pkg/mod/github.com/solo-io/ext-auth-service@v0.35.1/pkg/config/oidc/oidc.go:152"}
```

Expected Behavior

ExtAuth should be able to refetch the .well-known/openid-configuration endpoint

Additional Context

No response

edubonifs commented 1 year ago

As an update about this issue, we found the parameter discoveryPollInterval ("The interval at which OIDC configuration is discovered at /.well-known/openid-configuration. If not specified, the default value is 30 minutes.").

So with this parameter we are able to refresh the OIDC configuration. However, the customer would like to distinguish between ExtAuth not being able to fetch the OIDC configuration because of errors and ExtAuth refetching the configuration.

So they think this parameter is good when you change the OIDC configuration and want ExtAuth to refresh, but they think 30 minutes by default is too long to wait if an error is produced because the config cannot be fetched, and that case should be treated in a different way.
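The two-schedule behaviour that the issue body and the comment above are asking for (retry a failed discovery quickly, but refresh a good document only every discoveryPollInterval), as an added example that is not Gloo's or ext-auth-service's code. `Discoverer`, `Run`, `newFlakyIssuer` and `RecoverFromFlakyIssuer` are names chosen for this example; the 5 ms / 50 ms / 1 h timings are assumptions, and the local test server that answers 503 a configurable number of times before serving a valid document is constructed to mimic the logs in the issue. The issuer-match check in `Discover` is the validation OpenID Connect Discovery requires before a document may be trusted.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
	"time"
)

// Discovery is the subset of OpenID Provider Metadata this example reads.
type Discovery struct {
	Issuer string `json:"issuer"`
}

// Discoverer refreshes a good document every PollInterval but retries a failed
// fetch after MinBackoff, doubling up to MaxBackoff: two schedules, not one.
type Discoverer struct {
	Issuer                               string
	PollInterval, MinBackoff, MaxBackoff time.Duration
}

// Discover fetches <Issuer>/.well-known/openid-configuration once and validates it.
func (d *Discoverer) Discover(ctx context.Context) (*Discovery, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, strings.TrimSuffix(d.Issuer, "/")+"/.well-known/openid-configuration", nil)
	if err != nil {
		return nil, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("request failed with code %s", resp.Status)
	}
	var doc Discovery
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&doc); err != nil {
		return nil, fmt.Errorf("can't parse issuer's discovery document: %w", err)
	}
	// OIDC Discovery requires the document's issuer to equal the configured one,
	// so a misrouted or spoofed document cannot redirect token/JWKS fetches.
	if strings.TrimSuffix(doc.Issuer, "/") != strings.TrimSuffix(d.Issuer, "/") {
		return nil, fmt.Errorf("issuer mismatch: document says %q, configured %q", doc.Issuer, d.Issuer)
	}
	return &doc, nil
}

// Run loops until ctx is cancelled, handing every accepted document to onUpdate;
// startup failures never end it, and the caller keeps the last document it got.
func (d *Discoverer) Run(ctx context.Context, onUpdate func(*Discovery)) {
	backoff := d.MinBackoff
	for {
		doc, err := d.Discover(ctx)
		wait := d.PollInterval
		if err != nil {
			wait, backoff = backoff, backoff*2 // error path: retry soon, not in 30 minutes
			if backoff > d.MaxBackoff {
				backoff = d.MaxBackoff
			}
		} else {
			onUpdate(doc)
			backoff = d.MinBackoff
		}
		select {
		case <-ctx.Done():
			return
		case <-time.After(wait):
		}
	}
}

// newFlakyIssuer is a constructed stand-in for the customer's authserver: 503 for
// the first `failures` requests, as in the issue's logs, then a valid document
// (served on every path) whose issuer is the server's own URL. It also returns
// the request counter so callers can see how many fetches were needed.
func newFlakyIssuer(failures int) (*httptest.Server, *int32) {
	var hits int32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if atomic.AddInt32(&hits, 1) <= int32(failures) {
			http.Error(w, "Service Unavailable", http.StatusServiceUnavailable)
			return
		}
		json.NewEncoder(w).Encode(Discovery{Issuer: "http://" + r.Host})
	})), &hits
}

// RecoverFromFlakyIssuer runs a discoverer against an issuer that fails `failures`
// times and reports the first accepted document plus how many fetches it took.
func RecoverFromFlakyIssuer(failures int, timeout time.Duration) (*Discovery, int, error) {
	srv, hits := newFlakyIssuer(failures)
	defer srv.Close()
	d := &Discoverer{Issuer: srv.URL, PollInterval: time.Hour, MinBackoff: 5 * time.Millisecond, MaxBackoff: 50 * time.Millisecond}
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	updates := make(chan *Discovery, 1)
	go d.Run(ctx, func(doc *Discovery) { updates <- doc })
	select {
	case doc := <-updates:
		return doc, int(atomic.LoadInt32(hits)), nil
	case <-ctx.Done():
		return nil, int(atomic.LoadInt32(hits)), fmt.Errorf("no discovery document within %s", timeout)
	}
}

func main() {
	doc, fetches, err := RecoverFromFlakyIssuer(3, 2*time.Second)
	fmt.Printf("document=%+v fetches=%d err=%v\n", doc, fetches, err)
}
```

With three simulated failures the document is accepted on the fourth fetch, roughly 35 ms after start, instead of after the next poll interval. The same URL can be checked by hand from a pod in the cluster: ExtAuth requests exactly issuerUrl plus /.well-known/openid-configuration, so a 404 there (the first error in the logs) usually points at a wrong issuerUrl path or an authserver that publishes discovery elsewhere, while a 503 means the authserver is simply not up yet.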

github-actions[bot] commented 3 months ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.

anessi commented 3 months ago

This is still an issue.