tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0
3.37k stars 653 forks

Github / OAuth2 login not redirecting properly #1526

Closed pavilalopes closed 8 months ago

pavilalopes commented 1 year ago

@tchiotludo This is a continuation of bug #1516 that you asked me to reopen, but I don't have that option.

So, after trying the current dev tag of the docker image I can report the following:

  • Bug 1: even though login succeeds, upon return from the OAuth callback I'm redirected to the login page again. (I can then manually navigate to /ui and am logged in)
  • Bug 2: logout doesn't work. I'm redirected to the login page but the JWT cookie is not deleted. I can, again, manually navigate to /ui and see that I'm logged in. I can logout by deleting the cookie in developer tools.

Bug 1 still happens as before. Bug 2 is fixed.

I did some digging in developer tools, and I suspect the problem is in the 4th request shown here: screenshot

The context-path "kafkahq" is duplicated: "/kafkahq/kafkahq/ui".

pha91 commented 1 year ago

Hi, we're facing the same issue with a custom OIDC provider (ADFS). We're using the context-path config on Micronaut to serve akhq on a subpath of the main app. We've deployed akhq Helm chart 0.24.0 with the following config:


  akhq: 
    connections:
      {{ .Values.akhq.clusterName }}: 
        properties:
          bootstrap.servers: kafka:9092
    security:
      default-group: no-roles
      oidc:
        enabled: true
        providers:
          adfs:
            label: "Login with ADFS"
            username-field: preferred_username
            groups-field: groups
            default-group: no-roles
            groups:
            - name: {{ .Values..akhq.users }}
              groups:
              - reader
            - name: {{ .Values..akhq.admins }}
              groups:
              - admin
  micronaut:
    server:
      context-path: /akhq
    security:
      enabled: true
      token:
        jwt:
          signatures:
            secret:
              generator:
                secret: ${AKHQ_JWT_SECRET_GENERATOR_SECRET}
      oauth2:
        enabled: true
        callback-uri: https://{{ .Values..domain }}/akhq/oauth/callback/{provider}
        clients:
          adfs:
            client-id: ${AKHQ_OAUTH_CLIENT_ID}
            client-secret: ${AKHQ_OAUTH_CLIENT_SECRET}
            openid:
              issuer: ${AKHQ_OAUTH_ISSUER}

We also run into Bug 2, where the logout doesn't work properly.

slinkel-vkb commented 1 year ago

I just had the same problem. After debugging locally, I discovered that lines 48 to 55 in src/main/resources/application.yml manually prepend the context-path, although the context-path is later prepended as well (in DefaultRedirectService, e.g. line 69).

If my finding turns out to be correct (still playing around), I will submit a pull request. As a workaround, you can override the lines in your overlay application:

micronaut:
  security:
    redirect:
      login-success: "/ui"
      forbidden:
        url: "/ui/login/forbidden"
      unauthorized:
        url: "/ui/login/unauthorized"
      login-failure: "/ui/login/failed"
      logout:  "/ui"
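
An added check, not part of the thread or of AKHQ's code: it models the double prepending described in the last comment and flags configured redirect targets whose final path repeats the context-path, as in "/kafkahq/kafkahq/ui". The plain-concatenation model, the function names and the `PREFIXED` values are assumptions constructed for illustration; the `WORKAROUND` values are the ones from the overlay above.

```python
from urllib.parse import urlsplit


def prepend_context_path(context_path: str, target: str) -> str:
    """Assumed model (not Micronaut's code): the framework prefixes the
    context-path to every configured redirect target."""
    ctx = context_path.strip("/")
    return ("/" + ctx if ctx else "") + "/" + target.lstrip("/")


def has_duplicated_context_path(location: str, context_path: str) -> bool:
    """True when the path of a Location value starts with the context-path twice.
    Accepts absolute URLs as well as bare paths."""
    parts = [s for s in context_path.split("/") if s]
    if not parts:
        return False  # no context-path configured, nothing can be duplicated
    segments = [s for s in urlsplit(location).path.split("/") if s]
    n = len(parts)
    return segments[:n] == parts and segments[n:2 * n] == parts


def audit_redirects(context_path: str, redirects: dict) -> dict:
    """Return {setting: final_path} for each redirect that ends up duplicated."""
    bad = {}
    for name, target in redirects.items():
        final = prepend_context_path(context_path, target)
        if has_duplicated_context_path(final, context_path):
            bad[name] = final
    return bad


# Constructed sample: targets that already carry the context-path, which
# reproduces the symptom reported in the issue.
PREFIXED = {"login-success": "/kafkahq/ui", "logout": "/kafkahq/ui"}

# Values from the workaround overlay posted in the thread.
WORKAROUND = {
    "login-success": "/ui",
    "forbidden.url": "/ui/login/forbidden",
    "unauthorized.url": "/ui/login/unauthorized",
    "login-failure": "/ui/login/failed",
    "logout": "/ui",
}

if __name__ == "__main__":
    print("prefixed targets:", audit_redirects("/kafkahq", PREFIXED))
    print("workaround targets:", audit_redirects("/kafkahq", WORKAROUND))
```

`has_duplicated_context_path` can also be run over the Location headers captured from a real login flow to confirm the fix after deploying the overlay.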