thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License

Not Authorized error #31

Closed osotechie closed 4 years ago

osotechie commented 5 years ago

Hi,

I've just set up traefik-forward-auth docker container for the first time, and after some playing in both overlay and auth-host modes I get the same "Not Authorized" error displayed.

I ran the container up with debug mode and am getting the following error: Error validating csrf cookie: CSRF cookie does not match state

This is my config (with secrets removed of course):

traefik-forward-auth container:

  Traefik-Forward-Auth:
    container_name: Traefik-Forward-Auth
    hostname: Traefik-Forward-Auth
    image: thomseddon/traefik-forward-auth
    networks:
      IoT:
        ipv4_address: 10.1.11.253
    environment:

whoami container which I'm trying to forward auth as a test:

  Whoami:
    container_name: Whoami
    hostname: whoami
    image: containous/whoami
    networks:
      IoT:
        ipv4_address: 10.1.11.251
    labels:

# Traefik - General

- "traefik.enable=true"
- "traefik.frontend.entryPoints=http,https"
- "traefik.default.protocol=http"
- "traefik.default.port=80"
- "traefik.frontend.rule=Host:whoami.<domain>"
# Traefik - SSL
- "traefik.frontend.headers.SSLRedirect=true"
- "traefik.frontend.headers.STSSeconds=315360000"
- "traefik.frontend.headers.browserXSSFilter=true"
- "traefik.frontend.headers.contentTypeNosniff=true"
- "traefik.frontend.headers.forceSTSHeader=true"
- "traefik.frontend.headers.SSLHost=<domain>"
- "traefik.frontend.headers.STSIncludeSubdomains=true"
- "traefik.frontend.headers.STSPreload=true"
- "traefik.frontend.headers.frameDeny=true"
# Traefik - Whitelisting
- "traefik.frontend.auth.forward.address=http://10.1.11.253:4181"
- traefik.frontend.auth.forward.authResponseHeaders = ["X-Forwarded-User"]

As I am using labels for everything instead of making changes to the traefik.toml file, I added the auth.forward.address and auth.forward.authResponseHeaders to the traefik-forward-auth container, as I saw something around this in another post when using auth-host mode, which solved my endless login loop when it wasn't in there.

I have gone through and set up the Google side as per the instructions, and added https://auth./_oauth and https://whoami./_oauth (for when I was testing in overlay mode).

Any ideas? I have tried multiple options around the DOMAIN and WHITELIST options, and multiple Google accounts, and all give me the same problem. The error probably suggests it's not something with the accounts I'm using, somewhere else I'm guessing?

Thanks in advance. O

Originally posted by @owendemooy in https://github.com/thomseddon/traefik-forward-auth/issues/20#issuecomment-468239480

strazto commented 2 years ago

I can confirm that although a similar issue (intermittently) persisted on tags :2 AND 2.2, they are resolved on :latest ( b364aa6a4117)

ghhv commented 2 years ago

I find myself revisiting this thread again but this time, my issue was I didn't have the user in the WHITELIST - added that and voila! If that helps anyone..

GuyKh commented 1 year ago

I can confirm that although a similar issue (intermittently) persisted on tags :2 AND 2.2, they are resolved on :latest ( b364aa6a4117)

What would we, the ones running on arm do? :(

blampe commented 1 year ago

I can confirm that although a similar issue (intermittently) persisted on tags :2 AND 2.2, they are resolved on :latest ( b364aa6a4117)

What would we, the ones running on arm do? :(

@GuyKh you can use the 2.2.1 multi-arch image here https://github.com/Beanow/traefik-forward-auth/pkgs/container/traefik-forward-auth. Works like a charm.

Credit to @Beanow who built it as part of https://github.com/thomseddon/traefik-forward-auth/pull/275.

GuyKh commented 1 year ago

Nope... still getting

level=info msg="Missing csrf cookie" handler=AuthCallback ...