thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License
2.16k stars 410 forks source link

Endless loop when using OIDC (cognito) as provider ERR_TOO_MANY_REDIRECTS #362

Open manurawat opened 10 months ago

manurawat commented 10 months ago

Hi Team, I am using cognito as oidc provider and I do get the login page. once authenticated, I get into a loop until browser stops it.

Here is my configuration

auth deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-forward-auth
  namespace: backstage
  labels:
    app: traefik-forward-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: traefik-forward-auth
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - image: thomseddon/traefik-forward-auth:2.1
        args:
          - --log-level=$(LOG_LEVEL)
          - --url-path="/oauth"
          - --default-provider=$(DEFAULT_PROVIDER)
          - --providers.oidc.issuer-url=$(PROVIDERS_OIDC_ISSUER_ID)
          - --providers.oidc.client-id=$(PROVIDERS_OIDC_CLIENT_ID)
          - --providers.oidc.client-secret=$(PROVIDERS_OIDC_CLIENT_SECRET)
        name: traefik-forward-auth
        ports:
        - containerPort: 4181
          protocol: TCP
          name: forward-ports
        env:
        - name: AUTH_HOST
          value: "backstage-dev.tools.resources.example.com"
        - name: COOKIE_DOMAIN
          value: "tools.resources.example.com"
        - name: LOG_LEVEL
          value: "info"
        - name: DOMAIN
          value: "pings.com"
        # INSECURE_COOKIE is required unless using https entrypoint
        - name: INSECURE_COOKIE
          value: "false"
        - name: DEFAULT_PROVIDER
          value: "oidc"
        - name: PROVIDERS_OIDC_ISSUER_ID
          value: "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_635dae24"
        - name: PROVIDERS_OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: traefik-forward-auth-secrets
              key: traefik-forward-auth-google-client-id
        - name: PROVIDERS_OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: traefik-forward-auth-secrets
              key: traefik-forward-auth-google-client-secret
        - name: SECRET
          valueFrom:
            secretKeyRef:
              name: traefik-forward-auth-secrets
              key: traefik-forward-auth-secret

auth service

apiVersion: v1
kind: Service
metadata:
  name: traefik-forward-auth
  namespace: backstage
  labels:
    app: traefik-forward-auth
spec:
  type: ClusterIP
  selector:
    app: traefik-forward-auth
  ports:
  - name: auth-http
    port: 4181
    targetPort: forward-ports

auth ingress

kind: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: traefik-forward-auth-ingress
  namespace: backstage
  labels:
    app: traefik-forward-auth
  annotations:
    kubernetes.io/ingress.class: "traefik-external"
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`authenticate.tools.resources.example.com`) 
      services:
        - name: traefik-forward-auth
          port: 4181
      middlewares:
        #- name: traefik-forward-auth
        - name: add-forwarded-headers

application ingress

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: backstage-ingress
  namespace: backstage
  annotations:
      kubernetes.io/ingress.class: "traefik-external"
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`backstage-dev.tools.resources.example.com`)
      priority: 10
      services:
        - name: backstage
          port: 7007
      middlewares:
        - name: traefik-forward-auth

middlewares

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-forward-auth
  namespace: backstage
spec:
  forwardAuth:
    address: https://authenticate.tools.resources.example.com/
    trustForwardHeader: true
    authResponseHeaders:
      - X-Forwarded-User
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: add-forwarded-headers
  namespace: backstage
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
      X-Forwarded-Port: "443"

logs from traefik

`{"ClientAddr":"10.1.0.82:32908","ClientHost":"10.1.0.82","ClientPort":"32908","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":1061483,"OriginContentSize":0,"OriginDuration":974138,"OriginStatus":307,"Overhead":87345,"RequestAddr":"authenticate.tools.resources.example.com","RequestContentSize":0,"RequestCount":269,"RequestHost":"authenticate.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceAddr":"10.1.0.250:4181","ServiceName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.1.0.250:4181","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2023-12-29T12:35:52.990931227Z","StartUTC":"2023-12-29T12:35:52.990931227Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:35:52Z"}
time="2023-12-29T12:35:52Z" level=debug msg="Remote error [https://authenticate.tools.resources.example.com](https://authenticate.tools.resources.example.com/).StatusCode: 307" middlewareName=backstage-traefik-forward-auth@kubernetescrd middlewareType=ForwardedAuthType
{"ClientAddr":"10.1.0.82:7369","ClientHost":"10.1.0.82","ClientPort":"7369","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":46996994,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":46996994,"RequestAddr":"backstage-dev.tools.resources.example.com","RequestContentSize":0,"RequestCount":268,"RequestHost":"backstage-dev.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-backstage-ingress-3838c1308de02b28f9a1@kubernetescrd","StartLocal":"2023-12-29T12:35:52.945933677Z","StartUTC":"2023-12-29T12:35:52.945933677Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:35:52Z"}
{"ClientAddr":"10.1.0.82:32908","ClientHost":"10.1.0.82","ClientPort":"32908","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":525310,"OriginContentSize":0,"OriginDuration":443615,"OriginStatus":307,"Overhead":81695,"RequestAddr":"authenticate.tools.resources.example.com","RequestContentSize":0,"RequestCount":271,"RequestHost":"authenticate.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceAddr":"10.1.0.250:4181","ServiceName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.1.0.250:4181","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2023-12-29T12:35:53.422994401Z","StartUTC":"2023-12-29T12:35:53.422994401Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:35:53Z"}
time="2023-12-29T12:35:53Z" level=debug msg="Remote error [https://authenticate.tools.resources.example.com](https://authenticate.tools.resources.example.com/). StatusCode: 307" middlewareType=ForwardedAuthType middlewareName=backstage-traefik-forward-auth@kubernetescrd
{"ClientAddr":"10.1.0.82:7369","ClientHost":"10.1.0.82","ClientPort":"7369","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":2663661,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":2663661,"RequestAddr":"backstage-dev.tools.resources.example.com","RequestContentSize":0,"RequestCount":270,"RequestHost":"backstage-dev.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-backstage-ingress-3838c1308de02b28f9a1@kubernetescrd","StartLocal":"2023-12-29T12:35:53.421803551Z","StartUTC":"2023-12-29T12:35:53.421803551Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:35:53Z"}

{"ClientAddr":"10.1.0.82:32908","ClientHost":"10.1.0.82","ClientPort":"32908","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":995049,"OriginContentSize":0,"OriginDuration":916186,"OriginStatus":307,"Overhead":78863,"RequestAddr":"authenticate.tools.resources.example.com","RequestContentSize":0,"RequestCount":277,"RequestHost":"authenticate.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceAddr":"10.1.0.250:4181","ServiceName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.1.0.250:4181","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2023-12-29T12:36:11.355063574Z","StartUTC":"2023-12-29T12:36:11.355063574Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:36:11Z"}
time="2023-12-29T12:36:11Z" level=debug msg="Remote error [https://authenticate.tools.resources.example.com](https://authenticate.tools.resources.example.com/).StatusCode: 307" middlewareName=backstage-traefik-forward-auth@kubernetescrd middlewareType=ForwardedAuthType
{"ClientAddr":"10.1.0.82:7369","ClientHost":"10.1.0.82","ClientPort":"7369","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":3356018,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":3356018,"RequestAddr":"backstage-dev.tools.resources.example.com","RequestContentSize":0,"RequestCount":276,"RequestHost":"backstage-dev.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/oauth?code=88a007d2-11c5-46ba-9e29-3f99d0dc5d04\u0026state=ed59527371c0ec61ab20f4414b1624ae:oidc:https://authenticate.tools.resources.example.com","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-backstage-ingress-3838c1308de02b28f9a1@kubernetescrd","StartLocal":"2023-12-29T12:36:11.353784628Z","StartUTC":"2023-12-29T12:36:11.353784628Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:36:11Z"}
{"ClientAddr":"10.1.0.82:32908","ClientHost":"10.1.0.82","ClientPort":"32908","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":512959,"OriginContentSize":0,"OriginDuration":437126,"OriginStatus":307,"Overhead":75833,"RequestAddr":"authenticate.tools.resources.example.com","RequestContentSize":0,"RequestCount":279,"RequestHost":"authenticate.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceAddr":"10.1.0.250:4181","ServiceName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.1.0.250:4181","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2023-12-29T12:36:11.59199596Z","StartUTC":"2023-12-29T12:36:11.59199596Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:36:11Z"}
time="2023-12-29T12:36:11Z" level=debug msg="Remote error [https://authenticate.tools.resources.example.com](https://authenticate.tools.resources.example.com/).StatusCode: 307" middlewareName=backstage-traefik-forward-auth@kubernetescrd middlewareType=ForwardedAuthType
{"ClientAddr":"10.1.0.82:7369","ClientHost":"10.1.0.82","ClientPort":"7369","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":3147681,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":3147681,"RequestAddr":"backstage-dev.tools.resources.example.com","RequestContentSize":0,"RequestCount":278,"RequestHost":"backstage-dev.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/oauth?code=3f448d77-45f7-44ea-aa63-428f057ed9af\u0026state=3035ee52838a74844ca5f0c139c78c62%3Aoidc%3Ahttps%3A%2F%2Fauthenticate.tools.resources.example.com","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-backstage-ingress-3838c1308de02b28f9a1@kubernetescrd","StartLocal":"2023-12-29T12:36:11.590849246Z","StartUTC":"2023-12-29T12:36:11.590849246Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:36:11Z"}
{"ClientAddr":"10.1.0.82:32908","ClientHost":"10.1.0.82","ClientPort":"32908","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":582717,"OriginContentSize":0,"OriginDuration":494794,"OriginStatus":307,"Overhead":87923,"RequestAddr":"authenticate.tools.resources.example.com","RequestContentSize":0,"RequestCount":281,"RequestHost":"authenticate.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceAddr":"10.1.0.250:4181","ServiceName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.1.0.250:4181","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2023-12-29T12:36:11.736648187Z","StartUTC":"2023-12-29T12:36:11.736648187Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:36:11Z"}
time="2023-12-29T12:36:11Z" level=debug msg="Remote error [https://authenticate.tools.resources.example.com](https://authenticate.tools.resources.example.com/). StatusCode: 307" middlewareType=ForwardedAuthType middlewareName=backstage-traefik-forward-auth@kubernetescrd`
Paladin-F commented 10 months ago

In auth ingress, keep - name: traefik-forward-auth in middleware. I've been struggling with this for a long time too.

AfrazHussain commented 6 months ago

@manurawat Did you ever find a solution for this issue? I want to implement Traefik with Cognito's user pool too, so I was just looking at resources on how to do that.

clambin commented 5 months ago

Did you ever find a solution for this issue? I want to implement Traefik with Cognito's user pool too, so I was just looking at resources on how to do that.

@AfrazHussain: It's a configuration issue: you need to specify the traefik-forward-auth middleware on the ingress for the auth flow. It's commented out in the example above.