thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License

Invalid email error, empty email field using GitLab as provider #85

Open Pixtriks opened 4 years ago

Pixtriks commented 4 years ago

I am experiencing this issue (#60) as well. I am running in overlay mode and have one whitelisted e-mail address. Identity provider is GitLab. The e-mail field is empty causing a "Not Authorized" error.

Log file:

time="2020-02-17T15:22:03Z" level=debug msg="Starting with options: {\"LogLevel\":\"debug\",\"LogFormat\":\"text\",\"AuthHost\":\"\",\"CookieDomains\":[{\"Domain\":\"example.com\",\"DomainLen\":12,\"SubDomain\":\".example.com\",\"SubDomainLen\":13}],\"InsecureCookie\":false,\"CookieName\":\"_forward_auth\",\"CSRFCookieName\":\"_forward_auth_csrf\",\"DefaultAction\":\"auth\",\"DefaultProvider\":\"oidc\",\"Domains\":null,\"LifetimeString\":43200,\"Path\":\"/_oauth\",\"Whitelist\":[\"redacted@users.noreply.gitlab.com\"],\"Providers\":{\"Google\":{\"ClientID\":\"\",\"Scope\":\"\",\"Prompt\":\"\",\"LoginURL\":null,\"TokenURL\":null,\"UserURL\":null},\"OIDC\":{\"Config\":{\"ClientID\":\"redacted\",\"ClientSecret\":\"redacted\",\"Endpoint\":{\"AuthURL\":\"https://gitlab.com/oauth/authorize\",\"TokenURL\":\"https://gitlab.com/oauth/token\",\"AuthStyle\":0},\"RedirectURL\":\"\",\"Scopes\":[\"openid\",\"profile\",\"email\"]},\"IssuerURL\":\"https://gitlab.com\",\"ClientID\":\"redacted\"}},\"Rules\":{},\"Lifetime\":43200000000000,\"CookieDomainsLegacy\":null,\"CookieSecureLegacy\":\"\",\"ClientIdLegacy\":\"\",\"PromptLegacy\":\"\"}"

time="2020-02-17T15:22:03Z" level=info msg="Listening on :4181"

time="2020-02-17T15:24:23Z" level=debug msg="Authenticating request" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.5] Cookie:[_forward_auth=QukNvOaeDrdgPha876Pdn9EyRmLEfFcrJqqctDUO2MM=|1581995233|] Dnt:[1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0] X-Forwarded-For:[192.168.2.254] X-Forwarded-Host:[example.com] X-Forwarded-Method:[GET] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[cd8bb7cff384] X-Forwarded-Uri:[/] X-Real-Ip:[redacted]]" rule=default source_ip=redacted

time="2020-02-17T15:24:23Z" level=error msg="Invalid email" email= source_ip=redacted

This is my docker-compose:

  traefik-oauth:
    container_name: traefik-oauth
    image: thomseddon/traefik-forward-auth:2.1-arm
    environment:
      - DEFAULT_PROVIDER=oidc
      - PROVIDERS_OIDC_ISSUER_URL=https://gitlab.com
      - PROVIDERS_OIDC_CLIENT_ID=<redacted>
      - PROVIDERS_OIDC_CLIENT_SECRET=<redacted>
      - SECRET=<redacted>
      - WHITELIST=<redacted>@users.noreply.gitlab.com
      - COOKIE_DOMAIN=example.com
      - LOG_LEVEL=debug
    networks:
      - proxy-net
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.oauth-secured.loadbalancer.server.port=4181"
      - "traefik.http.routers.oauth-secured.entrypoints=web-secured"
      - "traefik.http.routers.oauth-secured.rule=Host(`auth.example.com`)"
      - "traefik.http.routers.oauth-secured.tls.certresolver=mytlschallenge"

These are my GitLab settings:

[screenshot of the GitLab application settings]

I should also note that my profile and e-mail address are all set to public on GitLab. GitLab documentation states the following with regards to OpenID Connect:

Only the sub and sub_legacy claims are included in the ID token, all other claims are available from the /oauth/userinfo endpoint used by OIDC clients.

Source: https://docs.gitlab.com/ee/integration/openid_connect_provider.html

awaited-hare commented 4 years ago

Encountered the same issue today.

Pixtriks commented 4 years ago

It seems as if GitLab is not following the official OpenID Connect implementation by exposing all other claims under the /oauth/userinfo endpoint (including e-mail address). Maybe a change on the side of traefik-forward-auth could account for this?

https://gitlab.com/gitlab-org/gitlab/issues/21560

SuperSandro2000 commented 4 years ago

I think it would be a better idea to allow GitLab through OAuth2.

thomseddon commented 4 years ago

Hmm, that's a pain! I agree it would probably be easier to just add a custom GitLab provider as opposed to an extra workaround in the OIDC code.

pstadler commented 4 years ago

Unfortunately, the same applies to GitHub.

There's an example of how OpenID Connect can still be used with GitHub, by providing the required endpoints manually: https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/github

AndreKR commented 4 years ago

Is this issue accepting PRs?

This is a relatively simple bug. GitLab provides a UserInfo endpoint (example from gitlab.com). According to the OIDC specs, when requesting claims using scopes,

The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint [...]

Traefik Forward Auth does not currently query the UserInfo endpoint but expects the claims as part of the id_token:

https://github.com/thomseddon/traefik-forward-auth/blob/529e28d83bca652720db72906b24e6e41a3dbf82/internal/provider/oidc.go#L88-L101
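Added example (not the project's code) of the fallback described above: take the e-mail from the verified ID token when present, otherwise query the UserInfo endpoint with the access token, and treat an empty e-mail as an error instead of letting it reach the whitelist. ResolveEmail and FakeUserInfoServer are assumed names, and the fake server is a constructed stand-in for https://gitlab.com/oauth/userinfo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ResolveEmail prefers the "email" claim of the already signature-verified ID token and,
// when a provider (as GitLab did at the time of this issue) only puts "sub" there, falls
// back to the OIDC UserInfo endpoint with the access token; an empty e-mail is an error.
func ResolveEmail(idTokenClaims map[string]interface{}, userinfoURL, accessToken string) (string, error) {
	if email, _ := idTokenClaims["email"].(string); email != "" {
		return email, nil
	}
	req, err := http.NewRequest(http.MethodGet, userinfoURL, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("userinfo endpoint returned HTTP %d", resp.StatusCode)
	}
	var info struct{ Email string `json:"email"` }
	if err := json.NewDecoder(resp.Body).Decode(&info); err != nil {
		return "", err
	}
	if info.Email == "" {
		return "", fmt.Errorf("invalid email: neither the ID token nor UserInfo carried an email claim")
	}
	return info.Email, nil
}

// FakeUserInfoServer is a constructed stand-in for https://gitlab.com/oauth/userinfo:
// it answers with the given e-mail only when the expected bearer token is presented.
func FakeUserInfoServer(wantToken, email string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+wantToken {
			http.Error(w, `{"error":"invalid_token"}`, http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"sub": "12345", "email": email})
	}))
}
```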

AndreKR commented 4 years ago

GitLab will soon add the email claim to the ID token, which will make this obsolete for GitLab.

thomseddon commented 4 years ago

This should now be doable using the generic oauth provider. I'll test with gitlab this week, add some docs and update this issue.

maxisme commented 4 years ago

I have the same issue with GitHub; also, my X-Forwarded-User is empty.

maxisme commented 4 years ago

Ahh, sorry, just read:

Note: as per Github's documentation, their /user endpoint only returns the user's email if it's publicly visible. As such, you will not be able to use the User Restriction features with the Github provider, unless all your users have their email addresses public.

MelleD commented 2 years ago

@thomseddon Is it not possible to introduce another whitelist for github to check the login (username) or name instead of the email?

blacs30 commented 1 year ago

GitLab works fine for me with OIDC including email whitelist.

As mentioned before, the email claim was added a while ago.

This is the working base config:

env:

        DEFAULT_PROVIDER="oidc"
        PROVIDERS_OIDC_ISSUER_URL="https://gitlab.com"
        SECRET="${cookie_secret}"
        WHITELIST=<redacted>@users.noreply.gitlab.com

Service stanza for the traefik-forward-auth task (I'm on Nomad):

{
[...]
      namespace = "traefik"
[...]
      service {
        name = "traefik-forward-auth"
        provider = "nomad"
        port = "http"
        tags = [
          "traefik.enable=true",
          "traefik.http.middlewares.traefik-auth.forwardauth.address=https://auth.example.com",
          "traefik.http.middlewares.traefik-auth.forwardauth.authResponseHeaders=X-Forwarded-User",
          "traefik.http.routers.traefik-auth.entrypoints=websecure",
          "traefik.http.routers.traefik-auth.rule=Host(`auth.example.com`)",
          "traefik.http.routers.traefik-auth.tls=true",
          "traefik.http.routers.traefik-auth.tls.certresolver=letsencrypt"
        ]
      }
}

Demo task service stanza:

    service {
      name = "demo-webapp"
      provider = "nomad"
      port = "http"
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.demoapp-secure.rule=Host(`demoapp.example.com`)",
        "traefik.http.routers.demoapp-secure.entrypoints=websecure",
        "traefik.http.routers.demoapp-secure.tls=true",
        "traefik.http.routers.demoapp-secure.tls.certresolver=letsencrypt",
        "traefik.http.routers.demoapp-secure.middlewares=traefik-auth@nomad-traefik"
      ]
    }

The demoapp.example.com and auth.example.com DNS records (example.com is of course replaced by my own domain) are both public.

In GitLab I have created an app with the following scopes (it's more than needed here, I think, because I also use it for other apps): api, read_user, openid, profile, email

The redirect uri is this: https://demoapp.example.com/_oauth

Maybe it helps someone in the future.