travisghansen / external-auth-server

easy auth for reverse proxies
MIT License
330 stars 44 forks

Request-URI Too Long to /authorize endpoint (Okta as IdP) #117

Closed nonefaken closed 3 years ago

nonefaken commented 3 years ago

Hello again!

Still trying to set up an OAuth-based PoC with Okta IdP, envoy.filters.http.ext_authz and eas.

Faced the following problem with Okta, which is self-explanatory:

Request-URI Too Long
The requested URL's length exceeds the capacity limit for this server.

Example request:

https://zztop.oktapreview.com/oauth2/aus1nDrtgu349y9mX0x7/v1/authorize?client_id=0oa1nt2v8y7E.....

The request to the /authorize endpoint is 8000+ characters. Okta documentation is confusing and there are different limits for requests. I have already raised a ticket with Okta support to find out the limit for requests to the /authorize endpoint in the OAuth flow case.

Still curious: is it possible to deal with such things in an alternative way? Like smaller pointers, so the actual request to the Okta /authorize endpoint is compact, etc.

Can this help? https://github.com/travisghansen/external-auth-server/blob/e4646e151ca9062e0ace68b748fcd8d7c9c7471c/CONFIG_TOKENS.md

Thank you!

travisghansen commented 3 years ago

Yeah, depending on how much data/how complex the config token is, so is the encrypted data (and resulting URL string). I have successfully used the project with Okta, but perhaps my config token has fewer rules etc.

If you're running into that issue then the appropriate route would likely be to use server-side tokens (which are exactly what you described...pointers): https://github.com/travisghansen/external-auth-server/blob/e4646e151ca9062e0ace68b748fcd8d7c9c7471c/CONFIG_TOKENS.md#server-side-tokens

There are various adapters for storing the tokens, including using ENV vars, so hypothetically the service (eas) can remain effectively stateless without the need for a DB or other storage.

travisghansen commented 3 years ago

Well, actually that may not be entirely correct...the config token data generally isn't all embedded in the authorize URL actually. Was the originally requested URL (not eas, but the actual service) huge?

travisghansen commented 3 years ago

OK, so I revisited the code here and this is the data that gets embedded into the oauth state parameter (which potentially could get quite large):

      const payload = {
        request_uri: parentReqInfo.uri,
        aud: configAudMD5,
        csrf: plugin.server.utils.generate_csrf_id(),
        req: {
          headers: {
            referer: req.headers.referer,
          },
        },
        request_is_xhr,
      };

So if the referer and/or actual service URI are super long, state could become quite large. I want to say that at some point I had considered/prototyped storing that data server-side (in redis with a timeout) and only passing around a pointer to that data as well.

If you could send over the full URL (or at least indicate if the state parameter is where the majority of data is coming from) then that would be helpful.

nonefaken commented 3 years ago

Hi,

Yes, it's state. Full URL, but I hand-edited a few things so as not to expose my API, secrets, etc.:

https://zztop.oktapreview.com/oauth2/aus1nt2tmuLH9y9mX0x7/v1/authorize?client_id=0oa1xx23x47Edr4Dffx7&scope=user&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A10443%2Foauth%2Fcallback&state=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
nonefaken commented 3 years ago

Just received an answer from Okta that the limit of characters in a request URI is 8,208 characters. In my request it is 842X characters.

travisghansen commented 3 years ago

Is the svc uri huge? Or the referer?

nonefaken commented 3 years ago

It's actually a 302 ping/pong between envoy and okta, ending in a large state on the 3rd pass.

  1. Connect to localhost:10443/ and get a 302 redirect to okta. Response headers:

     location: https://zztop.oktapreview.com/oauth2/reducted_auth_srv/v1/authorize?client_id=reducted_client_id&scope=user&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A10443%2Foauth%2Fcallback&state=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
     server: envoy
     set-cookie: _eas_oauth_csrf=s%3Ak%2Fn2rBTjTf%2FeYw33ymZXLQEayFLaJl460QRVCHJEw8NUrXSsvZ3Qd0yIAror9aaP.3wCRI5Vy1eLoHc48DBtAF3Eus%2F0ZslPIYMe0FFGhrpw; Path=/; Expires=Sat, 17 Jul 2021 08:51:18 GMT; HttpOnly; SameSite=Lax
  2. Request to Okta, ending in a redirect to localhost:10443/oauth/callback with an authorization code. Query parameters:

     client_id: ---redacted---
     scope: user
     response_type: code
     redirect_uri: https://localhost:10443/oauth/callback
     state: 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
  3. Call to localhost:10443/oauth/callback with the authorization code, which actually ends up with a 302 redirect back to okta:

     host: localhost:10443/oauth/callback
     filename: /oauth/callback
     code: ArGFB2Nff0RVwS2i3Sx8tlix_33J66WLaE8Z4D651m4
     state: 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
  4. It takes another pass and a half of the same and ends up with a 403 on the Okta side with a huge state.

I might be configuring something wrongly.

Should it be like this?

  1. connect to envoy front (localhost:10443/) and 302 redirect to IdP after request is processed by ext_authz and eas
  2. Auth at IdP and redirect back with authorization code to envoy localhost:10443/oauth/callback
  3. authorization code passed to eas via ext_authz (?) and eas exchanges code and secret for tokens, etc.
  4. and so on
nonefaken commented 3 years ago

EAS log:

Attaching to eas
eas                               | debug: cache opts: {"store":"memory","max":0,"ttl":0}
eas                               | info: revoked JTIs: []
eas                               | info: starting server on port 8080
eas                               | info: starting verify pipeline
eas                               | debug: config token: {"aud":"client_id","eas":{"plugins":[{"type":"oauth2","issuer":{"authorization_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/token"},"client":{"client_id":"client_id","client_secret":"client_secret"},"scopes":["user"],"redirect_uri":"https://localhost:10443/oauth/callback","features":{"cookie_expiry":false,"userinfo_expiry":86400,"session_expiry":604800,"session_expiry_refresh_window":86400,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"userinfo":{"provider":"github","config":{"fetch_teams":true,"fetch_organizations":true,"fetch_emails":true}}},"assertions":{"exp":true},"cookie":{"name":"_eas_localhost_session_","domain":"localhost_domain"}}]},"iat":1626468604,"audMD5":"6e887c200f47fa1f11907dde1c2a2266"}
eas                               | info: starting verify for plugin: oauth2
eas                               | (node:18) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.
eas                               | verbose: parent request info: {"uri":"undefined://localhost:10443/","parsedUri":{"scheme":"undefined","host":"localhost","port":10443,"path":"/","reference":"absolute"},"parsedQuery":{},"method":"GET"}
eas                               | verbose: audMD5: 6e887c200f47fa1f11907dde1c2a2266
eas                               | verbose: cookie name: _eas_localhost_session_
eas                               | verbose: redirect_uri: https://localhost:10443/oauth/callback
eas                               | verbose: callback redirect_uri: https://zztop.oktapreview.com/oauth2/custom_author_server/v1/authorize?client_id=client_id&scope=user&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A10443%2Foauth%2Fcallback&state=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
eas                               | debug: plugin response {"statusCode":302,"statusMessage":"","body":"","cookies":[["_eas_oauth_csrf","oViZTcdaRQacOdJiO2BlWdBUTkx9TcWXCsoHR/taV3CTfiNtEvpi2j8hNWVEYtRB",{"expires":"2021-07-17T09:51:28.789Z","domain":null,"path":"/","httpOnly":true,"secure":false,"sameSite":"lax","signed":true}]],"clearCookies":[],"headers":{"Location":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/authorize?client_id=client_id&scope=user&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A10443%2Foauth%2Fcallback&state=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"},"authenticationData":{},"plugin":{"server":{},"config":{"type":"oauth2","issuer":{"authorization_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/token"},"client":{"client_id":"client_id","client_secret":"client_secret"},"scopes":["user"],"redirect_uri":"https://localhost:10443/oauth/callback","features":{"cookie_expiry":false,"userinfo_expiry":86400,"session_expiry":604800,"session_expiry_refresh_window":86400,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"userinfo":{"provider":"github","config":{"fetch_teams":true,"fetch_organizations":true,"fetch_emails":true}},"filtered_service_headers":[],"logout":{"end_provider_session":{},"backchannel":{}}},"assertions":{"exp":true},"cookie":{"name":"_eas_localhost_session_","domain":"localhost_domain","path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"pcb":{},"custom_authorization_parameters":{},"custom_authorization_code_parameters":{},"custom_refresh_parameters":{},"custom_revoke_parameters":{},"csrf_cookie":{"enabled":true,"domain":null,"path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"xhr":{}}}}
eas                               | info: end verify pipeline with status: 302
eas                               | info: starting verify pipeline
eas                               | debug: config token: {"aud":"client_id","eas":{"plugins":[{"type":"oauth2","issuer":{"authorization_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/token"},"client":{"client_id":"client_id","client_secret":"client_secret"},"scopes":["user"],"redirect_uri":"https://localhost:10443/oauth/callback","features":{"cookie_expiry":false,"userinfo_expiry":86400,"session_expiry":604800,"session_expiry_refresh_window":86400,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"userinfo":{"provider":"github","config":{"fetch_teams":true,"fetch_organizations":true,"fetch_emails":true}}},"assertions":{"exp":true},"cookie":{"name":"_eas_localhost_session_","domain":"localhost_domain"}}]},"iat":1626468604,"audMD5":"6e887c200f47fa1f11907dde1c2a2266"}
eas                               | info: starting verify for plugin: oauth2
eas                               | verbose: parent request info: {"uri":"undefined://localhost:10443/oauth/callback?code=pHISgLGAsj-qqB0VzNBreaJhg1Bee5aszwWs1waqcYY&state=196362e85cceeb2fba88a6531e0f87607d69053285007701aada718eca15645effa7b89a4a10878220dc9e55c4803b4e04f4ed0b6f6b9820c33fae1bf42fb9219c8bde2e54bf12daaa70fcdd12892c6e599dba1ff064d579e5495f2934fbe6ed7876acbf8871fb9cea7540a6aea729627291e7edbd0e181e6a97f22983e129b4929c4fca1e8fd15c6a494f06b9a77a44a930f26ee770cbda6ca9de5ab3460597e904d33bbae877a5e1a045e846afce155035eaf0b4e3f478e22705b13da86890e0a957517c452d93508b8bf97304491c26d2543478d7a760ae8a329bfb03521cf6fbed4b05e4a98a35a09ed63816ca93fb598808a3411611b6adda5accd50844ef8b5d1085ec8c491f0b662556d41eb8a4f76ae62c172c00921e7328199d25297ec0fb6445ea46c87e87f5733d5a950bddb92566f7e53978329235b462beaa30458bc889f617541b17968f4a5bac055d80963271229c6fb1041b712b7e2cc37e","parsedUri":{"scheme":"undefined","host":"localhost","port":10443,"path":"/oauth/callback","query":"code=pHISgLGAsj-qqB0VzNBreaJhg1Bee5aszwWs1waqcYY&state=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","reference":"absolute"},"parsedQuery":{"code":"pHISgLGAsj-qqB0VzNBreaJhg1Bee5aszwWs1waqcYY","state":"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"},"method":"GET"}
eas                               | verbose: audMD5: 6e887c200f47fa1f11907dde1c2a2266
eas                               | verbose: cookie name: _eas_localhost_session_
eas                               | verbose: redirect_uri: https://localhost:10443/oauth/callback
eas                               | verbose: callback redirect_uri: https://zztop.oktapreview.com/oauth2/custom_author_server/v1/authorize?client_id=client_id&scope=user&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A10443%2Foauth%2Fcallback&state=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
eas                               | debug: plugin response {"statusCode":302,"statusMessage":"","body":"","cookies":[["_eas_oauth_csrf","7wt2Ijf1STvX957gt+MbQN0/WJ/1y+O3nmmbE8xOLHr6OL20puhsJGvM1dfNy89g",{"expires":"2021-07-17T09:51:29.331Z","domain":null,"path":"/","httpOnly":true,"secure":false,"sameSite":"lax","signed":true}]],"clearCookies":[],"headers":{"Location":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/authorize?client_id=client_id&scope=user&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A10443%2Foauth%2Fcallback&state=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"},"authenticationData":{},"plugin":{"server":{},"config":{"type":"oauth2","issuer":{"authorization_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/token"},"client":{"client_id":"client_id","client_secret":"client_secret"},"scopes":["user"],"redirect_uri":"https://localhost:10443/oauth/callback","features":{"cookie_expiry":false,"userinfo_expiry":86400,"session_expiry":604800,"session_expiry_refresh_window":86400,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"userinfo":{"provider":"github","config":{"fetch_teams":true,"fetch_organizations":true,"fetch_emails":true}},"filtered_service_headers":[],"logout":{"end_provider_session":{},"backchannel":{}}},"assertions":{"exp":true},"cookie":{"name":"_eas_localhost_session_","domain":"localhost_domain","path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"pcb":{},"custom_authorization_parameters":{},"custom_authorization_code_parameters":{},"custom_refresh_parameters":{},"custom_revoke_parameters":{},"csrf_cookie":{"enabled":true,"domain":null,"path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"xhr":{}}}}
eas                               | info: end verify pipeline with status: 302
eas                               | info: starting verify pipeline
eas                               | debug: config token: {"aud":"client_id","eas":{"plugins":[{"type":"oauth2","issuer":{"authorization_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/token"},"client":{"client_id":"client_id","client_secret":"client_secret"},"scopes":["user"],"redirect_uri":"https://localhost:10443/oauth/callback","features":{"cookie_expiry":false,"userinfo_expiry":86400,"session_expiry":604800,"session_expiry_refresh_window":86400,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"userinfo":{"provider":"github","config":{"fetch_teams":true,"fetch_organizations":true,"fetch_emails":true}}},"assertions":{"exp":true},"cookie":{"name":"_eas_localhost_session_","domain":"localhost_domain"}}]},"iat":1626468604,"audMD5":"6e887c200f47fa1f11907dde1c2a2266"}
eas                               | info: starting verify for plugin: oauth2
eas                               | verbose: audMD5: 6e887c200f47fa1f11907dde1c2a2266
eas                               | verbose: cookie name: _eas_localhost_session_
eas                               | verbose: redirect_uri: https://localhost:10443/oauth/callback
eas                               | debug: plugin response {"statusCode":302,"statusMessage":"","body":"","cookies":[["_eas_oauth_csrf","mLjBhbLEfXshz1BWoAvQXLQzKi42A60iEbAdW0NUQ5Gr9DP0YcuxNJLAhXMnHfTM",{"expires":"2021-07-17T09:51:29.739Z","domain":null,"path":"/","httpOnly":true,"secure":false,"sameSite":"lax","signed":true}]],"clearCookies":[],"headers":{"Location":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/authorize?client_id=client_id&scope=user&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A10443%2Foauth%2Fcallback&state=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"},"authenticationData":{},"plugin":{"server":{},"config":{"type":"oauth2","issuer":{"authorization_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/custom_author_server/v1/token"},"client":{"client_id":"client_id","client_secret":"client_secret"},"scopes":["user"],"redirect_uri":"https://localhost:10443/oauth/callback","features":{"cookie_expiry":false,"userinfo_expiry":86400,"session_expiry":604800,"session_expiry_refresh_window":86400,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"userinfo":{"provider":"github","config":{"fetch_teams":true,"fetch_organizations":true,"fetch_emails":true}},"filtered_service_headers":[],"logout":{"end_provider_session":{},"backchannel":{}}},"assertions":{"exp":true},"cookie":{"name":"_eas_localhost_session_","domain":"localhost_domain","path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"pcb":{},"custom_authorization_parameters":{},"custom_authorization_code_parameters":{},"custom_refresh_parameters":{},"custom_revoke_parameters":{},"csrf_cookie":{"enabled":true,"domain":null,"path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"xhr":{}}}}
eas                               | info: end verify pipeline with status: 302
^CGracefully stopping... (press Ctrl+C again to force)
Killing eas  ... done
travisghansen commented 3 years ago

Ok yeah I was wondering about that. Let me review the logs to see if I can determine where the cyclic behavior is coming from. You’re sure eas isn’t configured to auth itself?

nonefaken commented 3 years ago

I'm not sure. Do I have to expose the /oauth/callback endpoint directly to eas without any auth?

Currently in my config, envoy.filters.http.ext_authz is not configured per route and hits all routes:

static_resources:
  listeners:
  - name: listener_proxy
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10443
    listener_filters:
    - name: "tls_inspector"
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filter_chain_match:
        server_names: ["localhost"]
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain:
                filename: /etc/envoy/certs/cert.crt
              private_key:
                filename: /etc/envoy/certs/cert.key
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: envoy-front
          codec_type: auto
          route_config:
            name: local_route
            virtual_hosts:
              - name: local_service
                domains: 
                  - "*"
                routes:
                  - match: { prefix: "/" }
                    route: 
                      cluster: nginx-static-website
                    typed_per_filter_config:
                      envoy.filters.http.rbac:
                        "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
                        rbac:
                          rules:
                            action: ALLOW
                            policies:
                              policy_1:
                                principals:
                                  - metadata:
                                      filter: envoy.filters.http.jwt_authn
                                      path:
                                        - key: my_payload
                                        - key: groups
                                      value:
                                        list_match:
                                          one_of:
                                            string_match:
                                              exact: Everyone
                                permissions:
                                  - any: true
          http_filters:
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              transport_api_version: V3
              http_service:
                authorizationRequest:
                  allowedHeaders:
                    patterns:
                      - exact: cookie
                      - exact: X-Forwarded-Host
                      - exact: X-Forwarded-Method
                      - exact: X-Forwarded-Proto
                      - exact: X-Forwarded-Uri
                  headers_to_add:
                    - key: "x-eas-verify-params"
                      value: '{"config_token":"---reducted---"}'
                pathPrefix: /envoy/verify-params-header
                serverUri:
                  cluster: eas
                  timeout: 2.25s
                  uri: http://eas:8080
          - name: envoy.filters.http.jwt_authn
            typed_config: 
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                auth_okta:
                  issuer: https://zztop.oktapreview.com/oauth2/custom_auth_srv
                  payload_in_metadata: "my_payload"
                  audiences: some_audience
                  forward: true
                  remote_jwks:
                    http_uri:
                      uri: https://zztop.oktapreview.com/oauth2/custom_auth_srv/v1/keys
                      cluster: okta-cluster-https
                      timeout: 5s
                    cache_duration:
                      seconds: 300
              rules:
              - match:
                  prefix: /
                requires:
                  provider_name: auth_okta
          - name: envoy.filters.http.rbac
          - name: envoy.filters.http.router
  clusters:
  - name: eas
    connect_timeout: 2.25s
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: eas
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: eas
                port_value: 8080
  etc.
travisghansen commented 3 years ago

Yeah you need to ensure eas itself is bypassing any kind of forward auth configuration. I’m not an expert in envoy based setups but I think you can apply annotations on the eas namespace that excludes the whole namespace from the config auth process?

nonefaken commented 3 years ago

Hi, I will configure envoy (currently using plain envoy and docker, no kubernetes, istio and such), but I just have to understand the configuration.

Let's say right now I have a single domain name "localhost" and apps will live in different paths/routes, like /app1, /app2 (i.e. full URL https://localhost/app1).

Does EAS need an entirely different domain and all paths (/) for itself? (like https://localhost2/)

Or should I only whitelist one endpoint (say path /oauth/callback, full URL https://localhost/oauth/callback) and forward it to EAS without any auth?

travisghansen commented 3 years ago

All eas endpoints should bypass auth. I’d have to audit the code base but I think you may run into issues trying to run eas with a prefix (i.e. localhost/eas/oauth/callback) so for now it would be best to assign a dedicated domain/host. There are situations where URLs etc. are automatically generated and eas doesn’t have a setting to make it ‘aware’ of running with a prefix like that presently, but I haven’t fully audited that use case so YMMV.

nonefaken commented 3 years ago

So I tested the scenario and it still fails with a different error.

System configuration:

  1. envoy proxy with ext_authz listening on https://localhost:10443
  2. EAS server listening on https://localhost7:10443 and envoy is configured to pass everything to the downstream eas service
  3. added Sign-in redirect URI in Okta to point to EAS: "https://localhost7:10443/oauth/callback"
  4. changed redirect_uri in generate-config-token.js to "https://localhost7:10443/oauth/callback"
  5. regenerated config_token and updated envoy proxy config with ext_authz filter (https://localhost:10443)

Test workflow:

  1. user-agent connects to "https://localhost:10443" and is redirected to Okta
  2. successful auth in Okta and redirect to "https://localhost7:10443/oauth/callback" (EAS address) with authorization code
  3. request to "https://localhost7:10443/oauth/callback" with code fails with browser message "The address wasn’t understood" and the EAS HTTP response headers are the following:
    HTTP/1.1 302 Found
    x-powered-by: Express
    location: undefined://localhost:10443/?__eas_oauth_handler__=authorization_callback&code=UlDNlGYlBv5angifd6OLayLi_CsAmYSYov35iagcjj0&state=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
    date: Sat, 17 Jul 2021 14:59:14 GMT
    content-length: 0
    x-envoy-upstream-service-time: 6
    cache-control: no-cache, no-store
    server: envoy

Here is, I think, the interesting part:

location: undefined://localhost:10443/?...

EAS logs (again edited it to protect my API secrets):

Creating eas ... done
Attaching to eas
eas                               | debug: cache opts: {"store":"memory","max":0,"ttl":0}
eas                               | info: revoked JTIs: []
eas                               | info: starting server on port 8080
eas                               | silly: verify request details: {"url":"/envoy/verify-params-header/","params":{"0":"/","1":""},"query":{},"http_method":"GET","http_version":"1.1","headers":{"host":"localhost:10443","content-length":"0","cookie":"_eas_oauth_csrf=s%3ATNV%2Fh%2FhWKEvHGYybY1XeDOuv9J2lCo%2BjVeAdgyVdZJLRpOaCQSnxX%2B6mi%2FR2uWfn.93xjOvOPL7UcPWdmWAlluGXXX%2BMOD580nLPrA8X2ho0","x-eas-verify-params":"{\"config_token\":\"tsUdAn/pNXvl58Uon2IzBS/YffLbSAxZZasxx9f6ZbB+UYanfDXMtsWIXnr3dtoJ0tPoHOLH7kUZIK3ON0K6tTTg3Bqlm3GYR9ArMrgTFeC7qZ8/d4fVJQGNEpWMNymYa6ZVdT+z9CQlZ7L6jYO9Of3BFs7k8GnJW2//QojgkMhgNlhgDfOURbMdu5Z/+qVOmmblj1l6D4URL4Hn2RIllxFR+dY8fVjYrA4p+CLffxbmjnLn+CA6+dgdl9i4uKCvc8Iel6wvB+kS0GqSmShHtzqx7ucO84kdErMfa0dG3LeTykwsfhkdYdYfGaVnOAqq91nTKb9bqnzgW4hwPsaAWLgFU/mKvcHjSTaCmVRO4rHb09d90PcXWjM0fO9uBenN1dDZ6Xv3kxlhX8zh90jZg8aWEDGqNt3AYhONhwSpjoVGsBxst7qucEVsSV4n4XvFhUjV6Ekv3Uc8AenIcq+XRa3tbUuKtFkGUbQJoU1/2phW7m+vvT+5YyDc5LFVIQzp8V4MVo9TcI7XbP38SbtFI1Y8Ka28+C7TdN/ogj0z43KbH8HiLyeZlKXW/Pkmg2lHnkwvavH17ctaheWgj0zYw5Rq7l2DKG0HAXnwKD/xPWOKC7/TzvWDSOaQLyUtRIJFt/27Erz0B6L1pxFpLAG8avukOw6vAY9NtwkoGkOn+VT+X30Q5Co29Qd0UHlLb1JEJ8V77V2ludGx9kha3m8l1G54NDbTIgkbcNQV1JZrwimeYkkzO4BLggqJCFDYySFodP1lLNFP5TqkEWvYFXVrQnyhdXDsK89VTn2no4IUHKCfU8mxF+tKL14QhwQDyyOsRb8z/HBHMagAV6EdOiqTqWkDGNC5+eQBC1Oq1ffoQHv2iY+4KkgZh9ZP2RBR8T4iSKYdZ9MjgtCr+0AGz+6Tbu+n/0hGxyyfAwGvCIbGYQzjBGAmg7dz2ueMlqOQC+fQItocGIZ7rgorWQRF/lr4XR5alss3IzQlYQLGjibQiT0Kp+OqoMIj6tQpOGWhNNQmoc8+3Ck//+45YX7NeBLgtD8xZjXEdjP5Mh+PyRbkVc5f8y3jvdVpoXZf//Y1U+CBazF4q7tBxI4BeoHtjW/2xoH38c//lH+2NYvA+296tFI1rhoiLZapt2V3ZguzT4Bqy4f94F2KdOCwG5MWXJ60VObFtVRphrzeWXq+64eTW/6FEija9c8GgWr5m9+VRYF1vHDYXyPnN1Wz+mNZodZ2b8f4ibIM+qBVGdyxNqu6u+zHNjG5rz6Du5ndtl4Y0vnjjWsHhEftj3FQJlxMVvvh5+/h1OfDm2pEIG1d//N4Zc0IRI8xeIBZebjdKxqCZ7ZUVf9VS6jTLaJn9L6hq48vxRKtY3i7yK1jfarjq3mP4f7OjPwu+QZESreypr1tc2LKrM3GO+TyEfWvu4lpNm+dMlUVvxTKmM+qjbelkz7RadiA75qTY2QvxkCxkWPA4L6G0NPqtHY9fWSjk5y4wCpYg97L5TxSJcq95Vc9B8w6soXgDsJ7mHfzljX8ZP3Fz5ZFfSboBdJBuMP1HD9+HBmwidcFKHaXg
LKh8/b9ooQxGdKCmWaRnupJuGKGw6G/c8aMYNkPYY4/Jg4GkQWsP+3YdNdPYdBEq/WmQSS0ffaO681ELHKTZKgPjLy3ggMZ6Eo5\"}","x-b3-traceid":"0c8333cc6098118e","x-b3-spanid":"75c1f0fcd93538f4","x-b3-parentspanid":"0c8333cc6098118e","x-b3-sampled":"1","x-envoy-internal":"true","x-forwarded-for":"172.31.0.2","x-envoy-expected-rq-timeout-ms":"2250","x-forwarded-uri":"/","x-forwarded-method":"GET"},"body":{}}
eas                               | info: starting verify pipeline
eas                               | silly: verify params: {"config_token":"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"}
eas                               | debug: config token: {"aud":"client_id","eas":{"plugins":[{"type":"oauth2","issuer":{"authorization_endpoint":"https://zztop.oktapreview.com/oauth2/audience_or_auth_provider/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/audience_or_auth_provider/v1/token"},"client":{"client_id":"client_id","client_secret":"client_secret"},"scopes":["user"],"redirect_uri":"https://localhost7:10443/oauth/callback","features":{"cookie_expiry":false,"userinfo_expiry":86400,"session_expiry":604800,"session_expiry_refresh_window":86400,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"userinfo":{"provider":"github","config":{"fetch_teams":true,"fetch_organizations":true,"fetch_emails":true}}},"assertions":{"exp":true},"cookie":{"name":"_eas_localhost_session_","domain":"localhost_domain"}}]},"iat":1626532749,"audMD5":"6e887c200f47fa1f11907dde1c2a2266"}
eas                               | info: starting verify for plugin: oauth2
eas                               | (node:18) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.
eas                               | verbose: parent request info: {"uri":"undefined://localhost:10443/","parsedUri":{"scheme":"undefined","host":"localhost","port":10443,"path":"/","reference":"absolute"},"parsedQuery":{},"method":"GET"}
eas                               | verbose: audMD5: 6e887c200f47fa1f11907dde1c2a2266
eas                               | verbose: cookie name: _eas_localhost_session_
eas                               | verbose: redirect_uri: https://localhost7:10443/oauth/callback
eas                               | verbose: callback redirect_uri: https://zztop.oktapreview.com/oauth2/audience_or_auth_provider/v1/authorize?client_id=client_id&scope=user&response_type=code&redirect_uri=https%3A%2F%2Flocalhost7%3A10443%2Foauth%2Fcallback&state=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
eas                               | debug: plugin response {"statusCode":302,"statusMessage":"","body":"","cookies":[["_eas_oauth_csrf","CvKh4Lz1NkqR1kKavpBeUOL5DSt6QLQpDCQxxl6bhuyksBU8tyIg0xa13Vf5prmt",{"expires":"2021-07-18T02:59:13.674Z","domain":null,"path":"/","httpOnly":true,"secure":false,"sameSite":"lax","signed":true}]],"clearCookies":[],"headers":{"Location":"https://zztop.oktapreview.com/oauth2/audience_or_auth_provider/v1/authorize?client_id=client_id&scope=user&response_type=code&redirect_uri=https%3A%2F%2Flocalhost7%3A10443%2Foauth%2Fcallback&state=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"},"authenticationData":{},"plugin":{"server":{},"config":{"type":"oauth2","issuer":{"authorization_endpoint":"https://zztop.oktapreview.com/oauth2/audience_or_auth_provider/v1/authorize","token_endpoint":"https://zztop.oktapreview.com/oauth2/audience_or_auth_provider/v1/token"},"client":{"client_id":"client_id","client_secret":"client_secret"},"scopes":["user"],"redirect_uri":"https://localhost7:10443/oauth/callback","features":{"cookie_expiry":false,"userinfo_expiry":86400,"session_expiry":604800,"session_expiry_refresh_window":86400,"session_retain_id":true,"refresh_access_token":true,"fetch_userinfo":true,"userinfo":{"provider":"github","config":{"fetch_teams":true,"fetch_organizations":true,"fetch_emails":true}},"filtered_service_headers":[],"logout":{"end_provider_session":{},"backchannel":{}}},"assertions":{"exp":true},"cookie":{"name":"_eas_localhost_session_","domain":"localhost_domain","path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"pcb":{},"custom_authorization_parameters":{},"custom_authorization_code_parameters":{},"custom_refresh_parameters":{},"custom_revoke_parameters":{},"csrf_cookie":{"enabled":true,"domain":null,"path":"/","secure":false,"httpOnly":true,"sameSite":"lax"},"xhr":{}}}}
eas                               | info: end verify pipeline with status: 302
eas                               | silly: {"headers":{"host":"localhost7:10443","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","dnt":"1","upgrade-insecure-requests":"1","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"none","sec-fetch-user":"?1","x-forwarded-proto":"https","x-request-id":"22c050f6-09ef-445a-8ae3-cd80c38ed839","x-envoy-expected-rq-timeout-ms":"15000"},"body":{}}
eas                               | verbose: parsed state redirect uri: {"scheme":"undefined","host":"localhost","port":10443,"path":"/","reference":"absolute"}
eas                               | verbose: parsed request uri: {"path":"/oauth/callback","query":"code=UlDNlGYlBv5angifd6OLayLi_CsAmYSYov35iagcjj0&state=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","reference":"relative"}
eas                               | verbose: parsed redirect uri: {"scheme":"undefined","host":"localhost","port":10443,"path":"/","query":"__eas_oauth_handler__=authorization_callback&code=UlDNlGYlBv5angifd6OLayLi_CsAmYSYov35iagcjj0&state=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","reference":"absolute"}
eas                               | info: redirecting browser to: "undefined://localhost:10443/?__eas_oauth_handler__=authorization_callback&code=UlDNlGYlBv5angifd6OLayLi_CsAmYSYov35iagcjj0&state=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"

And a small connectivity and envoy filter test to make sure everything is passed to EAS through the second envoy filter_chain with a match on "localhost7". If you connect directly to "https://localhost7:10443/oauth/callback", the EAS server logs:

eas                               | silly: {"headers":{"host":"localhost7:10443","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","dnt":"1","upgrade-insecure-requests":"1","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"none","sec-fetch-user":"?1","x-forwarded-proto":"https","x-request-id":"a1c193a8-3329-44c3-86a3-4458b39f7490","x-envoy-expected-rq-timeout-ms":"15000"},"body":{}}
eas                               | error: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined {"stack":"Error: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined\n    at Object.decrypt (/home/eas/app/src/utils.js:82:11)\n    at /home/eas/app/src/plugin/oauth/index.js:496:36\n    at Layer.handle [as handle_request] (/home/eas/app/node_modules/express/lib/router/layer.js:95:5)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:137:13)\n    at Route.dispatch (/home/eas/app/node_modules/express/lib/router/route.js:112:3)\n    at Layer.handle [as handle_request] (/home/eas/app/node_modules/express/lib/router/layer.js:95:5)\n    at /home/eas/app/node_modules/express/lib/router/index.js:281:22\n    at Function.process_params (/home/eas/app/node_modules/express/lib/router/index.js:335:12)\n    at next (/home/eas/app/node_modules/express/lib/router/index.js:275:10)\n    at middleware (/home/eas/app/node_modules/express-prom-bundle/src/index.js:204:5)"}

which is expected.

travisghansen commented 3 years ago

I think the issue is in line 4 of your debug logs:

eas                               | silly: verify request details: {"url":"/envoy/verify-params-header/","params":{"0":"/","1":""},"query":{},"http_method":"GET","http_version":"1.1","headers":{"host":"localhost:10443","content-length":"0","cookie":"_eas_oauth_csrf=s%3ATNV%2Fh%2FhWKEvHGYybY1XeDOuv9J2lCo%2BjVeAdgyVdZJLRpOaCQSnxX%2B6mi%2FR2uWfn.93xjOvOPL7UcPWdmWAlluGXXX%2BMOD580nLPrA8X2ho0","x-eas-verify-params":"{\"config_token\":\"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\"}","x-b3-traceid":"0c8333cc6098118e","x-b3-spanid":"75c1f0fcd93538f4","x-b3-parentspanid":"0c8333cc6098118e","x-b3-sampled":"1","x-envoy-internal":"true","x-forwarded-for":"172.31.0.2","x-envoy-expected-rq-timeout-ms":"2250","x-forwarded-uri":"/","x-forwarded-method":"GET"},"body":{}}

It appears as if envoy isn't sending down an x-forwarded-proto header to eas during the initial sub-request.

travisghansen commented 3 years ago

There are some other items (unrelated to the flow issues) that likely need to be cleaned up. For example using okta with the github userinfo provider won’t work. We’ll get the overall flow worked out and address those though.

You will likely want to use oidc instead of oauth with okta which inherently supports userinfo. The cookie domain likely needs to be altered to just localhost etc

nonefaken commented 3 years ago

Yes, I have not sorted this out yet. Initially I plan not to use userinfo, so I suppose I should disable it. Set fetch_userinfo: false and domain: "localhost".

Thank you for the suggestion!

Right now I'm thinking that it's easier to run EAS with TLS, rather than force envoy to pass "x-forwarded-proto = https" to the EAS downstream, as it gets removed for a reason unknown to me.

Any tip on how to configure EAS with TLS? I can mount certs in any required location and pass starttls in docker without issues.

travisghansen commented 3 years ago

I don't currently have direct support for running eas with TLS directly (I am open to allowing that) but it could easily be coupled with stunnel or similar. I personally don't worry about it for cluster/internal access as I have blanket encryption for cluster-internal traffic with my CNI provider. I do 'front' it with an ingress controller for external/direct access, which handles TLS for me in those circumstances.

The proxy (envoy) must send x-forwarded-proto down to the sub-request to eas. Note that the value eas receives should be the value of however the user-agent is accessing the real service and not necessarily how eas itself is accessed. Meaning: its purpose is to determine what protocol was used by the user-agent for the initial request to the user-facing service.

travisghansen commented 3 years ago

https://github.com/travisghansen/external-auth-server/blob/master/README.md#prerequisites bullet point 8. When envoy invokes eas as a sub-request envoy must pass/insert the x-forwarded-proto header in the request to eas. Essentially eas needs to know/reconstruct the entirety of the actual request (specifically the uri) made to the proxy by the user-agent.

EDIT: don't feel bad, it's a relatively complex series of events going on with oauth especially/generally. How this all comes together can take a minute to digest and this project is a particularly unique approach as well. We'll get you over the finish line, I promise!

nonefaken commented 3 years ago

I'll get back. I can't find out why envoy strips x-forwarded-proto, even though I force add it.

travisghansen commented 3 years ago

Are you putting envoy in front of eas as well (must have something since it’s running over https)? It could be getting stripped on that side of the equation.

I think it’s pretty easy to add ssl to the built-in server. I may add that in my next batch of updates to eliminate any possible problems associated with a proxy sitting in front of eas itself.

nonefaken commented 3 years ago

Yes, I'm terminating SSL on envoy in front of eas as well. I'm trying to investigate that. It should only strip proto if I set "xff_num_trusted_hops: 0" in envoy prior to version 1.19.

Worst case scenario I will put something else to terminate SSL in front of eas, but I want to find out the cause of the problem, since I use envoy extensively and plan to use it even more.

nonefaken commented 3 years ago

I mean built-in SSL is not always a problem, as in real life people would probably use kubernetes with a service mesh (like istio) and sidecars.

nonefaken commented 3 years ago

OK, it is because of extensions.filters.http.ext_authz.v3.ExtAuthz. I just force added the "X-Forwarded-Proto" header in it instead of under "routes:".

I'm sorry, I will continue to bug you, as my next step is to figure out how to plug "envoy.filters.http.jwt_authn" and "envoy.filters.http.rbac" into the whole concept, so it is possible to implement RBAC based on group claims in JWT tokens.

Thank you very much for help. Again, very interesting project!

travisghansen commented 3 years ago

Sounds good! I'm going to work on supporting SSL directly, as an L7 proxy in front of eas can result in some weird/unintentional behaviors for sure.