vmware-archive / gangway

An application that can be used to easily enable authentication flows via OIDC for a kubernetes cluster.
Apache License 2.0

Invalid client credentials #175

Open david-curran-90 opened 3 years ago

david-curran-90 commented 3 years ago

I've been moving endpoints from "app.domain.lan" to "k8s.domain.lan/app" type URLs and I'm now getting an error when logging in through dex.

```
oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"Invalid client credentials."}
```

I can see in the dex logs that the login is successful.

The only changes in config from what was working to what isn't are the URLs. Client secret and session key have stayed the same.

It seems to me the error is coming in this step:

[screenshot]

gangway.yaml:

```yaml
apiServerURL: https://k8sapi-test.domain.lan:6444
audience: https://k8s.domain.lan/auth/oidc/userinfo
authorizeURL: https://k8s.domain.lan/auth/oidc/auth
clientID: ldapauth
clientSecret: abCd3fGH1Jk
clusterName: k8s-test
emailClaim: email
httpPath: /
port: 8080
redirectURL: https://k8s-test.domain.lan/auth/login/callback
scopes:
- openid
- profile
- email
- groups
- offline_access
sessionKey: lMn0PQR5TuvWxy2
tokenURL: https://k8s.domain.lan/auth/oidc/token
usernameClaim: email
```
config.yaml:

```yaml
issuer: https://k8s.domain.lan/auth/oidc
storage:
  config:
    inCluster: true
  type: kubernetes
logger:
  level: debug
web:
  http: 0.0.0.0:5556
connectors:
- config:
    bindDN: CN=k8s-ro,OU=Service Accounts,OU=Kubernetes,OU=Services,DC=domain,DC=lan
    bindPW: SecurePass
    clientID: ldapauth
    clientSecret: abCd3fGH1Jk
    groupSearch:
      baseDN: DC=domain,DC=lan
      filter: (objectClass=group)
      groupAttr: member
      nameAttr: cn
      userAttr: DN
    host: domain.lan:636
    insecureNoSSL: false
    insecureSkipVerify: true
    userSearch:
      baseDN: DC=domain,DC=lan
      emailAttr: mail
      filter: (objectClass=person)
      idAttr: DN
      nameAttr: cn
      username: SamAccountName
    usernamePrompt: Username
  id: ldap
  name: LDAP
  type: ldap
oauth2:
  alwaysShowLoginScreen: false
  skipApprovalScreen: true
staticClients:
- id: ldapauth
  name: oidc-auth-client
  redirectURIs:
  - https://k8s-test.domain.lan/auth/login/callback
  secret: abCd3fGH1Jk
enablePasswordDB: false
```
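An `invalid_client` response from the token endpoint means dex rejected the client ID, secret or redirect URI presented in the code-for-token exchange, so the first thing to verify after a URL move is that the two configs still agree on those fields. The following cross-check is an added example, not code from the issue or from the gangway project; the dictionaries mirror the posted gangway.yaml and dex config.yaml with the shared secret replaced by a placeholder, and `check_oidc_pair` is a hypothetical helper name.

```python
from urllib.parse import urlparse

# Constructed from the configs posted above; secret replaced by a placeholder.
GANGWAY = {
    "clientID": "ldapauth",
    "clientSecret": "<client-secret>",
    "authorizeURL": "https://k8s.domain.lan/auth/oidc/auth",
    "tokenURL": "https://k8s.domain.lan/auth/oidc/token",
    "redirectURL": "https://k8s-test.domain.lan/auth/login/callback",
}
DEX = {
    "issuer": "https://k8s.domain.lan/auth/oidc",
    "staticClients": [
        {"id": "ldapauth", "secret": "<client-secret>",
         "redirectURIs": ["https://k8s-test.domain.lan/auth/login/callback"]},
    ],
}


def check_oidc_pair(gangway, dex):
    """Return the mismatches between a gangway config and the dex config it talks to.

    An empty list means the static-client fields dex validates on the token
    request (id, secret, redirect URI) agree, and that gangway's authorize and
    token endpoints sit under the dex issuer URL.
    """
    problems = []
    wanted = gangway.get("clientID")
    client = next((c for c in dex.get("staticClients", []) if c.get("id") == wanted), None)
    if client is None:
        problems.append(f"no dex staticClient with id {wanted!r}")
    else:
        if client.get("secret") != gangway.get("clientSecret"):
            problems.append("clientSecret differs from dex staticClient.secret")
        if gangway.get("redirectURL") not in client.get("redirectURIs", []):
            problems.append("redirectURL is not listed in dex staticClient.redirectURIs")
    issuer = dex.get("issuer", "").rstrip("/")
    for key in ("authorizeURL", "tokenURL"):
        url = gangway.get(key, "")
        if not url.startswith(issuer + "/"):
            problems.append(f"{key} {url!r} is not under issuer {issuer!r}")
        if urlparse(url).scheme != "https":
            problems.append(f"{key} does not use https")
    return problems


if __name__ == "__main__":
    print(check_oidc_pair(GANGWAY, DEX) or "gangway and dex client settings agree")
```

Run it against the real files after loading them with a YAML parser; a non-empty list points at the field to fix before looking further into dex's logs.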