vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
MIT License

VP-docker+Nginx gives "no jwt found" when validate and "400 bad request" when login #561

Closed LoveCatc closed 5 months ago

LoveCatc commented 5 months ago

Hi, after searching the internet and reading the similar issues for the whole afternoon, I cannot solve my problem and sincerely ask for your help.

Describe the problem: I am trying to use nginx + vouch-proxy in docker to set authorization for my code-server app. However, it fails to log in and throws HTTP 400 bad request. When using test mode, I found that the app fails to validate (warns "no jwt found in request") and seems to never give an /auth request.

I followed the instructions in readme and set the config.yml/nginx.conf just in the proposed way, so I have no idea what could be the problem. Please check my config for more detailed information.

Expected behavior: The app should validate and log in without any errors.

Additional context: My nginx server has a wildcard SSL certificate and it would also listen on the bare domain "bigcat.eu.org". I want to bind my code-server with subdomain "code.bigcat.eu.org" so I set github oauth APP's homepage url and authorization callback url to "code.bigcat.eu.org".

Anyway, thank you for your precious time in viewing my issue. Any advice would be appreciated.

LoveCatc commented 5 months ago

Hi, today I did some more trials and found something new. I tried the other two ways of configuring nginx: "vouch-proxy in a path" and "nginx_with_vouch_single_server" in nginx conf examples. I found that the first way did not work either, just like the first config above, but the second way would correctly return an /auth link but still give an HTTP 400 error when logging in. Please see the log and check if there are any clues. I did not attach the nginx confs this time as they are strictly the same as mentioned in your examples. Please tell me to upload them if needed.

The vp log with nginx_with_vouch_single_server nginx conf: https://gist.github.com/LoveCatc/ad053a291883daec9fd209e10ccbb138

Thanks for your patience!

LoveCatc commented 5 months ago

I guess this might be something wrong like #272, but I cannot see his full logs now... I notice he saw a refused connection in his log, but I did not see one. But we do both have no destination URL requested. Is this the problem?

bnfinet commented 5 months ago

Looking at your most recent logs it looks like VP is working properly and issuing a JWT after successful login. If the next request is returning you to VP then there's probably something wrong with storing the cookie in your browser. This is usually network and hostname config related.

Is oauth.callback_url set? Please include full configs

FYI - I will be out of the office for the next few days starting shortly and will not be responding to issues

LoveCatc commented 5 months ago

Hi, your point is right. After I changed to the vp_in_a_path setting and explicitly set the oauth.callback_url, the whole system works smoothly now. I also noticed that the config example of "nginx_with_vouch_single_server" does not work properly. So if anyone has a problem like me, please note that:

  1. Try NOT to use the "nginx_with_vouch_single_server" config, use the latest one in examples or vp_in_a_path config.
  2. Remember to add oauth.callback_url - the github yml example does not uncomment it, and I thought I did not need to add this config because the callback_url for github oauth app is unique. But this is not the case. Do add this in your yml file.
  3. If using vp_in_a_path, remember to set the github callback_url to yourdomain/vp_in_a_path/auth. Most of the tutorials on the internet are too old and they simply tell you to use yourdomain/auth.

Anyway, thank you again for your kindness bnfinet! Hope you enjoy your trip :)
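
Added example, not part of the original thread or the vouch-proxy project: a small pre-flight check for the callback mistakes listed in the last comment (an unset `oauth.callback_url`, and `/auth` without the path prefix). The function name, its parameters and the `example.org` sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def check_callback_url(callback_url, vouch_host, path_prefix=""):
    """Return a list of problems found in an oauth.callback_url value.

    callback_url: value of oauth.callback_url from config.yml (None if unset)
    vouch_host:   hostname the browser uses to reach Vouch Proxy
    path_prefix:  path Vouch Proxy is served under, e.g. "/vp_in_a_path";
                  "" when it is served from the root of its host
    """
    if not callback_url:
        return ["oauth.callback_url is not set"]

    parts = urlsplit(callback_url.strip())
    # A bare hostname such as "code.example.org" parses as a path, not a host.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["callback URL is not an absolute http(s) URL: %r" % callback_url]

    problems = []
    if parts.hostname.lower() != vouch_host.lower():
        problems.append("callback host %r differs from Vouch Proxy host %r"
                        % (parts.hostname, vouch_host))

    # Normalise the prefix so "vp_in_a_path", "/vp_in_a_path/" etc. all match.
    cleaned = path_prefix.strip("/")
    expected_path = ("/" + cleaned if cleaned else "") + "/auth"
    if parts.path.rstrip("/") != expected_path:
        problems.append("callback path is %r, expected %r"
                        % (parts.path, expected_path))
    return problems


# Constructed sample values; example.org is a placeholder domain.
SAMPLES = [
    (None, "code.example.org", "/vp_in_a_path"),
    ("code.example.org", "code.example.org", "/vp_in_a_path"),
    ("https://code.example.org/auth", "code.example.org", "/vp_in_a_path"),
    ("https://code.example.org/vp_in_a_path/auth", "code.example.org", "/vp_in_a_path"),
]

if __name__ == "__main__":
    for cb, host, prefix in SAMPLES:
        print(cb, "->", check_callback_url(cb, host, prefix) or "ok")
```

The same URL should also be checked by hand against the authorization callback URL registered for the GitHub OAuth app.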