Open roquie opened 7 months ago
> I am not fully sure I can follow 😁 so let me try and ask some questions.
>
> External access to zitadel works, right? (but you are fencing with CF)

It works, but we want to close it to the test environment behind an IP whitelist using WAF.

> Accessing zitadel directly through the internal k8s server does return an error (should be instance not found)

It used to return an error, but now it doesn't, because I'm substituting the Host header at the sidecar (Istio) level. By doing so, I just bypassed the zitadel check to try to use the service entirely inside the Kubernetes network.

The problem is that by closing the zitadel service behind CF, my service's integration with the zitadel service breaks. And this is despite the fact that zitadel's gRPC address is listed as local (service name in Kubernetes)!
Hi @roquie, did you find a workaround? I'm having the same issue
No. @fforootd any updates?
OK, so I managed to do it by creating my own (and probably not very good) solution:

```go
// Types referenced but not shown in the post: MachineKey mirrors the fields of a
// ZITADEL service-user key file (userId, keyId, key), and jwtProfileTokenSource is a
// copy of the unexported token source from the oidc client's profile package.
import (
	"encoding/json"
	"net/http"
	"strings"

	// The oidc module's major version is not stated in the thread; v2 is assumed here.
	"github.com/zitadel/oidc/v2/pkg/client"
	httphelper "github.com/zitadel/oidc/v2/pkg/http"
	"github.com/zitadel/oidc/v2/pkg/oidc"
	"golang.org/x/oauth2"
)

// Discover returns a JWTProfileTokenSource that signs assertions for the public
// issuer but fetches the discovery document from discoverUrl (the in-cluster address).
func Discover(key []byte, discoverUrl string) func(issuer string, scopes []string) (oauth2.TokenSource, error) {
	return func(issuer string, scopes []string) (oauth2.TokenSource, error) {
		var machineKeyData MachineKey
		if err := json.Unmarshal(key, &machineKeyData); err != nil {
			return nil, err
		}
		signer, err := client.NewSignerFromPrivateKeyByte([]byte(machineKeyData.Key), machineKeyData.KeyID)
		if err != nil {
			return nil, err
		}
		source := &jwtProfileTokenSource{
			clientID:   machineKeyData.UserID,
			audience:   []string{issuer}, // the JWT audience stays the public issuer
			signer:     signer,
			scopes:     scopes,
			httpClient: http.DefaultClient,
		}
		// The library's client.Discover rejects a document whose issuer differs from the URL
		// it was given, which an internal address never matches; the local copy below skips
		// that comparison, so it is the one to call here.
		config, err := GetDiscoveryConfig(discoverUrl, http.DefaultClient)
		if err != nil {
			return nil, err
		}
		source.tokenEndpoint = config.TokenEndpoint
		return source, nil
	}
}

// GetDiscoveryConfig is the library's client.Discover without the issuer check:
// it fetches /.well-known/openid-configuration from issuer (or from an explicit
// wellKnownUrl) and returns the decoded document as-is.
func GetDiscoveryConfig(issuer string, httpClient *http.Client, wellKnownUrl ...string) (*oidc.DiscoveryConfiguration, error) {
	wellKnown := strings.TrimSuffix(issuer, "/") + oidc.DiscoveryEndpoint
	if len(wellKnownUrl) == 1 && wellKnownUrl[0] != "" {
		wellKnown = wellKnownUrl[0]
	}
	req, err := http.NewRequest("GET", wellKnown, nil)
	if err != nil {
		return nil, err
	}
	discoveryConfig := new(oidc.DiscoveryConfiguration)
	err = httphelper.HttpRequest(httpClient, req, &discoveryConfig)
	if err != nil {
		return nil, err
	}
	return discoveryConfig, nil
}
```
and passing it to the client:

```go
zitadel.WithJWTProfileTokenSource(Discover([]byte(machineKeyData), GetAPIUrl(zitadelCluster))),
```
@fforootd
I want to do a simple thing: close my development environment behind Cloudflare so no one can access it, including the Zitadel test instance. But here's the trouble: by closing IP access via the WAF, I get 403 errors in the logs of my service, which is integrated with Zitadel via this SDK.

In order to be able to use Zitadel within the local network (Kubernetes), I wrote a local gRPC endpoint address for the Zitadel service and, at the Istio level in the sidecar, made a host replacement (to pass the security check). This allowed the `zitadel:80/.well-known/openid-configuration` endpoint to converge successfully, and I similarly configured the h2c app protocol in the Kubernetes Service. Everything is done for successful local operation.

My settings for the go-client:

- issuer: `https://sso.example.com`
- grpc_endpoint: `zitadel:80`
- option: `WithInsecure()`

Log when trying to get a user profile:

Now the question is why it ignores the local grpc endpoint and uses `issuer` to perform the request?
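The question above comes down to the SDK using a single URL both as the address it connects to and as the issuer it trusts. The following is an added example, not code from this thread or from the zitadel-go/oidc libraries: it separates the in-cluster address from the expected public issuer, sets the public hostname as the Host header the way the Istio rewrite does, and keeps an issuer check by comparing the document's `issuer` with the configured public issuer rather than with the URL that was fetched. `DiscoveryDoc`, `NewFakeProvider`, the hostnames and the `/oauth/v2/token` path are constructed for the example and stand in for the real provider.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// DiscoveryDoc carries the two provider-metadata fields this example uses.
type DiscoveryDoc struct {
	Issuer        string `json:"issuer"`
	TokenEndpoint string `json:"token_endpoint"`
}

// ErrIssuerMismatch is returned when the fetched document names an issuer
// other than the one the client was configured to trust.
var ErrIssuerMismatch = errors.New("discovery document issuer does not match expected issuer")

// FetchDiscovery GETs /.well-known/openid-configuration from baseURL (the address
// actually connected to, e.g. an in-cluster service) and, if hostOverride is set,
// presents it as the Host header so a multi-tenant provider can resolve the instance.
func FetchDiscovery(client *http.Client, baseURL, hostOverride string) (*DiscoveryDoc, error) {
	wellKnown := strings.TrimSuffix(baseURL, "/") + "/.well-known/openid-configuration"
	req, err := http.NewRequest(http.MethodGet, wellKnown, nil)
	if err != nil {
		return nil, err
	}
	if hostOverride != "" {
		req.Host = hostOverride // sent as the Host header; the TCP connection still goes to baseURL
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("discovery request to %s returned HTTP %d", wellKnown, resp.StatusCode)
	}
	var doc DiscoveryDoc
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return nil, fmt.Errorf("decoding discovery document: %w", err)
	}
	return &doc, nil
}

// DiscoverVia separates "where to connect" (baseURL) from "whom to trust"
// (expectedIssuer): it fetches via the internal address with the public hostname
// as Host header, then insists the document's issuer equals expectedIssuer.
func DiscoverVia(client *http.Client, baseURL, expectedIssuer string) (*DiscoveryDoc, error) {
	u, err := url.Parse(expectedIssuer)
	if err != nil {
		return nil, err
	}
	doc, err := FetchDiscovery(client, baseURL, u.Host)
	if err != nil {
		return nil, err
	}
	if doc.Issuer != expectedIssuer {
		return nil, fmt.Errorf("%w: got %q, want %q", ErrIssuerMismatch, doc.Issuer, expectedIssuer)
	}
	return doc, nil
}

// NewFakeProvider is a constructed stand-in for an in-cluster ZITADEL: it only
// recognises requests whose Host header is expectedHost (otherwise "instance not
// found", as described in the thread) and advertises servedIssuer.
func NewFakeProvider(servedIssuer, expectedHost string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Host != expectedHost {
			http.Error(w, "instance not found", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(DiscoveryDoc{
			Issuer:        servedIssuer,
			TokenEndpoint: servedIssuer + "/oauth/v2/token", // sample path
		})
	}))
}

func main() {
	// srv.URL plays the role of the in-cluster address (zitadel:80 in the thread).
	srv := NewFakeProvider("https://sso.example.com", "sso.example.com")
	defer srv.Close()
	doc, err := DiscoverVia(srv.Client(), srv.URL, "https://sso.example.com")
	if err != nil {
		fmt.Println("discovery failed:", err)
		return
	}
	fmt.Println("token endpoint:", doc.TokenEndpoint)
}
```

Pinning the expected issuer this way keeps the client failing closed when the internal address reaches the wrong instance, which the workaround's copy of `Discover` without the issuer comparison does not; a request without the Host override is also rejected by the provider, matching the "instance not found" behaviour noted earlier in the thread.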