Comments (9)
Hello,
First of all, please rewrite your issue following the bug template :).
The redirect issue must be because somewhere you continue the flux with http and not https. So the cookie, flagged as secure in your configuration, isn't forwarded.
Are you running in a Kubernetes cluster? Did you put SSL on the full road?
CLIENT https => https LB https => https Ingress controller https => https s3-proxy ?
If one on the path isn't with "https", put your `cookieSecure` option to `false`.
Tell me if it solves your problem.
Regards,
from s3-proxy.
Hi @oxyno-zeta, I have reformatted it according to the bug template.
And putting `cookieSecure` to `false` didn't help. Although the influx is https along the way, I still tried that; it didn't work.
Hi @vishu42,
Thanks for the template.
Can you send me a full indented configuration and the logs please?
Maybe I missed something... Don't know why it didn't work for you.
Regards,
```yaml
#
# See configuration of project: https://oxyno-zeta.github.io/s3-proxy/
#
# Log configuration
log:
  # Log level
  level: debug
  # Log format
  format: json
# Template configurations
# templates:
#   badRequest: templates/bad-request.tpl
#   folderList: templates/folder-list.tpl
#   forbidden: templates/forbidden.tpl
#   internalServerError: templates/internal-server-error.tpl
#   notFound: templates/not-found.tpl
#   targetList: templates/target-list.tpl
#   unauthorized: templates/unauthorized.tpl
# Authentication Providers
authProviders:
  oidc:
    provider1:
      clientID: <client_id>
      clientSecret:
        env: CLIENT_SECRET
      state: mqeklfnrjfnejfnjw
      issuerUrl: https://auth.demo.app.mydomain.com/
      redirectUrl: https://reports.app.mydomain.com/api/ # /auth/oidc/callback will be added automatically
      scopes: # OIDC Scopes (defaults: oidc, email, profile)
        - oidc
        - email
        - profile
      groupClaim: groups # path in token
      cookieSecure: false # Is the cookie generated secure ?
      cookieName: oidc # Cookie generated name
      emailVerified: true # check email verified field from token
      loginPath: / # Override login path dynamically generated from provider key
      callbackPath: /callback # Override callback path dynamically generated from provider key
  basic:
    provider2:
      realm: basic
# List targets feature
# This will generate a webpage with list of targets with links using targetList template
# listTargets:
#   # To enable the list targets feature
#   enabled: false
#   ## Mount point
#   mount:
#     path:
#       - /
#     # A specific host can be added for filtering. Otherwise, all hosts will be accepted
#     # host: localhost:8080
#   ## Resource configuration
#   resource:
#     # A Path must be declared for a resource filtering
#     path: /
#     # HTTP Methods authorized (Must be in GET, PUT or DELETE)
#     methods:
#       - GET
#       - PUT
#       - DELETE
#     # Whitelist
#     whitelist: false
#     # A authentication provider declared in section before, here is the key name
#     provider: provider1
#     # OIDC section for access filter
#     oidc:
#       # NOTE: This list can be empty ([]) for authentication only and no group filter
#       authorizationAccesses: # Authorization accesses : groups or email or regexp
#         - group: devops_users
#     # Basic authentication section
#     basic:
#       credentials:
#         - user: user1
#           password:
#             path: password1-in-file
# Targets
targets:
  - name: api
    mount:
      path:
        - /api/
      # A specific host can be added for filtering. Otherwise, all hosts will be accepted
      # host: reports.app.mydomain.com
    resources:
      - path: /api/*
        # HTTP Methods authorized (Must be in GET, PUT or DELETE)
        methods:
          - GET
          - PUT
          - DELETE
        # # A authentication provider declared in section before, here is the key name
        provider: provider1
        # OIDC section for access filter
        oidc:
          # NOTE: This list can be empty ([]) for authentication only and no group filter
          authorizationAccesses: # Authorization accesses : groups or email or regexp
            - email: "[email protected]"
        # Basic authentication section
        # basic:
        #   credentials:
        #     - user: ondtestreports
        #       password:
        #         env: PASSWORD
    # ## Index document to display if exists in folder
    # indexDocument: index.html
    # ## Actions
    # actions:
    #   # Action for GET requests on target
    #   GET:
    #     # Will allow GET requests
    #     enabled: true
    #   # Action for PUT requests on target
    #   PUT:
    #     # Will allow PUT requests
    #     enabled: true
    #     # Configuration for PUT requests
    #     config:
    #       # Metadata key/values that will be put on S3 objects
    #       metadata:
    #         key: value
    #       # Storage class that will be used for uploaded objects
    #       # See storage class here: https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html
    #       storageClass: STANDARD # GLACIER, ...
    #       # Will allow override objects if enabled
    #       allowOverride: false
    #   # Action for DELETE requests on target
    #   DELETE:
    #     # Will allow DELETE requests
    #     enabled: true
    ## Target custom templates
    # templates:
    #   # Folder list template
    #   folderList:
    #     inBucket: false
    #     path: ""
    #   # Not found template
    #   notFound:
    #     inBucket: false
    #     path: ""
    #   # Internal server error template
    #   internalServerError:
    #     inBucket: false
    #     path: ""
    #   # Forbidden template
    #   forbidden:
    #     inBucket: false
    #     path: ""
    #   # Unauthorized template
    #   unauthorized:
    #     inBucket: false
    #     path: ""
    #   # BadRequest template
    #   badRequest:
    #     inBucket: false
    #     path: ""
    ## Bucket configuration
    bucket:
      name: api-tests.reports.app.mydomain.com
      prefix:
      region: us-east-1
      s3Endpoint:
      disableSSL: false
      credentials:
        accessKey:
          env: AWS_ACCESS_KEY
        secretKey:
          env: AWS_SECRET_KEY
  - name: web
    ## Mount point
    mount:
      path:
        - /web/
      # A specific host can be added for filtering. Otherwise, all hosts will be accepted
      # host: reports.app.mydomain.com
    ## Resources declaration
    resources:
      # A Path must be declared for a resource filtering (a wildcard can be added to match every sub path)
      # - path: /
      #   # Whitelist
      #   whiteList: true
      # # A Path must be declared for a resource filtering (a wildcard can be added to match every sub path)
      # - path: /*
      #   # HTTP Methods authorized (Must be in GET, PUT or DELETE)
      #   methods:
      #     - GET
      #     - PUT
      #     - DELETE
      #   # A authentication provider declared in section before, here is the key name
      #   provider: provider1
      #   # OIDC section for access filter
      #   oidc:
      #     # NOTE: This list can be empty ([]) for authentication only and no group filter
      #     authorizationAccesses: # Authorization accesses : groups or email or regexp
      #       - group: specific_users
      # # A Path must be declared for a resource filtering (a wildcard can be added to match every sub path)
      - path: /web/*
        # HTTP Methods authorized (Must be in GET, PUT or DELETE)
        methods:
          - GET
          # - PUT
          # - DELETE
        # A authentication provider declared in section before, here is the key name
        provider: provider2
        # Basic authentication section
        basic:
          credentials:
            - user: etcetcetc
              password:
                env: PASSWORD
    # ## Index document to display if exists in folder
    # indexDocument: index.html
    # ## Actions
    # actions:
    #   # Action for GET requests on target
    #   GET:
    #     # Will allow GET requests
    #     enabled: true
    #   # Action for PUT requests on target
    #   PUT:
    #     # Will allow PUT requests
    #     enabled: true
    #     # Configuration for PUT requests
    #     config:
    #       # Metadata key/values that will be put on S3 objects
    #       metadata:
    #         key: value
    #       # Storage class that will be used for uploaded objects
    #       # See storage class here: https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html
    #       storageClass: STANDARD # GLACIER, ...
    #       # Will allow override objects if enabled
    #       allowOverride: false
    #   # Action for DELETE requests on target
    #   DELETE:
    #     # Will allow DELETE requests
    #     enabled: true
    ## Target custom templates
    # templates:
    #   # Folder list template
    #   folderList:
    #     inBucket: false
    #     path: ""
    #   # Not found template
    #   notFound:
    #     inBucket: false
    #     path: ""
    #   # Internal server error template
    #   internalServerError:
    #     inBucket: false
    #     path: ""
    #   # Forbidden template
    #   forbidden:
    #     inBucket: false
    #     path: ""
    #   # Unauthorized template
    #   unauthorized:
    #     inBucket: false
    #     path: ""
    #   # BadRequest template
    #   badRequest:
    #     inBucket: false
    #     path: ""
    ## Bucket configuration
    bucket:
      name: web-tests.reports.app.mydomain.com
      prefix:
      region: us-east-1
      s3Endpoint:
      disableSSL: false
      credentials:
        accessKey:
          env: AWS_ACCESS_KEY
        secretKey:
          env: AWS_SECRET_KEY
```
@oxyno-zeta I copied the config file that gets injected in Kubernetes. Let me know if I missed any sensitive info in there. 😄
Also the logs:

```
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"debug","msg":"request started","remote_addr":"192.168.46.131","req_id":"2710d10109596abfda849570ec6409c3","time":"2020-04-23T17:29:41Z","uri":"http://reports.app.mydomain.com/","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"warning","msg":"request complete","remote_addr":"192.168.46.131","req_id":"2710d10109596abfda849570ec6409c3","resp_bytes_length":292,"resp_elapsed_ms":0.045871,"resp_status":302,"time":"2020-04-23T17:29:41Z","uri":"http://reports.app.mydomain.com/","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"debug","msg":"request started","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"info","msg":"/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"debug","msg":"Try to get Authorization header from request","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"debug","msg":"Try get auth cookie from request","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"debug","msg":"Can't load auth cookie","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"error","msg":"No auth cookie detected, redirect to oidc login","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"warning","msg":"request complete","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","resp_bytes_length":37,"resp_elapsed_ms":0.269001,"resp_status":307,"time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
```
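One way to triage JSON logs like the ones posted above, as an added example that is not part of this thread or of s3-proxy: it groups lines by `req_id`, picks out callback requests that logged `Can't load auth cookie` and ended in a redirect, and records whether the proxy saw them over plain http, which is where a `Secure` cookie would be withheld by the browser. The sample lines are constructed to mirror the posted fields; the `/callback` suffix and the `cookie_secure` flag are assumptions passed in by the caller.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines mirroring the reporter's log fields, trimmed to the
# keys this triage reads. Requests a1 and b2 reach the callback without a
# cookie and are bounced; c3 is an ordinary successful request for contrast.
CALLBACK_URI = "http://reports.app.mydomain.com/api/callback?code=c&state=s"
OK_URI = "https://reports.app.mydomain.com/api/report.html"
SAMPLE_LOGS = [
    json.dumps({"req_id": "a1", "http_scheme": "http", "msg": "request started", "uri": CALLBACK_URI}),
    json.dumps({"req_id": "a1", "http_scheme": "http", "msg": "Can't load auth cookie", "uri": CALLBACK_URI}),
    json.dumps({"req_id": "a1", "http_scheme": "http", "msg": "request complete", "resp_status": 307, "uri": CALLBACK_URI}),
    json.dumps({"req_id": "b2", "http_scheme": "http", "msg": "request started", "uri": CALLBACK_URI}),
    json.dumps({"req_id": "b2", "http_scheme": "http", "msg": "Can't load auth cookie", "uri": CALLBACK_URI}),
    json.dumps({"req_id": "b2", "http_scheme": "http", "msg": "request complete", "resp_status": 307, "uri": CALLBACK_URI}),
    json.dumps({"req_id": "c3", "http_scheme": "https", "msg": "request started", "uri": OK_URI}),
    json.dumps({"req_id": "c3", "http_scheme": "https", "msg": "request complete", "resp_status": 200, "uri": OK_URI}),
]


def group_requests(lines):
    """Group JSON log lines by req_id: scheme, URL path, final status, messages."""
    reqs = defaultdict(lambda: {"scheme": None, "path": None, "status": None, "msgs": []})
    for line in lines:
        rec = json.loads(line)
        r = reqs[rec["req_id"]]
        r["scheme"] = rec.get("http_scheme")
        r["path"] = urlparse(rec.get("uri", "")).path
        r["msgs"].append(rec.get("msg", ""))
        if "resp_status" in rec:  # only the "request complete" line carries it
            r["status"] = rec["resp_status"]
    return dict(reqs)


def find_callback_bounces(lines, callback_path="/callback", cookie_secure=True):
    """List callback requests that arrived without an auth cookie and were redirected.

    A bounce is a request whose path ends with callback_path, that logged
    "Can't load auth cookie" and that completed with a 3xx. When the proxy saw
    it over plain http and the cookie is flagged Secure, the browser would not
    have sent the cookie at all, which is the first hypothesis in the thread.
    """
    findings = []
    for req_id, r in group_requests(lines).items():
        if not (r["path"] or "").endswith(callback_path):
            continue
        lost = any(m == "Can't load auth cookie" for m in r["msgs"])
        if lost and r["status"] is not None and 300 <= r["status"] < 400:
            findings.append({
                "req_id": req_id,
                "scheme": r["scheme"],
                "status": r["status"],
                "secure_cookie_over_http": cookie_secure and r["scheme"] == "http",
            })
    return findings
```

Repeated bounces from one client within a few seconds, as in the posted logs, are the signature of the redirect loop rather than of a single failed login.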
Ok, I think I got it.
In fact, the app doesn't mount /api/callback. The app is developed to consider that the redirect URL will be a simple URL without any path.
And because it isn't mounted, the redirect won't match the mounted callback, so the app won't generate a cookie. So the app doesn't find a cookie and redirects to the login page, which leads to a circular redirect.
Can you change your configuration to this one?

```yaml
# Authentication Providers
authProviders:
  oidc:
    provider1:
      clientID: <client_id>
      clientSecret:
        env: CLIENT_SECRET
      state: mqeklfnrjfnejfnjw
      issuerUrl: https://auth.demo.app.mydomain.com/
      redirectUrl: https://reports.app.mydomain.com/ # /auth/oidc/callback will be added automatically
      scopes: # OIDC Scopes (defaults: oidc, email, profile)
        - oidc
        - email
        - profile
      groupClaim: groups # path in token
      cookieSecure: false # Is the cookie generated secure ?
      cookieName: oidc # Cookie generated name
      emailVerified: true # check email verified field from token
      loginPath: / # Override login path dynamically generated from provider key
      callbackPath: /callback # Override callback path dynamically generated from provider key
```

Should work with that. But (yes, a but), this won't redirect you automatically to "/api". The application doesn't support this for the moment. It will redirect you to "/", that is, the full URL: https://reports.app.mydomain.com/
In fact, the redirect URL is the redirect URL after the authentication system, not the final one. I don't know if it is clear... Tell me if not.
PS: I strongly recommend you to change your state secret value :)
@oxyno-zeta ok, I tried that and the result is the same. I am still left hanging after auth is done and Chrome is still showing the same screen.
Logs:

```
k logs s3-proxy | jq .msg
"Successful authentication detected"
"request complete"
"request started"
"request complete"
"request started"
"Successful authentication detected"
"request complete"
"request started"
"request complete"
"request started"
"Successful authentication detected"
"request complete"
"request started"
"request complete"
"request started"
"Successful authentication detected"
"request complete"
"request started"
"request complete"
"request started"
"Successful authentication detected"
"request complete"
"request started"
"request complete"
"request started"
"Successful authentication detected"
"request complete"
"request started"
```
Oh yes, sorry... I forgot that part...
Can you test with that configuration?

```yaml
# Authentication Providers
authProviders:
  oidc:
    provider1:
      clientID: <client_id>
      clientSecret:
        env: CLIENT_SECRET
      state: mqeklfnrjfnejfnjw
      issuerUrl: https://auth.demo.app.mydomain.com/
      redirectUrl: https://reports.app.mydomain.com/ # /auth/oidc/callback will be added automatically
      scopes: # OIDC Scopes (defaults: oidc, email, profile)
        - oidc
        - email
        - profile
      groupClaim: groups # path in token
      cookieSecure: false # Is the cookie generated secure ?
      cookieName: oidc # Cookie generated name
      emailVerified: true # check email verified field from token
      loginPath: /auth # Override login path dynamically generated from provider key
      callbackPath: /callback # Override callback path dynamically generated from provider key
```

In fact, the `loginPath` is the path where the application starts the authentication process. It isn't the point where users should be authenticated.
The application will create `loginPath: /auth/provider1` and `callbackPath: /auth/provider1/callback` automatically. But it is in the application only. Maybe you can let the application do it automatically.
In fact, when you override the login or callback path, take care of not overriding the bucket side path :).
Regards,
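The path rules the maintainer spells out across the comments above, turned into a small configuration lint as an added example (not s3-proxy's own code): `redirectUrl` must be the bare origin with no path, the login and callback paths default to `/auth/<provider key>` and `/auth/<provider key>/callback`, an overridden path must not sit on a target mount, and a plain-http `redirectUrl` with `cookieSecure: true` means the browser withholds the cookie. The two provider blocks and the mount list are constructed from the thread; deriving a default callback from an overridden `loginPath` is an assumption of this lint.

```python
from urllib.parse import urlparse

# Constructed inputs: the mount paths of the two targets in the thread, the
# reporter's first OIDC provider block and the maintainer's final one.
TARGET_MOUNTS = ["/api/", "/web/"]
FIRST_ATTEMPT = {
    "redirectUrl": "https://reports.app.mydomain.com/api/",
    "loginPath": "/",
    "callbackPath": "/callback",
    "cookieSecure": False,
}
FINAL_CONFIG = {
    "redirectUrl": "https://reports.app.mydomain.com/",
    "loginPath": "/auth",
    "callbackPath": "/callback",
    "cookieSecure": False,
}


def effective_paths(key, provider):
    """Login and callback paths the proxy would serve for provider `key`.

    Defaults follow the maintainer's comment (/auth/<key> and
    /auth/<key>/callback). Deriving a default callback from an overridden
    loginPath is an assumption of this lint, not documented behaviour.
    """
    login = provider.get("loginPath") or f"/auth/{key}"
    callback = provider.get("callbackPath") or f"{login.rstrip('/')}/callback"
    return login, callback


def overlaps(auth_path, mount):
    """True when an auth path is equal to, under, or above a bucket mount path."""
    a = auth_path.rstrip("/") or "/"
    m = mount.rstrip("/") or "/"
    if a == "/" or m == "/":
        return True
    return a == m or a.startswith(m + "/") or m.startswith(a + "/")


def lint_oidc_provider(key, provider, mounts):
    """Return human-readable findings for one OIDC provider; empty means clean."""
    findings = []
    url = urlparse(provider["redirectUrl"])
    if url.path not in ("", "/") or url.query:
        findings.append(f"redirectUrl carries a path ({url.path}); use the bare origin")
    if url.scheme == "http" and provider.get("cookieSecure") is True:
        findings.append("redirectUrl is plain http but cookieSecure is true; browser withholds the cookie")
    for label, path in zip(("loginPath", "callbackPath"), effective_paths(key, provider)):
        for mount in mounts:
            if overlaps(path, mount):
                findings.append(f"{label} {path} collides with target mount {mount}")
    return findings
```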
@oxyno-zeta yes, that solved the issue. But I had to switch to Nginx proxy and oauth2 proxy because this proxy isn't redirecting me back to the URL that I came from and in my case, it was very much needed. I guess I will close the issue now. Thanks for the quick response and help.