Comments (9)

oxyno-zeta avatar oxyno-zeta commented on May 24, 2024

Hello,

First of all, please rewrite your issue following the bug template :).

The redirect issue must be because somewhere you continue the flux with http and not https. So the cookie, flagged as secure in your configuration, isn't forwarded.

Are you running in a Kubernetes cluster? Did you put SSL on the full road?

CLIENT https => https LB https => https Ingress controller https => https s3-proxy?
If one on the path isn't with "https", put your cookieSecure option to false.

Tell me if it solves your problem.

Regards,

from s3-proxy.

vishu42 avatar vishu42 commented on May 24, 2024

Hi @oxyno-zeta, I have reformatted it according to the bug template.
And putting cookieSecure to false didn't help. Although the influx is https all along the way, I still tried that; it didn't work.


oxyno-zeta avatar oxyno-zeta commented on May 24, 2024

Hi @vishu42 ,

Thanks for the template.

Can you send me a full indented configuration and the logs please?
Maybe I missed something... Don't know why it didn't work for you.

Regards,


vishu42 avatar vishu42 commented on May 24, 2024
#
# See configuration of project: https://oxyno-zeta.github.io/s3-proxy/
#
# Log configuration
log:
  # Log level
  level: debug
  # Log format
  format: json
# Template configurations
# templates:
#   badRequest: templates/bad-request.tpl
#   folderList: templates/folder-list.tpl
#   forbidden: templates/forbidden.tpl
#   internalServerError: templates/internal-server-error.tpl
#   notFound: templates/not-found.tpl
#   targetList: templates/target-list.tpl
#   unauthorized: templates/unauthorized.tpl

# Authentication Providers
authProviders:
  oidc:
    provider1:
      clientID: <client_id>
      clientSecret:
        env: CLIENT_SECRET
      state: mqeklfnrjfnejfnjw
      issuerUrl: https://auth.demo.app.mydomain.com/
      redirectUrl: https://reports.app.mydomain.com/api/ # /auth/oidc/callback will be added automatically
      scopes: # OIDC Scopes (defaults: oidc, email, profile)
        - oidc
        - email
        - profile
      groupClaim: groups # path in token
      cookieSecure: false # Is the cookie generated secure ?
      cookieName: oidc # Cookie generated name
      emailVerified: true # check email verified field from token
      loginPath: / # Override login path dynamically generated from provider key
      callbackPath: /callback # Override callback path dynamically generated from provider key
  basic:
    provider2:
      realm: basic

# List targets feature
# This will generate a webpage with list of targets with links using targetList template
# listTargets:
#   # To enable the list targets feature
#   enabled: false
#   ## Mount point
#   mount:
#     path:
#       - /
#     # A specific host can be added for filtering. Otherwise, all hosts will be accepted
#     # host: localhost:8080
#   ## Resource configuration
#   resource:
#     # A Path must be declared for a resource filtering
#     path: /
#     # HTTP Methods authorized (Must be in GET, PUT or DELETE)
#     methods:
#       - GET
#       - PUT
#       - DELETE
#     # Whitelist
#     whitelist: false
#     # A authentication provider declared in section before, here is the key name
#     provider: provider1
#     # OIDC section for access filter
#     oidc:
#       # NOTE: This list can be empty ([]) for authentication only and no group filter
#       authorizationAccesses: # Authorization accesses : groups or email or regexp
#         - group: devops_users
#     # Basic authentication section
#     basic:
#       credentials:
#         - user: user1
#           password:
#             path: password1-in-file

# Targets
targets:
  - name: api
    mount:
      path:
        - /api/
      # A specific host can be added for filtering. Otherwise, all hosts will be accepted
      # host: reports.app.mydomain.com
    resources:
      - path: /api/*
        # HTTP Methods authorized (Must be in GET, PUT or DELETE)
        methods:
          - GET
          - PUT
          - DELETE
        # # A authentication provider declared in section before, here is the key name
        provider: provider1
        # OIDC section for access filter
        oidc:
          # NOTE: This list can be empty ([]) for authentication only and no group filter
          authorizationAccesses: # Authorization accesses : groups or email or regexp
            - email: "[email protected]"
        # Basic authentication section
        # basic:
        #   credentials:
        #     - user: ondtestreports
        #       password:
        #         env: PASSWORD
    # ## Index document to display if exists in folder
    # indexDocument: index.html
    # ## Actions
    # actions:
    #   # Action for GET requests on target
    #   GET:
    #     # Will allow GET requests
    #     enabled: true
    #   # Action for PUT requests on target
    #   PUT:
    #     # Will allow PUT requests
    #     enabled: true
    #     # Configuration for PUT requests
    #     config:
    #       # Metadata key/values that will be put on S3 objects
    #       metadata:
    #         key: value
    #       # Storage class that will be used for uploaded objects
    #       # See storage class here: https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html
    #       storageClass: STANDARD # GLACIER, ...
    #       # Will allow override objects if enabled
    #       allowOverride: false
    #   # Action for DELETE requests on target
    #   DELETE:
    #     # Will allow DELETE requests
    #     enabled: true
    ## Target custom templates
    # templates:
    #   # Folder list template
    #   folderList:
    #     inBucket: false
    #     path: ""
    #   # Not found template
    #   notFound:
    #     inBucket: false
    #     path: ""
    #   # Internal server error template
    #   internalServerError:
    #     inBucket: false
    #     path: ""
    #   # Forbidden template
    #   forbidden:
    #     inBucket: false
    #     path: ""
    #   # Unauthorized template
    #   unauthorized:
    #     inBucket: false
    #     path: ""
    #   # BadRequest template
    #   badRequest:
    #     inBucket: false
    #     path: ""
    ## Bucket configuration
    bucket:
      name: api-tests.reports.app.mydomain.com
      prefix:
      region: us-east-1
      s3Endpoint:
      disableSSL: false
      credentials:
        accessKey:
          env: AWS_ACCESS_KEY
        secretKey:
          env: AWS_SECRET_KEY

  - name: web
    ## Mount point
    mount:
      path:
        - /web/
      # A specific host can be added for filtering. Otherwise, all hosts will be accepted
      # host: reports.app.mydomain.com
    ## Resources declaration
    resources:
      # A Path must be declared for a resource filtering (a wildcard can be added to match every sub path)
      # - path: /
      #   # Whitelist
      #   whiteList: true
      #   # A Path must be declared for a resource filtering (a wildcard can be added to match every sub path)
      # - path: /*
      #   # HTTP Methods authorized (Must be in GET, PUT or DELETE)
      #   methods:
      #     - GET
      #     - PUT
      #     - DELETE
      #   # A authentication provider declared in section before, here is the key name
      #   provider: provider1
      #   # OIDC section for access filter
      #   oidc:
      #     # NOTE: This list can be empty ([]) for authentication only and no group filter
      #     authorizationAccesses: # Authorization accesses : groups or email or regexp
      #       - group: specific_users
      #   # A Path must be declared for a resource filtering (a wildcard can be added to match every sub path)
      - path: /web/*
        # HTTP Methods authorized (Must be in GET, PUT or DELETE)
        methods:
          - GET
          # - PUT
          # - DELETE
        # A authentication provider declared in section before, here is the key name
        provider: provider2
        # Basic authentication section
        basic:
          credentials:
            - user: etcetcetc
              password:
                env: PASSWORD
    # ## Index document to display if exists in folder
    # indexDocument: index.html
    # ## Actions
    # actions:
    #   # Action for GET requests on target
    #   GET:
    #     # Will allow GET requests
    #     enabled: true
    #   # Action for PUT requests on target
    #   PUT:
    #     # Will allow PUT requests
    #     enabled: true
    #     # Configuration for PUT requests
    #     config:
    #       # Metadata key/values that will be put on S3 objects
    #       metadata:
    #         key: value
    #       # Storage class that will be used for uploaded objects
    #       # See storage class here: https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html
    #       storageClass: STANDARD # GLACIER, ...
    #       # Will allow override objects if enabled
    #       allowOverride: false
    #   # Action for DELETE requests on target
    #   DELETE:
    #     # Will allow DELETE requests
    #     enabled: true
    ## Target custom templates
    # templates:
    #   # Folder list template
    #   folderList:
    #     inBucket: false
    #     path: ""
    #   # Not found template
    #   notFound:
    #     inBucket: false
    #     path: ""
    #   # Internal server error template
    #   internalServerError:
    #     inBucket: false
    #     path: ""
    #   # Forbidden template
    #   forbidden:
    #     inBucket: false
    #     path: ""
    #   # Unauthorized template
    #   unauthorized:
    #     inBucket: false
    #     path: ""
    #   # BadRequest template
    #   badRequest:
    #     inBucket: false
    #     path: ""
    ## Bucket configuration
    bucket:
      name: web-tests.reports.app.mydomain.com
      prefix:
      region: us-east-1
      s3Endpoint:
      disableSSL: false
      credentials:
        accessKey:
          env: AWS_ACCESS_KEY
        secretKey:
          env: AWS_SECRET_KEY

@oxyno-zeta I copied the config file that gets injected into Kubernetes. Let me know if I missed any sensitive info in there. 😄


vishu42 avatar vishu42 commented on May 24, 2024

Also the logs:

{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"debug","msg":"request started","remote_addr":"192.168.46.131","req_id":"2710d10109596abfda849570ec6409c3","time":"2020-04-23T17:29:41Z","uri":"http://reports.app.mydomain.com/","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"warning","msg":"request complete","remote_addr":"192.168.46.131","req_id":"2710d10109596abfda849570ec6409c3","resp_bytes_length":292,"resp_elapsed_ms":0.045871,"resp_status":302,"time":"2020-04-23T17:29:41Z","uri":"http://reports.app.mydomain.com/","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"debug","msg":"request started","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"info","msg":"/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"debug","msg":"Try to get Authorization header from request","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"debug","msg":"Try get auth cookie from request","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"debug","msg":"Can't load auth cookie","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"error","msg":"No auth cookie detected, redirect to oidc login","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}
{"client_ip":"192.168.46.131","http_method":"GET","http_proto":"HTTP/1.1","http_scheme":"http","level":"warning","msg":"request complete","remote_addr":"192.168.46.131","req_id":"4a7735a86d1748318895d08cc6699143","resp_bytes_length":37,"resp_elapsed_ms":0.269001,"resp_status":307,"time":"2020-04-23T17:29:43Z","uri":"http://reports.app.mydomain.com/api/callback?code=jfwnjfwbefjwbfjiwbfjwifjf2_4tO2xmADnBbBDI\u0026locale=en_IN\u0026state=mqeklfnrjfnejfnjw\u0026userState=Authenticated","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"}


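An added diagnostic, not part of the thread and not s3-proxy's own code, that reads log lines in the JSON format shown above and flags the two failure signatures discussed here: an OIDC callback request that was answered with a redirect to login instead of setting the session cookie, and plain-http requests while cookieSecure is true. The sample lines are constructed, abbreviated copies of the callback lines posted above; type and function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// logEntry keeps only the fields of s3-proxy's JSON log lines used below; the decoder ignores the rest.
type logEntry struct {
	Msg        string `json:"msg"`
	HTTPScheme string `json:"http_scheme"`
	RespStatus int    `json:"resp_status"`
	URI        string `json:"uri"`
	ReqID      string `json:"req_id"`
}
type reqState struct { // what Diagnose accumulates per req_id
	path, scheme         string
	isCallback, noCookie bool
	status               int
}

// Diagnose groups lines by req_id and reports the two conditions discussed in the thread:
// an OIDC callback (request carrying code= and state=) answered with a redirect after "No auth
// cookie detected", i.e. the callback path was not mounted; and, with cookieSecure true, a
// request that arrived over plain http, so a Secure cookie would never be sent back.
func Diagnose(lines []string, cookieSecure bool) []string {
	reqs := map[string]*reqState{}
	for _, l := range lines {
		var e logEntry
		if json.Unmarshal([]byte(l), &e) != nil || e.ReqID == "" {
			continue // skip non-JSON or unattributed lines
		}
		r, ok := reqs[e.ReqID]
		if !ok {
			r = &reqState{}
			reqs[e.ReqID] = r
		}
		if u, err := url.Parse(e.URI); err == nil {
			r.path = u.Path
			r.isCallback = u.Query().Get("code") != "" && u.Query().Get("state") != ""
		}
		r.scheme = e.HTTPScheme
		r.noCookie = r.noCookie || strings.Contains(e.Msg, "No auth cookie detected")
		if e.RespStatus != 0 {
			r.status = e.RespStatus
		}
	}
	var findings []string
	for id, r := range reqs {
		if r.isCallback && r.noCookie && r.status >= 300 && r.status < 400 {
			findings = append(findings, fmt.Sprintf("%s: callback %s answered %d instead of setting the auth cookie: callback path is not mounted", id, r.path, r.status))
		}
		if cookieSecure && r.scheme == "http" {
			findings = append(findings, id+": cookieSecure is true but the request arrived over plain http")
		}
	}
	return findings
}

// sampleLog is constructed: abbreviated copies of the callback request lines posted in the thread.
var sampleLog = []string{
	`{"http_scheme":"http","msg":"No auth cookie detected, redirect to oidc login","req_id":"4a77","uri":"http://reports.app.mydomain.com/api/callback?code=CODE&state=STATE"}`,
	`{"http_scheme":"http","msg":"request complete","req_id":"4a77","resp_status":307,"uri":"http://reports.app.mydomain.com/api/callback?code=CODE&state=STATE"}`,
}
```

Run it against `kubectl logs` output to see, per request id, whether the loop is caused by an unmounted callback path or by a Secure cookie that the browser refuses to send over http.
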
oxyno-zeta avatar oxyno-zeta commented on May 24, 2024

Ok I think I got it.

In fact, the app doesn't mount /api/callback. The app is developed to consider that the redirect URL will be a simple URL without any path.

And because it isn't mounted, the redirect won't match the mounted callback, so the app won't generate a cookie. So the app doesn't find a cookie and redirects to the login page, which leads to a circular redirect.

Can you change your configuration to this one?

# Authentication Providers
authProviders:
  oidc:
    provider1:
      clientID: <client_id>
      clientSecret:
        env: CLIENT_SECRET
      state: mqeklfnrjfnejfnjw
      issuerUrl: https://auth.demo.app.mydomain.com/
      redirectUrl: https://reports.app.mydomain.com/ # /auth/oidc/callback will be added automatically
      scopes: # OIDC Scopes (defaults: oidc, email, profile)
        - oidc
        - email
        - profile
      groupClaim: groups # path in token
      cookieSecure: false # Is the cookie generated secure ?
      cookieName: oidc # Cookie generated name
      emailVerified: true # check email verified field from token
      loginPath: / # Override login path dynamically generated from provider key
      callbackPath: /callback # Override callback path dynamically generated from provider key

Should work with that. But (yes a but), this won't redirect you automatically to "/api". The application doesn't support this for the moment. It will redirect you to: "/" => with the full URL: https://reports.app.mydomain.com/

In fact, the redirect URL is the redirect URL after the authentication system but not the final one. I don't know if it is clear... Tell me if not.

PS: I strongly recommend you to change your state secret value :)


vishu42 avatar vishu42 commented on May 24, 2024

@oxyno-zeta ok I tried that and the result is the same. I am still left hanging after auth is done and Chrome is still showing the same screen.
Logs:
k logs s3-proxy | jq .msg

"Successful authentication detected"
"request complete"
"request started"
"request complete"
"request started"
"Successful authentication detected"
"request complete"
"request started"
"request complete"
"request started"
"Successful authentication detected"
"request complete"
"request started"
"request complete"
"request started"
"Successful authentication detected"
"request complete"
"request started"
"request complete"
"request started"
"Successful authentication detected"
"request complete"
"request started"
"request complete"
"request started"
"Successful authentication detected"
"request complete"
"request started"


oxyno-zeta avatar oxyno-zeta commented on May 24, 2024

Oh yes sorry... I forgot that part...

Can you test with that configuration?

# Authentication Providers
authProviders:
  oidc:
    provider1:
      clientID: <client_id>
      clientSecret:
        env: CLIENT_SECRET
      state: mqeklfnrjfnejfnjw
      issuerUrl: https://auth.demo.app.mydomain.com/
      redirectUrl: https://reports.app.mydomain.com/ # /auth/oidc/callback will be added automatically
      scopes: # OIDC Scopes (defaults: oidc, email, profile)
        - oidc
        - email
        - profile
      groupClaim: groups # path in token
      cookieSecure: false # Is the cookie generated secure ?
      cookieName: oidc # Cookie generated name
      emailVerified: true # check email verified field from token
      loginPath: /auth # Override login path dynamically generated from provider key
      callbackPath: /callback # Override callback path dynamically generated from provider key

In fact, the loginPath is the path where the application starts the authentication process. It isn't the point where users should be authenticated.

The application will create loginPath: /auth/provider1 and callbackPath: /auth/provider1/callback automatically. But it is in the application only. Maybe you can let the application do it automatically.
In fact, when you override the login or callback path, take care not to override a bucket-side path :).

Regards,


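An added configuration check, not s3-proxy's own code, that models the routing rules the maintainer describes above (default /auth/<key> and /auth/<key>/callback, overrides taken as given) and reports the three misconfigurations this thread walked through: a redirectUrl carrying a path, loginPath set to "/", and an auth path inside a target mount. Type and function names are assumptions; the sample values come from the configurations posted in the thread.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// OIDCProvider mirrors the keys of an authProviders.oidc entry that drive routing.
type OIDCProvider struct {
	Key, RedirectURL, LoginPath, CallbackPath string
}

// EffectivePaths models the rule the maintainer describes: without overrides the app
// mounts /auth/<key> and /auth/<key>/callback; an override replaces that path as given.
// This is an illustrative model, not s3-proxy's own routing code.
func EffectivePaths(p OIDCProvider) (login, callback string) {
	login, callback = "/auth/"+p.Key, "/auth/"+p.Key+"/callback"
	if p.LoginPath != "" {
		login = p.LoginPath
	}
	if p.CallbackPath != "" {
		callback = p.CallbackPath
	}
	return login, callback
}

// under reports whether path lies at or below a target mount such as "/api/".
func under(path, mount string) bool {
	m := strings.TrimSuffix(mount, "/")
	return m != "" && (path == m || strings.HasPrefix(path, m+"/"))
}

// CheckProvider returns the misconfigurations this thread walked through:
//  1. redirectUrl carrying a path: the IdP is sent back to <path>+callbackPath, which the
//     app never mounts (here /api/callback versus /callback);
//  2. loginPath "/", the page users land on after a successful callback, so every
//     landing restarts the login ("Successful authentication detected" in a loop);
//  3. a login or callback path inside a target mount, where bucket routing shadows it.
func CheckProvider(p OIDCProvider, mounts []string) []string {
	var problems []string
	login, callback := EffectivePaths(p)
	u, err := url.Parse(p.RedirectURL)
	switch {
	case err != nil || u.Scheme == "" || u.Host == "":
		problems = append(problems, "redirectUrl must be an absolute URL")
	case u.Path != "" && u.Path != "/":
		problems = append(problems, fmt.Sprintf("redirectUrl has path %q: the IdP returns to %s but the app serves %s; use %s://%s/",
			u.Path, strings.TrimSuffix(u.Path, "/")+callback, callback, u.Scheme, u.Host))
	}
	if login == "/" {
		problems = append(problems, `loginPath "/" is the post-login landing page and would restart authentication; use e.g. /auth`)
	}
	for _, m := range mounts {
		for _, ap := range []string{login, callback} {
			if under(ap, m) {
				problems = append(problems, fmt.Sprintf("auth path %s is inside target mount %s", ap, m))
			}
		}
	}
	return problems
}
```

Fed the first configuration from this thread with mounts /api/ and /web/, it reports the redirectUrl path and the "/" loginPath; the maintainer's first fix clears the former, and the final configuration with loginPath /auth clears both.
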
vishu42 avatar vishu42 commented on May 24, 2024

@oxyno-zeta yes that solved the issue. But I had to switch to Nginx proxy and oauth2 proxy because this proxy isn't redirecting me back to the URL that I came from and in my case, it was very much needed. I guess I will close the issue now. Thanks for the quick response and help.

