Comments (10)
Welcome! Sorry it’s been such a struggle :( I’m sure we can get you going though.
So generally the process you followed looks sane. The structure of your json is off a little bit and what you sent seems like invalid json as well. But that may not be your issue currently anyway. Can you send the output/config token data from running the docker run command?
And send over the logs previous to the 503 line/error as well.
While waiting for further details, here are some notes:
- the structure of the json is off, use something like the following (you can use yaml vs json):

```yaml
aud: someaudience
eas:
  plugins:
    - type: oidc
      issuer:
        discover_url: >-
          https://identity.mydomain.com/realms/test/.well-known/openid-configuration
      client:
        client_id: eas
        client_secret: supersecretkey
      scopes:
        - openid
        - email
        - profile
      pkce:
        enabled: false
        code_challenge_method: S256
      nonce:
        enabled: false
        ttl: 600
      custom_authorization_parameters: {}
      custom_authorization_code_parameters: {}
      custom_refresh_parameters: {}
      custom_revoke_parameters: {}
      redirect_uri: 'https://eas.mydomain.com/oauth/callback'
      features:
        cookie_expiry: false
        userinfo_expiry: true
        session_expiry: true
        session_expiry_refresh_window: 86400
        session_retain_id: true
        refresh_access_token: true
        fetch_userinfo: true
        introspect_access_token: false
        introspect_expiry: 0
        authorization_token: access_token
        filtered_service_headers: []
        logout:
          revoke_tokens_on_logout: []
          end_provider_session:
            enabled: false
            post_logout_redirect_uri: 'https://eas.mydomain.com/oauth/end-session-redirect'
          backchannel:
            enabled: false
      assertions:
        aud: true
        exp: true
        nbf: true
        iss: true
        sig:
          enabled: false
      xhr: {}
      csrf_cookie: {}
      cookie: {}
      custom_error_headers: {}
      custom_service_headers: {}
```
- if your keycloak env supports it I would suggest enabling nonce and pkce, they provide the best security
- (this is likely your primary issue) the config_token as returned using the command above is not url encoded. Run the token through your encoder of choice or something like https://www.urlencoder.org/ to get the values as it should be in your traefik config (ie: address = "https://eas.mydomain.com/verify?config_token=<THE ENCODED STRING HERE>")
- ensure that the eas is not protected by the eas middleware configuration...that will not end well :)
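The URL-encoding point above is easy to get wrong by hand. The following added illustration (my own code, not part of external-auth-server or this thread) builds the Traefik forwardAuth `address` with the token percent-encoded, then parses both the encoded and the raw form back the way a query-string parser would, so you can see what a server receives when the token is left unencoded. The verify URL is the one from the example above; the token is a constructed sample chosen to contain characters that carry meaning inside a URL.

```python
"""Added illustration, not code from external-auth-server: why the config_token in
Traefik's forwardAuth `address` has to be URL-encoded, and a safe way to build it."""
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Verify endpoint from the thread's example; the token below is a constructed sample
# that deliberately contains characters with URL meaning ('+', '/', '=', '&').
EAS_VERIFY_URL = "https://eas.mydomain.com/verify"
SAMPLE_CONFIG_TOKEN = "eyJhbGciOiJIUzI1NiJ9.abc+def/ghi==&next=1"


def build_forward_auth_address(token: str, verify_url: str = EAS_VERIFY_URL) -> str:
    """Percent-encode the whole token; safe='' also encodes '/' so no byte keeps URL meaning."""
    return f"{verify_url}?config_token={quote(token, safe='')}"


def extract_config_token(address: str) -> Optional[str]:
    """Parse the address the way a query-string parser does and return the token it sees."""
    values = parse_qs(urlsplit(address).query).get("config_token")
    return values[0] if values else None


def token_survives(address: str, expected: str) -> bool:
    """True when the token parsed back out of the address equals the original."""
    return extract_config_token(address) == expected


if __name__ == "__main__":
    good = build_forward_auth_address(SAMPLE_CONFIG_TOKEN)
    bad = f"{EAS_VERIFY_URL}?config_token={SAMPLE_CONFIG_TOKEN}"
    print("encoded   :", good, token_survives(good, SAMPLE_CONFIG_TOKEN))
    print("unencoded :", bad, token_survives(bad, SAMPLE_CONFIG_TOKEN))
    # `good` is the string to put in traefik's forwardAuth address = "..."
```

With the raw token, `+` is read as a space, the `&` starts a second parameter and the tail of the token is lost, so the verify endpoint sees a different token than the one generated and cannot decrypt it; the percent-encoded form round-trips unchanged.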
Thanks for the quick feedback.
I ripped the config_token straight from an example in HOWTO.md (https://github.com/travisghansen/external-auth-server/blob/master/HOWTO.md#generage-config_token) but at a late hour I clearly mistook Javascript for JSON. But then I expected the generate-config-token command to detect that and produce an error instead of providing a token back.
I've corrected that now, and used https://www.urlencoder.org/ and now it is working as expected.
Regarding PKCE/Nonce, I'm still new to Keycloak (latest version) and not even sure how to enable these yet on the realm? client? server?
With the advice given I've almost got this working. The end service is expecting the email address in a single header containing only an email address. But X-Auth-Email and X-Auth-Username are empty, X-Userinfo (I added this as a forwarded header to Traefik) is passed along, but the end service needs just the email.
So the only challenge is figuring out how to get just the Email into a header via Traefik/Keycloak/EAS. Still new to SSO so learning lots here.
Yup! This project is super powerful but also takes a minute to grok all the config. I can send you exact syntax but I'll need you to send over samples of the id_token/userinfo data so I know exactly where in the data the relevant datapoints reside. The mechanism for doing this is the custom_service_headers feature.
This is super powerful, but definitely takes some time to understand the configuration. Just found custom_service_headers and reading some examples.
The X-Userinfo being passed looks something like this:
{"sub":"991fed2d-f5ed-490e-88b5-268100b63ebe","email_verified":true,"name":"FirstName LastName","preferred_username":"firstname","given_name":"FirstName","family_name":"LastName","email":"[email protected]"}
So I'm thinking something like this might work:
```json
"custom_service_headers": {
  "X-Auth-Email": {
    "source": "userinfo",
    "encoding": "plain",
    "query_engine": "jq",
    "query": "[ .emails[].email ] | first"
  },
  "X-Auth-Username": {
    "source": "userinfo",
    "encoding": "plain",
    "query_engine": "jq",
    "query": "[ .preferred_username ]"
  }
}
```
For best performance use the jp query_engine:
Something like this should make it all work:
```json
"custom_service_headers": {
  "X-Auth-Email": {
    "source": "userinfo",
    "encoding": "plain",
    "query_engine": "jp",
    "query": "$.email",
    "query_opts": {
      "single_value": true
    }
  },
  "X-Auth-Username": {
    "source": "userinfo",
    "encoding": "plain",
    "query_engine": "jp",
    "query": "$.preferred_username",
    "query_opts": {
      "single_value": true
    }
  }
}
```
That works perfectly too. Thanks ever so much with the help in getting this up and running.
No problem! Enjoy!
Another possibility is to include email in your scopes and use the data from the id_token instead of userinfo, as userinfo requires an api call to the provider to get the extra data. eas can/will cache userinfo data to keep the overhead down, but if the needs are very slim it may make sense to go that route.
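To make the header mapping from the jp suggestion and the id_token alternative concrete, here is an added illustration that is my own code, not external-auth-server's implementation. It replays the two custom_service_headers specs above against the userinfo document pasted in this thread (email replaced by a constructed placeholder) and against a constructed set of id_token claims, using a deliberately minimal stand-in for the jp (JSONPath) engine that understands only `$.key` paths. Its purpose is to show what single_value changes: with it the backend receives one bare string, without it the header would carry a JSON list, and a query that matches nothing produces no header at all. The "omit the header on no match" rule and the `plain`-only encoding are simplifications of mine, not a statement of how eas behaves.

```python
"""Added illustration, not external-auth-server's implementation: what the
custom_service_headers mappings in this thread produce from userinfo (or id_token)
claims, with a minimal stand-in for the `jp` (JSONPath) query engine."""
import json
from typing import Any, Dict, List, Optional

# Userinfo document as pasted in the thread, email replaced by a constructed placeholder.
USERINFO_JSON = (
    '{"sub":"991fed2d-f5ed-490e-88b5-268100b63ebe","email_verified":true,'
    '"name":"FirstName LastName","preferred_username":"firstname",'
    '"given_name":"FirstName","family_name":"LastName","email":"user@example.invalid"}'
)
# Constructed id_token claims: with the `email` scope the provider puts email here too,
# so the same header can be filled without the extra userinfo call.
ID_TOKEN_CLAIMS = {"sub": "991fed2d-f5ed-490e-88b5-268100b63ebe",
                   "preferred_username": "firstname", "email": "user@example.invalid"}
SOURCES = {"userinfo": json.loads(USERINFO_JSON), "id_token": ID_TOKEN_CLAIMS}

HEADER_CONFIG = {  # the mapping suggested in the thread
    "X-Auth-Email": {"source": "userinfo", "encoding": "plain", "query_engine": "jp",
                     "query": "$.email", "query_opts": {"single_value": True}},
    "X-Auth-Username": {"source": "userinfo", "encoding": "plain", "query_engine": "jp",
                        "query": "$.preferred_username", "query_opts": {"single_value": True}},
}


def jp_query(doc: Any, query: str) -> List[Any]:
    """Stand-in JSONPath evaluator: only '$' followed by '.key' steps (enough for the
    queries here). Like JSONPath it returns a list of matches, empty when a key is missing."""
    if not query.startswith("$"):
        raise ValueError("JSONPath query must start with '$'")
    node = doc
    for step in query[1:].split("."):
        if step == "":
            continue
        if not isinstance(node, dict) or step not in node:
            return []
        node = node[step]
    return [node]


def render_header(spec: Dict[str, Any], sources: Dict[str, Any]) -> Optional[str]:
    """Evaluate one header spec. single_value unwraps the match list; without it the
    header would carry the whole list as JSON, not the bare value a backend expects."""
    if spec["query_engine"] != "jp":
        raise ValueError("only the jp stand-in is modelled here")
    matches = jp_query(sources[spec["source"]], spec["query"])
    if spec.get("query_opts", {}).get("single_value"):
        if not matches:
            return None  # simplification: no match means the header is omitted
        value: Any = matches[0]
    else:
        value = matches
    if spec["encoding"] != "plain":
        raise ValueError("only plain encoding is modelled here")
    return value if isinstance(value, str) else json.dumps(value)


def build_service_headers(config: Dict[str, Dict[str, Any]],
                          sources: Dict[str, Any]) -> Dict[str, str]:
    """Render every configured header that produced a value."""
    headers: Dict[str, str] = {}
    for name, spec in config.items():
        value = render_header(spec, sources)
        if value is not None:
            headers[name] = value
    return headers


if __name__ == "__main__":
    print(build_service_headers(HEADER_CONFIG, SOURCES))
    # Same header fed from the id_token instead of the userinfo call:
    print(render_header(dict(HEADER_CONFIG["X-Auth-Email"], source="id_token"), SOURCES))
```

Switching `source` to `id_token` yields the same email value here because the `email` scope put the claim in the token; the earlier jq attempt with `.emails[].email` fails for the same reason the `$.emails.email` path below returns nothing, the userinfo document has a top-level `email` string, not an `emails` list.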