Auth style probing results in AWS Cognito invalid grant #259

Open
ghost opened this issue Jun 3, 2021 · 7 comments
Labels
enhancement New feature or request

Comments

@ghost

ghost commented Jun 3, 2021

Traefik Forward Auth appears to be utilising the default behaviour of the underlying Golang oauth2 library (https://github.com/golang/oauth2/blob/master/internal/token.go#L188) and attempts to detect the auth style by sending multiple probes. The probing appears to be incompatible with AWS Cognito and results in an invalid grant (HTTP response 400) on the second auth style probe.

Would it be possible to add support for a new environment variable (https://github.com/thomseddon/traefik-forward-auth/blob/master/internal/provider/generic_oauth.go#L42 - auth style parameter) to set the Golang oauth2 auth style (https://github.com/golang/oauth2/blob/f6687ab2804cbebdfdeef385bee94918b1ce83de/clientcredentials/clientcredentials.go#L106)?

@thomseddon thomseddon added the enhancement New feature or request label Jun 24, 2021
@thomseddon
Owner

Yes indeed, good idea. We already have "TokenStyle", so "AuthStyle" could work similarly.

@Obirah

Obirah commented Jul 21, 2021

Hey guys, I started working on this issue as I urgently need to use traefik-forward-auth with Cognito OIDC.

This is my first shot: Obirah@7daa87b

However, I'm still a golang newbie and now I'm facing the problem that I'm getting an invalid_client error instead of the invalid_grant error whenever I'm setting one of the two explicit auth styles instead of "auto-detect" (0). It looks like client ID and secret are not sent at all when using those styles.

Do you have any idea what I'm doing wrong? If I get this thing to work, I'll of course happily contribute the change.

@Obirah

Obirah commented Jul 23, 2021

Ok, I solved my problem. My changes are working; the error was caused by my redirect URL (I'm using AUTH_HOST) starting with http:// (I think because the traefik-forward-auth service uses http), which Cognito never accepts.

So, I simply had to add this Middleware to my auth host IngressRoute:

```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: add-https-headers
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Port: '443'
      X-Forwarded-Proto: https
```

I will provide a Pull Request for this issue shortly.

@MatteoGioioso

MatteoGioioso commented Sep 8, 2021

@Obirah I have the same issue: the callback is http, but I need https. Not sure this is a bug happening only with Cognito.
Where did you add that middleware? I have added it in my host as well, but it does not seem to work.

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-ingress
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`myhost.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: traefik-forward-auth
        - name: add-https-headers
```

I am trying to expose the traefik dashboard.

@MatteoGioioso

For the time being I have modified the code and uploaded my own image:

```go
// redirectBase builds the base of the OAuth redirect URL. The scheme is
// hard-coded to https here instead of being derived from the request.
func redirectBase(r *http.Request) string {
	return fmt.Sprintf("%s://%s", "https", r.Host)
}
```

Unfortunately I could not find any solution other than hard-coding the https protocol.

@Obirah

Obirah commented Sep 9, 2021

I'm using the following middlewares:

Authentication:

```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: forward-authentication
spec:
  forwardAuth:
    address: http://my-forward-auth-service.my-forward-auth-namespace.svc:4181
    authResponseHeaders:
      - "X-Forwarded-User"
    trustForwardHeader: true
```

HTTPS:

```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: add-https-headers
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Port: '443'
      X-Forwarded-Proto: https
```

Composition of both:

```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authenticate
spec:
  chain:
    middlewares:
      # Necessary to consistently stick with HTTPS URIs in the redirect ping-pong with Cognito.
      - name: my-forward-auth-namespace-add-https-headers@kubernetescrd
      - name: my-forward-auth-namespace-forward-authentication@kubernetescrd
```

I can add the last one (the authenticate Middleware) on any Ingress/IngressRoute and it will authenticate against Cognito. Please note: when working with Cognito, this will only work with my changes from this Pull Request and `<PROVIDER_NAME>_AUTH_STYLE` set to `header`, until @thomseddon merges my change. So ideally, you should pull my fork and create your own image, if you need that.
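
The two explicit auth styles the thread converges on (`header`, which the fork above selects via `<PROVIDER_NAME>_AUTH_STYLE`, and `params`), shown as an added Go example that is not code from traefik-forward-auth or golang.org/x/oauth2: it mirrors oauth2's AuthStyle values locally, parses the env-var string, and builds the token request so you can see where the client credentials end up on the wire. The value names `auto`/`params`/`header`, the function names, and the choice to refuse auto-detect outright are this example's assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// AuthStyle mirrors golang.org/x/oauth2's values (0 auto, 1 body params, 2 Basic header).
type AuthStyle int
const (
	AuthStyleAutoDetect AuthStyle = iota
	AuthStyleInParams
	AuthStyleInHeader
)
// ParseAuthStyle maps a hypothetical <PROVIDER_NAME>_AUTH_STYLE value to an AuthStyle.
func ParseAuthStyle(v string) (AuthStyle, error) {
	switch strings.ToLower(v) {
	case "", "auto":
		return AuthStyleAutoDetect, nil
	case "params":
		return AuthStyleInParams, nil
	case "header":
		return AuthStyleInHeader, nil
	}
	return 0, fmt.Errorf("unknown auth style %q (want auto, params or header)", v)
}
// TokenRequest builds the authorization-code exchange for one explicit style;
// auto-detect is refused because probing would submit the same code twice.
func TokenRequest(style AuthStyle, tokenURL, clientID, clientSecret, code, redirectURI string) (*http.Request, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}}
	switch style {
	case AuthStyleInParams:
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	case AuthStyleInHeader: // credentials go in the Authorization header below
	default:
		return nil, fmt.Errorf("auth style %d would probe the endpoint; use header or params", style)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if style == AuthStyleInHeader { // RFC 6749 §2.3.1: form-encode, then Basic-encode
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	}
	return req, nil
}
```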

@MatteoGioioso

MatteoGioioso commented Sep 9, 2021

> Please note, when working with Cognito this will only work when using my changes from this Pull Request and the <PROVIDER_NAME>_AUTH_STYLE set to header

Aha, gotcha. Thanks man!
