Error: Unrecognized scope when using external idp #579

Closed
ssharma2089 opened this issue Apr 12, 2021 · 13 comments
ssharma2089 commented Apr 12, 2021

Expected Behavior

When I click on the welcome screen, it should redirect to the LDAP login page, and after a successful login it should redirect to the console dashboard page.

Current Behavior

When I click on the welcome button, it stays on the same page. When I tried inspecting it, I could see "unrecognized scope : app_metadata and state_metadata".
https://console.mwsdev.tri.int/oauth_callback?error=invalid_scope&error_description=Unrecognized+scope%28s%29+%5B%22app_metadata%22+%22user_metadata%22%5D&state=TDBJRURIMElWWEhaTFlITExCTjJPRE4yUDpsT2V0em95bUkzaDVQdUlRVnhlU09Bd1ZuZENkWnpjemNmcDJXaGdMd2wwPQ%3D%3D

Steps to Reproduce (for bugs)

  1. Installed the MinIO operator in the minio-operator namespace by using this link: "https://github.com/minio/operator#create-a-minio-instance"
  2. Created a certificate by using the link "https://github.com/minio/operator/blob/master/docs/tls.md#using-cert-manager". I am using cert-manager for issuing the certificate.
  3. Deployed the MinIO console in the minio namespace by using the link "https://github.com/minio/operator/blob/master/examples/tenant-with-external-idp.yaml". Changed requestAutoCert from true to false and added externalCertSecret.
  4. Log in to the console UI page.

Context

I am unable to log in to the console dashboard page.

Your Environment

  • Version used (minio-operator): v4.0.5 and console: v0.6.3
  • Environment name and version (e.g. kubernetes v1.17.2): v1.20.4+k3s1 (using k3s)
  • Server type and version:
  • Operating System and version (uname -a): Linux mwsdev01.tri.int 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Fri Oct 16 13:36:46 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux
  • Link to your deployment file:
    tenant.txt
@ZouhairBear

@ssharma2089 Hello, to solve your problem you will need to add 2 scopes (client scopes), app_metadata and user_metadata, to your OpenID app.

@ssharma2089

@ZouhairBear I am using dexidp/dex for authentication. These two scopes are not supported by dex.

@ZouhairBear

@ssharma2089 I think that you should add an env variable to the tenant as shown in the example below:

  • kubectl edit tenant -n namespace
  • add the following env var in spec.env:

    spec:
      env:
      - name: MINIO_IDENTITY_OPENID_SCOPES
        value: openid,profile,email,app_metadata,user_metadata

I have given an example for Keycloak and I'm certain that it will work for you; you should adapt the values with your own scope values.
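The thread turns on two facts that are easy to verify from the outside: the provider's redirect back to the console spells out which scopes it rejected (the URL in the opening comment), and an OIDC provider advertises the scopes it accepts in its discovery document at `<issuer>/.well-known/openid-configuration`, under `scopes_supported`. The script below is an added example, not code from this thread, from MinIO or from dex: it parses the `error`/`error_description` fields off a callback URL and checks a comma-separated `MINIO_IDENTITY_OPENID_SCOPES` value against a discovery document. The discovery JSON is a constructed stand-in whose scope list mirrors what a dex instance typically advertises (an assumption; fetch your own provider's document rather than relying on this sample).

```python
# Added example, not code from the issue thread or from the MinIO/dex projects.
import json
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# The callback URL quoted in the opening comment of the issue (used here as
# constructed sample input; nothing is fetched).
CALLBACK_URL = (
    "https://console.mwsdev.tri.int/oauth_callback?error=invalid_scope"
    "&error_description=Unrecognized+scope%28s%29+%5B%22app_metadata%22+%22user_metadata%22%5D"
    "&state=TDBJRURIMElWWEhaTFlITExCTjJPRE4yUDpsT2V0em95bUkzaDVQdUlRVnhlU09Bd1ZuZENkWnpjemNmcDJXaGdMd2wwPQ%3D%3D"
)

# Constructed stand-in for GET <issuer>/.well-known/openid-configuration.
# The scope list mirrors what dex typically advertises (assumption); a real
# check should load the document served by the provider itself.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://login.mwsdev.tri.int/dex",
    "token_endpoint": "https://login.mwsdev.tri.int/dex/token",
    "scopes_supported": ["openid", "email", "groups", "profile", "offline_access"],
})


def parse_callback_error(url: str) -> Dict[str, str]:
    """Return the OAuth 2.0 error fields (error, error_description) carried on
    a redirect URL, or an empty dict when the redirect carries no error."""
    params = parse_qs(urlparse(url).query)
    if "error" not in params:
        return {}
    return {
        "error": params["error"][0],
        "error_description": params.get("error_description", [""])[0],
    }


def split_scopes(scope_list: str) -> List[str]:
    """Split the comma-separated form used by MINIO_IDENTITY_OPENID_SCOPES."""
    return [s.strip() for s in scope_list.split(",") if s.strip()]


def unsupported_scopes(scope_list: str, discovery_json: str) -> List[str]:
    """Requested scopes that the provider does not list in scopes_supported."""
    supported = set(json.loads(discovery_json).get("scopes_supported", []))
    return [s for s in split_scopes(scope_list) if s not in supported]


def supported_scope_list(scope_list: str, discovery_json: str) -> str:
    """The same list with unsupported scopes dropped, back in env-var format."""
    bad = set(unsupported_scopes(scope_list, discovery_json))
    return ",".join(s for s in split_scopes(scope_list) if s not in bad)


if __name__ == "__main__":
    err = parse_callback_error(CALLBACK_URL)
    print(f"provider returned {err['error']}: {err['error_description']}")
    requested = "openid,profile,email,app_metadata,user_metadata"
    print("not advertised by provider:", unsupported_scopes(requested, DISCOVERY_JSON))
    print("usable value:", supported_scope_list(requested, DISCOVERY_JSON))
```

Run against the constructed inputs, the script reports `invalid_scope` with the provider's own description, lists `app_metadata` and `user_metadata` as not advertised, and yields `openid,profile,email` as the value the provider would accept. Reading `scopes_supported` before editing the tenant is the quickest way to tell whether a scope name belongs to the provider or to a different product's convention.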

@ssharma2089

@ZouhairBear Getting the same error after adding the above scope. I tried adding the scope in the console env as well, but it didn't work.

@ZouhairBear

@ssharma2089 these variables are in the minio env vars.
If you want to change the console, then you should edit the deployment and add this env var.

@ssharma2089

@ZouhairBear I tried it, but it didn't work.

@ssharma2089

Like this:

    spec:
      containers:
      - args:
        - server
        - --certs-dir=/tmp/certs
        env:
        - name: CONSOLE_MINIO_SERVER
          value: https://minio.minio.svc.cluster.local:443
        - name: CONSOLE_IDP_URL
          value: https://login.mwsdev.tri.int/dex
        - name: CONSOLE_IDP_CLIENT_ID
          value: d4795fb0ca5d24e02f4
        - name: CONSOLE_IDP_SECRET
          value: 17fce3a32b4ad7fab65bf3572ec8eb26713b7592
        - name: CONSOLE_IDP_SCOPES
          value: openid,profile,email,app_metadata,user_metadata
        - name: CONSOLE_IDP_CALLBACK
          value: https://console.mwsdev.tri.int/oauth_callback

@ZouhairBear

@ssharma2089 the console does not have a variable for the scope; it's minio that has it.
I have another question: why did you disable the minio deployment?

@ssharma2089

@ZouhairBear I didn't disable it. I have deployed it as per the documentation, using the link below:
https://github.com/minio/operator/blob/master/examples/tenant-with-external-idp.yaml

And I want to use the external IdP from the console.

@ZouhairBear

@ssharma2089
I tried the file and it didn't work for me.
The console does not work.
If you try to get your pods, you will not see the tenant (not the headless one) ...
I created a minio-tenant using the command line from the official documentation of the operator.
I recommend you create it using the CLI or the user interface, then edit the tenant.
Using the command line:
kubectl edit tenant -n namespace
And add the variables in the tenant.

@ssharma2089

@ZouhairBear I have tried with the new MinIO release v0.6.8 and the scope part is resolved now. But I am facing the token issue below:

error.go:46: original error: invalid Login
debugging error: Post "https://login.mwsdev.tri.int/dex/token": x509: certificate signed by unknown authority

stale bot commented Jul 22, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jul 22, 2021
@kannappanr
@ssharma2089 closing this issue as resolved. Please open a new one for the certificate issue.

3 participants