
OAuth redirect url not working #11

Closed
feelepxyz opened this issue Feb 21, 2022 · 5 comments · Fixed by #14

Labels: bug (Something isn't working)

Comments

feelepxyz commented Feb 21, 2022

👋 I've been trying to follow the instructions but getting stuck on the final hurdle, actually signing things with cosign.

When I run COSIGN_EXPERIMENTAL=1 cosign sign -oidc-issuer "https://oauth2.feelep.xyz/auth" -fulcio-url "https://fulcio.feelep.xyz" -rekor-url "https://rekor.feelep.xyz" ghcr.io/feelepxyz/code-signer:latest it opens a url that seems to include a randomly generated port in the redirect_uri, so when I follow the URL and try signing in, Dex errors with:

Unregistered redirect_uri ("http://localhost:$PORT/auth/callback").

This seems expected, as this particular host + port hasn't been configured in /etc/dex/dex-config.yaml under staticClients[0].redirectURIs.

This is my dex config:

issuer: https://oauth2.feelep.xyz/auth

storage:
  type: sqlite3
  config:
    file: /var/dex/dex.db
web:
  http: 0.0.0.0:5556
frontend:
  issuer: sigstore
  theme: light

# Configuration for telemetry
telemetry:
  http: 0.0.0.0:5558

# Options for controlling the logger.
logger:
  level: "debug"
  format: "json"

# Default values shown below
oauth2:
  responseTypes: [ "code" ]
  skipApprovalScreen: false
  alwaysShowLoginScreen: true

staticClients:
  - id: sigstore
    public: true
    name: 'sigstore'
    redirectURIs:
    - 'http://localhost:5556/auth/callback'
    - 'https://oauth2.feelep.xyz/auth/callback'

connectors:
- type: google
  id: google-sigstore-test
  name: Google
  config:
    clientID: $GCLIENT_ID
    clientSecret: $GCLIENT_SECRET
    redirectURI: https://oauth2.feelep.xyz/auth/callback

If I manually change the port before visiting the page to 5556, it gets to the approval page but then fails to load http://localhost:5556/auth/callback?code=yyy&state=xx.

If I change this to https://oauth2.feelep.xyz/auth/callback?code=yyy&state=xx I get a 400 back, saying the "Requested resource does not exist".

@feelepxyz feelepxyz added the bug Something isn't working label Feb 21, 2022
feelepxyz (Author)

After a bit more digging, I think this change in cosign is the culprit here: sigstore/sigstore#120

My understanding is that cosign launches a temp local server bound to a random (available) port, and sets the redirect_uri to this. This change makes sense as this port might be taken on the developers machine.

Is there a way to configure dex to allow a port range? How have you made it work on public sigstore with dex?
Possibly related fix proposed in dex but looks inactive: dexidp/dex#1783

rebelopsio (Contributor)

@feelepxyz Hi! I hope you're doing well. I actually just resolved this issue for myself.

If you log into your oauth2 server, edit your /etc/dex/dex-config.yaml file and remove the following from the staticClients:

    redirectURIs:
    - 'http://localhost:5556/auth/callback'
    - 'https://oauth2.feelep.xyz/auth/callback'

Then restart dex.service and try again.

This allowed me to get prompted for my Google account and receive a successful Sigstore response.

Sigstore Auth Successful
You may now close this page.

I've run into a different issue, but at least this allowed me to move on. I'll continue looking at the error I get now. I hope this helps!

feelepxyz (Author)

@rebelopsio 👋 thanks will give that a go when I get things set up again. I have since deleted my GCP setup as it was costing me money. I'd like to port this tutorial to azure where I have a bunch of free credits.

lukehinds (Contributor)

Sorry for radio silence, let me know if that works @feelepxyz and thanks for the support @rebelopsio

tuananh commented Mar 24, 2022

> @feelepxyz Hi! I hope you're doing well. I actually just resolved this issue for myself.
>
> If you log into your oauth2 server, edit your /etc/dex/dex-config.yaml file and remove the following from the staticClients:
>
>     redirectURIs:
>     - 'http://localhost:5556/auth/callback'
>     - 'https://oauth2.feelep.xyz/auth/callback'
>
> Then restart dex.service and try again.
>
> This allowed me to get prompted for my Google account and receive a successful Sigstore response.
>
> Sigstore Auth Successful
> You may now close this page.
>
> I've run into a different issue, but at least this allowed me to move on. I'll continue looking at the error I get now. I hope this helps!

When I try removing redirectURIs, I get this error:

Bad Request

Unregistered redirect_uri ("http://localhost:52394/auth/callback").

I tested with this command:

COSIGN_EXPERIMENTAL=1 cosign sign \
    --oidc-issuer https://<my-dex-instance>/dex \
    --rekor-url https://rekor.sigstore.dev \
    --fulcio-url https://fulcio.sigstore.dev \
    --oidc-client-id cosign \
    --verbose \
    README.md

My config:

staticClients:
      - id: cosign
        secret: __CHANGE_ME__
        name: 'cosign'
        # Where the app will be running.
        # redirectURIs:
        # - 'http://localhost:56921/auth/callback'
        # - 'http://127.0.0.1:5555/callback'
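The whole thread turns on how dex decides whether a loopback redirect_uri is acceptable. The Go program below is an added example written for this page; it is not dex's, cosign's or any participant's code. It models the rule dex applies as I understand it from dex's validateRedirectURI, which you should treat as an assumption to check against the dex version you run: a redirect_uri that exactly matches an entry in redirectURIs is always accepted; beyond that, only a client marked public: true with no redirectURIs at all gets the loopback allowance that RFC 8252 section 7.3 requires of authorization servers, namely http://localhost on any port. It also mimics what feelepxyz's second comment says cosign does, binding an ephemeral loopback port and deriving redirect_uri from it. The three client definitions are the three staticClients entries posted above (feelepxyz's pinned list, rebelopsio's list-removed variant, and tuananh's entry with a secret); the Client type, the function names and the port 52394 reused from the error message are the example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Client holds the fields of a dex staticClients entry that matter for
// redirect_uri validation. Added illustration type, not dex's storage.Client.
type Client struct {
	ID           string
	Public       bool     // dex: public: true
	Secret       string   // non-empty for a confidential client
	RedirectURIs []string // dex: redirectURIs
}

// isLocalhostHTTP reports whether rawURI has the form http://localhost[:port]/...,
// which is the shape cosign sends ("http://localhost:$PORT/auth/callback").
func isLocalhostHTTP(rawURI string) bool {
	u, err := url.Parse(rawURI)
	if err != nil || u.Scheme != "http" {
		return false
	}
	// Hostname() strips the port, so any port passes; the host must be exactly
	// "localhost" (loopback IPs are not accepted in this model).
	return u.Hostname() == "localhost"
}

// ValidateRedirectURI models dex's decision (an assumption, see the lead-in):
//  1. an exact match against redirectURIs always wins;
//  2. otherwise only a public client with an empty redirectURIs list may use
//     the RFC 8252 section 7.3 loopback allowance (localhost, any port);
//  3. everything else, including a client that has a secret, is rejected.
func ValidateRedirectURI(c Client, redirectURI string) bool {
	for _, uri := range c.RedirectURIs {
		if uri == redirectURI {
			return true
		}
	}
	if !c.Public || len(c.RedirectURIs) > 0 {
		return false
	}
	return isLocalhostHTTP(redirectURI)
}

// StartLoopbackCallback does what the thread describes cosign doing: bind an
// ephemeral port on the loopback interface and build redirect_uri from it.
// The caller closes the listener once the callback has been received.
func StartLoopbackCallback() (net.Listener, string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // port 0: the kernel picks a free port
	if err != nil {
		return nil, "", err
	}
	port := ln.Addr().(*net.TCPAddr).Port
	return ln, fmt.Sprintf("http://localhost:%d/auth/callback", port), nil
}

// ThreadClients returns the three staticClients entries posted in the thread.
func ThreadClients() map[string]Client {
	return map[string]Client{
		// feelepxyz's original entry: public, but pinned to two exact URIs.
		"pinned": {ID: "sigstore", Public: true, RedirectURIs: []string{
			"http://localhost:5556/auth/callback",
			"https://oauth2.feelep.xyz/auth/callback",
		}},
		// rebelopsio's fix: still public, redirectURIs removed.
		"public": {ID: "sigstore", Public: true},
		// tuananh's entry: redirectURIs removed, but a secret and no public: true.
		"confidential": {ID: "cosign", Secret: "__CHANGE_ME__"},
	}
}

func main() {
	ln, uri, err := StartLoopbackCallback()
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for name, c := range ThreadClients() {
		fmt.Printf("%-12s %s -> accepted=%v\n", name, uri, ValidateRedirectURI(c, uri))
	}
}
```

Run it with `go run .` and it prints one line per client for the freshly bound port: only the public entry with no redirectURIs accepts it. Newer dex releases may also accept 127.0.0.1 and [::1] for public clients, so check the validateRedirectURI in your version before relying on the localhost-only model here.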
