Pinniped cli-password flow with dex Failed

[HamzaZo]

Hello,

I'm trying to use the Pinniped upstream identity provider flow cli-password with Dex. I added oauth2.passwordConnector=local to the Dex configuration and enabled allowPasswordGrant: true on the OIDCIdentityProvider

However, I'm getting Error: could not complete Pinniped login: login failed with code "access_denied": The resource owner or authorization server denied the request. Make sure that the request your are making is valid. Maybe the credential or request parameters your are using are limited in scope or otherwise restricted. Unable to connect to the server: getting credentials: exec: executable /usr/local/bin/pinniped failed with exit code 1

Do you have any idea why the provider flow cli-password is not working?

[cfryanr]

Here is how we configure Dex for use in our integration tests, which includes using the CLI password flow. Perhaps this will give some hints. Keep in mind that this is not a production configuration for Dex. You need to enable the resource owner password grant in Dex:

pinniped/test/deploy/tools/dex.yaml

Lines 22 to 23 in b0ea706

	#! Allow the resource owner password grant, which Dex implements to also return ID tokens.
	passwordConnector: local

[HamzaZo]

I attempted to set passwordConnector: local, but unfortunately, it did not work as expected.

[cfryanr]

I'm not expert in Dex, but I found the original PR that enabled the feature in Dex here: dexidp/dex#1621

Maybe you also need to change this setting? This is just a wild guess based on the setting being introduced in the same PR: https://github.com/dexidp/dex/blob/28aaa8f5117d30d6da3cc23b0b1e5da6d3711999/server/server.go#L93-L94

[cfryanr]

Would it be passwordConnector: ldap?

[HamzaZo]

Unfortunately, it does not work

[cfryanr]

I wonder if it is a bug in Dex? Assuming that you are intimately familiar with OIDC, are you able to use curl to perform a resource owner password grant with your Dex server?

I'm sure that this works with Dex when you are using Dex's local user store. I've never actually tried it when using Dex's LDAP connector.

[cfryanr]

@HamzaZo, I tried this and it worked for me. Are you using a recent release of Dex?

Here is my Pinniped Supervisor's OIDCIdentityProvider, which is configured to point to Dex. Dex is running on the same cluster as the Pinniped Supervisor in this example. I am using a Kind cluster for this example.

apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  annotations:
  name: my-oidc-provider
  namespace: supervisor
spec:
  authorizationConfig:
    additionalScopes:
    - offline_access
    - email
    - profile
    - groups
    allowPasswordGrant: true
  claims:
    groups: groups
    username: email
  client:
    secretName: my-oidc-provider-client-secret
  issuer: https://dex.tools.svc.cluster.local/dex
  tls:
    certificateAuthorityData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkVENDQVJxZ0F3SUJBZ0lVVlFtRTFobFh6S0ZRL1k0bms0NWFuMVN0OElnd0NnWUlLb1pJemowRUF3SXcKR0RFV01CUUdBMVVFQXhNTlVHbHVibWx3WldRZ1ZHVnpkREFlRncweU16QTBNVGt5TURBMk1EQmFGdzB5T0RBMApNVGN5TURBMk1EQmFNQmd4RmpBVUJnTlZCQU1URFZCcGJtNXBjR1ZrSUZSbGMzUXdXVEFUQmdjcWhrak9QUUlCCkJnZ3Foa2pPUFFNQkJ3TkNBQVJuL016eUxkblIrRlh1MlhDNjFhNkdDWTNtT1ozaDF0a2M4dmJkVkd0T2xPMmMKQWxWRVhIbmt6cVZoNGM2TnpTTGc4ajhuT0ozMDQybkxDM2hNRXVhMm8wSXdRREFPQmdOVkhROEJBZjhFQkFNQwpBUVl3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVN0Iyem5nNUtzb0dsVElqN1ZsSzI4bXhNCkd1SXdDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBS1pTNC9DSk5IZ3JQTmJqbVI2MjhKNjhkVFhydU9zWUIzTjQKTnN2SzVlZGRBaUVBd21EazZWU2VVNGFXcFFyMnpVclFTNkwvaFU1S2Fkd01kSkxNN2ZXUElBOD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=

And here is my Dex ConfigMap, which configures Dex to use my openldap server as an LDAP provider. My openldap server is running on the same cluster in this example.

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: dex
  name: dex-config
  namespace: tools
data:
  config.yaml: |
    issuer: https://dex.tools.svc.cluster.local/dex
    storage:
      type: sqlite3
      config:
        file: ':memory:'
    web:
      https: 0.0.0.0:8443
      tlsCert: /var/certs/dex.pem
      tlsKey: /var/certs/dex-key.pem
    expiry:
      idTokens: 20m
    oauth2:
      skipApprovalScreen: true
      passwordConnector: ldap # This line is important! It tells Dex that password grants should use the ldap connector.
    staticClients:
    - id: pinniped-cli
      name: Pinniped CLI
      public: true
      redirectURIs:
      - http://127.0.0.1:48095/callback
      - http://[::1]:48095/callback
    - id: pinniped-supervisor
      name: Pinniped Supervisor
      secret: pinniped-supervisor-secret
      redirectURIs:
      - https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback
    connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: ldap.tools.svc.cluster.local:636
        insecureSkipVerify: true # please do not do this for production! I was just being lazy for this experiment!
        bindDN: cn=admin,dc=pinniped,dc=dev
        bindPW: password
        usernamePrompt: SSO Username
        userSearch:
          baseDN: ou=users,dc=pinniped,dc=dev
          username: uid
          idAttr: uidNumber
          emailAttr: mail
          nameAttr: sn
        groupSearch:
          baseDN: ou=groups,dc=pinniped,dc=dev
          userMatchers:
          - userAttr: DN
            groupAttr: member
          nameAttr: cn

Then I was able to log in using Pinniped's CLI flow:

❯ https_proxy="http://127.0.0.1:12346" no_proxy="127.0.0.1" kubectl --kubeconfig ./kubeconfig get pods -A
Username: pinny
Password:
Error from server (Forbidden): pods is forbidden: User "[email protected]" cannot list resource "pods" in API group "" at the cluster scope

❯ https_proxy="http://127.0.0.1:12346" no_proxy="127.0.0.1" ./pinniped whoami --kubeconfig ./kubeconfig
Current cluster info:

Name: kind-pinniped-pinniped
URL: https://127.0.0.1:50213

Current user info:

Username: [email protected]
Groups: seals, ball-game-players, system:authenticated

Ignore the proxy settings in the above commands. They are only needed because of the way that I configured ingress on my Kind cluster. You can see from the above output that my identity and group memberships were taken from my openldap server.

[cfryanr]

By the way, for anyone else following along, @HamzaZo is only trying to use Dex here because they believe that their LDAP server is using a very old/insecure version of TLS which is incompatible with the Pinniped Supervisor. Otherwise, they could use the Pinniped Supervisor's LDAPIdentityProvider and not need to use Dex at all. See #1483 (reply in thread).

[cfryanr]

Also note that, as documented here, using the Dex password grant requires Dex v2.31.0 or later.

[HamzaZo]

I appreciate your help I upgrade my dex version and it works, thanks again! @cfryanr

[cfryanr]

Glad to hear it!