-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
new provider to support Aliyun iDaas / Alibaba OIDC (userInfo fix, should be easy) #344
Comments
Try adding the host header to your protected app config /validate block.
Which IdP is the provider?
Please supply a full log that includes startup of VP.
…On Wed, Dec 16, 2020, 1:32 AM Guo YaFeng ***@***.***> wrote:
here is my vouch proxy config
https://gist.github.com/Gourds/354df4f711d1f394c925a3ddaf8e7754
nginx vouch config:
https://gist.github.com/Gourds/ae0fde3ecc24b6e0afd9165eac7e8874
nginx protect app config:
https://gist.github.com/Gourds/915f2ddd96c6f6d4729165108d603ee3
here is vouch-proxy debug log
https://gist.github.com/Gourds/844b7c5ed53c8790d7b151733ce4267f
In debug mode,
when i go to my protect site eg: http://test_sso_nginx_a.taiheops.com:2081
it will redirect to
http://vouch.taiheops.com:2081/login?url=http://test_sso_nginx_a.taiheops.com:2081/&vouch-failcount=&X-Vouch-Token=&error=
then,
when i click login button , the return code is 400,
click logout button, return msg is /logout you have been logged out,
click validate buttion , return msg is no jwt found in request,
I think there is a problem with my configuration, but I tried many
methods, and I also read related issues and instructions and still can’t
solve it.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#344>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAJUV26QCRLGGYC4WYGDFJDSVB5D3ANCNFSM4U5VQ2ZQ>
.
|
Did you mean add |
Yes The log you supplied is not a full round trip including startup. What's there shows a successful authentication and issuing a VP token/cookie. |
I see the following log in the vouch-proxy log, it should be successfully authenticated with idP ?
the vouch-proxy full log is there: https://gist.github.com/5f220728c6829ce8e520d95e0dc68565#file-vouch_log_2-log |
@Gourds that log appears to show VP working normally Are you able to navigate to your protected site after logging in at your IdP? Instead of |
when i click the the link at the bottom
the vouch-proxy page will be show My service start URL is
when i click it,the page will go to
|
That's funny, I was fighting the same issue this evening. Can you check your nginx access logs to see if the browser is making a request to |
|
@Gourds Could you please confirm that your nginx and VP configs have not changed and then upload a full cycle log again. After that, please adjust your 'oauth.scopes' to be similar to the OIDC example config and then upload a full cycle VP log. |
The log of the previous configuration unchanged:https://gist.github.com/Gourds/6e48dd3af121cb44399bbeb7619bfb7a I tested before that changing the
log file is below |
@Gourds those logs continue to show VP working as expected. It does appear that multiple requests are coming in at once. There's a fix in the recent |
I upgraded the version to 0.20.0, the following is the log of the current VP https://gist.github.com/Gourds/a9bffa692e9f5c16853d492314682082 In addition, I want to know whether the |
@Gourds that log seems odd. The typical pattern is..
But these logs are much more haphazard. Why? What happens if you just try..
There's something fundamentally wrong here. It doesn't feel as if Why is that log showing a VP request Why is
Please post a current Nginx configuration. Every time you change a configuration, please post it.
Yes they're all fine. Why do you ask? |
@bnfinet Now vp config is https://gist.github.com/Gourds/7f3bedc07f20ab7d6eaa147ff5b9ffee My step is as follow
when turn off debug mode the vp log is https://gist.github.com/Gourds/cc426999accf50ec29c8a0797548c162
And My Aliyun Idp config
|
@Gourds Okay, now we're getting somewhere...
That's good to see in this case if only because it tells us that the cookie is missing the user information. Upon further inspection I don't think that the this shows
Instead of the userinfo being provided in the top level it is being sent in a second level It should be like this.. In order to support Aliyun iDaas / Alibaba OIDC a new |
@bnfinet
But I don’t know how to config vp when there are multiple apps that need to be protected behind nginx. Is there any good way? In addition, I want to know the specific usage of the callback parameter |
@Gourds ...
That's great to hear. Please submit a PR with the working code. It'd be great to bring
yes there is... WRT the error you are seeing please post full logs and configs in the manner described in the README.
That is evading security, that is not what you want. The |
@bnfinet
If I start a request from |
@Gourds thank you for submitting #356!
I'm not certain that I understand correctly but aliyun should be configured for the This VP log shows VP working correctly. The |
My test result is that the If I don't use Alibaba Cloud's navigation jump, there is no problem now. |
@Gourds that all sounds favorable, but just to be clear you're saying it's working or you now? :) |
@bnfinet |
@Gourds this has been merged in Thanks again for working through that and the fine contribution to VP! |
here is my vouch proxy config
https://gist.github.com/Gourds/354df4f711d1f394c925a3ddaf8e7754
nginx vouch config: https://gist.github.com/Gourds/ae0fde3ecc24b6e0afd9165eac7e8874
nginx protect app config: https://gist.github.com/Gourds/915f2ddd96c6f6d4729165108d603ee3
here is vouch-proxy debug log
https://gist.github.com/Gourds/844b7c5ed53c8790d7b151733ce4267f
In debug mode,
when i go to my protect site eg:
http://test_sso_nginx_a.taiheops.com:2081
it will redirect to
http://vouch.taiheops.com:2081/login?url=http://test_sso_nginx_a.taiheops.com:2081/&vouch-failcount=&X-Vouch-Token=&error=
then,
when i click login button , the return code is 400,
click logout button, return msg is
/logout you have been logged out
,click validate buttion , return msg is
no jwt found in request
,I think there is a problem with my configuration, but I tried many methods, and I also read related issues and instructions and still can’t solve it.
The text was updated successfully, but these errors were encountered: