Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

new provider to support Aliyun iDaas / Alibaba OIDC (userInfo fix, should be easy) #344

Closed
Gourds opened this issue Dec 16, 2020 · 25 comments

Comments

@Gourds
Copy link
Contributor

Gourds commented Dec 16, 2020

here is my vouch proxy config
https://gist.github.com/Gourds/354df4f711d1f394c925a3ddaf8e7754

nginx vouch config: https://gist.github.com/Gourds/ae0fde3ecc24b6e0afd9165eac7e8874
nginx protect app config: https://gist.github.com/Gourds/915f2ddd96c6f6d4729165108d603ee3
here is vouch-proxy debug log
https://gist.github.com/Gourds/844b7c5ed53c8790d7b151733ce4267f

In debug mode,
when i go to my protect site eg: http://test_sso_nginx_a.taiheops.com:2081
it will redirect to http://vouch.taiheops.com:2081/login?url=http://test_sso_nginx_a.taiheops.com:2081/&vouch-failcount=&X-Vouch-Token=&error=
then,
when i click login button , the return code is 400,
click logout button, return msg is /logout you have been logged out,
click validate buttion , return msg is no jwt found in request,

I think there is a problem with my configuration, but I tried many methods, and I also read related issues and instructions and still can’t solve it.

@bnfinet
Copy link
Member

bnfinet commented Dec 16, 2020 via email

@Gourds
Copy link
Contributor Author

Gourds commented Dec 17, 2020

Did you mean add proxy_set_header Host $http_host; to mylocation = /vouch-validate block,
now log is here https://gist.github.com/Gourds/a3bddfed547193f5da51fb1ac8065839
And My idp is Aliyun iDaas service ,Here is their Oauth2 Document
https://www.alibabacloud.com/help/doc-detail/147465.htm?spm=a2c63.l28256.b99.19.507514fc5yig2G

@bnfinet
Copy link
Member

bnfinet commented Dec 18, 2020

@Gourds

Did you mean add proxy_set_header Host $http_host; to mylocation = /vouch-validate block,

Yes

The log you supplied is not a full round trip including startup.

What's there shows a successful authentication and issuing a VP token/cookie.

@Gourds
Copy link
Contributor Author

Gourds commented Dec 21, 2020

I see the following log in the vouch-proxy log, it should be successfully authenticated with idP ?

2020-12-21T06:38:35.530Z INFO |200| 385.063885ms /auth {"statusCode": 200, "request": 9, "latency": "385.063885ms", "avgLatency": "43.071887ms", "ipPort": "172.17.0.1:44419", "method": "GET", "host": "vouch.taiheops.com", "path": "/auth", "referer": "http://vouch.taiheops.com:2081/"}

the vouch-proxy full log is there: https://gist.github.com/5f220728c6829ce8e520d95e0dc68565#file-vouch_log_2-log

@bnfinet
Copy link
Member

bnfinet commented Dec 21, 2020

@Gourds that log appears to show VP working normally

Are you able to navigate to your protected site after logging in at your IdP? Instead of /logout you should click the link at the bottom to your original destination

@bnfinet bnfinet changed the title Invalid session state how to config it "Invalid session state" when configured for Aliyun iDaas / Alibaba OIDC Dec 21, 2020
@Gourds
Copy link
Contributor Author

Gourds commented Dec 22, 2020

when i click the the link at the bottom

client_id=97237f99deaa7c64b099b2709496c472ARO5UZBICAE&redirect_uri=http%3A%2F%2Fvouch.taiheops.com%3A2081%2Fauth&response_type=code&scope=read&state=Iq6euTiMIsv9SER2D8Acsix6rOfcUBt
http://test_sso_nginx_a.taiheops.com:2081/

the vouch-proxy page will be show 302 redirect to: http://test_sso_nginx_a.taiheops.com:2081/
this is right address but the response is 400 Bad Request

My service start URL is

https://ynfyvjwiaw.login.aliyunidaas.com/api/bff/v1.2/enduser/portal/sso/go_d501aa5d2d3f30b7b4dd35e44fbe72bap3rsFb9dlFs?access_token=e5710f56-3248-4900-a72c-cc1b941eb646

when i click it,the page will go to

http://vouch.taiheops.com:2081/auth?code=UgHg8K&state=0bbc8f9593afaeb5c18edd0dede2f2b9U2zOT422F72_idp
the page is vouch-proxy page and also display 400 Bad Request

@aaronpk
Copy link
Collaborator

aaronpk commented Dec 22, 2020

That's funny, I was fighting the same issue this evening. Can you check your nginx access logs to see if the browser is making a request to favicon.ico that's getting caught by vouch?

@Gourds
Copy link
Contributor Author

Gourds commented Dec 22, 2020

2020/12/22 02:18:26 [warn] 3231#0: *202 an upstream response is buffered to a temporary file /var/lib/nginx/tmp/proxy/5/00/0000000005 while reading upstream, client: 123.126.87.108, server: vouch.taiheops.com, request: "GET /static/img/favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:9090/static/img/favicon.ico", host: "vouch.taiheops.com:2081", referrer: "http://vouch.taiheops.com:2081/auth?code=HapCEm&state=JB154jsVi6bl98G9e9iaUfhDV5JN0RB"
@aaronpk There are indeed some similar logs, how to solve this problem

@Gourds
Copy link
Contributor Author

Gourds commented Jan 14, 2021

I haven't solved this problem.@aaronpk @bnfinet

@bnfinet
Copy link
Member

bnfinet commented Jan 14, 2021

@Gourds Could you please confirm that your nginx and VP configs have not changed and then upload a full cycle log again.

After that, please adjust your 'oauth.scopes' to be similar to the OIDC example config and then upload a full cycle VP log.

@Gourds
Copy link
Contributor Author

Gourds commented Jan 15, 2021

@Gourds Could you please confirm that your nginx and VP configs have not changed and then upload a full cycle log again.

After that, please adjust your 'oauth.scopes' to be similar to the OIDC example config and then upload a full cycle VP log.

The log of the previous configuration unchanged:https://gist.github.com/Gourds/6e48dd3af121cb44399bbeb7619bfb7a
Looks the same as before.

I tested before that changing the oauth.scopes parameter does not take effect, because according to Aliyun's documentation, only the read parameter should be supported.
when i change the vp scopes config to

...
  scopes:
    #- read
    - openid
    - email
...

log file is below
https://gist.github.com/ef955e8d60c13c493650a0e6c43cbf64

@bnfinet
Copy link
Member

bnfinet commented Jan 21, 2021

@Gourds those logs continue to show VP working as expected. It does appear that multiple requests are coming in at once. There's a fix in the recent v0.20.0 which may be helpful. Could you please pull the most recent code (or Docker image) and see if that improves thing?

@Gourds
Copy link
Contributor Author

Gourds commented Jan 22, 2021

@Gourds those logs continue to show VP working as expected. It does appear that multiple requests are coming in at once. There's a fix in the recent v0.20.0 which may be helpful. Could you please pull the most recent code (or Docker image) and see if that improves thing?

I upgraded the version to 0.20.0, the following is the log of the current VP

https://gist.github.com/Gourds/a9bffa692e9f5c16853d492314682082

In addition, I want to know whether the auth, login, and validata interfaces should be ok in debug mode

@bnfinet
Copy link
Member

bnfinet commented Jan 22, 2021

@Gourds that log seems odd. The typical pattern is..

  • go to the protected URL
  • nginx hits /validate
  • redirect to /login
  • redirect to the IdP (oidc endpoint for alibaba)
  • successful IdP login redirects to /auth
  • /auth makes a requests of the oauth.userinfo_url
  • issues a VP token
  • redirects the user to the original protected URL

But these logs are much more haphazard. Why? What happens if you just try..

  • one protected URL
  • then click through to the IdP
  • then login
  • then click through to the original URL

There's something fundamentally wrong here. It doesn't feel as if ali is responding with bad information. I suspect something is wrong with your ngxin or VP config or your general networking setup.

Why is that log showing a VP request 1 to /auth?

Why is /auth being forwarded to /validate??

2021-01-15T02:31:46.508Z DEBUG Login url param normalized to 'http://test_sso_nginx_a.taiheops.com:2081/auth?code=KzaBeU&state=VtIrLMiJdepstkwuM6lYOgyGxfrs8jNt'

Please post a current Nginx configuration. Every time you change a configuration, please post it.

In addition, I want to know whether the auth, login, and validata interfaces should be ok in debug mode

Yes they're all fine. Why do you ask?

@Gourds
Copy link
Contributor Author

Gourds commented Jan 22, 2021

@bnfinet
Sorry,My operation may not be standardized before

Now vp config is https://gist.github.com/Gourds/7f3bedc07f20ab7d6eaa147ff5b9ffee
Nginx vouch config is also https://gist.github.com/Gourds/ae0fde3ecc24b6e0afd9165eac7e8874
Nginx protect app config is https://gist.github.com/Gourds/915f2ddd96c6f6d4729165108d603ee3

My step is as followin debug mode

  • go to protected url: http://test_sso_nginx_a.taiheops.com:2081/
  • then i click vp test mode page https://ynfyvjwiaw.login.aliyunidaas.com/oauth/authorize?client_id=97237f99deaa7c64b099b2709496c472ARO5UZBICAE&redirect_uri=http%3A%2F%2Fvouch.taiheops.com%3A2081%2Fauth&response_type=code&scope=read&state=M8c0QxEdtP4QGgKIE5BhWE5TES2BFv
  • Now will jump to IdP login page
  • when i login IdP the page is redirect to http://vouch.taiheops.com:2081/auth?code=4jGiNr&state=M8c0QxEdtP4QGgKIE5BhWE5TES2BFv
  • then i click /auth/M8c0QxEdtP4QGgKIE5BhWE5TES2BFv/?code=4jGiNr&state=M8c0QxEdtP4QGgKIE5BhWE5TES2BFv
  • then click http://test_sso_nginx_a.taiheops.com:2081/

when turn off debug mode
the page will display too many redirect

the vp log is https://gist.github.com/Gourds/cc426999accf50ec29c8a0797548c162
the nginx log is

123.126.87.108 - - [22/Jan/2021:03:20:55 +0000] "GET / HTTP/1.1" 302 145 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36" "-"
123.126.87.108 - - [22/Jan/2021:03:20:55 +0000] "GET /login?url=http://test_sso_nginx_a.taiheops.com:2081/&vouch-failcount=&X-Vouch-Token=&error= HTTP/1.1" 200 2528 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36" "-"

And My Aliyun Idp config

Redirect URL: http://vouch.taiheops.com:2081/auth
SP HomePageURL: http://vouch.taiheops.com:2081

@bnfinet
Copy link
Member

bnfinet commented Jan 26, 2021

@Gourds Okay, now we're getting somewhere...

2021-01-22T03:39:11.502Z ERROR no User found in jwt

That's good to see in this case if only because it tells us that the cookie is missing the user information.

Upon further inspection I don't think that the user_info_url is returning the proper information...

this shows

{"success":true,"code":"200","message":null,"requestId":"C28014DF-9407-4CE2-A974-2E57E5C35CF3","data":{"sub":"3884468577942292116","ou_id":"5711823617764658328","nickname":"xxxx","phone_number":null,"ou_name":"xxxx","email":"[email protected]","username":"xxxx"}}

Instead of the userinfo being provided in the top level it is being sent in a second level data element.

It should be like this..
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

In order to support Aliyun iDaas / Alibaba OIDC a new provider will need to be developed with a custom GetUserInfo method. This is an easy and typical fix. If you're comfortable with basic coding you should be able to do it yourself using the already existing examples.

@bnfinet bnfinet changed the title "Invalid session state" when configured for Aliyun iDaas / Alibaba OIDC new provider Aliyun iDaas / Alibaba OIDC (userInfo fix, should be easy) Jan 26, 2021
@bnfinet bnfinet changed the title new provider Aliyun iDaas / Alibaba OIDC (userInfo fix, should be easy) new provider to support Aliyun iDaas / Alibaba OIDC (userInfo fix, should be easy) Jan 26, 2021
@Gourds
Copy link
Contributor Author

Gourds commented Jan 27, 2021

@bnfinet
thank. I added alibaba's provider and it works now. But there are other problems.
when i go to http://test_sso_nginx_a.taiheops.com:2081 is successful.
in Aibaba‘IDaas service.The normal step is to jump from Alibaba'IDaas to http://test_sso_nginx_a.taiheops.com:2081,now
it will be jump to http://vouch.taiheops.com:2081/auth?code=FHL9L9&state=9b436bc41865d4cee67563c60825b226RO05YDdK9Ke_idp, and get error response.
It works when I modify the nginx configuration to redirect the auth request

server {
  listen 2081;
  server_name vouch.taiheops.com;
  #ssl_certificate /etc/letsencrypt/live/login.avocado.lol/fullchain.pem;
  #ssl_certificate_key /etc/letsencrypt/live/login.avocado.lol/privkey.pem;
  # Proxy to your Vouch instance
  location / {
    proxy_set_header  Host  vouch.taiheops.com;
    #proxy_set_header  X-Forwarded-Proto https;
    proxy_pass        http://127.0.0.1:9090;
  }
  location /auth/ {
    rewrite ^ http://test_sso_nginx_a.taiheops.com:2081;
  }
}

But I don’t know how to config vp when there are multiple apps that need to be protected behind nginx. Is there any good way? In addition, I want to know the specific usage of the callback parameter

@bnfinet
Copy link
Member

bnfinet commented Jan 27, 2021

@Gourds ...

I added alibaba's provider and it works now.

That's great to hear. Please submit a PR with the working code. It'd be great to bring ali support to VP.

I don’t know how to config vp when there are multiple apps that need to be protected behind nginx. Is there any good way?

yes there is...
https://github.com/vouch/vouch-proxy/tree/master/examples/nginx/multi-file

WRT the error you are seeing please post full logs and configs in the manner described in the README.

  location /auth/ {
    rewrite ^ http://test_sso_nginx_a.taiheops.com:2081;
  }

That is evading security, that is not what you want. The vouch.taiheops.com config should be just as the README.

@Gourds
Copy link
Contributor Author

Gourds commented Jan 28, 2021

@bnfinet
Yesterday may be the browser cache problem. Now I have tested that two protected apps can log in normally. However, the problem of ali redirection still exists. Alibaba Cloud has an IDaas console. From this console, there is a navigation page to jump to the address, This address should be the Redirect URL: http://vouch.taiheops.com:2081/auth what i configured on aliyun
http://vouch.taiheops.com:2081/auth/0141cb0a0d5b4ebaf5db923e0ff17afaO2sY4djk8Xn_idp/?code=lsuiyp&state=0141cb0a0d5b4ebaf5db923e0ff17afaO2sY4djk8Xn_idp it will be return 400 and vp log is there

{"level":"debug","ts":1611802404.4400449,"msg":"/auth"}
{"level":"debug","ts":1611802404.440106,"msg":"CaptureWriter.Write set w.StatusCode 302"}
{"level":"info","ts":1611802404.4402049,"msg":"|302|   84.794µs /auth","statusCode":302,"request":113,"latency":0.000084794,"avgLatency":0.006405381,"ipPort":"127.0.0.1:19407","method":"GET","host":"vouch.taiheops.com","path":"/auth","referer":""}
{"level":"debug","ts":1611802404.4819818,"msg":"/auth/{state}/"}
{"level":"error","ts":1611802404.4820254,"msg":"/auth Invalid session state: stored %!s(<nil>), returned 345df7be563fb3d3fac6802fe3d3447eB97iZ7u9ErC_idp"}
{"level":"debug","ts":1611802404.4820335,"msg":"setting the cookie domain to taiheops.com"}
{"level":"debug","ts":1611802404.4820383,"msg":"CaptureWriter.Write set w.StatusCode 400"}
{"level":"debug","ts":1611802404.4820473,"msg":"rendering error for user: 400 Bad Request"}
{"level":"info","ts":1611802404.4821837,"msg":"|400|  132.524µs /auth/345df7be563fb3d3fac6802fe3d3447eB97iZ7u9ErC_idp/","statusCode":400,"request":114,"latency":0.000132524,"avgLatency":0.006350356,"ipPort":"127.0.0.1:19409","method":"GET","host":"vouch.taiheops.com","path":"/auth/345df7be563fb3d3fac6802fe3d3447eB97iZ7u9ErC_idp/","referer":""}

If I start a request from http://test_sso_nginx_a.taiheops.com:2081, there is no problem
now infomation is there
vp config https://gist.github.com/Gourds/7f3bedc07f20ab7d6eaa147ff5b9ffee
nginx vp config https://gist.github.com/Gourds/ae0fde3ecc24b6e0afd9165eac7e8874
nginx protect config https://gist.github.com/Gourds/915f2ddd96c6f6d4729165108d603ee3
normal vp log https://gist.github.com/Gourds/cc426999accf50ec29c8a0797548c162
nginx access log https://gist.github.com/Gourds/f11e10927b295956c8f477e0558bb538

@Gourds
Copy link
Contributor Author

Gourds commented Jan 28, 2021

@bnfinet
Aliabab/Aliyun provider support is there #356

@bnfinet
Copy link
Member

bnfinet commented Feb 2, 2021

@Gourds thank you for submitting #356!

This address should be the Redirect URL: http://vouch.taiheops.com:2081/auth what i configured on aliyun
http://vouch.taiheops.com:2081/auth/0141cb0a0d5b4ebaf5db923e0ff17afaO2sY4djk8Xn_idp/?code=lsuiyp&state=0141cb0a0d5b4ebaf5db923e0ff17afaO2sY4djk8Xn_idp it will be return 400 and vp log is there

I'm not certain that I understand correctly but aliyun should be configured for the callback_url
http://vouch.taiheops.com:2081/auth
see #349

This VP log shows VP working correctly. The 404s in the nginx log look like normal behaviour. It's unlikely that VP is responsible for those.

@Gourds
Copy link
Contributor Author

Gourds commented Feb 4, 2021

My test result is that the redirect url configured on Aliyun must be consistent with the callback_url configured in vp. If it is inconsistent, it will throw a URL mismatch error and cannot be redirected.

If I don't use Alibaba Cloud's navigation jump, there is no problem now.
Because vp protects multiple addresses, I think it is unreasonable to jump from a single link on the Alibaba Cloud navigation page to multiple protected addresses, so I decided not to use the navigation page provided by Alibaba Cloud.

@Gourds Gourds closed this as completed Feb 4, 2021
@bnfinet
Copy link
Member

bnfinet commented Feb 4, 2021

@Gourds that all sounds favorable, but just to be clear you're saying it's working or you now? :)

@Gourds
Copy link
Contributor Author

Gourds commented Feb 4, 2021

@bnfinet
Now it can work normally. If I directly access the VP protected URLs, it can jump to login page then redirect normally.

bnfinet added a commit that referenced this issue Feb 19, 2021
@bnfinet
Copy link
Member

bnfinet commented Feb 19, 2021

@Gourds this has been merged in v0.23.0

Thanks again for working through that and the fine contribution to VP!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants