Comments (3)
olzemal
commented on June 3, 2024
I suspect this might be an issue with dex' oidc config. I tried adding the documented okta IDP and got the expected error message of an invalid id / secret:
$ infra providers add fail --url "infrahq.okta.com" --client-id infra --client-secret infra-secret --kind oidc --log-level debug
DEBUG call server: create provider named "fail"
Error: validation failed: clientID: invalid provider clientIDThe output of my dex' /.wellknown/openid-configuration is:
{
"issuer": "https://dex.10.10.110.96.nip.io",
"authorization_endpoint": "https://dex.10.10.110.96.nip.io/auth",
"token_endpoint": "https://dex.10.10.110.96.nip.io/token",
"jwks_uri": "https://dex.10.10.110.96.nip.io/keys",
"userinfo_endpoint": "https://dex.10.10.110.96.nip.io/userinfo",
"device_authorization_endpoint": "https://dex.10.10.110.96.nip.io/device/code",
"grant_types_supported": [
"authorization_code",
"refresh_token",
"urn:ietf:params:oauth:grant-type:device_code"
],
"response_types_supported": [
"code"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"code_challenge_methods_supported": [
"S256",
"plain"
],
"scopes_supported": [
"openid",
"email",
"groups",
"profile",
"offline_access"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"claims_supported": [
"iss",
"sub",
"aud",
"iat",
"exp",
"email",
"email_verified",
"locale",
"name",
"preferred_username",
"at_hash"
]
}The OIDC Requirements from the docs are fulfilled by this as far as i can tell.
from infra.
olzemal
commented on June 3, 2024
Thanks to this comment i found the error gets generated here
After cranking the log level to debug i found that the error is indeed related to my dex (ssl) config.
{"level":"debug","time":1681461078356,"caller":"server/middleware.go:260","message":"Host: infra.10.10.110.96.nip.io"}
{"level":"debug","time":1681461078356,"caller":"server/middleware.go:269","message":"Host not found: infra.10.10.110.96.nip.io"}
{"level":"debug","time":1681461078389,"caller":"providers/oidc.go:99","message":"error validating oidc provider: get provider openid info: Get \"https://dex.10.10.110.96.nip.io/.well-known/openid-configuration\": x509: certificate signed by unknown authority"}
{"level":"debug","error":"validation failed: url: invalid provider url","method":"POST","path":"/api/providers","statusCode":400,"remoteAddr":"192.168.4.10:54778","time":1681461078390,"caller":"server/routes.go:208","message":"api request error"}
Is there any way of configuring a private certificate authority for oidc providers?
from infra.
olzemal
commented on June 3, 2024
...turns out you can just inject the ca into the server container.
I created a secret from the ca file like this:
$ kubectl create secret generic --from-file=ca.crt -n infra-server ca-crtand added the following lines to my values.yaml:
server:
...
volumes:
- name: ca-crt
secret:
secretName: ca-crt
volumeMounts:
- name: ca-crt
mountPath: /etc/ssl/certs/ca.crt
subPath: ca.crt
readOnly: trueAfter this i could successfully add my oidc provider.
from infra.
Related Issues (20)
- Find better wording for "Remove Infra user"
- Invite sent even though user exists
- Connector keys removed unexpectedly HOT 1
- In-repo CLI client must use the same API version as the server
- logging in from cli is broken if logged in as wrong user HOT 1
- An access key expiring due to inactivity timeout should return a different error message
- Inactivity Timeout may not be Updated in concurrent requests HOT 1
- Self hosted infra server on K8s ubuntu fails scheduling postgres pod. HOT 13
- Display OIDC configuration errors to the end user
- self host without k8 ? HOT 4
- got error after install connector infra version 0.21.0 HOT 3
- An error occurred while logging in: unauthorized after connect with company Google workspace HOT 3
- More granular grants HOT 2
- Restart needed every 90 days HOT 3
- Easier to use SSH access HOT 3
- Unable to log in to Linux servers via ssh due to password expiration HOT 2
- OIDC login not working on self hosted env HOT 2
- OIDC provider with .well-known/openid-configuration under some path HOT 3
- Is this project maintained? HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from infra.