oauth2-proxy and keycloak identity provider error - authentication

I'm currently stuck with some configuration I have in my Kubernetes cluster. In my lab I want to configure oauth2-proxy to use Keycloak as an identity provider. I have everything ready, but when trying to log in using Keycloak it shows a 403 Forbidden error "Login Failed: The upstream identity provider returned an error: invalid_scope"
Pod logs:
[2022/11/03 08:49:31] [oauthproxy.go:752] Error while parsing OAuth2 callback: invalid_scope
08:30:38,734 WARN [org.keycloak.events] (default task-43) type=LOGIN_ERROR, realmId=test, clientId=oauth2-proxy, userId=null, ipAddress=10.50.21.171, error=invalid_request, response_type=code, redirect_uri=https://oauth.test.dev/oauth2/callback, response_mode=query
08:34:11,933 ERROR [org.keycloak.services] (default task-41) KC-SERVICES0093: Invalid parameter value for: scope
I've looked at the documentation and I don't see why it is complaining about the scopes, as I have them right.
These are my oauth2-proxy values:
provider = "keycloak-oidc"
provider_display_name = "Keycloak"
cookie_domains = ".test.dev"
oidc_issuer_url = "https://keycloak.test.dev/auth/realms/test"
reverse_proxy = true
email_domains = [ "*" ]
scope = "openid profile email groups"
whitelist_domains = ["test.dev",".test.dev"]
pass_authorization_header = true
pass_access_token = true
pass_user_headers = true
set_authorization_header = true
set_xauthrequest = true
cookie_refresh = "1m"
cookie_expire = "30m"
And in keycloak I have the oauth2-proxy client created with Groups and Audience mappers.
I see these errors in keycloak:
LOGIN_ERROR
Client oauth2-proxy
Error invalid_request
response_type code
redirect_uri https://oauth.test.dev/oauth2/callback
response_mode query
If someone has experience with this and can point me in the right direction and tell me what I'm doing wrong, I would be very grateful.
Thank you.
I've tried different configurations and overwriting the scope parameter in the container but still the same issue. I expect to login correctly using keycloak.
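One check worth running before debugging the Keycloak side further is to compare the scope string oauth2-proxy sends with the scopes the issuer advertises in its discovery document (<issuer>/.well-known/openid-configuration, the same URL oauth2-proxy derives from oidc_issuer_url). The example below is an added illustration, not code from the question or from oauth2-proxy: the discovery document it uses is a constructed sample, not the output of a real Keycloak realm, and the function names (parseScopeParam, unsupportedScopes, scopeReport) are this example's own. A scope that the issuer does not advertise is worth checking against the realm's client scope configuration; the check does not by itself prove what caused the invalid_scope error in the question.

```javascript
// Added example (not from the question above): check an oauth2-proxy style
// scope string against the scopes an OIDC issuer advertises in its discovery
// document, and flag the ones the issuer does not list.

// Constructed sample discovery document (the shape of
// <issuer>/.well-known/openid-configuration). The scope list is illustrative,
// not a real Keycloak realm's output.
const sampleDiscovery = {
  issuer: 'https://keycloak.test.dev/auth/realms/test',
  authorization_endpoint:
    'https://keycloak.test.dev/auth/realms/test/protocol/openid-connect/auth',
  scopes_supported: ['openid', 'profile', 'email', 'roles', 'offline_access'],
};

// Split the space-separated scope parameter as the proxy would send it,
// ignoring extra whitespace and duplicate entries.
function parseScopeParam(scope) {
  return [...new Set(scope.trim().split(/\s+/).filter(Boolean))];
}

// Return the requested scopes that the issuer does not advertise.
// Returns [] when every scope is supported. Throws if "openid" is missing,
// because an OIDC authorization request is invalid without it.
function unsupportedScopes(discovery, scopeParam) {
  const requested = parseScopeParam(scopeParam);
  if (!requested.includes('openid')) {
    throw new Error('scope must include "openid" for an OIDC request');
  }
  const supported = new Set(discovery.scopes_supported || []);
  return requested.filter((s) => !supported.has(s));
}

// Summarise the check the way a deployment self-test could, so a scope the
// issuer does not know about is noticed before users hit the login page.
function scopeReport(discovery, scopeParam) {
  const missing = unsupportedScopes(discovery, scopeParam);
  return missing.length === 0
    ? { ok: true, message: 'all requested scopes are advertised by the issuer' }
    : { ok: false, message: `issuer does not advertise: ${missing.join(', ')}` };
}

// Usage with the constructed document and the scope string from the question.
console.log(scopeReport(sampleDiscovery, 'openid profile email groups'));
```

In a real deployment the discovery document would be fetched from the issuer rather than embedded; the comparison logic stays the same.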

Related

Service account key is not working for submitting Hive job to Google DataProc Cluster from Intelij Idea

Getting this error in IntelliJ:
Exception in thread "main" java.util.concurrent.ExecutionException: com.google.api.gax.rpc.UnauthenticatedException: io.grpc.StatusRuntimeException: UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
at com.google.common.util.concurrent.AbstractFuture.getDoneValue(AbstractFuture.java:588)
at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:567)
at com.google.common.util.concurrent.FluentFuture$TrustedFuture.get(FluentFuture.java:91)
at com.google.common.util.concurrent.ForwardingFuture.get(ForwardingFuture.java:66)
at com.google.api.gax.longrunning.OperationFutureImpl.get(OperationFutureImpl.java:125)
Code:
import java.io.FileInputStream;
import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.api.gax.longrunning.OperationFuture;
import com.google.auth.Credentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.dataproc.v1.HiveJob;
import com.google.cloud.dataproc.v1.Job;
import com.google.cloud.dataproc.v1.JobControllerClient;
import com.google.cloud.dataproc.v1.JobControllerSettings;
import com.google.cloud.dataproc.v1.JobMetadata;
import com.google.cloud.dataproc.v1.JobPlacement;

// queryList, credentialFilePath, myEndpoint, projectId, region and clusterName
// are defined elsewhere in the poster's code.
HiveJob hiveJob = HiveJob.newBuilder()
        .setQueryList(queryList)
        .build();
// Load the service account key file that is meant to be the identity of the request.
Credentials credentials = GoogleCredentials.fromStream(new FileInputStream(credentialFilePath));
JobControllerSettings jobControllerSettings = JobControllerSettings.newBuilder()
        .setCredentialsProvider(FixedCredentialsProvider.create(credentials))
        .setEndpoint(myEndpoint)
        .build();
try (JobControllerClient jobControllerClient =
        JobControllerClient.create(jobControllerSettings)) {
    JobPlacement jobPlacement = JobPlacement.newBuilder().setClusterName(clusterName).build();
    Job job = Job.newBuilder().setPlacement(jobPlacement).setHiveJob(hiveJob).build();
    OperationFuture<Job, JobMetadata> submitJobAsOperationAsyncRequest =
            jobControllerClient.submitJobAsOperationAsync(projectId, region, job);
    Job response = submitJobAsOperationAsyncRequest.get();
}

CDK deployment API Gateway - CloudWatch Logs role ARN must be set in account settings to enable logging

If you're getting the following error when you're trying to deploy an API Gateway (in particular the Stage), you'll need to ensure you have a CloudWatch Logs role ARN set up against your account.
Blah_V1Stage (V1Stage) CloudWatch Logs role ARN must be set in account settings to enable logging (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: a855c5c5-b64b-4b22-85e8-703909b4c850)
// Import paths assume CDK v2 (aws-cdk-lib); CDK v1 used @aws-cdk/aws-iam and @aws-cdk/aws-apigateway.
import * as iam from 'aws-cdk-lib/aws-iam';
import * as apigateway from 'aws-cdk-lib/aws-apigateway';

// Role that API Gateway assumes to write execution and access logs to CloudWatch Logs.
const cloudWatchRole = new iam.Role(this, this.prefix + "_cloudwatchrole", {
    assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal("apigateway.amazonaws.com")),
    roleName: this.prefix + "_cloudwatchrole"
});
cloudWatchRole.addManagedPolicy(
    iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonAPIGatewayPushToCloudWatchLogs'));
// Account-level setting that tells API Gateway which role to use for logging.
const account = new apigateway.CfnAccount(this, "account", {
    cloudWatchRoleArn: cloudWatchRole.roleArn
});
Just as an update, if you are using the RestApi construct, you now just need to set cloudWatchRole: true in the Construct Props and CDK will do the rest.

AWS Cognito getId "Invalid login token. Issuer doesn't match providerName"

I have authenticated against a Cognito user pool, using the API "InitiateAuth" and received back an id token:
{
sub: "8aec..." ,
aud:"2gr0fdlr647skqqghtau04vuct",
iss:"https://cognito-idp.us-east-1.amazonaws.com/us-east-1_LzM42GX6Q",
....
}
Then I try to get an ID through the API "GetId":
{
AccountId: "345745834314"
IdentityPoolId: "us-east-1:fb4d5209-33b1-46e2-923a-8aa206d5c7aa"
Logins: {
"cognito-idp.us-east-1.amazonaws.com/us-east-1_LzM42GX6Q": "eyJr...."
}
}
I have set up an identity pool and correctly set the Cognito user pool as a provider. But I always get back this response from GetId:
"Invalid login token. Issuer doesn't match providerName"
I have tried also changing the provider name in the Logins list to:
https://cognito-idp.us-east-1.amazonaws.com/us-east-1_LzM42GX6Q
so it exactly matches what the token has in the iss field, but that does not solve the problem, still the same message about the issuer not matching provider name.
Any idea what I am doing wrong here?
Ok figured it out, there is actually an extra set of quotes around the provider name: "cognito-idp.us-east-1.amazonaws.com/us-east-1_LzM42GX6Q"
In the developer console it shows:
{
AccountId: "345745834314"
IdentityPoolId: "us-east-1:fb4d5209-33b1-46e2-923a-8aa206d5c7aa"
Logins: {
"cognito-idp.us-east-1.amazonaws.com/us-east-1_LzM42GX6Q": "eyJr...."
}
}
Which only has quotes around the provider name, and not other fields, which made me suspicious. I clicked "view source" to see the actual json sent and it was like this:
"\"cognito-idp.us-east-1.amazonaws.com/us-east-1_LzM42GX6Q\""
I removed the extra quotes and it works.
For me the issue was an incorrect Region value.
If you're using an Amazon provided region in a concatenated string, make sure to use the System version of it:
public static Amazon.RegionEndpoint Region = Amazon.RegionEndpoint.USEast1;
// RegionEndpoint exposes the region code as SystemName ("us-east-1"), not DisplayName.
string providerUrl = "cognito-idp." + Region.SystemName + ".amazonaws.com/us-east-1_XYZ1234";
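The two answers above both come down to the Logins key not being byte-for-byte equal to the token's issuer minus its scheme. The example below is an added illustration, not code from the question or the answers: it derives the expected key from a user pool ID token and explains why a given GetId request body will fail. The token it builds is a constructed, unsigned sample (signature verification is Cognito's job when GetId is called; the decoding here is for inspection only), the user pool ID and identity pool ID are placeholders, and the function names (decodeJwtPayload, expectedLoginsKey, checkLogins, makeSampleIdToken) are this example's own.

```javascript
// Added example (not from the question or answers above): derive the Cognito
// identity-pool Logins key from a user-pool ID token and check that the key
// actually used matches it, catching the two mistakes discussed above: a key
// that still carries the "https://" scheme, and a key wrapped in a second
// pair of quotes.

// Decode the payload of a JWT for inspection only. This does not verify the
// signature; Cognito verifies the token when GetId is called.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// The Logins key for a Cognito user pool is the issuer without its scheme:
// "cognito-idp.<region>.amazonaws.com/<userPoolId>".
function expectedLoginsKey(idToken) {
  const { iss } = decodeJwtPayload(idToken);
  if (typeof iss !== 'string' || !iss.startsWith('https://')) {
    throw new Error('token has no https issuer');
  }
  return iss.slice('https://'.length);
}

// Inspect a GetId request body and explain why the Logins key will not match.
// Returns { ok: true } or { ok: false, reason }.
function checkLogins(request) {
  const keys = Object.keys(request.Logins || {});
  if (keys.length !== 1) return { ok: false, reason: 'expected exactly one Logins entry' };
  const key = keys[0];
  const expected = expectedLoginsKey(request.Logins[key]);
  if (key === expected) return { ok: true };
  if (key.replace(/^"|"$/g, '') === expected) {
    return { ok: false, reason: 'Logins key is wrapped in an extra pair of quotes' };
  }
  if (key === `https://${expected}`) {
    return { ok: false, reason: 'Logins key must not include the https:// scheme' };
  }
  return { ok: false, reason: `Logins key "${key}" does not match issuer key "${expected}"` };
}

// Constructed, unsigned sample token with the claim layout the question shows.
function makeSampleIdToken(iss) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc({ sub: '8aec', aud: 'sample-client', iss })}.sig`;
}

// Placeholder user pool; the identity pool ID below is a placeholder too.
const ISSUER = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE';
const token = makeSampleIdToken(ISSUER);
// Reproduces the double-quoted key from the accepted answer.
console.log(checkLogins({
  IdentityPoolId: 'us-east-1:example-pool',
  Logins: { ['"cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"']: token },
}));
```

Building the key from the token's own iss claim, as expectedLoginsKey does, avoids hand-assembling the string from a region constant, which is where the second answer's mistake came from.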

No HD claim in token response

Following the docs on how to restrict sign in to G Suite domains, it says to verify the ID tokens 'hd' claims, and the existence thereof.
I have the following specified in my Firebase Auth UI config client side:
signInOptions: [
{
provider: firebase.auth.GoogleAuthProvider.PROVIDER_ID,
customParameters: { hd: "*" }
},
...
],
Which correctly show the login options for all G Suite domains. But when checking the idToken server side with admin.auth().verifyIdToken(token) the response returned does not include a hd claim. Can someone point me in the right direction here?
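Whatever the reason the claim is absent in this particular setup, the server-side policy the docs describe is the same: reject any token whose hd claim is missing or names a domain outside the allowed list. The example below is an added illustration, not code from the question or from Firebase: it assumes a claims object with the shape a verifier such as admin.auth().verifyIdToken() returns, leaves signature and expiry checks to that verifier, and uses constructed sample claims and function names (assertHostedDomain, isAllowedHostedDomain) of its own.

```javascript
// Added example (not from the question above): server-side check on the
// decoded claims of an already verified ID token, enforcing that the hd
// (hosted domain) claim is present and names an allowed Google Workspace
// domain. The claims object is assumed to have the shape a verifier such as
// admin.auth().verifyIdToken() returns; signature and expiry are that
// verifier's job, this function only applies the domain policy.
function assertHostedDomain(claims, allowedDomains) {
  const allowed = new Set(allowedDomains.map((d) => d.toLowerCase()));
  if (allowed.size === 0) throw new Error('allowedDomains must not be empty');
  // Passing hd as a sign-in parameter only hints to the account chooser; the
  // issued token must still be checked. A missing claim is treated as a
  // non-hosted account and rejected rather than silently allowed.
  if (typeof claims.hd !== 'string' || claims.hd.length === 0) {
    throw new Error('ID token has no hd claim; account is not a hosted-domain account');
  }
  const hd = claims.hd.toLowerCase();
  if (!allowed.has(hd)) {
    throw new Error(`hosted domain ${hd} is not allowed`);
  }
  // The email, when present, must belong to the same hosted domain.
  if (typeof claims.email === 'string' && !claims.email.toLowerCase().endsWith(`@${hd}`)) {
    throw new Error('email domain does not match hd claim');
  }
  return hd;
}

// Boolean wrapper for callers that prefer not to handle exceptions.
function isAllowedHostedDomain(claims, allowedDomains) {
  try {
    assertHostedDomain(claims, allowedDomains);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample claims, not real tokens.
const workspaceClaims = { sub: '1', email: 'alice@example.com', email_verified: true, hd: 'example.com' };
const consumerClaims = { sub: '2', email: 'bob@gmail.com', email_verified: true };
console.log(isAllowedHostedDomain(workspaceClaims, ['example.com'])); // true
console.log(isAllowedHostedDomain(consumerClaims, ['example.com']));  // false
```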

Google OAuth not working out the box in react-native-app-auth

This code is from the Google OAuth example.
import { authorize } from 'react-native-app-auth';

const config = {
  issuer: 'https://accounts.google.com',
  clientId: 'GOOGLE_OAUTH_APP_GUID.apps.googleusercontent.com',
  redirectUrl: 'com.googleusercontent.apps.GOOGLE_OAUTH_APP_GUID:/oauth2redirect/google',
  scopes: ['openid', 'profile']
};

// Log in to get an authentication token (authorize returns a promise, so it is awaited inside an async function)
async function signIn() {
  const authState = await authorize(config);
  return authState;
}
However, after signing in and being redirected to the app, I get an error:
client_secret is missing
Adding clientSecret to the config fixes the problem on iOS. However, on android, adding clientSecret does not allow me to log in with google and instead loads this error page saying that client_secret is not allowed.
So it's a little bit of a catch-22. If I provide the clientSecret, I get an invalid request error from google and can't authenticate. If I don't provide it, I get "client_secret is missing" error after authenticating.
Add the SHA1 key in Firebase and make sure a support email is present.
Put the following in the config:
clientSecret: 'YOUR_SECRET_KEY',