Unable to find a valid CSRF token with Keycloak Authentication Switching From Dex #2664
Comments
@zenarcher007: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Maybe @kromanow94 can help
/kind question
Question:
I am trying to switch authentication completely from using Dex to using KeyCloak. After logging in through KeyCloak, I am redirected back to https://kubeflow.mydomain.org/oauth2/callback?state=[160_chars_omitted]&session_state=77a15975-fa55-496e-8769-d0e45ff624bf&iss=https%3A%2F%2Fmain.mydomain.org%2Fauth%2Frealms%2Fmaster&code=[110_chars_omitted], where it says "Error while loading CSRF cookie: http: named cookie not present" in the oauth2-proxy pod logs.
I am aware that in the README of istio-external-auth, it states that oauth2-proxy looks for a cookie named "oauth2_proxy_kubeflow". I notice that a cookie called "oidc_state_csrf" is created in the browser after logging in, although the same behavior is observed even when renaming it to "oauth2_proxy_kubeflow" in the browser. At this point, I am not sure what is causing this issue.
Note: based on this issue, I have tried the --cookie-csrf-per-request=true and --cookie-csrf-expire=5m options, along with --cookie-secure=true (yaml form), none of which changed this.
From the oauth2-proxy pod log:
My current setup:
Configuration
File: manifests/common/oidc-client/oidc-authservice/base/params.env:
File: manifests/common/oidc-client/oidc-authservice/base/secret_params.env:
CLIENT_ID=kubeflow
CLIENT_SECRET=<my_keycloak_generated_secret>
File: manifests/common/oidc-client/oauth2-proxy/base/kustomization.yaml
File: manifests/common/oidc-client/oauth2-proxy/components/istio-external-auth/kustomization.yaml
File: manifests/common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml
Network path from Firefox:
https://main.mydomain.org/auth/realms/master/protocol/openid-connect/auth?client_id=kubeflow&redirect_uri=https%3A%2F%2Fkubeflow.knoxds.org%2Foauth2%2Fcallback&response_type=code&scope=openid+acr+address+email+microprofile-jwt+offline_access+phone+profile+roles+web-origins&state=MTcxMTk0NDY0N3xOd3dBTkVsWlJsZEVTMUJGUjFsRFJVcEpTVFpPV1V4U01sUkhTVTVPTmpkVVFVNDNURWd5VUZReldsZEJVRXRSUlVWUE5FOUlRa0U9fIFkV4ZOKtDawkCocUHXiQLGf3CIsCZmBVsx8-xj6JnA
https://main.mydomain.org/auth/realms/master/login-actions/authenticate?session_code=HZUik4W9zB76cd2j28AvOFsXGuNGqLuiZj-r5QG0I4A&execution=97e7b76a-90a2-4de8-b2ae-edbbc0f8d21a&client_id=kubeflow&tab_id=34CDD_rjOpg
https://kubeflow.mydomain.org/oauth2/callback?state=MTcxMTk0NDY0N3xOd3dBTkVsWlJsZEVTMUJGUjFsRFJVcEpTVFpPV1V4U01sUkhTVTVPTmpkVVFVNDNURWd5VUZReldsZEJVRXRSUlVWUE5FOUlRa0U9fIFkV4ZOKtDawkCocUHXiQLGf3CIsCZmBVsx8-xj6JnA&session_state=133b466c-6d49-4e1b-8886-c1f1630f2425&iss=https%3A%2F%2Fmain.mydomain.org%2Fauth%2Frealms%2Fmaster&code=af416245-40f8-4a04-85ad-0408460e709b.133b466c-6d49-4e1b-8886-c1f1630f2425.4dd21bf3-bbf5-4734-8de5-46329c4dddf0
https://main.mydomain.org/auth/realms/master/protocol/openid-connect/auth?client_id=kubeflow&redirect_uri=https%3A%2F%kubeflow.mydomain.org%2Foauth2%2Fcallback&response_type=code&scope=openid+acr+address+email+microprofile-jwt+offline_access+phone+profile+roles+web-origins&state=MTcxMTk0NDY1MnxOd3dBTkVrMldWWldXRlZUUmxoTFExUkRSbGd5V1VOSFJGaEpRVXBGTlZwYVQxRkdTMGxFV2swME16WlRUVTlUVUVoRE5WVXpRbEU9fLVBVjtueQY7Yf_akLheNmfMBWeme_2PZZdJDFTLq_xL
(NS_ERROR_FAILURE)