Authenticated in KeyCloak, yet not Authorized #36

Open
TobenderZephyr opened this issue Aug 21, 2020 · 6 comments
Comments

@TobenderZephyr

Before I dive too deep into this matter, I want to apologize beforehand that I stumbled on KeyCloak, and therefore your project, by accident. I have not yet dug deep enough to know whether these projects would exactly fit my needs or whether I am doing it all wrong.

My setup currently consists of three different Docker hosts (no swarm), each running one of: keycloak + traefik, traefik-forward-auth + traefik, application + traefik. The plan was to have the application run in a LAN environment (or wherever), while the forward-auth host is inside a DMZ allowing only HTTP/HTTPS plus outgoing LDAP for authentication against Active Directory.
The KeyCloak server could either be inside the same DMZ or internal; where it makes the most sense is yet to be decided.

I followed your instructions in #1 and made a few changes here and there to fit my needs.
Now I am at a point where I am unable to progress, because I tried so much beforehand and this is the furthest I achieved.

When I hit the whoami page, I will get redirected to the KeyCloak login page by traefik-forward-auth. After entering username+password, I get redirected again to traefik-forward-auth with /_oauth?.

Yet I receive 401 Not Authenticated. Inspecting the Browser Cookies (F12) I don't see anything in the list.

This is the output of the debug log. I believe the error message appeared after building the latest version (the Dockerhub image is 6 months old):

time="2020-08-20T20:40:56Z" level=debug msg="Handling callback" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] Accept-Encoding:[gzip, deflate, br] Accept-Language:[de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7] Cookie:[_forward_auth=JVeFDoXTziwDqQVRie7f0BTWWvEykUz0EcB4d1vkphc=|1597978340|<user-email>; _forward_auth_name=\"Marcus Netz\"; _forward_auth_claims=MTU5NzkzNTE0MHxEdi1CQkFFQ180SUFBUkFCRUFBQUt2LUNBQUVHYzNSeWFXNW5EQWdBQm1keWIzVndjd2hiWFhOMGNtbHVaXy1EQWdFQ180UUFBUXdBQUFYX2hBSUFBQT09fC67IXEzpPk-NYaNXp9rA8oHssDd0XMwpAuDClyWFiCq; _forward_auth_csrf=c14e6a963f9feebe255ca56b9b2e53da] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.127 Safari/537.36] X-Forwarded-For:[172.25.217.3] X-Forwarded-Host:[auth.<example.com>] X-Forwarded-Method:[GET] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[653a6f2df7e7] X-Forwarded-Uri:[/_oauth?state=3e34e70914815040fcc8d9048c838a12%3Ahttp%3A%2F%2Fauth.<example.com>%2F&session_state=65813182-46c8-4ef1-820c-450466d3a9fc&code=a4b90e68-5e06-42ef-a08b-c40e41bea54f.65813182-46c8-4ef1-820c-450466d3a9fc.dd176887-3e47-4319-8337-44b68b520582] X-Real-Ip:[172.25.217.3]]" rule=default source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=warning msg="Error validating CSRF cookie: CSRF cookie does not match state" source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=debug msg="Authenticate request" headers="map[Accept:[image/webp,image/apng,image/*,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br] Accept-Language:[de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7] Cookie:[_forward_auth=JVeFDoXTziwDqQVRie7f0BTWWvEykUz0EcB4d1vkphc=|1597978340|<user email>; _forward_auth_name=\"Marcus Netz\"; _forward_auth_claims=MTU5NzkzNTE0MHxEdi1CQkFFQ180SUFBUkFCRUFBQUt2LUNBQUVHYzNSeWFXNW5EQWdBQm1keWIzVndjd2hiWFhOMGNtbHVaXy1EQWdFQ180UUFBUXdBQUFYX2hBSUFBQT09fC67IXEzpPk-NYaNXp9rA8oHssDd0XMwpAuDClyWFiCq; _forward_auth_csrf=c14e6a963f9feebe255ca56b9b2e53da] Referer:[https://auth.<example.com>/_oauth?state=3e34e70914815040fcc8d9048c838a12%3Ahttp%3A%2F%2Fauth.<example.com>%2F&session_state=65813182-46c8-4ef1-820c-450466d3a9fc&code=a4b90e68-5e06-42ef-a08b-c40e41bea54f.65813182-46c8-4ef1-820c-450466d3a9fc.dd176887-3e47-4319-8337-44b68b520582] Sec-Fetch-Dest:[image] Sec-Fetch-Mode:[no-cors] Sec-Fetch-Site:[same-origin] User-Agent:[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.127 Safari/537.36] X-Forwarded-For:[172.25.217.3] X-Forwarded-Host:[auth.<example.com>] X-Forwarded-Method:[GET] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[653a6f2df7e7] X-Forwarded-Uri:[/favicon.ico] X-Real-Ip:[172.25.217.3]]" rule=default source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=error msg="error getting groups from session: error getting session: securecookie: error - caused by: crypto/aes: invalid key size 0" source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=warning msg="Non-HTML request: image/webp,image/apng,image/*,*/*;q=0.8" source_ip=172.25.217.3

This is my setup:

traefik-forward-auth:

version: '3'
services:
  auth-proxy:
    container_name: auth-proxy
    build: /opt/sources/traefik-forward-auth
    image: mesosphere/traefik-forward-auth
    environment:
      CLIENT_ID: auth-proxy-internal
      CLIENT_SECRET: 51cfe608-6b1a-4698-9d15-02cbca2811ff
      PROVIDER_URI: https://<keycloak>/auth/realms/Internal
      SECRET: 554034e6a2da367916f11b73d385ac99
      AUTH_HOST: auth.<example.com>
      INSECURE_COOKIE: 'true'
      CSRF_COOKIE_NAME: '_forward_auth_csrf'
      LOG_LEVEL: debug
    networks:
      - proxy
    restart: unless-stopped
    volumes:
      - /etc/ssl/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.address=http://auth-proxy:4181/"
      - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.routers.auth-proxy.rule=Host(`auth.<example.com>`)"
      - "traefik.http.routers.auth-proxy.entrypoints=http"
      - "traefik.http.routers.auth-proxy.middlewares=forward-auth"
      - "traefik.http.services.auth-proxy.loadbalancer.server.port=4181"
      - "traefik.http.routers.auth-proxy-secure.entrypoints=https"
      - "traefik.http.routers.auth-proxy-secure.rule=Host(`auth.<example.com>`)"
      - "traefik.http.routers.auth-proxy-secure.middlewares=forward-auth"
      - "traefik.http.routers.auth-proxy-secure.tls=true"
      - "traefik.docker.network=proxy"

networks:
  proxy:
    external: true

whoami:

version: '3'
services:
  test:
    image: mendhak/http-https-echo
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.address=https://auth.<example.com>/"
      - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.test.loadbalancer.server.port=80"
      - "traefik.http.routers.test.entrypoints=http"
      - "traefik.http.routers.test.rule=Host(`whoami.<example.local>`)"
      - "traefik.http.routers.test.middlewares=forward-auth"
      - "traefik.docker.network=proxy"

networks:
  proxy:
    external: true

I guess it comes down to normal Docker Networking now and avoiding traefik at a certain point, so proxy headers won't get mixed up.

Any help on this is appreciated,

Thanks
Marcus
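The "Error validating CSRF cookie: CSRF cookie does not match state" warning in the debug log above is the forward-auth proxy refusing to complete the OAuth callback because the nonce carried in the state parameter does not equal the _forward_auth_csrf cookie the browser sent. The following is an added example of that check, not code from traefik-forward-auth. It assumes the state layout visible in the log's X-Forwarded-Uri (`<nonce>:<redirect>`, URL-encoded), uses the nonce and cookie values from the log as constructed input, and substitutes `auth.example.com` for the redacted `auth.<example.com>` host.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed from the "Handling callback" log line above: the raw state
// query parameter and the _forward_auth_csrf cookie value the browser sent.
// The redacted host auth.<example.com> is replaced with auth.example.com.
const (
	loggedState      = "3e34e70914815040fcc8d9048c838a12%3Ahttp%3A%2F%2Fauth.example.com%2F"
	loggedCSRFCookie = "c14e6a963f9feebe255ca56b9b2e53da"
)

// ParseState splits a state value of the form "<nonce>:<redirect>" (the
// layout seen in the log; assumed here, not taken from the project source).
// The nonce is everything before the first ':'; the rest is the URL the
// user is sent to after login.
func ParseState(raw string) (nonce, redirect string, err error) {
	decoded, err := url.QueryUnescape(raw)
	if err != nil {
		return "", "", fmt.Errorf("state is not URL-encoded: %w", err)
	}
	i := strings.IndexByte(decoded, ':')
	if i <= 0 {
		return "", "", errors.New("state must look like <nonce>:<redirect>")
	}
	return decoded[:i], decoded[i+1:], nil
}

// ValidateCSRF binds the IdP callback to the browser that started the flow:
// the nonce inside state must equal the CSRF cookie that was set when the
// user was redirected to the IdP. A constant-time compare avoids leaking how
// many leading bytes matched. On success the redirect target is returned.
func ValidateCSRF(cookie, state string) (redirect string, err error) {
	nonce, redirect, err := ParseState(state)
	if err != nil {
		return "", err
	}
	if cookie == "" {
		return "", errors.New("CSRF cookie missing")
	}
	if subtle.ConstantTimeCompare([]byte(nonce), []byte(cookie)) != 1 {
		return "", errors.New("CSRF cookie does not match state")
	}
	return redirect, nil
}

func main() {
	// The values from the log: nonce 3e34e7... vs cookie c14e6a..., so the
	// callback is rejected, exactly as the warning line reports.
	if _, err := ValidateCSRF(loggedCSRFCookie, loggedState); err != nil {
		fmt.Println("rejected:", err)
	}
	// A cookie that matches the nonce is accepted and yields the redirect.
	if r, err := ValidateCSRF("3e34e70914815040fcc8d9048c838a12", loggedState); err == nil {
		fmt.Println("accepted, redirect to", r)
	}
}
```

Run as-is it prints the rejection for the logged pair and the accepted redirect for a matching one. The practical reading of the warning is that the cookie set at the start of the flow was not the one presented at `/_oauth`; which host or path scoping causes that in this setup is not something the log alone settles.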

@thmo

thmo commented Mar 22, 2022

error - caused by: crypto/aes: invalid key size 0

I think you need to pass --encryption-key or set ENCRYPTION_KEY.

@tgerakitis

Here is a working example docker-compose.yml:

version: '2.4'
networks:
  web:
    external: true
    
services:
  traefik:
    image: traefik
    command:
      - "--accesslog"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - 80:80
    networks:
      - web
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    labels:
      traefik.enable: true
      traefik.docker.network: web
      #v2
      traefik.http.routers.traefik.rule: Host(`traefik.localtest.me`)
      traefik.http.services.traefik.loadbalancer.server.port: 8080

  whoami:
    image: traefik/whoami
    networks:
      - web
    labels:
      traefik.enable: true
      traefik.docker.network: web
      #v2
      traefik.http.routers.php-test-router.rule: Host(`whoami.localtest.me`)
      traefik.http.services.php-test-service.loadbalancer.server.port: 80
      traefik.http.routers.php-test-router.middlewares: traefik-forward-auth-middleware

  traefik-forward-auth:
    image: mesosphere/traefik-forward-auth:3.1.0
    networks:
      - web
      - default
    environment:
      #options https://github.com/mesosphere/traefik-forward-auth/blob/master/internal/configuration/config.go
      INSECURE_COOKIE: 1
      ENCRYPTION_KEY: 45659373957778734945638459467936 #32 character encryption key
      COOKIE_DOMAIN: whoami.localtest.me
      SCOPE: profile email openid # scope openid is necessary for keycloak...
      SECRET: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      PROVIDER_URI: https://my-keycloak.com/auth/realms/my-realm
      CLIENT_ID: myclient
      CLIENT_SECRET: mysecret
      LOG_LEVEL: debug
    labels:
      traefik.enable: true
      traefik.docker.network: web
      traefik.http.services.traefik-forward-auth.loadbalancer.server.port: 4181
      traefik.http.routers.traefik-forward-auth.entrypoints: web
      traefik.http.routers.traefik-forward-auth.rule: Path(`/_oauth`)
      traefik.http.routers.traefik-forward-auth.middlewares: traefik-forward-auth
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.address: http://traefik-forward-auth:4181
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.authResponseHeaders: X-Forwarded-User
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.trustForwardHeader: "true"

@suikast42

COOKIE_DOMAIN: whoami.localtest.me

I tried with the wildcard *.localtest.me, which doesn't work, but without the dot it works: *localtest.me 😕

@arulrajnet

I am using the latest (22.00) keycloak with this config and am getting the following error:

time="2023-08-13T17:48:57Z" level=error msg="error generating secure session cookie: securecookie: error - caused by: crypto/aes: invalid key size 22" source_ip=172.27.0.1

To generate the cookie it uses the github.com/gorilla/securecookie module.

Refer

logger.Errorf("error generating secure session cookie: %v", err)

Refer

encoded, err := a.secureCookie.Encode(a.config.CookieName, data)

Refer https://go.dev/src/crypto/aes/cipher.go#25

The error crypto/aes: invalid key size 22 coming from cipher.go.

How to fix this?

@HWiese1980

Anyone around here, who can shed some light upon this? I'm having the same issues. I can't find a valid key size. What is a valid key size anyway? How do I generate a valid key?

@thmo

thmo commented Oct 27, 2023

In my config, I have a SECRET with a length of 32 chars, and an --encryption-key with a length of 16 chars.

They can be generated, e.g., with pwgen 32 1 and pwgen 16 1, respectively.
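Both errors in this thread ("invalid key size 0" when ENCRYPTION_KEY is unset, "invalid key size 22" when it has the wrong length) come from crypto/aes rejecting the block key that gorilla/securecookie is handed: AES only accepts keys of 16, 24 or 32 bytes, and the environment string is used byte for byte, so its character count is what matters. The example below is added here to make that check and a safe way to produce a key concrete; it is not code from traefik-forward-auth or securecookie. The functions ValidateEncryptionKey, ValidateSecret and NewEncryptionKey are illustrative names, the 32-byte minimum for SECRET is an assumption based on securecookie's documented recommendation of 32 or 64 bytes for the HMAC key, and the sample keys are constructed (the 32-digit one is the value from the compose file earlier in the thread).

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ValidateEncryptionKey reproduces the check that fails inside securecookie:
// building an AES cipher from the block key. crypto/aes accepts exactly
// 16, 24 or 32 bytes (AES-128/192/256) and otherwise returns
// "crypto/aes: invalid key size N", where N is the byte length given.
func ValidateEncryptionKey(key string) error {
	_, err := aes.NewCipher([]byte(key))
	return err
}

// ValidateSecret checks the HMAC key (SECRET). securecookie's documentation
// recommends 32 or 64 bytes; enforcing a 32-byte minimum is this example's
// own choice, not a rule from the project.
func ValidateSecret(secret string) error {
	if len(secret) < 32 {
		return fmt.Errorf("SECRET is %d bytes, want at least 32", len(secret))
	}
	return nil
}

// NewEncryptionKey draws n random bytes and hex-encodes them, yielding a
// 2n-character ENCRYPTION_KEY. Because the proxy uses the bytes of the
// string, only n = 8, 12 or 16 produce a length AES accepts. Hex halves the
// entropy per character, so n = 16 (32 characters, 128 random bits under
// AES-256) is the sensible default; the 16-character option mentioned above
// corresponds to n = 8 with only 64 random bits.
func NewEncryptionKey(n int) (string, error) {
	if n != 8 && n != 12 && n != 16 {
		return "", fmt.Errorf("n=%d would give a %d-character key, which AES rejects", n, 2*n)
	}
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	// Constructed samples: unset, a 22-character value, and the 32-digit
	// key from the working compose file above.
	for _, k := range []string{"", "abcdefghijklmnopqrstuv", "45659373957778734945638459467936"} {
		fmt.Printf("ENCRYPTION_KEY of %2d bytes: %v\n", len(k), ValidateEncryptionKey(k))
	}
	key, err := NewEncryptionKey(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("generated ENCRYPTION_KEY:", key, "valid:", ValidateEncryptionKey(key) == nil)
}
```

Run stand-alone this prints the same two error strings quoted in the thread for the 0- and 22-byte inputs and nil for the 32-byte one. A key checked this way at container start would turn the late "error getting session" failure into an immediate, obvious misconfiguration error.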
