Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

OIDC authentication - session not persists issue

See original GitHub issue

I’m trying to implement Google OIDC authentication on an existing amundsen. All the micro services (search, metadata, frontend) are deployed with helm on AWS EKS and, without authentication, it works. But when I enable OIDC, as you’ll see below, session information does not persist and frontend starts showing a “Something went wrong…” message.

Here’s the related logs from frontend. (sensitive info replaced with arbitrary number of *'s + I put the ‘test_data’ in session for debugging purposes)

2021-08-13T17:23:20+09:00 /usr/local/lib/python3.7/site-packages/flask/json/__init__.py:179: DeprecationWarning: Importing 'itsdangerous.json' is deprecated and will be removed in ItsDangerous 2.1. Use Python's 'json' module instead.
2021-08-13T17:23:20+09:00   rv = _json.dumps(obj, **kwargs)
2021-08-13T17:23:20+09:00 /usr/local/lib/python3.7/site-packages/flask/json/__init__.py:205: DeprecationWarning: Importing 'itsdangerous.json' is deprecated and will be removed in ItsDangerous 2.1. Use Python's 'json' module instead.
2021-08-13T17:23:20+09:00   return _json.loads(s, **kwargs)
2021-08-13T17:23:20+09:00 2021-08-13T08:23:20+0000.168 [DEBUG] __init__._before_request:23 (11:MainThread) - Whitelisted Endpoint: status,healthcheck,health,logout
2021-08-13T17:23:20+09:00 2021-08-13T08:23:20+0000.169 [ERROR] models._fetch_token:88 (11:MainThread) - Calling _fetch_token(name=google)...
2021-08-13T17:23:20+09:00 2021-08-13T08:23:20+0000.169 [ERROR] models._fetch_token:92 (11:MainThread) - <SecureCookieSession {'test_data': 'test data', 'user': {'__id': '*****@*************.com', 'at_hash': '**************', 'aud': '***********************', 'azp': '*****************', 'display_name': '******************', 'email': '*****************', 'email_verified': True, 'exp': 1628846069, 'family_name': '******', 'given_name': '***********', 'hd': '***************, 'iat': 1628842469, 'iss': 'https://accounts.google.com', 'locale': 'en', 'name': '************', 'nonce': '*************', 'picture': '****************', 'profile_url': '', 'sub': '**********', 'user_id': '*****************'}}>
2021-08-13T17:23:32+09:00 /usr/local/lib/python3.7/site-packages/flask/json/__init__.py:179: DeprecationWarning: Importing 'itsdangerous.json' is deprecated and will be removed in ItsDangerous 2.1. Use Python's 'json' module instead.
2021-08-13T17:23:32+09:00   rv = _json.dumps(obj, **kwargs)
2021-08-13T17:23:32+09:00 /usr/local/lib/python3.7/site-packages/flask/json/__init__.py:179: DeprecationWarning: Importing 'itsdangerous.json' is deprecated and will be removed in ItsDangerous 2.1. Use Python's 'json' module instead.
2021-08-13T17:23:32+09:00   rv = _json.dumps(obj, **kwargs)
2021-08-13T17:23:32+09:00 /usr/local/lib/python3.7/site-packages/flask/json/__init__.py:179: DeprecationWarning: Importing 'itsdangerous.json' is deprecated and will be removed in ItsDangerous 2.1. Use Python's 'json' module instead.
2021-08-13T17:23:32+09:00   rv = _json.dumps(obj, **kwargs)
2021-08-13T17:23:32+09:00 2021-08-13T08:23:32+0000.720 [DEBUG] __init__._before_request:23 (10:MainThread) - Whitelisted Endpoint: status,healthcheck,health,logout
2021-08-13T17:23:32+09:00 2021-08-13T08:23:32+0000.720 [ERROR] models._fetch_token:88 (10:MainThread) - Calling _fetch_token(name=google)...
2021-08-13T17:23:32+09:00 2021-08-13T08:23:32+0000.720 [ERROR] models._fetch_token:92 (10:MainThread) - <SecureCookieSession {'test_data': 'test data'}>
2021-08-13T17:23:32+09:00 2021-08-13T08:23:32+0000.721 [ERROR] models._fetch_token:100 (10:MainThread) - 'user'
2021-08-13T17:23:32+09:00 2021-08-13T08:23:32+0000.721 [ERROR] __init__._before_request:59 (10:MainThread) - User not logged in, redirecting to auth
2021-08-13T17:23:32+09:00 Traceback (most recent call last):
2021-08-13T17:23:32+09:00   File "/usr/local/lib/python3.7/site-packages/flaskoidc/models.py", line 94, in _fetch_token
2021-08-13T17:23:32+09:00     user_id=session["user"]["__id"],
2021-08-13T17:23:32+09:00   File "/usr/local/lib/python3.7/site-packages/flask/sessions.py", line 83, in __getitem__
2021-08-13T17:23:32+09:00     return super(SecureCookieSession, self).__getitem__(key)
2021-08-13T17:23:32+09:00 KeyError: 'user'

My suspicions are:

Google OIDC has different specs, for example, in my setup, OAuth2Token (flaskoidc) saves access token, refresh token and such, instead of name or user_id. So I tweaked the flaskoidc lib to authenticate the current session user using some google apis, but still the error persists.
Metadata also produces suspicious logs. Except the healthcheck signals, it always returns 302. Is it meant to work like this? I’m not sure.

Expected Behavior

meant to work out of the box?

Current Behavior

frontend shows ‘something went wrong’ messages after login when hooked with google oidc

Possible Solution

Steps to Reproduce

deploy amundsen using the helm chart in gith repo using frontend-oidc: 3.11.1, metadata-oidc: 3.5.0, search:2.5.1 with flask OIDC env variables for Google oidc