Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
ambassador and oidc (identity server 4)
See original GitHub issueReference https://github.com/travisghansen/external-auth-server/issues/16#issuecomment-515455702
Here are my eas logs (basically empty):
kubectl logs eas-external-auth-server-7479497c4c-lfr2q
> external-auth-server@0.1.0 start /home/eas/app
> node --nouse-idle-notification --expose-gc --max-old-space-size=8192 src/server.js
{"service":"external-auth-server","level":"debug","message":"cache opts: {\"store\":\"memory\",\"max\":0,\"ttl\":0}"}
{"service":"external-auth-server","level":"info","message":"revoked JTIs: []"}
{"service":"external-auth-server","level":"info","message":"starting server on port 8080"}
Could it be that token is wrong in a way and that’s why ambassador can’t talk to eas service?
here is my token config:
const jwt = require("jsonwebtoken");
const utils = require("../src/utils");
const config_token_sign_secret =
process.env.EAS_CONFIG_TOKEN_SIGN_SECRET ||
utils.exit_failure("missing EAS_CONFIG_TOKEN_SIGN_SECRET env variable");
const config_token_encrypt_secret =
process.env.EAS_CONFIG_TOKEN_ENCRYPT_SECRET ||
utils.exit_failure("missing EAS_CONFIG_TOKEN_ENCRYPT_SECRET env variable");
let config_token = {
/**
* future feature: allow blocking certain token IDs
*/
//jti: <some known value>
/**
* using the same aud for multiple tokens allows sso for all services sharing the aud
*/
//aud: "some application id", //should be unique to prevent cookie/session hijacking, defaults to a hash unique to the whole config
eas: {
plugins: [{
type: "oidc",
issuer: {
/**
* via discovery (takes preference)
*/
discover_url: "https://dev.hal24k.nl/.well-known/openid-configuration",
/**
* via manual definition
*/
//issuer: 'https://accounts.google.com',
//authorization_endpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
//token_endpoint: 'https://www.googleapis.com/oauth2/v4/token',
//userinfo_endpoint: 'https://www.googleapis.com/oauth2/v3/userinfo',
//jwks_uri: 'https://www.googleapis.com/oauth2/v3/certs',
},
client: {
/**
* manually defined (preferred)
*/
client_id: "k8s_ambassador",
client_secret: "secretsecret"
/**
* via client registration
*/
//registration_client_uri: "",
//registration_access_token: "",
},
scopes: ["openid", "email", "profile"], // must include openid
/**
* static redirect URI
* if your oauth provider does not support wildcards place the URL configured in the provider (that will return to this proper service) here
*/
redirect_uri: "https://eas.hal24k.nl:8443/oauth/callback",
features: {
/**
* how to expire the cookie
* true = cookies expire will expire with tokens
* false = cookies will be 'session' cookies
* num seconds = expire after given number of seconds
*/
cookie_expiry: false,
/**
* how frequently to refresh userinfo data
* true = refresh with tokens (assuming they expire)
* false = never refresh
* num seconds = expire after given number of seconds
*/
userinfo_expiry: true,
/**
* how long to keep a session (server side) around
* true = expire with tokenSet (if applicable)
* false = never expire
* num seconds = expire after given number of seconds (enables sliding window)
*
* sessions become a floating window *if*
* - tokens are being refreshed
* or
* - userinfo being refreshed
* or
* - session_expiry_refresh_window is a positive number
*/
session_expiry: true,
/**
* window to update the session window based on activity if
* nothing else has updated it (ie: refreshing tokens or userinfo)
*
* should be a positive number less than session_expiry
*
* For example, if session_expiry is set to 60 seconds and session_expiry_refresh_window value is set to 20
* then activity in the last 20 seconds (40-60) of the window will 'slide' the window
* out session_expiry time from whenever the activity occurred
*/
session_expiry_refresh_window: 86400,
/**
* will re-use the same id (ie: same cookie) for a particular client if a session has expired
*/
session_retain_id: true,
/**
* if the access token is expired and a refresh token is available, refresh
*/
refresh_access_token: true,
/**
* fetch userinfo and include as X-Userinfo header to backing service
*/
fetch_userinfo: true,
/**
* check token validity with provider during assertion process
*/
introspect_access_token: false,
/**
* which token (if any) to send back to the proxy as the Authorization Bearer value
* note the proxy must allow the token to be passed to the backend if desired
*
* possible values are id_token, access_token, or refresh_token
*/
authorization_token: "id_token"
},
assertions: {
/**
* assert the token(s) has not expired
*/
exp: true,
/**
* assert the 'not before' attribute of the token(s)
*/
nbf: true,
/**
* assert the correct issuer of the token(s)
*/
iss: true,
/**
* custom userinfo assertions
*/
userinfo: [
// {
// ...
// see ASSERTIONS.md for details
// },
// {
// ...
// }
],
/**
* custom id_token assertions
*/
id_token: [
// {
// ...
// see ASSERTIONS.md for details
// },
// {
// ...
// }
]
},
cookie: {
//name: "_my_company_session",//default is _oeas_oauth_session
//domain: "example.com", //defaults to request domain, could do sso with more generic domain
//path: "/",
},
// see HEADERS.md for details
headers: {},
},], // list of plugin definitions, refer to PLUGINS.md for details
}
};
config_token = jwt.sign(config_token, config_token_sign_secret);
const conifg_token_encrypted = utils.encrypt(
config_token_encrypt_secret,
config_token
);
//console.log("token: %s", config_token);
//console.log("");
console.log("encrypted token (for server-side usage): %s", conifg_token_encrypted);
console.log("");
console.log(
"URL safe config_token: %s",
encodeURIComponent(conifg_token_encrypted)
);
console.log("");
Issue Analytics
- State:
- Created 4 years ago
- Comments:24 (24 by maintainers)
Top Results From Across the Web
Implementing Authentication with the Ambassador API Gateway
How Ambassador Integrates with OAuth and OIDC. Many people are starting to implement authentication at the edge using Ambassador Pro and an identity...
Read more >Configure ASP.NETCore Identity with Identity Server 4.1
I want to use ASP NET Identity (Core 3.1) with IdentityServer4. I am trying to store, users credentials in AspNet... tables and use...
Read more >Adding User Authentication with OpenID Connect
In this quickstart we want to add support for interactive user authentication via the OpenID Connect protocol to our IdentityServer. Once that is...
Read more >Token Service IdentityServer4 Sign in with GitHub - Medium
Part 1: Register Token Service IdentityServer4 as oAuth app in GitHub. To enable login from GitHub, you first need to register your app...
Read more >ID Token and Access Token: What Is the Difference? - Auth0
An ID token is an artifact that proves that the user has been authenticated. It was introduced by OpenID Connect (OIDC), an open...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
It worked! Multiple OIDC plugins with the same credentials worked, yoohoo!
versus
Now, I can loging to ambassador.hal24k.nl and my colleague
robertcan login to demo.hal24k.nlCrude ambassador documentation and support for url and header based envoy setups snapped in
v0.5.0.