Login Redirection Issue for Users in Multiple Microsoft Groups Due to Nonce Mismatch in Dex Integration

Question

Login Redirection Issue for Users in Multiple Microsoft Groups Due to Nonce Mismatch in Dex Integration

Closed this issue 2 months ago · 3 comments

What happened?

When certain users attempt to log in to Kubermatic, they are redirected back to the dashboard page without successfully logging in. This issue appears to affect users who are members of multiple groups in Microsoft. The setup uses Dex integrated with Microsoft as the authentication connector.

Upon investigation, we observed that the nonce cookie value differs between the one sent from the dashboard and the value present in the ID token, which may be causing authentication failures for these users.

Expected behavior

Affected users should be successfully logged into Kubermatic without being redirected back to the dashboard, with consistent nonce values between the dashboard and the ID token.

How to reproduce the issue?

1.	Set up Dex with Microsoft as an authentication connector in Kubermatic.
2.	Include users who are members of multiple Microsoft groups.
3.	Attempt to log in with these users and observe if they are redirected back to the dashboard instead of being logged in.
4.	Check the nonce cookie values for discrepancies between the dashboard request and the ID token.

How is your environment configured?

KKP version: v2.26.0
Shared or separate master/seed clusters?: eparate master/seed

Provide your KKP manifest here (if applicable)

# paste manifest here

What cloud provider are you running on?

Vsphere

What operating system are you running in your user cluster?

Ubuntu 20.04

Additional information

The Dex Helm values configuration may be relevant to diagnosing the issue. Below is the relevant configuration:

dex:
  ingress:
    hosts:
      - host: "kubermatic.test.example.com"
        paths:
          - path: /dex
            pathType: ImplementationSpecific
    tls:
      - secretName: dex-tls
        hosts:
          - "kubermatic.test.example.com"
  connectors:
    - type: microsoft
      id: microsoft
      name: Microsoft
      config:
        clientID: $SECRET_clientID
        clientSecret: $SECRET_clientSecret
        redirectURI: https://kubermatic.test.example.com/dex/callback
        tenant: $SECRET_tenant
        groups:
          - abc
          - xyz

Answer 1 · 2024-11-14T08:46:40.000Z

/transfer dashboard

Answer 2 · 2024-11-14T08:49:08.000Z

I did some initial investigation and it seems the error occurs when ID token length is longer than 4096 because dashboard saves the ID token in cookie and maximum allowed size for cookies is 4096 bytes.

Answer 3 · 2025-01-07T11:04:07.000Z

Not planned to be fixed as discussed with the customer and relevant people