access forbidden with working keycloak-gatekeeper-10.0.1 configuration
gunterze opened this issue · 1 comment
gunterze commented
Title
access forbidden with working keycloak-gatekeeper-10.0.1 configuration
Summary
Getting access forbidden with the same ENV/CLI params which work with keycloak-gatekeeper-10.0.1
Environment
docker-compose.yml:

```yaml
services:
  kibana-gatekeeper:
    image: quay.io/louketo/louketo-proxy:1.0.0
    ports:
      - "8643:8643"
    environment:
      PROXY_LISTEN: 0.0.0.0:8643
      PROXY_REDIRECTION_URL: http://test-ng:8643
      PROXY_UPSTREAM_URL: http://kibana:5601
      PROXY_DISCOVERY_URL: https://test-ng:8843/auth/realms/dcm4che
      PROXY_CLIENT_ID: kibana
      PROXY_CLIENT_SECRET: f02e8c1b-97be-42d3-bf9a-926ff6004234
      PROXY_ENCRYPTION_KEY: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
    command:
      - "--openid-provider-timeout=120s"
      - "--skip-openid-provider-tls-verify=true"
      - "--enable-refresh-tokens=true"
      - "--enable-token-header=false"
      - "--enable-authorization-header=false"
      - "--enable-authorization-cookies=false"
      - "--resources=uri=/*|methods=GET|roles=auditlog"
      - "--forbidden-page=/opt/louketo/templates/forbidden.html.tmpl"
      - "--secure-cookie=false"
      - "--verbose=true"
    depends_on:
      - kibana
      - keycloak
```

- Keycloak client `kibana` with `audience-mapper` with Included Client Audience: `kibana`.
- User has required role `auditlog`.
Expected Results
Redirect http://test-ng:8643 to Keycloak login and, after successful login, forward the request to http://kibana:5601.
Actual Results
Redirect http://test-ng:8643 to Keycloak login, but the forbidden page is returned after successful login.
Steps to reproduce
Additional Information
```
$ docker-compose logs kibana-gatekeeper
Attaching to dcm4cheearc_kibana-gatekeeper_1
kibana-gatekeeper_1 | 2020-07-22T11:38:04.695Z info src/server.go:86 starting the service {"prog": "louketo-proxy", "author": "Louketo", "version": "v2.3.0 (git+sha: 9eca196-dirty, built: 01-07-2020)"}
kibana-gatekeeper_1 | 2020-07-22T11:38:04.695Z info src/server.go:700 attempting to retrieve configuration discovery url {"url": "https://test-ng:8843/auth/realms/dcm4che", "timeout": "2m0s"}
kibana-gatekeeper_1 | 2020-07-22T11:38:04.740Z info src/server.go:716 successfully retrieved openid configuration from the discovery
kibana-gatekeeper_1 | 2020-07-22T11:38:04.743Z info src/server.go:161 enabled reverse proxy mode, upstream url {"url": "http://kibana:5601"}
kibana-gatekeeper_1 | 2020-07-22T11:38:04.743Z info src/server.go:236 using session cookies only for access and refresh tokens
kibana-gatekeeper_1 | 2020-07-22T11:38:04.743Z debug src/server.go:650 loading the custom sign forbidden page {"page": "/opt/louketo/templates/forbidden.html.tmpl"}
kibana-gatekeeper_1 | 2020-07-22T11:38:04.743Z info src/server.go:655 loading the custom templates {"templates": "/opt/louketo/templates/forbidden.html.tmpl"}
kibana-gatekeeper_1 | 2020-07-22T11:38:04.743Z info src/server.go:268 protecting resource {"resource": "uri: /*, methods: GET, required: auditlog"}
kibana-gatekeeper_1 | 2020-07-22T11:38:04.743Z info src/server.go:393 Louketo proxy service starting {"interface": "0.0.0.0:8643"}
kibana-gatekeeper_1 | 2020-07-22T11:39:12.831Z error src/middleware.go:174 no session found in request, redirecting for authorization {"error": "authentication session not found"}
kibana-gatekeeper_1 | 2020-07-22T11:39:12.839Z debug src/handlers.go:85 incoming authorization request from client address {"access_type": {}, "auth_url": "https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/auth?access_type=online&client_id=kibana&redirect_uri=http%3A%2F%2Ftest-ng%3A8643%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=d042623a-3dc4-46e0-84ac-1b351d52d27b", "client_ip": "192.168.2.131:38018"}
kibana-gatekeeper_1 | 2020-07-22T11:39:18.605Z error src/handlers.go:120 unable to exchange code for access token {"error": "Post \"https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/token\": x509: certificate is valid for PACS_J4C, not test-ng"}
kibana-gatekeeper_1 | 2020-07-22T11:39:18.736Z error src/middleware.go:174 no session found in request, redirecting for authorization {"error": "authentication session not found"}
kibana-gatekeeper_1 | 2020-07-22T11:39:18.778Z debug src/handlers.go:85 incoming authorization request from client address {"access_type": {}, "auth_url": "https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/auth?access_type=online&client_id=kibana&redirect_uri=http%3A%2F%2Ftest-ng%3A8643%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=d7630a45-5b99-4b82-9b38-dc7d733cd209", "client_ip": "192.168.2.131:38018"}
kibana-gatekeeper_1 | 2020-07-22T11:39:18.904Z error src/handlers.go:120 unable to exchange code for access token {"error": "Post \"https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/token\": x509: certificate is valid for PACS_J4C, not test-ng"}
```
With working keycloak-gatekeeper:10.0.1:

```
kibana-gatekeeper_1 | 1.5954192258886871e+09 info keycloak-gatekeeper/server.go:84 starting the service {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "10.0.1 (git+sha: 691bc4c, built: 08-05-2020)"}
kibana-gatekeeper_1 | 1.595419225888778e+09 info keycloak-gatekeeper/server.go:694 attempting to retrieve configuration discovery url {"url": "https://test-ng:8843/auth/realms/dcm4che", "timeout": "2m0s"}
kibana-gatekeeper_1 | 1.5954192259393873e+09 info keycloak-gatekeeper/server.go:710 successfully retrieved openid configuration from the discovery
kibana-gatekeeper_1 | 1.5954192259412553e+09 info keycloak-gatekeeper/server.go:157 enabled reverse proxy mode, upstream url {"url": "http://kibana:5601"}
kibana-gatekeeper_1 | 1.5954192259413161e+09 info keycloak-gatekeeper/server.go:229 using session cookies only for access and refresh tokens
kibana-gatekeeper_1 | 1.5954192259413319e+09 debug keycloak-gatekeeper/server.go:644 loading the custom sign forbidden page {"page": "/templates/forbidden_page.html.tmpl"}
kibana-gatekeeper_1 | 1.59541922594134e+09 info keycloak-gatekeeper/server.go:649 loading the custom templates {"templates": "/templates/forbidden_page.html.tmpl"}
kibana-gatekeeper_1 | 1.5954192259414353e+09 info keycloak-gatekeeper/server.go:261 protecting resource {"resource": "uri: /*, methods: GET, required: auditlog"}
kibana-gatekeeper_1 | 1.5954192259415472e+09 info keycloak-gatekeeper/server.go:386 keycloak proxy service starting {"interface": "0.0.0.0:8643"}
kibana-gatekeeper_1 | 1.5954192666286752e+09 error keycloak-gatekeeper/middleware.go:108 no session found in request, redirecting for authorization {"error": "authentication session not found"}
kibana-gatekeeper_1 | 1.5954192666322625e+09 debug keycloak-gatekeeper/handlers.go:89 incoming authorization request from client address {"access_type": "", "auth_url": "https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/auth?client_id=kibana&redirect_uri=http%3A%2F%2Ftest-ng%3A8643%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=931077cc-ff5a-4fc4-9ce3-5212077dcf89", "client_ip": "192.168.2.131:38230"}
kibana-gatekeeper_1 | 1.5954192722838438e+09 info keycloak-gatekeeper/handlers.go:180 issuing access token for user {"email": "", "expires": "2020-07-22T12:06:12Z", "duration": "4m59.716157366s"}
kibana-gatekeeper_1 | 1.5954192722839189e+09 debug keycloak-gatekeeper/misc.go:130 parsed refresh token with new duration {"new duration": 1799.71608143}
kibana-gatekeeper_1 | 1.5954192722882106e+09 debug keycloak-gatekeeper/session.go:51 found the user identity {"id": "35636f1e-1595-48c7-883f-549ef5185249", "name": "admin", "email": "", "roles": "ADMINISTRATOR,auditlog,admin,user,account:manage-account,account:manage-account-links,account:view-profile,realm-management:view-realm,realm-management:view-identity-providers,realm-management:manage-identity-providers,realm-management:impersonation,realm-management:realm-admin,realm-management:create-client,realm-management:manage-users,realm-management:query-realms,realm-management:view-authorization,realm-management:query-clients,realm-management:query-users,realm-management:manage-events,realm-management:manage-realm,realm-management:view-events,realm-management:view-users,realm-management:view-clients,realm-management:manage-authorization,realm-management:manage-clients,realm-management:query-groups", "groups": ""}
kibana-gatekeeper_1 | 1.5954192722883925e+09 debug keycloak-gatekeeper/middleware.go:369 access permitted to resource {"access": "permitted", "email": "", "expires": 299.711608252, "resource": "/*"}
```

```
... unable to exchange code for access token {"error": "Post \"https://test-ng:8843/auth/realms/dcm4che/protocol/openid-connect/token\": x509: certificate is valid for PACS_J4C, not test-ng"}
```

=> seems `--skip-openid-provider-tls-verify=true` is not fully applied by louketo-proxy:1.0.0
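The log pattern in this report (discovery over HTTPS succeeds, then the token POST on `/oauth/callback` fails with an `x509` error, although verification was supposedly switched off) is what you get whenever the two outbound calls go through different HTTP clients and only one of them carries the TLS settings. The following Go program is an added illustration of that shape and of the safer alternative; it is not code from the issue or from louketo-proxy and makes no claim about where the project's own bug lies. The fake provider, its `/auth/realms/demo` paths, the self-signed httptest certificate and the `constructed-code` value are all constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

type Outcome struct {
	DiscoveryErr string // empty when discovery succeeded
	ExchangeErr  string // empty when the code exchange succeeded
}

// newFakeProvider stands in for Keycloak: a minimal discovery document and token
// endpoint over TLS with httptest's self-signed cert (constructed, not PACS_J4C).
func newFakeProvider() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		issuer := "https://" + r.Host + "/auth/realms/demo"
		switch {
		case r.URL.Path == "/auth/realms/demo/.well-known/openid-configuration":
			fmt.Fprintf(w, `{"issuer":%q,"token_endpoint":%q}`, issuer, issuer+"/protocol/openid-connect/token")
		case r.URL.Path == "/auth/realms/demo/protocol/openid-connect/token" &&
			r.Method == http.MethodPost && r.FormValue("grant_type") == "authorization_code":
			fmt.Fprint(w, `{"access_token":"constructed","token_type":"Bearer"}`)
		default:
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
		}
	}))
}

// newClient builds a client whose transport carries the given TLS settings; a
// skip-verify flag can only reach transports built this way, never http.DefaultClient.
func newClient(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// fetchDiscovery is the first call the proxy makes, at startup.
func fetchDiscovery(c *http.Client, issuer string) (string, error) {
	resp, err := c.Get(issuer + "/.well-known/openid-configuration")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var doc map[string]string
	err = json.NewDecoder(resp.Body).Decode(&doc)
	return doc["token_endpoint"], err
}

// exchangeCode is the second call, made on /oauth/callback after login.
func exchangeCode(c *http.Client, tokenEndpoint, code string) error {
	resp, err := c.PostForm(tokenEndpoint, url.Values{"grant_type": {"authorization_code"}, "code": {code}})
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	return nil
}

// runFlow does discovery with one client and the exchange with another; when only
// one of them carries the TLS settings, the log pattern above is reproduced exactly.
func runFlow(discoveryClient, exchangeClient *http.Client, issuer string) Outcome {
	ep, err := fetchDiscovery(discoveryClient, issuer)
	if err != nil {
		return Outcome{DiscoveryErr: err.Error()}
	}
	if err := exchangeCode(exchangeClient, ep, "constructed-code"); err != nil {
		return Outcome{ExchangeErr: err.Error()}
	}
	return Outcome{}
}

// IsX509Error separates a certificate-verification failure from any other error.
func IsX509Error(msg string) bool { return strings.Contains(msg, "x509:") }
// Scenarios runs three configurations against one fake provider: skip-verify honoured
// by discovery only (the exchange falls back to http.DefaultClient), skip-verify on
// both calls, and the safer option of trusting the provider's CA on both calls.
func Scenarios() (split, skipBoth, pinned Outcome) {
	srv := newFakeProvider()
	defer srv.Close()
	issuer := srv.URL + "/auth/realms/demo"
	skip := newClient(&tls.Config{InsecureSkipVerify: true})
	split = runFlow(skip, http.DefaultClient, issuer)
	skipBoth = runFlow(skip, skip, issuer)
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	trust := newClient(&tls.Config{RootCAs: pool})
	pinned = runFlow(trust, trust, issuer)
	return
}

func main() {
	split, skipBoth, pinned := Scenarios()
	fmt.Printf("split clients: %+v\nskip on both: %+v\nCA on both: %+v\n", split, skipBoth, pinned)
}
```

Running it prints three `Outcome` lines: the split case has an empty `DiscoveryErr` and an `ExchangeErr` that starts with `Post "https://127.0.0.1:...": x509:`, the same shape as the louketo log above, while the other two cases succeed on both calls. Two practical points follow. First, the issuer's error text (`certificate is valid for PACS_J4C, not test-ng`) is a hostname mismatch, not an untrusted CA; Go only reports that after the chain has verified, so the certificate served on `test-ng:8843` simply does not list `test-ng` among its subject names. Second, the third scenario is the fix to prefer over `--skip-openid-provider-tls-verify`: reissue the Keycloak certificate with `test-ng` in its SANs (or address Keycloak by a name the certificate already covers) and make the issuing CA trusted by the proxy container, so the code-for-token exchange, which carries the client secret, is never sent over an unauthenticated TLS connection.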