Authenticated in KeyCloak, yet not Authorized
TobenderZephyr opened this issue · 6 comments
Before I dive too deep into this matter, I want to apologize beforehand that I stumbled on KeyCloak, and therefore your project, by accident. I did not yet dig deep enough to know if these projects would exactly fit my needs or if I am doing it all wrong.
My setup currently consists of three different Docker hosts (no swarm), each running one of: keycloak + traefik, traefik-forward-auth + traefik, application + traefik. The plan was to have the application run in a LAN environment (or wherever), while the forward-auth host is inside a DMZ allowing only HTTP/HTTPS plus outgoing LDAP for authentication against Active Directory.
The KeyCloak Server could either be inside the same DMZ or internal - yet to decide where it makes most sense.
I followed your instructions in #1 and made a few changes here and there to fit my needs.
Now I am at a point where I am unable to progress, because I tried so much beforehand and this is the furthest I achieved.
When I hit the whoami page, I get redirected to the KeyCloak login page by traefik-forward-auth. After entering username + password, I get redirected again to traefik-forward-auth with /_oauth?. Yet I receive 401 Not Authenticated. Inspecting the browser cookies (F12), I don't see anything in the list.
This is the output of the debug log. I believe the error message appeared after building the latest version (the Dockerhub image is 6 months old):
time="2020-08-20T20:40:56Z" level=debug msg="Handling callback" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] Accept-Encoding:[gzip, deflate, br] Accept-Language:[de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7] Cookie:[_forward_auth=JVeFDoXTziwDqQVRie7f0BTWWvEykUz0EcB4d1vkphc=|1597978340|<user-email>; _forward_auth_name=\"Marcus Netz\"; _forward_auth_claims=MTU5NzkzNTE0MHxEdi1CQkFFQ180SUFBUkFCRUFBQUt2LUNBQUVHYzNSeWFXNW5EQWdBQm1keWIzVndjd2hiWFhOMGNtbHVaXy1EQWdFQ180UUFBUXdBQUFYX2hBSUFBQT09fC67IXEzpPk-NYaNXp9rA8oHssDd0XMwpAuDClyWFiCq; _forward_auth_csrf=c14e6a963f9feebe255ca56b9b2e53da] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.127 Safari/537.36] X-Forwarded-For:[172.25.217.3] X-Forwarded-Host:[auth.<example.com>] X-Forwarded-Method:[GET] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[653a6f2df7e7] X-Forwarded-Uri:[/_oauth?state=3e34e70914815040fcc8d9048c838a12%3Ahttp%3A%2F%2Fauth.<example.com>%2F&session_state=65813182-46c8-4ef1-820c-450466d3a9fc&code=a4b90e68-5e06-42ef-a08b-c40e41bea54f.65813182-46c8-4ef1-820c-450466d3a9fc.dd176887-3e47-4319-8337-44b68b520582] X-Real-Ip:[172.25.217.3]]" rule=default source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=warning msg="Error validating CSRF cookie: CSRF cookie does not match state" source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=debug msg="Authenticate request" headers="map[Accept:[image/webp,image/apng,image/*,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br] Accept-Language:[de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7] Cookie:[_forward_auth=JVeFDoXTziwDqQVRie7f0BTWWvEykUz0EcB4d1vkphc=|1597978340|<user email>; _forward_auth_name=\"Marcus Netz\"; _forward_auth_claims=MTU5NzkzNTE0MHxEdi1CQkFFQ180SUFBUkFCRUFBQUt2LUNBQUVHYzNSeWFXNW5EQWdBQm1keWIzVndjd2hiWFhOMGNtbHVaXy1EQWdFQ180UUFBUXdBQUFYX2hBSUFBQT09fC67IXEzpPk-NYaNXp9rA8oHssDd0XMwpAuDClyWFiCq; _forward_auth_csrf=c14e6a963f9feebe255ca56b9b2e53da] Referer:[https://auth.<example.com>/_oauth?state=3e34e70914815040fcc8d9048c838a12%3Ahttp%3A%2F%2Fauth.<example.com>%2F&session_state=65813182-46c8-4ef1-820c-450466d3a9fc&code=a4b90e68-5e06-42ef-a08b-c40e41bea54f.65813182-46c8-4ef1-820c-450466d3a9fc.dd176887-3e47-4319-8337-44b68b520582] Sec-Fetch-Dest:[image] Sec-Fetch-Mode:[no-cors] Sec-Fetch-Site:[same-origin] User-Agent:[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.127 Safari/537.36] X-Forwarded-For:[172.25.217.3] X-Forwarded-Host:[auth.<example.com>] X-Forwarded-Method:[GET] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[653a6f2df7e7] X-Forwarded-Uri:[/favicon.ico] X-Real-Ip:[172.25.217.3]]" rule=default source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=error msg="error getting groups from session: error getting session: securecookie: error - caused by: crypto/aes: invalid key size 0" source_ip=172.25.217.3
time="2020-08-20T20:40:56Z" level=warning msg="Non-HTML request: image/webp,image/apng,image/*,*/*;q=0.8" source_ip=172.25.217.3
This is my setup:
traefik-forward-auth:

```yaml
version: '3'
services:
  auth-proxy:
    container_name: auth-proxy
    build: /opt/sources/traefik-forward-auth
    image: mesosphere/traefik-forward-auth
    environment:
      CLIENT_ID: auth-proxy-internal
      CLIENT_SECRET: 51cfe608-6b1a-4698-9d15-02cbca2811ff
      PROVIDER_URI: https://<keycloak>/auth/realms/Internal
      SECRET: 554034e6a2da367916f11b73d385ac99
      AUTH_HOST: auth.<example.com>
      INSECURE_COOKIE: 'true'
      CSRF_COOKIE_NAME: '_forward_auth_csrf'
      LOG_LEVEL: debug
    networks:
      - proxy
    restart: unless-stopped
    volumes:
      - /etc/ssl/certs/ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.address=http://auth-proxy:4181/"
      - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.routers.auth-proxy.rule=Host(`auth.<example.com>`)"
      - "traefik.http.routers.auth-proxy.entrypoints=http"
      - "traefik.http.routers.auth-proxy.middlewares=forward-auth"
      - "traefik.http.services.auth-proxy.loadbalancer.server.port=4181"
      - "traefik.http.routers.auth-proxy-secure.entrypoints=https"
      - "traefik.http.routers.auth-proxy-secure.rule=Host(`auth.<example.com>`)"
      - "traefik.http.routers.auth-proxy-secure.middlewares=forward-auth"
      - "traefik.http.routers.auth-proxy-secure.tls=true"
      - "traefik.docker.network=proxy"
networks:
  proxy:
    external: true
```
whoami:

```yaml
version: '3'
services:
  test:
    image: mendhak/http-https-echo
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.address=https://auth.<example.com>/"
      - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.test.loadbalancer.server.port=80"
      - "traefik.http.routers.test.entrypoints=http"
      - "traefik.http.routers.test.rule=Host(`whoami.<example.local>`)"
      - "traefik.http.routers.test.middlewares=forward-auth"
      - "traefik.docker.network=proxy"
networks:
  proxy:
    external: true
```
I guess it comes down to normal Docker networking now and avoiding traefik at a certain point, so proxy headers won't get mixed up.
Any help on this is appreciated.
Thanks,
Marcus
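The first warning in the debug log above, "CSRF cookie does not match state", is the check that the callback's state parameter (`<nonce>:<return-url>`) carries the same nonce as the `_forward_auth_csrf` cookie the browser sends back. The following is an added illustrative reimplementation of that check, not traefik-forward-auth's own code; it assumes the state layout visible in the log (32 hex characters, a colon, then the return URL), and the host `auth.example.com` stands in for the placeholder in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Illustrative reimplementation (not traefik-forward-auth's code) of the CSRF
// check that produced "Error validating CSRF cookie: CSRF cookie does not
// match state". The nonce in the state parameter must equal the CSRF cookie
// issued when the user was first redirected to the identity provider; if the
// cookie presented on the callback is a different one, the login is rejected.

var nonceRe = regexp.MustCompile(`^[0-9a-f]{32}$`)

// CallbackQuery is the subset of the /_oauth query string the check needs.
type CallbackQuery struct {
	State string
	Code  string
}

// ValidateCSRF returns the return URL from state when the nonce matches the
// CSRF cookie, and an error describing the failure otherwise.
func ValidateCSRF(csrfCookie string, q CallbackQuery) (string, error) {
	if csrfCookie == "" {
		return "", errors.New("missing CSRF cookie")
	}
	parts := strings.SplitN(q.State, ":", 2)
	if len(parts) != 2 {
		return "", errors.New("invalid state format")
	}
	nonce, returnURL := parts[0], parts[1]
	if !nonceRe.MatchString(nonce) {
		return "", errors.New("invalid nonce format")
	}
	if nonce != csrfCookie {
		return "", errors.New("CSRF cookie does not match state")
	}
	if q.Code == "" {
		return "", errors.New("missing authorization code")
	}
	return returnURL, nil
}

// ParseCallbackURI extracts state and code from an X-Forwarded-Uri value of
// the form seen in the debug log (/_oauth?state=...&code=...).
func ParseCallbackURI(uri string) (CallbackQuery, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return CallbackQuery{}, err
	}
	vals := u.Query()
	return CallbackQuery{State: vals.Get("state"), Code: vals.Get("code")}, nil
}

func main() {
	// Nonce and cookie values taken from the issue's log; host is a placeholder.
	cookie := "c14e6a963f9feebe255ca56b9b2e53da"
	uri := "/_oauth?state=3e34e70914815040fcc8d9048c838a12%3Ahttp%3A%2F%2Fauth.example.com%2F&code=a4b90e68"
	q, err := ParseCallbackURI(uri)
	if err != nil {
		panic(err)
	}
	if _, err := ValidateCSRF(cookie, q); err != nil {
		fmt.Println("rejected:", err) // the cookie in the log does not match the state nonce
	}
	if ret, err := ValidateCSRF("3e34e70914815040fcc8d9048c838a12", q); err == nil {
		fmt.Println("accepted, return to", ret)
	}
}
```

Running this with the values from the log shows the rejection: the cookie `c14e6a...` and the state nonce `3e34e7...` differ, so the callback is refused before the authorization code is ever exchanged. When diagnosing this, compare the `Set-Cookie` the auth host emits at the start of the flow with the `Cookie` header on the `/_oauth` callback; they must carry the same nonce.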
> error - caused by: crypto/aes: invalid key size 0

I think you need to pass --encryption-key or set ENCRYPTION_KEY.
Here is a working example docker-compose.yml:

```yaml
version: '2.4'
networks:
  web:
    external: true
services:
  traefik:
    image: traefik
    command:
      - "--accesslog"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
    ports:
      - 80:80
    networks:
      - web
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    labels:
      traefik.enable: "true"
      traefik.docker.network: web
      #v2
      traefik.http.routers.traefik.rule: Host(`traefik.localtest.me`)
      traefik.http.services.traefik.loadbalancer.server.port: "8080"
  whoami:
    image: traefik/whoami
    networks:
      - web
    labels:
      traefik.enable: "true"
      traefik.docker.network: web
      #v2
      traefik.http.routers.php-test-router.rule: Host(`whoami.localtest.me`)
      traefik.http.services.php-test-service.loadbalancer.server.port: "80"
      traefik.http.routers.php-test-router.middlewares: traefik-forward-auth-middleware
  traefik-forward-auth:
    image: mesosphere/traefik-forward-auth:3.1.0
    networks:
      - web
      - default
    environment:
      #options https://github.com/mesosphere/traefik-forward-auth/blob/master/internal/configuration/config.go
      INSECURE_COOKIE: 1
      ENCRYPTION_KEY: "45659373957778734945638459467936" #32 character encryption key (quoted so YAML keeps it a string)
      COOKIE_DOMAIN: whoami.localtest.me
      SCOPE: profile email openid # scope openid is necessary for keycloak...
      SECRET: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
      PROVIDER_URI: https://my-keycloak.com/auth/realms/my-realm
      CLIENT_ID: myclient
      CLIENT_SECRET: mysecret
      LOG_LEVEL: debug
    labels:
      traefik.enable: "true"
      traefik.docker.network: web
      traefik.http.services.traefik-forward-auth.loadbalancer.server.port: "4181"
      traefik.http.routers.traefik-forward-auth.entrypoints: web
      traefik.http.routers.traefik-forward-auth.rule: Path(`/_oauth`)
      # the router must reference the middleware by the name defined below
      traefik.http.routers.traefik-forward-auth.middlewares: traefik-forward-auth-middleware
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.address: http://traefik-forward-auth:4181
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.authResponseHeaders: X-Forwarded-User
      traefik.http.middlewares.traefik-forward-auth-middleware.forwardauth.trustForwardHeader: "true"
```
> COOKIE_DOMAIN: whoami.localtest.me

I tried with the wildcard *.localtest.me, which doesn't work, but without the dot, *localtest.me, it works 😕
I am using the latest/22.00 keycloak with this config and am getting the following error:
time="2023-08-13T17:48:57Z" level=error msg="error generating secure session cookie: securecookie: error - caused by: crypto/aes: invalid key size 22" source_ip=172.27.0.1
To generate the cookie it uses the github.com/gorilla/securecookie module.
Refer to https://go.dev/src/crypto/aes/cipher.go#25
The error crypto/aes: invalid key size 22 is coming from cipher.go.
How to fix this?
Anyone around here who can shed some light upon this? I'm having the same issues. I can't find a valid key size. What is a valid key size anyway? How do I generate a valid key?
In my config, I have a SECRET with a length of 32 chars and an --encryption-key with a length of 16 chars. They can be generated, e.g., with pwgen 32 1 and pwgen 16 1, respectively.
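For the "invalid key size 0" and "invalid key size 22" errors raised earlier in this thread, and the question of what a valid ENCRYPTION_KEY length is: gorilla/securecookie hands the block key to Go's aes.NewCipher, which accepts exactly 16, 24 or 32 bytes (AES-128, AES-192, AES-256) and rejects everything else, including an unset key (size 0). The size is counted in bytes, not characters, so a 16-character ASCII key from pwgen works because it is 16 bytes. The following is an added example, not code from traefik-forward-auth or gorilla/securecookie; the function names `CheckEncryptionKey`, `KeyBits` and `NewEncryptionKey` are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Added example (not traefik-forward-auth's code). CheckEncryptionKey reports
// whether key is usable as an AES block key by building a cipher from it; the
// error it returns is the same one that surfaces in the securecookie log lines
// in this thread ("crypto/aes: invalid key size N").
func CheckEncryptionKey(key string) error {
	_, err := aes.NewCipher([]byte(key))
	return err
}

// KeyBits returns the AES variant a key of this length selects (128, 192 or
// 256), or 0 when aes.NewCipher would reject it.
func KeyBits(key string) int {
	switch len(key) {
	case 16:
		return 128
	case 24:
		return 192
	case 32:
		return 256
	}
	return 0
}

// NewEncryptionKey returns a random key whose hex-encoded length is a valid
// AES key size: nBytes random bytes become 2*nBytes ASCII characters, so 8, 12
// or 16 random bytes yield a 16-, 24- or 32-character ENCRYPTION_KEY. Hex keeps
// the value free of characters that need quoting in YAML or a shell.
func NewEncryptionKey(nBytes int) (string, error) {
	if nBytes != 8 && nBytes != 12 && nBytes != 16 {
		return "", fmt.Errorf("nBytes must be 8, 12 or 16 so the encoded key is 16, 24 or 32 bytes; got %d", nBytes)
	}
	buf := make([]byte, nBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

func main() {
	// Constructed sample keys: the two failing sizes from this thread and the
	// three sizes AES accepts.
	for _, k := range []string{"", "abcdefghijklmnopqrstuv", "0123456789abcdef",
		"0123456789abcdef01234567", "45659373957778734945638459467936"} {
		if err := CheckEncryptionKey(k); err != nil {
			fmt.Printf("%2d chars: rejected (%v)\n", len(k), err)
		} else {
			fmt.Printf("%2d chars: ok, AES-%d\n", len(k), KeyBits(k))
		}
	}
	k, err := NewEncryptionKey(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("generated ENCRYPTION_KEY:", k)
}
```

Note that a hex-encoded key of 32 characters carries only the entropy of the 16 random bytes behind it (128 bits); that is adequate for this purpose, but a 32-byte key drawn directly from the random source would be stronger, at the cost of needing base64 or quoting. Only the AES block key has a size constraint; the separate HMAC hash key that securecookie uses for signing accepts any length.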