zitadel/zitadel

[Bug]: OIDC Discovery for OAuth2 Proxy not working

Closed this issue · 2 comments

Preflight Checklist

  • I could not find a solution in the documentation, the existing issues or discussions
  • I have joined the ZITADEL chat

Environment

Self-hosted

Version

v2.51.3

Database

PostgreSQL

Database Version

16.3

Describe the problem caused by this bug

I have an OAuth2 Proxy in front of another web application.
The OAuth2 Proxy links to the Zitadel instance.
When deployed, the OAuth2 Proxy crashes with the error:

[2024/05/16 18:06:01] [main.go:60] ERROR: Failed to initialise OAuth2 Proxy: error intiailising provider: could not create provider data: error building OIDC ProviderVerifier: could not get verifier builder: error while discovery OIDC configuration: failed to discover OIDC configuration: error performing request: Get "http://localhost:8080/.well-known/openid-configuration": dial tcp [::1]:8080: connect: connection refused

When testing the same setup with another identity provider, it works.
The issue also persists when I use a Zitadel Cloud account.

To reproduce

  1. Create a file docker-compose.yaml with the content:
services:

  auth:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
    restart: unless-stopped
    command: --http-address 0.0.0.0:4180
    environment:
      - OAUTH2_PROXY_UPSTREAMS=http://app:80/
      - OAUTH2_PROXY_PROVIDER_DISPLAY_NAME=Zitadel
      - OAUTH2_PROXY_PROVIDER=oidc
      - OAUTH2_PROXY_OIDC_ISSUER_URL=http://localhost:8080
      - OAUTH2_PROXY_CLIENT_ID=267404730723008514@development_&_testing
      - OAUTH2_PROXY_CLIENT_SECRET=qY3JnpdgfW6sKPxbKx0fHoPxqbhzDhuXbujI174c33hR6LMoDg4KPlwnwqYxAGC0
      - OAUTH2_PROXY_EMAIL_DOMAINS=*
      - OAUTH2_PROXY_REDIRECT_URL=http://localhost:4180/oauth2/callback
      - OAUTH2_PROXY_COOKIE_SECRET=Ak5Q5kx-Ukg11yxnoPxV1cqi3QtlMhDGZp722GCb840=
      - OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR=true
      - OAUTH2_PROXY_COOKIE_SECURE=false
      # - OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://memory-cache
      # - OAUTH2_PROXY_SESSION_STORE_TYPE=redis
    depends_on:
      - idenitty-provider
      # - memory-cache
    ports:
      - 4180:4180

  # memory-cache:
  #   image: redis:6.2.7
  #   restart: always

  app:
    image: traefik/whoami
    restart: unless-stopped

  idenitty-provider:
    image: ghcr.io/zitadel/zitadel:v2.51.3
    restart: unless-stopped
    command: start-from-init --masterkeyFromEnv
    environment:
      - 'ZITADEL_LOGSTORE_ACCESS_STDOUT_ENABLED=true'
      - 'ZITADEL_DATABASE_POSTGRES_HOST=database'
      - 'ZITADEL_DATABASE_POSTGRES_PORT=5432'
      - 'ZITADEL_DATABASE_POSTGRES_DATABASE=db_zitadel'
      - 'ZITADEL_DATABASE_POSTGRES_USER_USERNAME=dbu_zitadel'
      - 'ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=DB_USER_PASSWORD'
      - 'ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable'
      - 'ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=root'
      - 'ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=DB_ADMIN_PASSWORD'
      - 'ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable'
      - 'ZITADEL_EXTERNALDOMAIN=localhost'
      - 'ZITADEL_EXTERNALPORT=8080'
      - 'ZITADEL_EXTERNALSECURE=false'
      - 'ZITADEL_MASTERKEY=MasterkeyNeedsToHave32Characters'
      - 'ZITADEL_TLS_ENABLED=false'
    depends_on:
      database:
        condition: 'service_healthy'
    ports:
      - 8080:8080

  database:
    image: postgres:16.3
    restart: unless-stopped
    environment:
      - POSTGRES_USER=root
      - POSTGRES_PASSWORD=DB_ADMIN_PASSWORD
      - POSTGRES_DB=db_zitadel
    healthcheck:
      test: ["CMD-SHELL", "pg_isready", "-d", "db_zitadel", "-U", "root"]
      interval: '10s'
      timeout: '30s'
      retries: 5
      start_period: '20s'
  2. Start the stack with docker compose up -d
  3. OAuth2 Proxy crashes

Screenshots

No response

Expected behavior

As written in the documentation: OAuth2 Proxy starts flawlessly

Operating System

No response

Relevant Configuration

See docker-compose.yaml

Additional Context

I tried to replace OAUTH2_PROXY_OIDC_ISSUER_URL=http://localhost:8080 with the hardcoded endpoints:

- OAUTH2_PROXY_OIDC_ISSUER_URL=NOT_USED
- OAUTH2_PROXY_LOGIN_URL=http://localhost:8080/oauth/v2/authorize
- OAUTH2_PROXY_REDEEM_URL=http://localhost:8080/oauth/v2/token
- OAUTH2_PROXY_OIDC_JWKS_URL=http://localhost:8080/oauth/v2/keys
- OAUTH2_PROXY_SKIP_OIDC_DISCOVERY=true

This gives me another error when logging in.
Same error as in #5267.

As this is docker (compose), localhost from the proxy resolves against the proxy container. In other words, you try to connect to port 8080 of the auth service.

In docker compose you should use the service name as hostname. E.g. idenitty-provider:8080. Note that you need to tell zitadel about this domain. Either through the ZITADEL_EXTERNALDOMAIN config or as an instance custom domain inside console.

Closing as it is docker compose related config, not a zitadel bug.
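The two settings the reply above refers to, shown as a compose excerpt with the failing value beside the corrected one. This is an added illustration, not the issue reporter's file or a Zitadel project sample; it reuses the service names from the compose file in this issue and assumes the default compose network, where service names resolve between containers.

```yaml
services:
  auth:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
    environment:
      # Before: inside the auth container "localhost" is the auth container
      # itself, so discovery dials [::1]:8080 and gets "connection refused".
      # - OAUTH2_PROXY_OIDC_ISSUER_URL=http://localhost:8080
      #
      # After: use the compose service name; compose DNS resolves it to the
      # Zitadel container on the shared default network.
      - OAUTH2_PROXY_OIDC_ISSUER_URL=http://idenitty-provider:8080
      - OAUTH2_PROXY_PROVIDER=oidc
      # Browser-facing value, unchanged: the callback is reached from the host.
      - OAUTH2_PROXY_REDIRECT_URL=http://localhost:4180/oauth2/callback

  idenitty-provider:
    image: ghcr.io/zitadel/zitadel:v2.51.3
    environment:
      # Zitadel selects the instance by the request's Host header and
      # advertises external domain/port/secure as the "issuer" in
      # /.well-known/openid-configuration. OIDC discovery requires that
      # advertised issuer to equal the issuer URL the client configured,
      # so this must match the host the proxy dials above.
      # Before: 'ZITADEL_EXTERNALDOMAIN=localhost'
      - 'ZITADEL_EXTERNALDOMAIN=idenitty-provider'
      - 'ZITADEL_EXTERNALPORT=8080'
      - 'ZITADEL_EXTERNALSECURE=false'
```

The authorization endpoint is visited by the browser, not by the proxy, so the machine running the browser must also resolve idenitty-provider to the published port 8080 (for example via a hosts-file entry during local testing), otherwise the redirect to the login page fails even though discovery now succeeds.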