# gooddata-cn
v
Greetings, I am facing an issue configuring GoodData.CN running on EKS for AWS Cognito IdP according to these instructions here: https://www.gooddata.com/developers/cloud-native/doc/cloud/manage-organization/set-up-authentication/aws-cognito/ I must admit that I am not sure where to start, so let me quote actual vs. expected behavior.
After following the steps in those instructions, I try to log in... it redirected me to Cognito to change my password, and that actually seemed to work fine... Then upon the completion callback to this URL: https://data-dev.skan-dev.io/login/oauth2/code/data-dev.skan-dev.io?code=XXXXXXXX I get a 401 error...
And anytime I try to visit the data-dev.skan-dev.io URL, it redirects me to that same login callback URL, and the browser receives a 401...
I am almost thinking maybe that an EKS ingress is not configured? Like there was with the default dex... which was working
one other thing that I notice... is that the browser states the connection is not secure.
@Robert Moucha any ideas? Did I miss an instruction step where I should open up some ingress?
...and now I remember about the setting in the helm chart turning dex off... let me try that
still getting the 401 even after removing dex
I think I finally got it... and the issue was... that I did not add the name to the list of required attributes to the user
once they had a name field, everything worked
I think
r
Yes, the name attribute is required and for some reason it's not a part of the issued ID token by default. So it needs to be added. The redirect URL must exactly match the organization hostname and it must have the same URL scheme (https or http). You should configure the ingress controller to force an http->https redirect, so if someone goes to http://your-org.com he will be immediately redirected to http*s*://your-org.com. This can be achieved by adding `force-ssl-redirect: true` into the `controller.config` section in the values passed to the ingress-nginx helm chart. If you want to use external auth like Cognito, you may disable installation of Dex to save a few megabytes of RAM. But keeping that running will not do any harm.
v
the name field seems to have gotten it... for some reason AWS thought it sufficient to leave that field out of the standard properties, at least in the CDK which is kind of aggravating... but it does work ... thanks for all the support... I'm pretty happy with the setup now