NeerajSinha
04/22/2024, 11:26 PM
Unregistered redirect_uri ("<http://k8s-ingressn-ingressn-888888888888888.elb.us-east-2.amazonaws.com/login/oauth2/code/k8s-ingressn-ingressn-888888888888888.elb.us-east-2.amazonaws.com>").
Joseph Heun
04/23/2024, 7:32 AM
NeerajSinha
04/23/2024, 5:35 PM
NeerajSinha
04/23/2024, 6:10 PM
# helm-charts/helmfile-values/values-ingress.yaml
controller:
  allowSnippetAnnotations: true
  config:
    # This resolves possible issue with big headers
    proxy-buffer-size: '16k'
    # Improve performance of requests with large body
    client-body-buffer-size: '1m'
    # use X-Forwarded-* received from ELB - important for proper propagation
    # of LoadBalancer host, port, and schema
    use-forwarded-headers: 'true'
I got that from here. https://www.gooddata.com/docs/cloud-native/3.3/deploy-and-install/cloud-native/considerations/ingress-aws/
Radek Novacek
04/25/2024, 8:57 AM
Robert Moucha
04/25/2024, 11:20 AM
use-forwarded-headers set to 'true'
• Created organization with hostname matching your SSL certificate, resolvable to IP address(es) of your ELB.
• You kept default value in gooddata-cn helm chart (deployDexIdP: true), so you're using Dex as identity provider
• You configured dex.ingress.authHost in values to something like auth.example.com
When you navigate to your organization url (e.g. <https://organization-1.example.com/>), you get redirected to <https://auth.example.com/dex/auth/local/login> but an error occurs, "Unregistered redirect_uri", mentioning the loadbalancer hostname and http:// schema (not https://), instead of being redirected to <https://organization-1.example.com/login/oauth2/code/organization-1.example.com>
Is that correct?
NeerajSinha
04/25/2024, 5:37 PM
deployDexIdP: true since it was mentioned in docs that default is true for internal OIDC.
https://www.gooddata.com/docs/cloud-native/3.3/deploy-and-install/cloud-native/considerations/oidc/#OIDCProviderSetup-Usin[…]nalOIDCIdentityProvider
NeerajSinha
04/25/2024, 6:04 PM
deployDexIdP: true. Still the same error.
However, one thing I have been noticing since yesterday is that when I enter the host url, it redirects to the auth url, but in the redirection url, if I edit the url in the browser bar to https, I get the login page (though login does not work; I get a 401 error). See the example of the URL that gives the direct uri error (I have masked the url for our company/env part):
<https://gooddata-test-auth.myenv.mycompany.net/dex/auth/local?client_id=9d5c4d19-df5c-4735-abf0-04f6d608a0d2&nonce=kk5shN0reDjSruylmUydQ8fQ90yW9qSYCK36QnoeVp0&redirect_uri=http%3A%2F%2Fgooddata-test.myenv.mycompany.net%2Flogin%2Foauth2%2Fcode%2Fgooddata-test.myenv.mycompany.net&response_type=code&scope=openid+profile&state=eB10R9uwXOUkjhJ1pFFcvffsQQ_p9_IvsUeOPcL2PFQf>
But the one below gives me the login page:
<https://gooddata-test-auth.myenv.mycompany.net/dex/auth/local?client_id=9d5c4d19-df5c-4735-abf0-04f6d608a0d2&nonce=kk5shN0reDjSruylmUydQ8fQ90yW9qSYCK36QnoeVp0&redirect_uri=https%3A%2F%2Fgooddata-test.myenv.mycompany.net%2Flogin%2Foauth2%2Fcode%2Fgooddata-test.myenv.mycompany.net&response_type=code&scope=openid+profile&state=eB10R9uwXOUkjhJ1pFFcvffsQQ_p9_IvsUeOPcL2PFQf>
Notice the difference in the above uri for this part: redirect_uri=https
Robert Moucha
04/26/2024, 10:40 AM
deployDexIdP: true is the default value in our helm chart. You don't need to set it explicitly. I just wanted to make sure you didn't disable it.
Robert Moucha
04/26/2024, 11:15 AM
redirect_uri is generated by Spring framework library based on information received in the incoming request. In this particular case, header "X-Forwarded-Proto" is not set to "https" or is not set at all. It's LoadBalancer's or Ingress controller's responsibility to set this header.
As you have SSL terminated on ELB, Load balancer should set this header (along with other X-Forwarded-* headers) when passing your request downstream to ingress controller. Controller's setting "use-forwarded-headers" guarantees these headers are sent unmodified to internal services.
Can you please check the headers are properly set when leaving your load balancer?
Robert Moucha
04/26/2024, 11:55 AM
NeerajSinha
04/26/2024, 3:56 PM
NeerajSinha
04/26/2024, 4:07 PM
NeerajSinha
04/26/2024, 6:07 PM
NeerajSinha
04/26/2024, 6:26 PM
NeerajSinha
04/26/2024, 10:15 PM
Robert Moucha
04/28/2024, 7:59 PM