Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

vouch-proxy with Gitea working on v0.17.4 but stops working on v0.18.0+ #346

Open
layanto opened this issue Dec 23, 2020 · 24 comments
Open
Labels

Comments

@layanto
Copy link

layanto commented Dec 23, 2020

Describe the problem
Getting 400 Bad Request after successful login to Gitea. Using exactly the same nginx, Gitea and vouch config, all working with vouch v0.17.4 (or earlier) but with vouch v0.18.0 (or later), I get 400 Bad Request. I have tried testing: true and all the redirects worked as expected, though still getting 400 Bad Request. It appears that the change between vouch v0.18.0 and v0.17.4 caused Gitea to respond oauth with

2020-12-23T23:22:32.753Z ERROR /auth Error while retreiving user info after successful login at the OAuth provider: oauth2: cannot fetch token: 400 Bad Request

Response: {"error":"unauthorized_client","error_description":"client is not authorized"}

Expected behavior
No 400 Bad Request on vouch v0.18.0 (or later) just like how it was with vouch v0.17.4 (or earlier),

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Firefox
  • Version: 84.0.1
@bnfinet
Copy link
Member

bnfinet commented Dec 24, 2020

@layanto thanks for the report. Can you please use the latest version of VP and post a full log to a gist as per the README?

@eldondev
Copy link

I am also seeing this. I will try to get the requested logs. For the record, I am using the latest tag from docker hub for both gitea/gitea and voucher/vouch. Also, if I create a brand new oauth app, and update the vouch config to use that oauth client id/secret it works for a little while. I have the provider configured as "github" in the vouch config, as per a previous issue on gitea/vouch.

@layanto
Copy link
Author

layanto commented Dec 29, 2020

I was also using gitea and vouch latest docker image. As workaround, I now use 0.17.4 tag for vouch docker image.

Trying to figure out how to use the ./do.sh with vouch docker image.

@bnfinet
Copy link
Member

bnfinet commented Dec 29, 2020

@layanto any chance you could supply that log for the most recent version? I'm happy to help work the issue.

wrt to ./do.sh for 0.17.4 you should be able to adjust the IMAGE variable.

https://github.com/vouch/vouch-proxy/blob/master/do.sh#L12

@layanto
Copy link
Author

layanto commented Dec 29, 2020

Will try tonight. I am presently only using the vouch docker image. To use the do.sh, do I need to git checkout this repo and then run the do.sh? Maybe easier just to take the log as is and then change my oauth key in gitea?

@layanto
Copy link
Author

layanto commented Dec 29, 2020

Couldn't figure out how to use the do.sh so I ended up manually sanitizing the debug log. Gists below:
vouch 0.17.4 (working): https://gist.github.com/layanto/13d921fe303bf094cf606d11ce2f268f
vouch 0.19.1 (not working): https://gist.github.com/layanto/7598de4cb54fbb0bd578ae9d5de908ec

I changed my domain to domain.com, gitea URL to gitea.domain.com, vouch URL to vouch.domain.com, application URL protected by vouch to protected.domain.com, username to username, email to [email protected] and various secrets, client_id, token, etc to vvv, www, xxx, etc. Hopefully I haven't messed up the debug log too badly.

@layanto
Copy link
Author

layanto commented Dec 29, 2020

Would be a great feature if via config option, vouch can generate sanitized debug.log as a file in /data. This way the log file can be access in docker's host machine. Vouch already knows all the sensitive information (already in config or environment variables) so should be able to sanitize them without additional info from user (such as via do.sh which I couldn't figure out how to use).

@bnfinet bnfinet added the bug label Dec 30, 2020
@bnfinet
Copy link
Member

bnfinet commented Jan 28, 2021

@eldondev @layanto could you please try adjusting your oauth config with..

code_challenge_method: (blank)
and then
code_challenge_method: plain

I suspect that gitea does not support PKCE which was added to v0.18.0 via #307

@layanto
Copy link
Author

layanto commented Jan 28, 2021

Still not working - exactly the same error. I tried both (blank) and plain for code_challenge_method under oauth config.

@bnfinet
Copy link
Member

bnfinet commented Jan 28, 2021

@layanto looks like gitea supports OIDC, what happens if you try oauth.provider: oidc (with and without code_challenge).

https://docs.gitea.io/en-us/oauth2-provider/

@layanto
Copy link
Author

layanto commented Jan 29, 2021

using oidc as oauth provider, Gitea works with v0.17.4 and latest. I didn't need to add the code_challenge_method. With github as oauth provider, Gitea only works with v0.17.4 or earlier and doesn't work with v0.18.0 or later.

@eldondev Can you check if you observe the same behaviour as above?

@mvivaldi
Copy link

Hi, with gitea 1.13.1 vouch latest and provider oidc everything is working again.

@bnfinet
Copy link
Member

bnfinet commented Feb 3, 2021

@mvivaldi @layanto thanks for testing that out.

In your opinion should we consider this a docu-fix as "always use oauth.provider: oidc for Gitea"? OIDC does not currently support the group features that are in the github provider. Are those important?

My suspicion is that if this line were commented out it might work for Gitea as provider: github
https://github.com/vouch/vouch-proxy/blob/master/pkg/cfg/oauth.go#L205

Would either of you be in a position to test that?

@layanto
Copy link
Author

layanto commented Feb 3, 2021

I am using vouch docker from dockerhub. Not sure how to test commenting out a line in vouch's go code.
I am not sure if Gitea is using or supporting the group features.

@bnfinet
Copy link
Member

bnfinet commented Feb 3, 2021

@layanto understood...

If you cared to build the container locally ./do.sh dbuild would do it.

@eldondev
Copy link

eldondev commented Feb 3, 2021

Just followed up here. The switch to OIDC also seems to work for me. One alternative might be to see if gitea would support that code challenge method (if that is indeed the issue).

@eldondev
Copy link

eldondev commented Feb 4, 2021

@bnfinet Hey, I dug into the gitea source/docs a little bit, it looks like they expect PKCE support to work Also, they mention S256 in the source of the oauth provider , so, while frankly I don't expect them to be critical for my use case, I'd be willing to give diving into this issue a shot, if I could provide some sort of debug output or something that would help.

@bnfinet
Copy link
Member

bnfinet commented Feb 4, 2021

Thanks @eldondev ...

If you could provide conf and logs as described in the README and then take that line out and do it again that would be a solid start towards trying to diagnose the issue.

@FunDeckHermit
Copy link

Hi, I seem to have the same problem and thought the problem originated from Gitea itself.
I therefore opened an issue on their repository. After reading this thread I think I might be wrong with my assumption.

I will try the OIDC route and keep you updated.

@FunDeckHermit
Copy link

FunDeckHermit commented Jun 24, 2021

I got Vouch Proxy + Gitea working again by changing my Vouch Proxy config to:

oauth:
  provider: oidc
  client_id: {id}
  client_secret: {secret}
  auth_url: https://auth.domain.com/login/oauth/authorize
  token_url: https://auth.domain.com/login/oauth/access_token
  user_info_url: https://auth.domain.com/login/oauth/userinfo
  scopes:
    - openid
    - email
    - profile
  callback_url: https://vouch.domain.com/auth

Changing only the provider and the user_info_url.

@bnfinet
Copy link
Member

bnfinet commented Jun 24, 2021

@mindfuucker thanks for the info, glad to have another confirmation that it's working with provider: oidc

The only reason this is still open and flagged as a bug is due to the usage of groups with vouch.teamWhitelist when configured with provider: github

If anyone wants that feature to work (or to just get the provider: github to work with Gitea) I hope they'll take the time to provide a good bug report in the manner described in the README.

@krumelmonster
Copy link

oauth:
  provider: oidc
  client_id: {id}
  client_secret: {secret}
  auth_url: https://auth.domain.com/login/oauth/authorize
  token_url: https://auth.domain.com/login/oauth/access_token
  user_info_url: https://auth.domain.com/login/oauth/userinfo
  scopes:
    - openid
    - email
    - profile
  callback_url: https://vouch.domain.com/auth

This unlike provider: github works for me too and I suggest to update config.yml_example_gitea to oidc for now

krumelmonster added a commit to krumelmonster/vouch-proxy that referenced this issue Feb 14, 2024
the github provider isn't working for gitea on vouch-proxy 0.18+ vouch#346
@D3v01dZA
Copy link

I'm another user that ran into this - when using the GitHub with Gitea provider type Vouch will work for a short time (<20 minutes) and then just stop working with the errors indicated above.

When using oidc it works without any issues so far.

@ultimaterex
Copy link

Ran into this issue today as well, the change in #552 worked great for me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

8 participants