oauth2 (cc) block does not use referenced backend #321

Closed
johakoch opened this issue Sep 28, 2021 · 0 comments · Fixed by #322
Labels
bug Something isn't working

Collaborator

johakoch commented Sep 28, 2021

Describe the bug
The oauth2 (cc) block does not use the referenced backend but a default backend.

To Reproduce
Steps to reproduce the behavior:

  1. Which Couper version? Run couper version or docker run avenga/couper version
$ couper version
0 2021-09-28 dev
  2. Provide your configuration file *.hcl. Remove sensitive data.
# OAuth2 client
server "oauth2-cc-client" {
  hosts = ["*:8080"]
  api {
    endpoint "/**" {
      proxy {
        backend = "rs"
      }
    }
  }
}

# OAuth2 resource server
server "oauth2-rs" {
  hosts = ["*:8081"]
  api {
    access_control = ["jwt"]

    endpoint "/**" {
      response {
        json_body = request.context.jwt
      }
    }
  }
}

# OAuth2 authorization server
server "oauth2-as" {
  hosts = ["*:8082"]
  api {
    endpoint "/token" {
      response {
        json_body = {
          access_token = jwt_sign("jwt", { foo = request.headers.x-foo })
          expires_in = 120
        }
      }
    }
  }
}

definitions {
  # backend for resource server
  backend "rs" {
    origin = "http://localhost:8081"
    oauth2 {
      token_endpoint = "http://localhost:8082/token"
      backend = "as"
      client_id      = "id"
      client_secret  = "secret"
      grant_type     = "client_credentials"
    }
  }

  # backend for authorization server
  backend "as" {
    origin = "http://localhost:8082"
    add_request_headers = {
      x-foo = "bar"
    }
  }

  # jwt for signing (at authorization server) and signature validation (at resource server)
  jwt "jwt" {
    signature_algorithm = "HS256"
    header = "authorization"
    key = "$e(rEt"
    signing_ttl = "120s"
    claims = {
      foo = "bar"
    }
  }
}
  3. Provide a curl call for reproduction
$ curl -si localhost:8080/foo
  4. See an error response or error log.
$ curl -si localhost:8080/foo
HTTP/1.1 502 Bad Gateway
Content-Type: application/json
Couper-Error: backend error
Couper-Request-Id: c59enjl916bmb43dn3tg
Server: couper.io
Vary: Accept-Encoding
Date: Tue, 28 Sep 2021 10:17:50 GMT
Content-Length: 134

{
  "error": {
    "id":      "c59enjl916bmb43dn3tg",
    "message": "backend error",
    "path":    "/foo",
    "status":  502
  }
}
ERRO[0006] expression evaluation error: couper.hcl:29,65-71: Missing map element; This map does not have an element with the key "x-foo".  auth_user=id build=dev client_ip=127.0.0.1 endpoint=/token error_type=evaluation handler=api method=POST port=8082 request="map[bytes:29 headers:map[accept:application/json] host:localhost method:POST origin:localhost:8082 path:/token proto:http status:500 tls:false]" response="map[bytes:150 headers:map[content-type:application/json]]" server=oauth2-as status=500 timings="map[total:0.631]" type=couper_access uid=c59enjl916bmb43dn3u0 url="http://localhost:8082/token" version=0
INFO[0006]                                               auth_user=id backend=default build=dev method=POST request="map[bytes:29 headers:map[accept:application/json] host:localhost method:POST name:default origin:localhost:8082 path:/token port:8082 proto:]" response="map[headers:map[content-type:application/json] status:500]" status=500 timings="map[dns:5.014 tcp:0.658 total:12.556 ttfb:5.763]" token_request=oauth2 type=couper_backend uid=c59enjl916bmb43dn3tg url="http://localhost:8082/token" version=0
ERRO[0006] backend error: as: token request error: error=  build=dev client_ip=127.0.0.1 endpoint="/**" handler=api method=GET port=8080 request="map[headers:map[accept:*/* user-agent:curl/7.67.0] host:localhost method:GET origin:localhost:8080 path:/foo proto:http status:502 tls:false]" response="map[bytes:134 headers:map[content-type:application/json]]" server=oauth2-cc-client status=502 timings="map[total:14.752]" type=couper_access uid=c59enjl916bmb43dn3tg url="http://localhost:8080/foo" version=0
  • The error message shows that there is no x-foo header.
  • The upstream log of the token request shows that the backend used is a default backend, not the one labelled as.

Expected behavior

  • The oauth2 cc client should use the as backend, which adds an x-foo request header that is then used at the token endpoint to add an extra foo claim:
$ curl -si localhost:8080/foo
HTTP/1.1 200 OK
...

{"exp":...,"foo":"bar"}
  • The log entry in the upstream log should have backend=as.
johakoch added the bug label Sep 28, 2021
johakoch linked a pull request Sep 29, 2021 that will close this issue
johakoch changed the title from "oauth2 (cc) block does not use specified backend" to "oauth2 (cc) block does not use referenced backend" Sep 29, 2021
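The second observation in the report (the token request logged with backend=default instead of backend=as) can be checked mechanically across an upstream log. The following is an added example, not part of the issue or of Couper's code; the function names and the last two sample lines are constructed, and the first sample line is abbreviated from the log above.

```python
import re

# logrus-style key=value pairs; a value is a bare token or a double-quoted string.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_fields(line):
    """Return the key=value fields of one log line as a dict."""
    fields = {}
    for key, value in PAIR.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # drop surrounding quotes
        fields[key] = value
    return fields

def misrouted_token_requests(lines, expected_backend):
    """List (uid, backend, url) for oauth2 token requests that did not
    go through the backend the configuration references."""
    findings = []
    for line in lines:
        f = parse_fields(line)
        # Only upstream log entries that belong to an oauth2 token request.
        if f.get("type") != "couper_backend" or f.get("token_request") != "oauth2":
            continue
        if f.get("backend") != expected_backend:
            findings.append((f.get("uid"), f.get("backend"), f.get("url")))
    return findings

SAMPLE_LOG = [
    # Abbreviated from the upstream log line in the report (the buggy case).
    'INFO[0006]  auth_user=id backend=default build=dev method=POST status=500 '
    'token_request=oauth2 type=couper_backend uid=c59enjl916bmb43dn3tg '
    'url="http://localhost:8082/token" version=0',
    # Constructed: what the report expects to see (backend=as).
    'INFO[0009]  auth_user=id backend=as build=dev method=POST status=200 '
    'token_request=oauth2 type=couper_backend uid=constructed-uid-0002 '
    'url="http://localhost:8082/token" version=0',
    # Constructed: an ordinary proxied request, not a token request; ignored.
    'INFO[0009]  backend=rs build=dev method=GET status=200 type=couper_backend '
    'uid=constructed-uid-0002 url="http://localhost:8081/foo" version=0',
]

if __name__ == "__main__":
    for uid, backend, url in misrouted_token_requests(SAMPLE_LOG, "as"):
        print(f"token request {uid} to {url} used backend={backend}, expected as")
```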