Improper backend Auth config error handling #394
Comments
What improvement can be applied?
Did you expect the error to return, or is there any additional info that the error returns?
Hello! Right now I believe the error comes from these lines. I think we should include clearer information, such as what URL was attempted, and a hint to check the issuer field, so something like:
Did you mean to add IssuerURL information? Edit: Solved
Thank you, I think I can work on it. Edit: I'll try to reproduce the issue first. Be right back.
Great! So I think the amount of code that must change is quite minimal, but getting everything up and running may take some time. Please let me know if you'd like any help or have any questions 😄 I think to reproduce the error, you need only run the quickstart with the UserManagement plugin config with some URL for
Thanks.
This is

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: tornjak-agent
      namespace: spire
    data:
      server.conf: |
        server {
          # location of SPIRE socket
          # here, set to default SPIRE socket path
          spire_socket_path = "unix:///tmp/spire-server/private/api.sock"
          # configure HTTP connection to Tornjak server
          http {
            port = 10000 # opens at port 10000
          }
        }
        plugins {
          DataStore "sql" { # local database plugin
            plugin_data {
              drivername = "sqlite3"
              filename = "/run/spire/data/tornjak.sqlite3" # stores locally in this file
            }
          }
          UserManagement "KeycloakAuth" {
            plugin_data {
              # issuer - Issuer URL for OIDC
              # here is a sample for Keycloak running locally on Minikube
              # issuer = "http://host.docker.internal:8080/realms/tornjak"
              # for cloud deployment it would be something like:
              issuer = "http://localhost"
            }
          }
        }
I decided to use the clean up guide and start over again. This time, I use When I do
This is when I do

    NAME             READY   STATUS             RESTARTS       AGE
    spire-server-0   1/2     CrashLoopBackOff   10 (102s ago)  27m

Found this log instead.

    2024/04/06 15:37:20 Cannot Configure: Cannot configure auth plugin: Couldn't configure Auth: Could not create Keyfunc for url : Get "": unsupported protocol scheme ""
tornjak/pkg/agent/auth/keycloak.go, line 95 in f762363
I believe the error is in here. It means OIDC has been created without any errors.
Hello! So actually this issue is related to very recent work relating to our unreleased tornjak v1.6. So you will need to use an updated image to reproduce the error above. Explanation of the error you're seeing:
How to reproduce the error of this issue:
Does this help and/or make sense?
Seems like I'm using

    - name: tornjak-backend
      image: ghcr.io/spiffe/tornjak-backend:v1.4.2

Gonna try again with
Got this log after changing to

    2024/04/08 07:28:12 Cannot Configure: Cannot configure auth plugin: Couldn't configure Auth: Could not set up OIDC Discovery client: error fetching host/.well-known/openid-configuration: Get "host/.well-known/openid-configuration": unsupported protocol scheme ""

After changing

    2024/04/08 07:35:08 Cannot Configure: Cannot configure auth plugin: Couldn't configure Auth: Could not set up OIDC Discovery client: error fetching http://localhost/.well-known/openid-configuration: Get "http://localhost/.well-known/openid-configuration": dial tcp 127.0.0.1:80: connect: connection refused

After changing

    2024/04/08 07:45:27 Cannot Configure: Cannot configure auth plugin: Couldn't configure Auth: Could not set up OIDC Discovery client: error fetching http://host.docker.internal:8080/.well-known/openid-configuration: Get "http://host.docker.internal:8080/.well-known/openid-configuration": dial tcp 192.168.65.254:8080: connect: connection refused

After changing

    2024/04/08 07:47:39 Cannot Configure: Cannot configure auth plugin: Couldn't configure Auth: Could not set up OIDC Discovery client: error decoding provider metadata response: invalid character '<' looking for beginning of value

Can't reproduce error
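As an added example (not tornjak's own code, and not posted by any participant in this thread), the check below implements the clearer error handling proposed earlier in the thread: validate the configured issuer before any discovery request is made, and name both the attempted URL and the plugin_data.issuer field in the error, instead of surfacing the bare `unsupported protocol scheme ""` from the HTTP client. The function names ValidateIssuer and DiscoveryURL are hypothetical; the sample inputs are constructed from the issuer values tried in the logs above.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ValidateIssuer is a hypothetical pre-flight check (not tornjak's code) for the
// OIDC issuer configured in the UserManagement "KeycloakAuth" plugin. It rejects
// values that would otherwise fail deep inside the discovery HTTP call with a
// message that does not mention the config field or the URL that was attempted.
func ValidateIssuer(issuer string) error {
	if strings.TrimSpace(issuer) == "" {
		return errors.New(`OIDC issuer is empty: set plugin_data.issuer in the UserManagement "KeycloakAuth" block to the full issuer URL, e.g. "http://host.docker.internal:8080/realms/tornjak"`)
	}
	u, err := url.Parse(issuer)
	if err != nil {
		return fmt.Errorf("OIDC issuer %q is not a valid URL (check plugin_data.issuer): %w", issuer, err)
	}
	// A bare host such as "host" parses with an empty scheme; "localhost:8080"
	// parses with scheme "localhost". Both would produce an unusable request URL.
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("OIDC issuer %q has unsupported scheme %q: use an http:// or https:// URL in plugin_data.issuer", issuer, u.Scheme)
	}
	if u.Host == "" {
		return fmt.Errorf("OIDC issuer %q has no host (check plugin_data.issuer)", issuer)
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return fmt.Errorf("OIDC issuer %q must not contain a query string or fragment", issuer)
	}
	return nil
}

// DiscoveryURL returns the OpenID discovery document URL for a validated issuer,
// in the "<issuer>/.well-known/openid-configuration" form seen in the logs above.
func DiscoveryURL(issuer string) (string, error) {
	if err := ValidateIssuer(issuer); err != nil {
		return "", err
	}
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration", nil
}

func main() {
	// Constructed sample values, including the ones tried in this issue thread.
	samples := []string{
		"",
		"host",
		"localhost:8080",
		"http://localhost",
		"http://host.docker.internal:8080/realms/tornjak",
	}
	for _, iss := range samples {
		u, err := DiscoveryURL(iss)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("discovery URL:", u)
	}
}
```

The scheme check is what turns the opaque `Get "": unsupported protocol scheme ""` into a message an operator can act on. A well-formed issuer that points at a host nothing is listening on (the `connection refused` cases above) still passes this check and is only detectable at request time, so the discovery call itself should also wrap its error with the URL it fetched, which the later tornjak logs already do.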
Hm, you're right, I can't seem to reproduce it either. Let me ask the person that first got this error offline for more details. But thank you for the PR! As far as I'm concerned, this will fix the issue; let me run the tests.
Thank you for guiding me to resolve this issue. By the way, when I try to run Is there any better way to run the tornjak backend locally without manually retrieving
Hm, you shouldn't need to retrieve the file - if it doesn't exist it should be initialized properly. Try running the backend locally with the db filename set to a local file that doesn't exist. Do you get errors doing this?
When the backend is set up with issuer at localhost incorrectly, it returns an error. We need to improve this error handling.