
new provider to support Aliyun iDaas / Alibaba OIDC (userInfo fix, should be easy) #344

Closed
Gourds opened this issue Dec 16, 2020 · 25 comments

Comments

@Gourds
Contributor

Gourds commented Dec 16, 2020

Here is my Vouch Proxy config:
https://gist.github.com/Gourds/354df4f711d1f394c925a3ddaf8e7754

nginx vouch config: https://gist.github.com/Gourds/ae0fde3ecc24b6e0afd9165eac7e8874
nginx protected app config: https://gist.github.com/Gourds/915f2ddd96c6f6d4729165108d603ee3
Here is the vouch-proxy debug log:
https://gist.github.com/Gourds/844b7c5ed53c8790d7b151733ce4267f

In debug mode,
when I go to my protected site, e.g. http://test_sso_nginx_a.taiheops.com:2081,
it will redirect to http://vouch.taiheops.com:2081/login?url=http://test_sso_nginx_a.taiheops.com:2081/&vouch-failcount=&X-Vouch-Token=&error=
Then,
when I click the login button, the return code is 400;
when I click the logout button, the return message is "/logout you have been logged out";
when I click the validate button, the return message is "no jwt found in request".

I think there is a problem with my configuration, but I tried many methods, and I also read related issues and instructions and still can’t solve it.

@bnfinet
Member

bnfinet commented Dec 16, 2020 via email

@Gourds
Contributor Author

Gourds commented Dec 17, 2020

Did you mean adding proxy_set_header Host $http_host; to my location = /vouch-validate block?
The log is now here: https://gist.github.com/Gourds/a3bddfed547193f5da51fb1ac8065839
And my IdP is the Aliyun iDaas service. Here is their OAuth2 document:
https://www.alibabacloud.com/help/doc-detail/147465.htm?spm=a2c63.l28256.b99.19.507514fc5yig2G

@bnfinet
Member

bnfinet commented Dec 18, 2020

@Gourds

> Did you mean adding proxy_set_header Host $http_host; to my location = /vouch-validate block?

Yes

The log you supplied is not a full round trip including startup.

What's there shows a successful authentication and issuing a VP token/cookie.

@Gourds
Contributor Author

Gourds commented Dec 21, 2020

I see the following log in the vouch-proxy log; it should have authenticated successfully with the IdP?

2020-12-21T06:38:35.530Z INFO |200| 385.063885ms /auth {"statusCode": 200, "request": 9, "latency": "385.063885ms", "avgLatency": "43.071887ms", "ipPort": "172.17.0.1:44419", "method": "GET", "host": "vouch.taiheops.com", "path": "/auth", "referer": "http://vouch.taiheops.com:2081/"}

The vouch-proxy full log is here: https://gist.github.com/5f220728c6829ce8e520d95e0dc68565#file-vouch_log_2-log

@bnfinet
Member

bnfinet commented Dec 21, 2020

@Gourds that log appears to show VP working normally

Are you able to navigate to your protected site after logging in at your IdP? Instead of /logout you should click the link at the bottom to your original destination

@bnfinet bnfinet changed the title Invalid session state how to config it "Invalid session state" when configured for Aliyun iDaas / Alibaba OIDC Dec 21, 2020
@Gourds
Contributor Author

Gourds commented Dec 22, 2020

When I click the link at the bottom

client_id=97237f99deaa7c64b099b2709496c472ARO5UZBICAE&redirect_uri=http%3A%2F%2Fvouch.taiheops.com%3A2081%2Fauth&response_type=code&scope=read&state=Iq6euTiMIsv9SER2D8Acsix6rOfcUBt
http://test_sso_nginx_a.taiheops.com:2081/

the vouch-proxy page will show a 302 redirect to: http://test_sso_nginx_a.taiheops.com:2081/
This is the right address, but the response is 400 Bad Request.

My service start URL is

https://ynfyvjwiaw.login.aliyunidaas.com/api/bff/v1.2/enduser/portal/sso/go_d501aa5d2d3f30b7b4dd35e44fbe72bap3rsFb9dlFs?access_token=e5710f56-3248-4900-a72c-cc1b941eb646

When I click it, the page goes to

http://vouch.taiheops.com:2081/auth?code=UgHg8K&state=0bbc8f9593afaeb5c18edd0dede2f2b9U2zOT422F72_idp
The page is the vouch-proxy page and also displays 400 Bad Request.

@aaronpk
Collaborator

aaronpk commented Dec 22, 2020

That's funny, I was fighting the same issue this evening. Can you check your nginx access logs to see if the browser is making a request to favicon.ico that's getting caught by vouch?

@Gourds
Contributor Author

Gourds commented Dec 22, 2020

2020/12/22 02:18:26 [warn] 3231#0: *202 an upstream response is buffered to a temporary file /var/lib/nginx/tmp/proxy/5/00/0000000005 while reading upstream, client: 123.126.87.108, server: vouch.taiheops.com, request: "GET /static/img/favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:9090/static/img/favicon.ico", host: "vouch.taiheops.com:2081", referrer: "http://vouch.taiheops.com:2081/auth?code=HapCEm&state=JB154jsVi6bl98G9e9iaUfhDV5JN0RB"
@aaronpk There are indeed some similar logs. How do I solve this problem?

@Gourds
Contributor Author

Gourds commented Jan 14, 2021

I haven't solved this problem. @aaronpk @bnfinet

@bnfinet
Member

bnfinet commented Jan 14, 2021

@Gourds Could you please confirm that your nginx and VP configs have not changed and then upload a full cycle log again.

After that, please adjust your 'oauth.scopes' to be similar to the OIDC example config and then upload a full cycle VP log.

@Gourds
Contributor Author

Gourds commented Jan 15, 2021

> @Gourds Could you please confirm that your nginx and VP configs have not changed and then upload a full cycle log again.
>
> After that, please adjust your 'oauth.scopes' to be similar to the OIDC example config and then upload a full cycle VP log.

The log with the previous configuration unchanged: https://gist.github.com/Gourds/6e48dd3af121cb44399bbeb7619bfb7a
It looks the same as before.

I tested before that changing the oauth.scopes parameter does not take effect, because according to Aliyun's documentation, only the read parameter should be supported.
When I change the VP scopes config to

...
  scopes:
    #- read
    - openid
    - email
...

The log file is below:
https://gist.github.com/ef955e8d60c13c493650a0e6c43cbf64

@bnfinet
Member

bnfinet commented Jan 21, 2021

@Gourds those logs continue to show VP working as expected. It does appear that multiple requests are coming in at once. There's a fix in the recent v0.20.0 which may be helpful. Could you please pull the most recent code (or Docker image) and see if that improves things?

@Gourds
Contributor Author

Gourds commented Jan 22, 2021

> @Gourds those logs continue to show VP working as expected. It does appear that multiple requests are coming in at once. There's a fix in the recent v0.20.0 which may be helpful. Could you please pull the most recent code (or Docker image) and see if that improves things?

I upgraded the version to 0.20.0; the following is the log of the current VP:

https://gist.github.com/Gourds/a9bffa692e9f5c16853d492314682082

In addition, I want to know whether the auth, login, and validate interfaces should be OK in debug mode.

@bnfinet
Member

bnfinet commented Jan 22, 2021

@Gourds that log seems odd. The typical pattern is..

  • go to the protected URL
  • nginx hits /validate
  • redirect to /login
  • redirect to the IdP (oidc endpoint for alibaba)
  • successful IdP login redirects to /auth
  • /auth makes a request of the oauth.userinfo_url
  • issues a VP token
  • redirects the user to the original protected URL

But these logs are much more haphazard. Why? What happens if you just try..

  • one protected URL
  • then click through to the IdP
  • then login
  • then click through to the original URL

There's something fundamentally wrong here. It doesn't feel as if ali is responding with bad information. I suspect something is wrong with your nginx or VP config or your general networking setup.

Why is that log showing a VP request 1 to /auth?

Why is /auth being forwarded to /validate??

2021-01-15T02:31:46.508Z DEBUG Login url param normalized to 'http://test_sso_nginx_a.taiheops.com:2081/auth?code=KzaBeU&state=VtIrLMiJdepstkwuM6lYOgyGxfrs8jNt'

Please post a current Nginx configuration. Every time you change a configuration, please post it.

> In addition, I want to know whether the auth, login, and validate interfaces should be OK in debug mode.

Yes they're all fine. Why do you ask?

@Gourds
Contributor Author

Gourds commented Jan 22, 2021

@bnfinet
Sorry, my operation may not have been standardized before.

Now the VP config is https://gist.github.com/Gourds/7f3bedc07f20ab7d6eaa147ff5b9ffee
The nginx vouch config is also https://gist.github.com/Gourds/ae0fde3ecc24b6e0afd9165eac7e8874
The nginx protected app config is https://gist.github.com/Gourds/915f2ddd96c6f6d4729165108d603ee3

My steps are as follows in debug mode:

  • go to the protected URL: http://test_sso_nginx_a.taiheops.com:2081/
  • then I click the VP test mode page https://ynfyvjwiaw.login.aliyunidaas.com/oauth/authorize?client_id=97237f99deaa7c64b099b2709496c472ARO5UZBICAE&redirect_uri=http%3A%2F%2Fvouch.taiheops.com%3A2081%2Fauth&response_type=code&scope=read&state=M8c0QxEdtP4QGgKIE5BhWE5TES2BFv
  • now it will jump to the IdP login page
  • when I log in to the IdP, the page is redirected to http://vouch.taiheops.com:2081/auth?code=4jGiNr&state=M8c0QxEdtP4QGgKIE5BhWE5TES2BFv
  • then I click /auth/M8c0QxEdtP4QGgKIE5BhWE5TES2BFv/?code=4jGiNr&state=M8c0QxEdtP4QGgKIE5BhWE5TES2BFv
  • then click http://test_sso_nginx_a.taiheops.com:2081/

When I turn off debug mode,
the page will display too many redirects.

The VP log is https://gist.github.com/Gourds/cc426999accf50ec29c8a0797548c162
The nginx log is

123.126.87.108 - - [22/Jan/2021:03:20:55 +0000] "GET / HTTP/1.1" 302 145 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36" "-"
123.126.87.108 - - [22/Jan/2021:03:20:55 +0000] "GET /login?url=http://test_sso_nginx_a.taiheops.com:2081/&vouch-failcount=&X-Vouch-Token=&error= HTTP/1.1" 200 2528 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36" "-"

And my Aliyun IdP config:

Redirect URL: http://vouch.taiheops.com:2081/auth
SP HomePageURL: http://vouch.taiheops.com:2081

@bnfinet
Member

bnfinet commented Jan 26, 2021

@Gourds Okay, now we're getting somewhere...

2021-01-22T03:39:11.502Z ERROR no User found in jwt

That's good to see in this case if only because it tells us that the cookie is missing the user information.

Upon further inspection I don't think that the user_info_url is returning the proper information...

this shows

{"success":true,"code":"200","message":null,"requestId":"C28014DF-9407-4CE2-A974-2E57E5C35CF3","data":{"sub":"3884468577942292116","ou_id":"5711823617764658328","nickname":"xxxx","phone_number":null,"ou_name":"xxxx","email":"xxxx@taiyouxi.cn","username":"xxxx"}}

Instead of the userinfo being provided in the top level it is being sent in a second level data element.

It should be like this..
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

In order to support Aliyun iDaas / Alibaba OIDC a new provider will need to be developed with a custom GetUserInfo method. This is an easy and typical fix. If you're comfortable with basic coding you should be able to do it yourself using the already existing examples.
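
An added example, not vouch-proxy's own provider code, showing the mismatch bnfinet describes: the OIDC Core UserInfo response carries `sub`, `email` and the other claims at the top level, while the Aliyun response wraps them in a status envelope under `data`. The `User` type, its field names, the function names and the sample JSON bodies are assumptions constructed for this example; only the envelope shape comes from the thread.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// User is a stand-in for the proxy's user record; the field names are
// assumed for this example and are not vouch-proxy's own type.
type User struct {
	ID       string
	Username string
	Email    string
	Name     string
}

// oidcClaims are the UserInfo fields the OIDC Core spec places at the top
// level of the response (only the subset this example needs).
type oidcClaims struct {
	Sub      string `json:"sub"`
	Email    string `json:"email"`
	Nickname string `json:"nickname"`
	Username string `json:"username"` // not a standard claim, but present in the Aliyun body
}

// aliyunEnvelope mirrors the response shape shown in the thread: a status
// envelope with the claims nested one level down under "data".
type aliyunEnvelope struct {
	Success bool        `json:"success"`
	Code    string      `json:"code"`
	Message string      `json:"message"`
	Data    *oidcClaims `json:"data"`
}

// claimsToUser refuses a claim set that cannot identify anyone, so an
// empty record never turns into a session token.
func claimsToUser(c oidcClaims) (User, error) {
	if c.Sub == "" {
		return User{}, errors.New("userinfo: missing sub")
	}
	if c.Email == "" {
		return User{}, errors.New("userinfo: missing email")
	}
	username := c.Username
	if username == "" {
		username = c.Email // fall back to the email when the IdP sends no username
	}
	return User{ID: c.Sub, Username: username, Email: c.Email, Name: c.Nickname}, nil
}

// ParseOIDCUserInfo handles the spec-shaped response (claims at the top level).
func ParseOIDCUserInfo(body []byte) (User, error) {
	var c oidcClaims
	if err := json.Unmarshal(body, &c); err != nil {
		return User{}, fmt.Errorf("userinfo: invalid JSON: %w", err)
	}
	return claimsToUser(c)
}

// ParseAliyunUserInfo unwraps the Aliyun envelope, checks the provider's own
// status fields, and then applies the same identity checks.
func ParseAliyunUserInfo(body []byte) (User, error) {
	var env aliyunEnvelope
	if err := json.Unmarshal(body, &env); err != nil {
		return User{}, fmt.Errorf("userinfo: invalid JSON: %w", err)
	}
	if !env.Success || env.Code != "200" {
		return User{}, fmt.Errorf("userinfo: provider error code=%q message=%q", env.Code, env.Message)
	}
	if env.Data == nil {
		return User{}, errors.New("userinfo: response has no data element")
	}
	return claimsToUser(*env.Data)
}

// Constructed sample bodies for this example (not captured from a real IdP).
const (
	SampleAliyunBody = `{"success":true,"code":"200","message":null,"requestId":"REQ-PLACEHOLDER","data":{"sub":"1000000000000000001","ou_id":"2000000000000000002","nickname":"Alice","phone_number":null,"ou_name":"ops","email":"alice@example.com","username":"alice"}}`
	SampleOIDCBody   = `{"sub":"1000000000000000001","email":"alice@example.com","nickname":"Alice"}`
)

func main() {
	u, err := ParseAliyunUserInfo([]byte(SampleAliyunBody))
	fmt.Printf("aliyun parser: %+v err=%v\n", u, err)
	// Feeding the nested body to the plain OIDC parser is the failure in the
	// thread: every claim comes back empty, so no user can be issued a token.
	_, err = ParseOIDCUserInfo([]byte(SampleAliyunBody))
	fmt.Println("nested body through the spec parser:", err)
}
```

Feeding the nested body to the spec-shaped parser leaves every claim empty, which is the condition that later surfaces as `no User found in jwt`; the Aliyun-specific parser also rejects `success:false` and a missing `data` element instead of issuing a token for an empty record.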

@bnfinet bnfinet changed the title "Invalid session state" when configured for Aliyun iDaas / Alibaba OIDC new provider Aliyun iDaas / Alibaba OIDC (userInfo fix, should be easy) Jan 26, 2021
@bnfinet bnfinet changed the title new provider Aliyun iDaas / Alibaba OIDC (userInfo fix, should be easy) new provider to support Aliyun iDaas / Alibaba OIDC (userInfo fix, should be easy) Jan 26, 2021
@Gourds
Contributor Author

Gourds commented Jan 27, 2021

@bnfinet
Thanks. I added Alibaba's provider and it works now. But there are other problems.
When I go to http://test_sso_nginx_a.taiheops.com:2081 it is successful.
In Alibaba's IDaas service, the normal step is to jump from Alibaba's IDaas to http://test_sso_nginx_a.taiheops.com:2081; now
it will jump to http://vouch.taiheops.com:2081/auth?code=FHL9L9&state=9b436bc41865d4cee67563c60825b226RO05YDdK9Ke_idp, and get an error response.
It works when I modify the nginx configuration to redirect the auth request:

server {
  listen 2081;
  server_name vouch.taiheops.com;
  #ssl_certificate /etc/letsencrypt/live/login.avocado.lol/fullchain.pem;
  #ssl_certificate_key /etc/letsencrypt/live/login.avocado.lol/privkey.pem;
  # Proxy to your Vouch instance
  location / {
    proxy_set_header  Host  vouch.taiheops.com;
    #proxy_set_header  X-Forwarded-Proto https;
    proxy_pass        http://127.0.0.1:9090;
  }
  location /auth/ {
    rewrite ^ http://test_sso_nginx_a.taiheops.com:2081;
  }
}

But I don't know how to configure VP when there are multiple apps that need to be protected behind nginx. Is there any good way? In addition, I want to know the specific usage of the callback parameter.

@bnfinet
Member

bnfinet commented Jan 27, 2021

@Gourds ...

> I added Alibaba's provider and it works now.

That's great to hear. Please submit a PR with the working code. It'd be great to bring ali support to VP.

> I don't know how to configure VP when there are multiple apps that need to be protected behind nginx. Is there any good way?

yes there is...
https://github.com/vouch/vouch-proxy/tree/master/examples/nginx/multi-file

WRT the error you are seeing please post full logs and configs in the manner described in the README.

  location /auth/ {
    rewrite ^ http://test_sso_nginx_a.taiheops.com:2081;
  }

That is evading security, that is not what you want. The vouch.taiheops.com config should be just as the README.

@Gourds
Contributor Author

Gourds commented Jan 28, 2021

@bnfinet
Yesterday it may have been a browser cache problem. Now I have tested that two protected apps can log in normally. However, the problem of Ali redirection still exists. Alibaba Cloud has an IDaas console. From this console, there is a navigation page that jumps to the address. This address should be the Redirect URL http://vouch.taiheops.com:2081/auth which I configured on Aliyun.
http://vouch.taiheops.com:2081/auth/0141cb0a0d5b4ebaf5db923e0ff17afaO2sY4djk8Xn_idp/?code=lsuiyp&state=0141cb0a0d5b4ebaf5db923e0ff17afaO2sY4djk8Xn_idp will return 400 and the VP log is here:

{"level":"debug","ts":1611802404.4400449,"msg":"/auth"}
{"level":"debug","ts":1611802404.440106,"msg":"CaptureWriter.Write set w.StatusCode 302"}
{"level":"info","ts":1611802404.4402049,"msg":"|302|   84.794µs /auth","statusCode":302,"request":113,"latency":0.000084794,"avgLatency":0.006405381,"ipPort":"127.0.0.1:19407","method":"GET","host":"vouch.taiheops.com","path":"/auth","referer":""}
{"level":"debug","ts":1611802404.4819818,"msg":"/auth/{state}/"}
{"level":"error","ts":1611802404.4820254,"msg":"/auth Invalid session state: stored %!s(<nil>), returned 345df7be563fb3d3fac6802fe3d3447eB97iZ7u9ErC_idp"}
{"level":"debug","ts":1611802404.4820335,"msg":"setting the cookie domain to taiheops.com"}
{"level":"debug","ts":1611802404.4820383,"msg":"CaptureWriter.Write set w.StatusCode 400"}
{"level":"debug","ts":1611802404.4820473,"msg":"rendering error for user: 400 Bad Request"}
{"level":"info","ts":1611802404.4821837,"msg":"|400|  132.524µs /auth/345df7be563fb3d3fac6802fe3d3447eB97iZ7u9ErC_idp/","statusCode":400,"request":114,"latency":0.000132524,"avgLatency":0.006350356,"ipPort":"127.0.0.1:19409","method":"GET","host":"vouch.taiheops.com","path":"/auth/345df7be563fb3d3fac6802fe3d3447eB97iZ7u9ErC_idp/","referer":""}

If I start a request from http://test_sso_nginx_a.taiheops.com:2081, there is no problem.
Now the information is here:
vp config https://gist.github.com/Gourds/7f3bedc07f20ab7d6eaa147ff5b9ffee
nginx vp config https://gist.github.com/Gourds/ae0fde3ecc24b6e0afd9165eac7e8874
nginx protect config https://gist.github.com/Gourds/915f2ddd96c6f6d4729165108d603ee3
normal vp log https://gist.github.com/Gourds/cc426999accf50ec29c8a0797548c162
nginx access log https://gist.github.com/Gourds/f11e10927b295956c8f477e0558bb538
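
The `/auth Invalid session state: stored %!s(<nil>)` line in the log above is the proxy refusing a callback for which it holds no state: the browser arrived at `/auth?code=...&state=...` from the IdP portal link without first passing through `/login`, so nothing was stored to compare against. The following added example (not vouch-proxy's code; the cookie name, the IdP URL and the handler shapes are assumptions for this example) shows both halves of that check and replays the direct-callback, tampered-state and full-flow cases with constructed requests.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Assumed names for this example; neither is what vouch-proxy itself uses.
const stateCookie = "example_oauth_state"
const idpAuthorizeURL = "https://idp.example/oauth/authorize" // placeholder IdP endpoint

// newState returns 192 bits of CSPRNG output as a URL-safe string.
func newState() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// loginHandler mints the state, binds it to this browser in a cookie, and
// sends the browser to the IdP carrying the same state.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	st, err := newState()
	if err != nil {
		http.Error(w, "cannot generate state", http.StatusInternalServerError)
		return
	}
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: st, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
	http.Redirect(w, r, idpAuthorizeURL+"?response_type=code&state="+st, http.StatusFound)
}

// checkState is the callback-side half: no stored state (the browser never
// passed through /login) and a mismatch both fail closed.
func checkState(r *http.Request) error {
	c, err := r.Cookie(stateCookie)
	if err != nil {
		return errors.New("invalid session state: stored <nil> (browser did not pass through /login)")
	}
	returned := r.URL.Query().Get("state")
	if subtle.ConstantTimeCompare([]byte(c.Value), []byte(returned)) != 1 {
		return errors.New("invalid session state: returned state does not match stored state")
	}
	return nil
}

// authHandler accepts the callback only after the state check; the code
// exchange and token issuance that would follow are omitted here.
func authHandler(w http.ResponseWriter, r *http.Request) {
	if err := checkState(r); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// The state is single-use: clear it before doing anything else.
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: "", Path: "/", MaxAge: -1})
	w.WriteHeader(http.StatusOK)
}

// startLogin drives /login and returns the state the IdP would echo back
// plus the cookies the browser would carry to /auth.
func startLogin() (string, []*http.Cookie) {
	rec := httptest.NewRecorder()
	loginHandler(rec, httptest.NewRequest("GET", "/login", nil))
	loc, err := url.Parse(rec.Header().Get("Location"))
	if err != nil {
		return "", nil
	}
	return loc.Query().Get("state"), rec.Result().Cookies()
}

// callback drives /auth with a given state and cookie jar and returns the status.
func callback(state string, cookies []*http.Cookie) int {
	req := httptest.NewRequest("GET", "/auth?code=constructed-code&state="+state, nil)
	for _, c := range cookies {
		req.AddCookie(c)
	}
	rec := httptest.NewRecorder()
	authHandler(rec, req)
	return rec.Code
}

// DirectCallbackStatus replays the thread's failure: /auth reached with no prior /login.
func DirectCallbackStatus() int { return callback("state-from-portal-link", nil) }

// TamperedStateStatus: the cookie exists, but the returned state differs.
func TamperedStateStatus() int { _, cs := startLogin(); return callback("does-not-match", cs) }

// FullFlowStatus: /login first, then /auth with the matching state and cookie.
func FullFlowStatus() int { st, cs := startLogin(); return callback(st, cs) }

func main() {
	fmt.Println("direct /auth without /login:", DirectCallbackStatus()) // 400
	fmt.Println("state mismatch:", TamperedStateStatus())               // 400
	fmt.Println("full flow:", FullFlowStatus())                         // 200
}
```

The check only works when the IdP returns the browser to the same host that set the cookie, which is why the redirect URL registered at the IdP has to be exactly the proxy's `/auth` callback and why a portal link that starts the flow at the IdP, skipping `/login`, can never satisfy it.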

@Gourds
Contributor Author

Gourds commented Jan 28, 2021

@bnfinet
Alibaba/Aliyun provider support is there: #356

@bnfinet
Member

bnfinet commented Feb 2, 2021

@Gourds thank you for submitting #356!

> This address should be the Redirect URL http://vouch.taiheops.com:2081/auth which I configured on Aliyun.
> http://vouch.taiheops.com:2081/auth/0141cb0a0d5b4ebaf5db923e0ff17afaO2sY4djk8Xn_idp/?code=lsuiyp&state=0141cb0a0d5b4ebaf5db923e0ff17afaO2sY4djk8Xn_idp will return 400 and the VP log is here:

I'm not certain that I understand correctly but aliyun should be configured for the callback_url
http://vouch.taiheops.com:2081/auth
see #349

This VP log shows VP working correctly. The 404s in the nginx log look like normal behaviour. It's unlikely that VP is responsible for those.

@Gourds
Contributor Author

Gourds commented Feb 4, 2021

My test result is that the redirect url configured on Aliyun must be consistent with the callback_url configured in vp. If it is inconsistent, it will throw a URL mismatch error and cannot be redirected.

If I don't use Alibaba Cloud's navigation jump, there is no problem now.
Because vp protects multiple addresses, I think it is unreasonable to jump from a single link on the Alibaba Cloud navigation page to multiple protected addresses, so I decided not to use the navigation page provided by Alibaba Cloud.

@Gourds Gourds closed this as completed Feb 4, 2021
@bnfinet
Member

bnfinet commented Feb 4, 2021

@Gourds that all sounds favorable, but just to be clear, you're saying it's working for you now? :)

@Gourds
Contributor Author

Gourds commented Feb 4, 2021

@bnfinet
Now it can work normally. If I directly access the VP protected URLs, it can jump to login page then redirect normally.

bnfinet added a commit that referenced this issue Feb 19, 2021
@bnfinet
Member

bnfinet commented Feb 19, 2021

@Gourds this has been merged in v0.23.0

Thanks again for working through that and the fine contribution to VP!
