Endless loop when using OIDC (cognito) as provider ERR_TOO_MANY_REDIRECTS #362

manurawat opened this issue Dec 29, 2023 · 3 comments

@manurawat

manurawat commented Dec 29, 2023

Hi team, I am using Cognito as OIDC provider and I do get the login page. Once authenticated, I get into a loop until the browser stops it.

Here is my configuration

auth deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-forward-auth
  namespace: backstage
  labels:
    app: traefik-forward-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: traefik-forward-auth
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - image: thomseddon/traefik-forward-auth:2.1
        args:
          - --log-level=$(LOG_LEVEL)
          - --url-path="/oauth"
          - --default-provider=$(DEFAULT_PROVIDER)
          - --providers.oidc.issuer-url=$(PROVIDERS_OIDC_ISSUER_ID)
          - --providers.oidc.client-id=$(PROVIDERS_OIDC_CLIENT_ID)
          - --providers.oidc.client-secret=$(PROVIDERS_OIDC_CLIENT_SECRET)
        name: traefik-forward-auth
        ports:
        - containerPort: 4181
          protocol: TCP
          name: forward-ports
        env:
        - name: AUTH_HOST
          value: "backstage-dev.tools.resources.example.com"
        - name: COOKIE_DOMAIN
          value: "tools.resources.example.com"
        - name: LOG_LEVEL
          value: "info"
        - name: DOMAIN
          value: "pings.com"
        # INSECURE_COOKIE is required unless using https entrypoint
        - name: INSECURE_COOKIE
          value: "false"
        - name: DEFAULT_PROVIDER
          value: "oidc"
        - name: PROVIDERS_OIDC_ISSUER_ID
          value: "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_635dae24"
        - name: PROVIDERS_OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: traefik-forward-auth-secrets
              key: traefik-forward-auth-google-client-id
        - name: PROVIDERS_OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: traefik-forward-auth-secrets
              key: traefik-forward-auth-google-client-secret
        - name: SECRET
          valueFrom:
            secretKeyRef:
              name: traefik-forward-auth-secrets
              key: traefik-forward-auth-secret

auth service

apiVersion: v1
kind: Service
metadata:
  name: traefik-forward-auth
  namespace: backstage
  labels:
    app: traefik-forward-auth
spec:
  type: ClusterIP
  selector:
    app: traefik-forward-auth
  ports:
  - name: auth-http
    port: 4181
    targetPort: forward-ports

auth ingress

kind: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: traefik-forward-auth-ingress
  namespace: backstage
  labels:
    app: traefik-forward-auth
  annotations:
    kubernetes.io/ingress.class: "traefik-external"
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`authenticate.tools.resources.example.com`) 
      services:
        - name: traefik-forward-auth
          port: 4181
      middlewares:
        #- name: traefik-forward-auth
        - name: add-forwarded-headers

application ingress

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: backstage-ingress
  namespace: backstage
  annotations:
      kubernetes.io/ingress.class: "traefik-external"
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`backstage-dev.tools.resources.example.com`)
      priority: 10
      services:
        - name: backstage
          port: 7007
      middlewares:
        - name: traefik-forward-auth

middlewares

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-forward-auth
  namespace: backstage
spec:
  forwardAuth:
    address: https://authenticate.tools.resources.example.com/
    trustForwardHeader: true
    authResponseHeaders:
      - X-Forwarded-User
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: add-forwarded-headers
  namespace: backstage
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
      X-Forwarded-Port: "443"

logs from traefik

```text
{"ClientAddr":"10.1.0.82:32908","ClientHost":"10.1.0.82","ClientPort":"32908","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":1061483,"OriginContentSize":0,"OriginDuration":974138,"OriginStatus":307,"Overhead":87345,"RequestAddr":"authenticate.tools.resources.example.com","RequestContentSize":0,"RequestCount":269,"RequestHost":"authenticate.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceAddr":"10.1.0.250:4181","ServiceName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.1.0.250:4181","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2023-12-29T12:35:52.990931227Z","StartUTC":"2023-12-29T12:35:52.990931227Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:35:52Z"}
time="2023-12-29T12:35:52Z" level=debug msg="Remote error https://authenticate.tools.resources.example.com/. StatusCode: 307" middlewareName=backstage-traefik-forward-auth@kubernetescrd middlewareType=ForwardedAuthType
{"ClientAddr":"10.1.0.82:7369","ClientHost":"10.1.0.82","ClientPort":"7369","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":46996994,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":46996994,"RequestAddr":"backstage-dev.tools.resources.example.com","RequestContentSize":0,"RequestCount":268,"RequestHost":"backstage-dev.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-backstage-ingress-3838c1308de02b28f9a1@kubernetescrd","StartLocal":"2023-12-29T12:35:52.945933677Z","StartUTC":"2023-12-29T12:35:52.945933677Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:35:52Z"}
{"ClientAddr":"10.1.0.82:32908","ClientHost":"10.1.0.82","ClientPort":"32908","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":525310,"OriginContentSize":0,"OriginDuration":443615,"OriginStatus":307,"Overhead":81695,"RequestAddr":"authenticate.tools.resources.example.com","RequestContentSize":0,"RequestCount":271,"RequestHost":"authenticate.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceAddr":"10.1.0.250:4181","ServiceName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.1.0.250:4181","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2023-12-29T12:35:53.422994401Z","StartUTC":"2023-12-29T12:35:53.422994401Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:35:53Z"}
time="2023-12-29T12:35:53Z" level=debug msg="Remote error https://authenticate.tools.resources.example.com/. StatusCode: 307" middlewareType=ForwardedAuthType middlewareName=backstage-traefik-forward-auth@kubernetescrd
{"ClientAddr":"10.1.0.82:7369","ClientHost":"10.1.0.82","ClientPort":"7369","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":2663661,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":2663661,"RequestAddr":"backstage-dev.tools.resources.example.com","RequestContentSize":0,"RequestCount":270,"RequestHost":"backstage-dev.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-backstage-ingress-3838c1308de02b28f9a1@kubernetescrd","StartLocal":"2023-12-29T12:35:53.421803551Z","StartUTC":"2023-12-29T12:35:53.421803551Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:35:53Z"}

{"ClientAddr":"10.1.0.82:32908","ClientHost":"10.1.0.82","ClientPort":"32908","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":995049,"OriginContentSize":0,"OriginDuration":916186,"OriginStatus":307,"Overhead":78863,"RequestAddr":"authenticate.tools.resources.example.com","RequestContentSize":0,"RequestCount":277,"RequestHost":"authenticate.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceAddr":"10.1.0.250:4181","ServiceName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.1.0.250:4181","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2023-12-29T12:36:11.355063574Z","StartUTC":"2023-12-29T12:36:11.355063574Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:36:11Z"}
time="2023-12-29T12:36:11Z" level=debug msg="Remote error https://authenticate.tools.resources.example.com/. StatusCode: 307" middlewareName=backstage-traefik-forward-auth@kubernetescrd middlewareType=ForwardedAuthType
{"ClientAddr":"10.1.0.82:7369","ClientHost":"10.1.0.82","ClientPort":"7369","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":3356018,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":3356018,"RequestAddr":"backstage-dev.tools.resources.example.com","RequestContentSize":0,"RequestCount":276,"RequestHost":"backstage-dev.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/oauth?code=88a007d2-11c5-46ba-9e29-3f99d0dc5d04\u0026state=ed59527371c0ec61ab20f4414b1624ae:oidc:https://authenticate.tools.resources.example.com","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-backstage-ingress-3838c1308de02b28f9a1@kubernetescrd","StartLocal":"2023-12-29T12:36:11.353784628Z","StartUTC":"2023-12-29T12:36:11.353784628Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:36:11Z"}
{"ClientAddr":"10.1.0.82:32908","ClientHost":"10.1.0.82","ClientPort":"32908","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":512959,"OriginContentSize":0,"OriginDuration":437126,"OriginStatus":307,"Overhead":75833,"RequestAddr":"authenticate.tools.resources.example.com","RequestContentSize":0,"RequestCount":279,"RequestHost":"authenticate.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceAddr":"10.1.0.250:4181","ServiceName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.1.0.250:4181","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2023-12-29T12:36:11.59199596Z","StartUTC":"2023-12-29T12:36:11.59199596Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:36:11Z"}
time="2023-12-29T12:36:11Z" level=debug msg="Remote error https://authenticate.tools.resources.example.com/. StatusCode: 307" middlewareName=backstage-traefik-forward-auth@kubernetescrd middlewareType=ForwardedAuthType
{"ClientAddr":"10.1.0.82:7369","ClientHost":"10.1.0.82","ClientPort":"7369","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":3147681,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":3147681,"RequestAddr":"backstage-dev.tools.resources.example.com","RequestContentSize":0,"RequestCount":278,"RequestHost":"backstage-dev.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/oauth?code=3f448d77-45f7-44ea-aa63-428f057ed9af\u0026state=3035ee52838a74844ca5f0c139c78c62%3Aoidc%3Ahttps%3A%2F%2Fauthenticate.tools.resources.example.com","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-backstage-ingress-3838c1308de02b28f9a1@kubernetescrd","StartLocal":"2023-12-29T12:36:11.590849246Z","StartUTC":"2023-12-29T12:36:11.590849246Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:36:11Z"}
{"ClientAddr":"10.1.0.82:32908","ClientHost":"10.1.0.82","ClientPort":"32908","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":307,"Duration":582717,"OriginContentSize":0,"OriginDuration":494794,"OriginStatus":307,"Overhead":87923,"RequestAddr":"authenticate.tools.resources.example.com","RequestContentSize":0,"RequestCount":281,"RequestHost":"authenticate.tools.resources.example.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceAddr":"10.1.0.250:4181","ServiceName":"backstage-traefik-forward-auth-ingress-5f386ef6609642ab5b7d@kubernetescrd","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.1.0.250:4181","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2023-12-29T12:36:11.736648187Z","StartUTC":"2023-12-29T12:36:11.736648187Z","entryPointName":"websecure","level":"info","msg":"","time":"2023-12-29T12:36:11Z"}
time="2023-12-29T12:36:11Z" level=debug msg="Remote error https://authenticate.tools.resources.example.com/. StatusCode: 307" middlewareType=ForwardedAuthType middlewareName=backstage-traefik-forward-auth@kubernetescrd
```
@Paladin-F

In the auth ingress, keep `- name: traefik-forward-auth` in `middlewares`.
I've been struggling with this for a long time too.

@AfrazHussain

@manurawat Did you ever find a solution for this issue? I want to implement Traefik with Cognito's user pool too, so I was just looking at resources on how to do that.

@clambin

clambin commented May 9, 2024

> Did you ever find a solution for this issue? I want to implement Traefik with Cognito's user pool too, so I was just looking at resources on how to do that.

@AfrazHussain: It's a configuration issue: you need to specify the traefik-forward-auth middleware on the ingress for the auth flow. It's commented out in the example above.
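Both replies point at the same line: the `traefik-forward-auth` middleware has to be applied on the auth-host IngressRoute as well, not only on the application route. The manifests below show the auth-host route and the ForwardAuth middleware with that in place. They are an added example, not the reporter's manifests and not the project's documented configuration; names, namespace and host names are taken from the manifests posted in the issue. The in-cluster `address` in the Middleware is an assumption about the deployment rather than something the thread confirms: the posted middleware calls the public `https://authenticate...` hostname, so every auth sub-request leaves Traefik and re-enters the `websecure` entrypoint, where Traefik, with the default `forwardedHeaders` settings, discards `X-Forwarded-*` headers that do not come from a trusted IP. The access log in the issue has exactly that shape: every request logged on the auth host has `RequestPath` `/` and is answered 307, so the forward-auth service never sees the original URI it is supposed to check.

```yaml
# Added example: auth-host IngressRoute with the forwardAuth middleware applied.
# Hosts, names and namespace follow the manifests posted in the issue.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-forward-auth-ingress
  namespace: backstage
  labels:
    app: traefik-forward-auth
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`authenticate.tools.resources.example.com`)
      services:
        - name: traefik-forward-auth
          port: 4181
      middlewares:
        # The auth host must pass through the same ForwardAuth middleware as the
        # application: traefik-forward-auth handles the OIDC callback
        # (--url-path, here /oauth) and the post-login redirect from the
        # forwarded request Traefik builds for it (X-Forwarded-Host/-Uri/-Proto).
        # This line was commented out in the issue, which is what the replies fix.
        - name: traefik-forward-auth
        - name: add-forwarded-headers
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-forward-auth
  namespace: backstage
spec:
  forwardAuth:
    # Assumption, not from the thread: address the in-cluster Service so the
    # auth sub-request stays inside the cluster instead of re-entering the
    # websecure entrypoint, which with default forwardedHeaders settings strips
    # the X-Forwarded-* headers the ForwardAuth middleware just added.
    # The issue used: https://authenticate.tools.resources.example.com/
    address: http://traefik-forward-auth.backstage.svc.cluster.local:4181
    trustForwardHeader: true
    authResponseHeaders:
      - X-Forwarded-User
```

Two related things to check in the posted Deployment, both visible in the issue rather than assumed: `AUTH_HOST` is set to the application host (`backstage-dev.tools.resources.example.com`) while the auth route matches `authenticate.tools.resources.example.com`; in auth-host mode traefik-forward-auth sends the IdP's `redirect_uri` to `AUTH_HOST` plus the URL path, so `AUTH_HOST` should be the host this IngressRoute matches. The access log bears this out: the callback `/oauth?code=...` arrives on `backstage-dev`, not on the auth host. Second, the log shows `RequestScheme` `http` on the `websecure` entrypoint, i.e. TLS is terminated in front of Traefik; if the middleware is pointed at the in-cluster address as above, `add-forwarded-headers` on the auth route no longer runs for the sub-request, so `X-Forwarded-Proto: https` has to reach traefik-forward-auth another way (applying `add-forwarded-headers` before `traefik-forward-auth` on the application route, or trusting the load balancer via `forwardedHeaders.trustedIPs`), otherwise the `redirect_uri` it registers with Cognito will be built with `http://`.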
