Dear OpenShift Colleagues,

I can't get the OpenID Auth plugin [$] working, not necessarily because it's broken on the Origin side, since the AD layer, where I'm not root, is also involved [%]; furthermore, I don't have very much experience with OpenID.

I believe I've slavishly followed the manual [$], and I've selected "lookup" as the mappingMethod since I don't want any automatic login from our AD at this stage.

This is my failed login attempt with oc:
################################################
$ oc login --loglevel=10
I0326 22:58:26.698146   38291 loader.go:357] Config loaded from file /Users/f_martinelli/.kube/config
I0326 22:58:26.701628   38291 round_trippers.go:386] curl -k -v -XHEAD  https://hosting.wfp.org:443/
I0326 22:58:26.922676   38291 round_trippers.go:405] HEAD https://hosting.wfp.org:443/ 403 Forbidden in 220 milliseconds
I0326 22:58:26.922709   38291 round_trippers.go:411] Response Headers:
I0326 22:58:26.922720   38291 round_trippers.go:414]     Vary: Accept-Encoding
I0326 22:58:26.922729   38291 round_trippers.go:414]     X-Content-Type-Options: nosniff
I0326 22:58:26.922738   38291 round_trippers.go:414]     Date: Mon, 26 Mar 2018 20:58:26 GMT
I0326 22:58:26.922747   38291 round_trippers.go:414]     Content-Type: text/plain
I0326 22:58:26.922756   38291 round_trippers.go:414]     Connection: keep-alive
I0326 22:58:26.922765   38291 round_trippers.go:414]     Server: nginx
I0326 22:58:26.922774   38291 round_trippers.go:414]     Content-Length: 90
I0326 22:58:26.922782   38291 round_trippers.go:414]     Cache-Control: no-store
I0326 22:58:26.922889   38291 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" https://hosting.wfp.org:443/.well-known/oauth-authorization-server
I0326 22:58:26.965442   38291 round_trippers.go:405] GET https://hosting.wfp.org:443/.well-known/oauth-authorization-server 200 OK in 42 milliseconds
I0326 22:58:26.965686   38291 round_trippers.go:411] Response Headers:
I0326 22:58:26.966184   38291 round_trippers.go:414]     Server: nginx
I0326 22:58:26.966199   38291 round_trippers.go:414]     Date: Mon, 26 Mar 2018 20:58:26 GMT
I0326 22:58:26.966210   38291 round_trippers.go:414]     Content-Type: application/json
I0326 22:58:26.966529   38291 round_trippers.go:414]     Connection: keep-alive
I0326 22:58:26.966557   38291 round_trippers.go:414]     Vary: Accept-Encoding
I0326 22:58:26.966572   38291 round_trippers.go:414]     Cache-Control: no-store
I0326 22:58:26.968573   38291 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client&code_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit&response_type=code
I0326 22:58:27.002233   38291 round_trippers.go:405] GET https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client&code_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit&response_type=code 401 Unauthorized in 33 milliseconds
I0326 22:58:27.002305   38291 round_trippers.go:411] Response Headers:
I0326 22:58:27.002333   38291 round_trippers.go:414]     Connection: keep-alive
I0326 22:58:27.002343   38291 round_trippers.go:414]     Www-Authenticate: Basic realm="openshift"
I0326 22:58:27.002352   38291 round_trippers.go:414]     Server: nginx
I0326 22:58:27.002361   38291 round_trippers.go:414]     Date: Mon, 26 Mar 2018 20:58:26 GMT
I0326 22:58:27.002370   38291 round_trippers.go:414]     Content-Type: text/plain; charset=utf-8
I0326 22:58:27.002379   38291 round_trippers.go:414]     Content-Length: 0
Authentication required for https://hosting.wfp.org:443 (openshift)
Username: MYUSERNAME
Password:  MYPASSWORD
I0326 22:58:32.977080   38291 round_trippers.go:386] curl -k -v -XGET  -H "Authorization: Basic ZmFiaW8ubWFydGluZWxsaTo=" -H "X-Csrf-Token: 1" https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client&code_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit&response_type=code
I0326 22:58:33.018514   38291 round_trippers.go:405] GET https://hosting.wfp.org/oauth/authorize?client_id=openshift-challenging-client&code_challenge=kJm9R5VPybDF9QjG-t9EhOAw0CCcLpiVQ2pXxmME08w&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth%2Ftoken%2Fimplicit&response_type=code 500 Internal Server Error in 41 milliseconds
I0326 22:58:33.018570   38291 round_trippers.go:411] Response Headers:
I0326 22:58:33.018584   38291 round_trippers.go:414]     Server: nginx
I0326 22:58:33.018595   38291 round_trippers.go:414]     Date: Mon, 26 Mar 2018 20:58:32 GMT
I0326 22:58:33.018603   38291 round_trippers.go:414]     Content-Type: text/plain; charset=utf-8
I0326 22:58:33.018611   38291 round_trippers.go:414]     Content-Length: 100
I0326 22:58:33.018621   38291 round_trippers.go:414]     Connection: keep-alive
error: Internal error occurred: unexpected response: 500 - verify you have provided the correct host and port and that the server is currently running.
I0326 22:58:33.019129   38291 helpers.go:206] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "Internal error occurred: unexpected response: 500",
  "reason": "InternalError",
  "details": {
    "causes": [
      {
        "message": "unexpected response: 500"
      }
    ]
  },
  "code": 500
}]
F0326 22:58:33.019164   38291 helpers.go:120] Error from server (InternalError): Internal error occurred: unexpected response: 500
################################################

As you can see, nginx is running in front of the OpenShift web console, but when I use the htpasswd auth plugin this is completely transparent.

OpenShift-side logs; AD is running on https://fs.auth.wfp.org:
################################################
Mar 26 22:59:14 wfpromshap22 journal: I0326 20:59:14.505682       1 wrap.go:42] GET /apis/oauth.openshift.io/v1/oauthclients/openshift-web-console: (1.873926ms) 200 [[openshift/v1.7.6+a08f5eeb62 (linux/amd64) kubernetes/c84beff] 127.0.0.1:34518]
Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.505682       1 wrap.go:42] GET /apis/oauth.openshift.io/v1/oauthclients/openshift-web-console: (1.873926ms) 200 [[openshift/v1.7.6+a08f5eeb62 (linux/amd64) kubernetes/c84beff] 127.0.0.1:34518]
Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.506054       1 handler.go:66] Authentication needed for &{{my_openid_connect 0xf28d5e0 {5b176f53-e0cb-410a-ad7c-5a6f60b4c38e bsJyJ3VNfReAj7sq1L785Yh2cPcImlFcTcY18HbR [openid] map[] https://fs.auth.wfp.org/adfs/oauth2/authorize https://fs.auth.wfp.org/adfs/oauth2/token https://fs.auth.wfp.org/adfs/userinfo [sub] [preferred_username] [email] [name] <nil>}} 0xc4217c20f0 0xc421777400 0xc4216ab950 [0xc4217c70e0 0xc4217c20f0] [0xc4217c2090 0xc4217c20f0] 0xc42175d840}
Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.506131       1 handler.go:78] redirect to https://fs.auth.wfp.org/adfs/oauth2/authorize?client_id=5b176f53-e0cb-410a-ad7c-5a6f60b4c38e&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth2callback%2Fmy_openid_connect&response_type=code&scope=openid&state=Y3NyZj1kMjIyNWJjMC0zMTBkLTExZTgtYjlhZi0wMDUwNTZhNjZmNGImdGhlbj0lMkZvYXV0aCUyRmF1dGhvcml6ZSUzRmNsaWVudF9pZCUzRG9wZW5zaGlmdC13ZWItY29uc29sZSUyNnJlc3BvbnNlX3R5cGUlM0Rjb2RlJTI2c3RhdGUlM0RleUowYUdWdUlqb2lMeUlzSW01dmJtTmxJam9pTVRVeU1qQTVOemsxTlRFek9TMHpPRFV6T1RFNU5qWXhNelU0T1RJMk9UYzVNekkyTmpJeU5UTXdOVGt4TkRJek5qazROVFkwTVRNNE5UZzVPVGM0TWpNek1qWXhNekF4TnpjeU5Ea3dOVE0xTVRFeU9EVTNNVEEwTWpjNEluMCUyNnJlZGlyZWN0X3VyaSUzRGh0dHBzJTI1M0ElMjUyRiUyNTJGaG9zdGluZy53ZnAub3JnJTI1MkZjb25zb2xlJTI1MkZvYXV0aA%3D%3D
Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.506185       1 wrap.go:42] GET /oauth/authorize?client_id=openshift-web-console&response_type=code&state=eyJ0aGVuIjoiLyIsIm5vbmNlIjoiMTUyMjA5Nzk1NTEzOS0zODUzOTE5NjYxMzU4OTI2OTc5MzI2NjIyNTMwNTkxNDIzNjk4NTY0MTM4NTg5OTc4MjMzMjYxMzAxNzcyNDkwNTM1MTEyODU3MTA0Mjc4In0&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Fconsole%2Foauth: (2.865321ms) 302 [[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36] 10.11.40.34:34290]
Mar 26 22:59:14 wfpromshap22 journal: I0326 20:59:14.506054       1 handler.go:66] Authentication needed for &{{my_openid_connect 0xf28d5e0 {5b176f53-e0cb-410a-ad7c-5a6f60b4c38e bsJyJ3VNfReAj7sq1L785Yh2cPcImlFcTcY18HbR [openid] map[] https://fs.auth.wfp.org/adfs/oauth2/authorize https://fs.auth.wfp.org/adfs/oauth2/token https://fs.auth.wfp.org/adfs/userinfo [sub] [preferred_username] [email] [name] <nil>}} 0xc4217c20f0 0xc421777400 0xc4216ab950 [0xc4217c70e0 0xc4217c20f0] [0xc4217c2090 0xc4217c20f0] 0xc42175d840}
Mar 26 22:59:14 wfpromshap22 journal: I0326 20:59:14.506131       1 handler.go:78] redirect to https://fs.auth.wfp.org/adfs/oauth2/authorize?client_id=5b176f53-e0cb-410a-ad7c-5a6f60b4c38e&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Foauth2callback%2Fmy_openid_connect&response_type=code&scope=openid&state=Y3NyZj1kMjIyNWJjMC0zMTBkLTExZTgtYjlhZi0wMDUwNTZhNjZmNGImdGhlbj0lMkZvYXV0aCUyRmF1dGhvcml6ZSUzRmNsaWVudF9pZCUzRG9wZW5zaGlmdC13ZWItY29uc29sZSUyNnJlc3BvbnNlX3R5cGUlM0Rjb2RlJTI2c3RhdGUlM0RleUowYUdWdUlqb2lMeUlzSW01dmJtTmxJam9pTVRVeU1qQTVOemsxTlRFek9TMHpPRFV6T1RFNU5qWXhNelU0T1RJMk9UYzVNekkyTmpJeU5UTXdOVGt4TkRJek5qazROVFkwTVRNNE5UZzVPVGM0TWpNek1qWXhNekF4TnpjeU5Ea3dOVE0xTVRFeU9EVTNNVEEwTWpjNEluMCUyNnJlZGlyZWN0X3VyaSUzRGh0dHBzJTI1M0ElMjUyRiUyNTJGaG9zdGluZy53ZnAub3JnJTI1MkZjb25zb2xlJTI1MkZvYXV0aA%3D%3D
Mar 26 22:59:14 wfpromshap22 journal: I0326 20:59:14.506185       1 wrap.go:42] GET /oauth/authorize?client_id=openshift-web-console&response_type=code&state=eyJ0aGVuIjoiLyIsIm5vbmNlIjoiMTUyMjA5Nzk1NTEzOS0zODUzOTE5NjYxMzU4OTI2OTc5MzI2NjIyNTMwNTkxNDIzNjk4NTY0MTM4NTg5OTc4MjMzMjYxMzAxNzcyNDkwNTM1MTEyODU3MTA0Mjc4In0&redirect_uri=https%3A%2F%2Fhosting.wfp.org%2Fconsole%2Foauth: (2.865321ms) 302 [[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36] 10.11.40.34:34290]
Mar 26 22:59:14 wfpromshap22 journal: I0326 20:59:14.634186       1 handler.go:160] Got auth data
Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.634186       1 handler.go:160] Got auth data
Mar 26 22:59:14 wfpromshap22 origin-master-api: I0326 20:59:14.642600       1 openid.go:216] identity=&{my_openid_connect l8M167PMNqOtC+i49V4K5wAiVhlnNY7Tax//O0l0Bm8= map[]}
################################################

Please, can I somehow debug step by step what Origin is doing here?

I understand I should get a JWT from AD during the authentication; did I get it? I read "Got auth data" in the logs.

I have no access to the AD logs, but I can talk F2F with our AD admin.

Many thanks in advance,
Fabio Martinelli
[$] https://docs.openshift.com/container-platform/3.7/install_config/configuring_authentication.html#OpenID
[%] https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code
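The master log above can be unpacked offline to see what Origin is carrying between the web console, itself and ADFS at each hop. This is an added helper, not code from the post or from OpenShift: it decodes the two-layer `state` Origin sends to ADFS (the csrf value plus the original `/oauth/authorize` request, which in turn carries the web console's own then/nonce state) and rebuilds the Identity object name that `mappingMethod: lookup` expects to find; the embedded state and identity fragments are copied from the log entries quoted above.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: the state= value from the "redirect to ..." entry and the
# identity= entry of the origin-master-api log quoted in the post.
OUTER_STATE = (
    "Y3NyZj1kMjIyNWJjMC0zMTBkLTExZTgtYjlhZi0wMDUwNTZhNjZmNGImdGhlbj0l"
    "MkZvYXV0aCUyRmF1dGhvcml6ZSUzRmNsaWVudF9pZCUzRG9wZW5zaGlmdC13ZWIt"
    "Y29uc29sZSUyNnJlc3BvbnNlX3R5cGUlM0Rjb2RlJTI2c3RhdGUlM0RleUowYUdW"
    "dUlqb2lMeUlzSW01dmJtTmxJam9pTVRVeU1qQTVOemsxTlRFek9TMHpPRFV6T1RF"
    "NU5qWXhNelU0T1RJMk9UYzVNekkyTmpJeU5UTXdOVGt4TkRJek5qazROVFkwTVRN"
    "NE5UZzVPVGM0TWpNek1qWXhNekF4TnpjeU5Ea3dOVE0xTVRFeU9EVTNNVEEwTWpj"
    "NEluMCUyNnJlZGlyZWN0X3VyaSUzRGh0dHBzJTI1M0ElMjUyRiUyNTJGaG9zdGlu"
    "Zy53ZnAub3JnJTI1MkZjb25zb2xlJTI1MkZvYXV0aA=="
)
IDENTITY_LINE = "openid.go:216] identity=&{my_openid_connect l8M167PMNqOtC+i49V4K5wAiVhlnNY7Tax//O0l0Bm8= map[]}"


def b64decode_any(s):
    # Standard or URL-safe base64, with '=' padding restored if the sender dropped it.
    s = s.replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_state(state):
    # Outer layer: base64 of "csrf=<cookie value>&then=<original /oauth/authorize URL>".
    outer = parse_qs(b64decode_any(state).decode())
    then_url = outer["then"][0]
    then_qs = parse_qs(urlparse(then_url).query)
    # Inner layer: the web console's own state, base64 JSON with "then" and "nonce".
    inner = json.loads(b64decode_any(then_qs["state"][0]))
    return {
        "csrf": outer["csrf"][0],
        "then": then_url,
        "console_client_id": then_qs["client_id"][0],
        "console_redirect_uri": then_qs["redirect_uri"][0],
        "console_then": inner["then"],
        "console_nonce": inner["nonce"],
    }


def expected_identity_name(log_line):
    # mappingMethod: lookup needs an Identity named "<provider>:<providerUserName>"
    # (with a UserIdentityMapping) to exist already; this rebuilds that name.
    m = re.search(r"identity=&\{(\S+) (\S+) map\[\]\}", log_line)
    if not m:
        raise ValueError("no identity= entry in line")
    return f"{m.group(1)}:{m.group(2)}"
```

With lookup, a login whose Identity has no mapping is refused, so `oc get identity` on the rebuilt name (and `oc get useridentitymapping`) is the first thing to check once "Got auth data" appears.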
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
