Getting access denied 403 from OIDC login with Azure AD in Kubeflow #115

Open
mohamedFaris47 opened this issue May 7, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@mohamedFaris47
Is this a bug report or feature request?

  • Bug Report

Describe the bug
When trying to use Azure AD as an OIDC provider in Kubeflow v1.6.1 as mentioned in the documentation here, I get redirected to Microsoft login. However, after a successful login I get redirected back to my Kubeflow website and get a page with error 403 access denied, and I get a panic error in the logs of the OIDC service pod.

How to Reproduce
Steps to reproduce the behavior:

  1. Download the kubeflow v1.6.1 manifest here
  2. Edit the manifest to use Azure AD OIDC provider as mentioned here
  3. Deploy Kubeflow on Azure AKS using this guide

Expected behavior
After a successful login on the Microsoft sign-in page, I should be redirected back to Kubeflow's dashboard and be able to use the UI directly.

Config Files

  • Kubeflow manifests here
  • OIDC configuration as mentioned here
# parameters for the OIDC service
OIDC_PROVIDER=https://login.microsoftonline.com/<my-tenant-id>/v2.0
OIDC_AUTH_URL=https://login.microsoftonline.com/<my-tenant-id>/oauth2/v2.0/authorize
OIDC_SCOPES=profile email
REDIRECT_URL=https://my-kubeflow-domain.com/login/oidc
SKIP_AUTH_URI=
USERID_HEADER=kubeflow-userid
USERID_PREFIX=
USERID_CLAIM=email
PORT="8080"
STORE_PATH=/var/lib/authservice/data.db

# secret parameters for the OIDC service
CLIENT_ID=<my-Azure-AD-app-ID>
CLIENT_SECRET=<my-Azure-AD-app-secret>

Logs
These are the error logs that appear in the OIDC service pod after signing in with Microsoft:

http: panic serving 10.248.0.13:42486: interface conversion: interface {} is nil, not string
goroutine 164 [running]:
net/http.(*conn).serve.func1(0xc0002f4e60)
/usr/local/go/src/net/http/server.go:1767 +0x139
panic(0x88ee00, 0xc000102d20)
/usr/local/go/src/runtime/panic.go:679 +0x1b2
main.(*server).callback(0xc0000f8100, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0300) 
/go/src/oidc-authservice/handlers.go:150 +0x1061  
net/http.HandlerFunc.ServeHTTP(0xc0000e8340, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0300)  
/usr/local/go/src/net/http/server.go:2007 +0x44 
github.com/gorilla/mux.(*Router).ServeHTTP(0xc0000ea0c0, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0e00)                       
/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe2      
main.whitelistMiddleware.func1.1(0x9b6ce0, 0xc0000fe1c0, 0xc0000a0e00)              
/go/src/oidc-authservice/handlers.go:225 +0xf2        
net/http.HandlerFunc.ServeHTTP(0xc00013c040, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0e00)                              
/usr/local/go/src/net/http/server.go:2007 +0x44      
github.com/gorilla/handlers.(*cors).ServeHTTP(0xc000140000, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0e00)        
/go/pkg/mod/github.com/gorilla/handlers@v1.4.2/cors.go:54 +0x1037      
net/http.serverHandler.ServeHTTP(0xc0000fe0e0, 0x9b6ce0, 0xc0000fe1c0, 0xc0000a0e00)    
/usr/local/go/src/net/http/server.go:2802 +0xa4                                                      
net/http.(*conn).serve(0xc0002f4e60, 0x9b7ea0, 0xc000282500)           
/usr/local/go/src/net/http/server.go:1890 +0x875                      
created by net/http.(*Server).Serve                           
/usr/local/go/src/net/http/server.go:2927 +0x38e 

Environment:

  • Platform: (Azure AKS)
  • Kubernetes version: 1.24.9
  • Kubeflow v1.6.1
@subasathees

Hi, I am also facing the same issue on user login.
Platform: On-premise
Kubernetes version: 1.23.5
Kubeflow v1.7.0
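
The panic text in the log above is what Go emits when a single-value type assertion to `string` is applied to a nil interface value. The following is an added example, not part of the issue thread and not oidc-authservice's code (the page does not show handlers.go): it reproduces that message for a claims map that lacks the configured `USERID_CLAIM`, next to a comma-ok lookup that fails cleanly. That the nil value is the `email` claim is an assumption; the payloads and function names are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed, already-verified ID-token payloads; only the first has "email".
const withEmail = `{"sub":"abc123","name":"Test User","email":"user@example.com"}`
const withoutEmail = `{"sub":"abc123","name":"Test User"}`

func parse(payload string) map[string]interface{} {
	var claims map[string]interface{}
	_ = json.Unmarshal([]byte(payload), &claims)
	return claims
}

// uncheckedUserID panics when the claim is absent (nil) or not a string.
func uncheckedUserID(claims map[string]interface{}, claim string) string {
	return claims[claim].(string)
}

// userID uses the comma-ok form so the handler can reject the login with a
// logged reason instead of crashing the request goroutine.
func userID(claims map[string]interface{}, claim string) (string, error) {
	s, ok := claims[claim].(string)
	if !ok || s == "" {
		return "", fmt.Errorf("claim %q missing or not a non-empty string (got %T)", claim, claims[claim])
	}
	return s, nil
}

// panicMessage runs the unchecked lookup and returns the recovered panic text.
func panicMessage(payload, claim string) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	uncheckedUserID(parse(payload), claim)
	return ""
}

func main() {
	fmt.Println("unchecked:", panicMessage(withoutEmail, "email"))
	_, err := userID(parse(withoutEmail), "email")
	fmt.Println("checked:  ", err)
}
```

Decoding the ID token returned by the provider and checking whether it actually carries the claim named in `USERID_CLAIM` is the corresponding check on a live deployment.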
