
Failed to exchange authorization code with token: oauth2: cannot fetch token: 400 Bad Request Using Azure AD OIDC #93

Open
yphanikumar1995 opened this issue May 24, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@yphanikumar1995

Is this a bug report or feature request?

  • Bug Report

Describe the bug

We deployed oidc-authservice for Kubeflow and integrated it with Azure AD.

How to Reproduce
Steps to reproduce the behavior:

  1. Deploy AuthService ...
  2. Perform this action ...
  3. See error

Expected behavior

Log in the Azure AD user successfully and be able to access the Kubeflow dashboard.

Config Files

We used the environment variables below:

OIDC_PROVIDER=https://login.microsoftonline.com/<tenant_id>/v2.0
OIDC_AUTH_URL=https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize
OIDC_SCOPES=profile email
REDIRECT_URL=https://kubeflow-test.mydomain.com/login/oidc
SKIP_AUTH_URI=
USERID_HEADER=kubeflow-userid
USERID_PREFIX=
USERID_CLAIM=email
PORT="8080"
STORE_PATH=/var/lib/authservice/data.db

CLIENT_ID=
CLIENT_SECRET=

Added https://kubeflow-test.mydomain.com/login/oidc as the redirect URL in the Azure app registration.


Logs

time="2022-05-24T04:47:59Z" level=info msg="Starting readiness probe at 8081"
time="2022-05-24T04:47:59Z" level=info msg="No USERID_TOKEN_HEADER specified, using 'kubeflow-userid-token' as default."
time="2022-05-24T04:47:59Z" level=info msg="No SERVER_HOSTNAME specified, using '' as default."
time="2022-05-24T04:47:59Z" level=info msg="No SERVER_PORT specified, using '8080' as default."
time="2022-05-24T04:47:59Z" level=info msg="No SESSION_MAX_AGE specified, using '86400' as default."
time="2022-05-24T04:47:59Z" level=info msg="Starting web server at :8080"
2022/05/24 04:48:21 http: panic serving 10.244.0.249:57466: interface conversion: interface {} is nil, not string
goroutine 20 [running]:
net/http.(*conn).serve.func1(0xc0000968c0)
/usr/local/go/src/net/http/server.go:1767 +0x139
panic(0x88ee00, 0xc0001ca5d0)
/usr/local/go/src/runtime/panic.go:679 +0x1b2
main.(*server).callback(0xc0000e4100, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc900)
/go/src/oidc-authservice/handlers.go:150 +0x1061
net/http.HandlerFunc.ServeHTTP(0xc0000d4330, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc900)
/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/gorilla/mux.(*Router).ServeHTTP(0xc0000d60c0, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc700)
/go/pkg/mod/github.com/gorilla/mux@v1.7.3/mux.go:212 +0xe2
main.whitelistMiddleware.func1.1(0x9b6ce0, 0xc00032f0a0, 0xc0001dc700)
/go/src/oidc-authservice/handlers.go:225 +0xf2
net/http.HandlerFunc.ServeHTTP(0xc000122040, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc700)
/usr/local/go/src/net/http/server.go:2007 +0x44
github.com/gorilla/handlers.(*cors).ServeHTTP(0xc000130000, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc700)
/go/pkg/mod/github.com/gorilla/handlers@v1.4.2/cors.go:54 +0x1037
net/http.serverHandler.ServeHTTP(0xc0000e80e0, 0x9b6ce0, 0xc00032f0a0, 0xc0001dc700)
/usr/local/go/src/net/http/server.go:2802 +0xa4
net/http.(*conn).serve(0xc0000968c0, 0x9b7ea0, 0xc000122280)
/usr/local/go/src/net/http/server.go:1890 +0x875
created by net/http.(*Server).Serve
/usr/local/go/src/net/http/server.go:2927 +0x38e
time="2022-05-24T04:48:39Z" level=error msg="Failed to exchange authorization code with token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {"error":"invalid_grant","error_description":"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.\r\nTrace ID: b5d24d9e-76fe-44ca-aced-cce900c16c00\r\nCorrelation ID: e0e1823d-1f9a-4f37-9dbe-85d53bd9ce25\r\nTimestamp: 2022-05-24

Environment:

  • AuthService version: 28c59ef
  • Platform: Azure
  • Kubernetes version: 1.21.9

Additional context

@yphanikumar1995 yphanikumar1995 added the bug Something isn't working label May 24, 2022
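A note on reading the log above: the goroutine panic at handlers.go:150 is a runtime error from converting a nil interface{} value to string inside the callback handler, i.e. the token exchange itself succeeded and the handler then crashed on something it pulled out of the token. The AADSTS54005 "already redeemed" error 18 seconds later is consistent with the same authorization code being sent to the token endpoint a second time (for example a browser refresh of the /login/oidc?code=... URL after the first request died), so it is a symptom of the crash rather than the cause. With USERID_CLAIM=email, a common cause of a nil claim is that the Azure AD v2.0 ID token contains no email claim for that user (Azure AD fills it from the user's mail attribute), whereas preferred_username is present.

The Go program below is an added example, not code from oidc-authservice, and whether line 150 is exactly an unchecked type assertion on the USERID_CLAIM lookup is an assumption. It shows the unchecked assertion (which reproduces the panic text in the trace) beside a checked version that returns an error instead, run over a constructed claim set resembling an Azure AD v2.0 ID token without an email claim. The payload, identifiers and function names are made up for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample claim set: what an Azure AD v2.0 ID token might carry for a
// user whose directory object has no mail attribute. "email" is absent even though
// the "email" scope was requested; "preferred_username" is present. This payload is
// made up for the example and was not captured from a real tenant.
const sampleIDTokenPayload = `{
  "aud": "00000000-0000-0000-0000-000000000000",
  "iss": "https://login.microsoftonline.com/<tenant_id>/v2.0",
  "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "name": "Example User",
  "preferred_username": "user@example.onmicrosoft.com"
}`

// Sentinel errors so a handler can tell "provider did not send the claim" apart
// from "provider sent it in an unexpected shape".
var (
	ErrClaimMissing   = errors.New("user-id claim missing from ID token")
	ErrClaimNotString = errors.New("user-id claim is not a string")
)

// userIDUnchecked mirrors the failure mode in the stack trace: an unchecked type
// assertion on a map lookup. If the claim is absent the lookup yields a nil
// interface{}, and asserting nil to string panics with
// "interface conversion: interface {} is nil, not string".
func userIDUnchecked(claims map[string]interface{}, claim string) string {
	return claims[claim].(string)
}

// userIDChecked uses the comma-ok form so a missing, null, empty or mistyped claim
// becomes an error the handler can turn into a 4xx response instead of a crashed
// goroutine (and a browser retry that re-redeems the authorization code).
func userIDChecked(claims map[string]interface{}, claim string) (string, error) {
	v, present := claims[claim]
	if !present || v == nil {
		return "", fmt.Errorf("%w: %q", ErrClaimMissing, claim)
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("%w: %q has type %T", ErrClaimNotString, claim, v)
	}
	if s == "" {
		return "", fmt.Errorf("%w: %q is empty", ErrClaimMissing, claim)
	}
	return s, nil
}

// parseClaims decodes a JSON claim set into the generic map shape that OIDC
// libraries hand back when you unmarshal ID token claims into an interface map.
func parseClaims(payload string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// uncheckedPanics reports whether userIDUnchecked panics for the given claim,
// recovering from the runtime type-assertion panic so the demo keeps running.
func uncheckedPanics(claims map[string]interface{}, claim string) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	_ = userIDUnchecked(claims, claim)
	return false
}

func main() {
	claims, err := parseClaims(sampleIDTokenPayload)
	if err != nil {
		panic(err)
	}
	fmt.Println("unchecked lookup of email panics:", uncheckedPanics(claims, "email"))
	if _, err := userIDChecked(claims, "email"); err != nil {
		fmt.Println("checked lookup of email:", err)
	}
	if id, err := userIDChecked(claims, "preferred_username"); err == nil {
		fmt.Println("checked lookup of preferred_username:", id)
	}
}
```

Before changing any code, the quickest check is to base64-decode the payload segment of an ID token issued to the app registration and confirm whether an email claim is actually present for the affected user; if it is not, either populate the user's mail attribute or point USERID_CLAIM at a claim that is always issued, such as preferred_username.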
@mohamedFaris47

Hello,
I have the same configuration as yours. I can get the Microsoft sign-in page, but when I sign in it redirects me back to my Kubeflow website with error 403 "Access denied".
Have you found a solution for this problem?

@subasathees

Yes, facing the same issue in an on-premise environment with PingID SSO integration. When we enter the username and password it gives an "Access denied" error.

@yphanikumar1995 (Author)

yphanikumar1995 commented Jul 17, 2023 via email
