
Unable to authenticate using Gitlab OIDC Provider #20006

Closed
Poulpatine opened this issue Jun 27, 2024 · 9 comments
Comments

@Poulpatine
Poulpatine commented Jun 27, 2024

I'm trying to use Gitlab as OIDC Provider for minio.
The setup seems to be fine, but when I click on the SSO button, I'm redirected to the Gitlab login as expected, and after that I'm redirected back to the Minio Console but I'm still not logged in and no error messages appear.

Expected Behavior

I expect to be logged in with rights from the appropriate policy

Current Behavior

I'm not logged in.

Steps to Reproduce (for bugs)

  1. Install minio (my installation is a docker compose installation with Traefik as reverse proxy / SSL termination). The installation is fully functional except for that problem.
  2. Add a new application in Gitlab with:
  3. Configure the provider in minio configuration:
     identity_openid:gitlab
     display_name="My Gitlab"
     config_url=https://gitlab.mydomain.com/.well-known/openid-configuration
     client_id=xxx
     client_secret=yyy
     claim_name=groups_direct
     claim_userinfo=on
     role_policy=
     claim_prefix=
     redirect_uri=
     redirect_uri_dynamic=on
     scopes=openid,profile,email
     vendor=
     keycloak_realm=
     keycloak_admin_url=
  4. Configure a policy with one of the groups my user is in Gitlab
  5. Try to log in

With mc admin trace I can see the following error:

minio.mydomain.com [REQUEST admin.AccountInfo] [2024-06-26T17:24:27.499] [Client IP: 192.168.7.2]
minio.mydomain.com GET /minio/admin/v3/accountinfo
minio.mydomain.com Proto: HTTP/1.1
minio.mydomain.com Host: minio.mydomain.com
minio.mydomain.com Accept-Encoding: gzip
minio.mydomain.com Content-Length: 0
minio.mydomain.com User-Agent: MinIO (linux; amd64) madmin-go/2.0.0 MinIO Console/(dev)
minio.mydomain.com X-Forwarded-Host: minio.mydomain.com
minio.mydomain.com X-Forwarded-Port: 443
minio.mydomain.com X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
minio.mydomain.com X-Forwarded-For: 192.168.7.2
minio.mydomain.com X-Forwarded-Proto: https
minio.mydomain.com X-Forwarded-Server: myhostname
minio.mydomain.com X-Real-Ip: 192.168.7.2
minio.mydomain.com
minio.mydomain.com [RESPONSE] [2024-06-26T17:24:27.499] [ Duration 120µs  ↑ 165 B  ↓ 199 B ]
minio.mydomain.com 403 Forbidden
minio.mydomain.com X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
minio.mydomain.com X-Xss-Protection: 1; mode=block
minio.mydomain.com Accept-Ranges: bytes
minio.mydomain.com Strict-Transport-Security: max-age=31536000; includeSubDomains
minio.mydomain.com Server: MinIO
minio.mydomain.com Vary: Origin,Accept-Encoding
minio.mydomain.com X-Amz-Request-Id: 17DC9742019E1730
minio.mydomain.com X-Content-Type-Options: nosniff
minio.mydomain.com Content-Length: 199
minio.mydomain.com Content-Type: application/json
minio.mydomain.com {"Code":"AccessDenied","Message":"Access Denied.","Resource":"/minio/admin/v3/accountinfo","RequestId":"17DC9742019E1730","HostId":"dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8"}

minio.mydomain.com
127.0.0.1:9000  [OS os.Lstat] [2024-06-26T17:24:28.558] /data/.minio.sys/format.json 7.711µs
127.0.0.1:9000  [STORAGE storage.DiskInfo] [2024-06-26T17:24:28.558] /data total-errs-availability=0 total-errs-timeout=0 67.666µs
localhost:9000 [REQUEST health.Cluster] [2024-06-26T17:24:28.558] [Client IP: 127.0.0.1]
localhost:9000 GET /minio/health/cluster
localhost:9000 Proto: HTTP/1.1
localhost:9000 Host: localhost:9000
localhost:9000 X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
localhost:9000 Content-Length: 0
localhost:9000 User-Agent: Go-http-client/1.1
localhost:9000
localhost:9000 [RESPONSE] [2024-06-26T17:24:28.558] [ Duration 211µs  ↑ 52 B  ↓ 0 B ]
localhost:9000 200 OK
localhost:9000 Vary: Origin
localhost:9000 X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
localhost:9000 X-Content-Type-Options: nosniff
localhost:9000 X-Minio-Storage-Class-Defaults: false
localhost:9000 X-Minio-Write-Quorum: 1
localhost:9000 Accept-Ranges: bytes
localhost:9000 Content-Length: 0
localhost:9000 Server: MinIO
localhost:9000 Strict-Transport-Security: max-age=31536000; includeSubDomains
localhost:9000 X-Amz-Request-Id: 17DC974240B6CBFE
localhost:9000 X-Xss-Protection: 1; mode=block
localhost:9000
localhost:9000

Your Environment

  • Version used (minio --version): Version: RELEASE.2024-06-26T01-06-18Z (go1.22.4 linux/amd64)
  • Server setup and configuration: Docker compose on Linux
  • Operating System and version (uname -a): Debian 11 - Linux myhostname 5.10.0-30-amd64 #1 SMP Debian 5.10.218-1(2024-06-01) x86_64 GNU/Linux
@harshavardhana
Member

What is the policy, and can you share the JWT that you obtain from GitLab?

@Poulpatine
Author

Well, I don't really know how to find the JWT using the developer tools in my browser, but I can find one using mc admin trace.

For confidentiality reasons I've truncated it but here it is:

{
  "accessKey": "P42G9ZAWAAGW8JB8NRB5",
  "aud": "e2933107cffc1ec03661586cff2ad94c8ed3bcc110a405a80b0a3a619d6048cb",
  "auth_time": 1719397509,
  "email": "poulp.atine@mydomain.com",
  "email_verified": true,
  "exp": 1719422666,
  "groups": [
  ...
    "backend",
  ...
  ],
  "groups_direct": "backend",
  "https://gitlab.org/claims/groups/developer": [
    "backend",
    ...
  ],
  "https://gitlab.org/claims/groups/maintainer": [
    ...
  ],
  "https://gitlab.org/claims/groups/owner": [
  ...
  ],
  "iat": 1719415467,
  "iss": "https://gitlab.mydomain",
  "name": "poulp atine",
  "nickname": "poulpatine",
  "picture": "https://gitlab.mydomain/uploads/-/system/user/avatar/93/avatar.png",
  "preferred_username": "poulpatine",
  "profile": "https://gitlab.mydomain/poulpatine",
  "sub": "93",
  "sub_legacy": "25c94bb472e0f6c1e65ccb30d5a01e55a7e633b80fa8dff7d02688a7c0b0a368"
}

The whole token is ~ 3867 bytes.

Here is the policy (for test purposes, it's the same content as consoleAdmin):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "admin:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

While digging for my JWT, I've seen a message in my Firefox console: Cookie “token” is invalid because its size is too big. Max size is 4096 B.

It may be a good lead?

Thanks.

@harshavardhana
Member

And your policy name is called backend?

@Poulpatine
Author
Poulpatine commented Jun 27, 2024 via email

@harshavardhana
Member

Please test with the latest release

@Poulpatine
Author

Hi,

The problem is still present with version RELEASE.2024-06-29T01-20-47Z.

I've asked my colleagues to make some tests too.
Some of them are able to connect with OIDC.
The trend seems to be that those with the fewest groups can connect whereas those with more groups can't.

@harshavardhana
Member

The trend seems to be that those with the fewest groups can connect whereas those with more groups can't.

Yeah, that is because your browser is not allowing cookie sizes beyond 4k.

@harshavardhana
Member

Which would happen to be big if you are part of, say, 1000s of groups; you should perhaps limit that on the GitLab side to avoid them being included:

"groups": [
...
"backend",
...
],
"groups_direct": "backend",

By reducing the scope of the OpenID JWT size.
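As an added example (not code from this issue, from MinIO or from GitLab), a small Python check of the size problem discussed in this thread: it builds a JWT-shaped string with a constructed claim set that mirrors the GitLab token layout shown above, measures it against the 4096-byte cookie limit from the Firefox message, and reports which claims take up most of the budget. All issuer, audience and group names are made up, and the signature is a placeholder, so the output is only a size estimate.

```python
import base64
import json

# Browser cookie limit reported in the Firefox console message in this issue.
COOKIE_LIMIT_BYTES = 4096

def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_unsigned_jwt(claims: dict) -> str:
    """JWT-shaped string for size estimation only: the signature is a placeholder
    (342 chars = base64url length of an RS256/2048-bit signature), not a valid token."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{'A' * 342}"

def decode_claims(token: str) -> dict:
    """Decode the payload segment without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token: str, limit: int = COOKIE_LIMIT_BYTES) -> dict:
    """Report token size against the cookie limit and the three heaviest claims."""
    claims = decode_claims(token)
    sizes = {k: len(json.dumps(v, separators=(",", ":")).encode()) for k, v in claims.items()}
    heaviest = sorted(sizes.items(), key=lambda kv: kv[1], reverse=True)[:3]
    size = len(token.encode())
    return {"bytes": size, "fits_cookie": size <= limit, "heaviest_claims": heaviest}

def sample_claims(n_groups: int) -> dict:
    """Constructed claims mirroring the GitLab token shape in the issue (all values made up)."""
    groups = [f"team-{i}" for i in range(n_groups)]
    return {
        "iss": "https://gitlab.example",
        "sub": "93",
        "aud": "client-id-placeholder",
        "groups": groups,
        "groups_direct": "backend",
        "https://gitlab.org/claims/groups/developer": groups,
    }

if __name__ == "__main__":
    for n in (3, 200):
        print(n, "groups:", check_token(build_unsigned_jwt(sample_claims(n))))
```

A user in a handful of groups stays well under the limit while a user in a few hundred groups overshoots it, which matches the pattern reported above where only colleagues with few groups could log in.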

@Poulpatine
Author

@harshavardhana I've just sent you an email with the list of groups available in my JWT.
