Solved

Login Failed after upgrade to 6.0.6 (Error: The requested scope is invalid, unknown, malformed, or exceeds that which the client is permitted to request.)

  • 1 September 2023

Userlevel 2

Hello dear community,

Today I upgraded one of our lab instances to 6.0.6 and am not able to log in anymore.
We use OIDC to handle logins, and I just receive this error now when opening the dashboard:

I have the same version with the exact same configuration running on another instance, without any issue.

Here is the partly redacted k10_val.yaml:

```yaml
auth:
  oidcAuth:
    clientID: [redacted]
    clientSecret: [redacted]
    enabled: true
    groupClaim: roles
    prompt: none
    providerURL: [redacted]
    redirectURL: [redacted]
    scopes: groups profile email
    usernameClaim: username
cacertconfigmap:
  name: custom-ca-bundle-store
global:
  persistence:
    storageClass: vcenter-ssd-sc
ingress:
  class: nginx
  create: true
  host: [redacted]
  tls:
    enabled: true
    secretName: [redacted]
```

What could be the issue here? The auth-svc log says the following:

{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.NewOIDCProvider","Line":56,"clusterName":"[redacted]","cluster_name":"2d37f2ce-7748-404f-8241-95c705f6fcc4","hostname":"auth-svc-67ffb7894b-w9gxr","level":"info","msg":"Initializing OIDC provider","prompt":"none","providerURL":"[redacted]","scopes":"groups profile email openid","time":"2023-09-01T09:30:59.848Z","version":"6.0.6"}
{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.messagePageWithError","Line":255,"cluster_name":"2d37f2ce-7748-404f-8241-95c705f6fcc4","err":{"message":"The requested scope is invalid, unknown, malformed, or exceeds that which the client is permitted to request.","function":"kasten.io/k10/kio/auth.(*OIDCProvider).HandleOIDCRedirect","linenumber":165,"file":"kasten.io/k10/kio/auth/oidc.go:165"},"hostname":"auth-svc-67ffb7894b-w9gxr","level":"error","mpURL":"[redacted]/k10?page=Message/#/?title=Login%20Failed\u0026buttonText=Sign%20In\u0026buttonAction=Dashboard\u0026description=The requested scope is invalid, unknown, malformed, or exceeds that which the client is permitted to request.","msg":"The requested scope is invalid, unknown, malformed, or exceeds that which the client is permitted to request.","path":"/v0/oidc/redirect","time":"2023-09-01T09:30:59.850Z","version":"6.0.6"}

Best regards,

Daniel

Best answer by jaiganeshjk 12 September 2023, 06:28

Userlevel 6
Badge +2

@Daniel Moes Thanks for posting your question here.
I understand that an upgrade to UI broke your OIDC auth workflow.

We have enabled support for refresh tokens from 6.0.6. It seems that it requires more scope than what you have currently set (groups profile email).

Let me check the exact scope that is needed for making this work.

Userlevel 6
Badge +2

Also, would you mind if I ask what provider you use for OIDC?

Userlevel 2

Hello jaiganeshjk,

Thank you for your interest in this issue. We use PingID as our OIDC provider.

Userlevel 6
Badge +2

Thanks for the info Daniel.

There are two ways to go about this issue.

  • Disable refresh token support in K10 so that you can continue using the old workflow. The upgrade command below will help you disable refresh token support in K10:

```bash
helm get values k10 --output yaml --namespace=kasten-io > k10_val.yaml && \
helm upgrade k10 kasten/k10 --namespace=kasten-io -f k10_val.yaml \
--set auth.oidcAuth.refreshTokenSupport="false"
```

  • Or leave the refresh token support enabled in K10 and configure your provider to make sure that refresh tokens are granted for K10. K10 uses the `offline_access` scope to get the refresh tokens from the provider. However, in the case of PingIdentity, I observed that they don’t support the `offline_access` scope yet (https://support.pingidentity.com/s/question/0D51W00007pjEwvSAE/does-pingfederate-support-the-offlineaccess-scope). From the above page, it seems that you will have to explicitly allow grants to provide refresh tokens for the client you are using for K10.

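A pre-upgrade check for the scope mismatch discussed above, as an added example that is not part of the original thread or of K10's code: it compares the scopes the client will request against what the provider's discovery document advertises. The discovery document is constructed sample data, the function names are hypothetical, and the rule that `openid` is always added and `offline_access` is added with refresh token support is an assumption taken from the log line and the answer in this thread.

```python
import json

# Constructed sample of a provider's /.well-known/openid-configuration
# (not taken from the thread; issuer and values are placeholders).
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://idp.example.test",
  "scopes_supported": ["openid", "profile", "email", "groups"],
  "grant_types_supported": ["authorization_code", "refresh_token"]
}
""")


def effective_scopes(configured, refresh_token_support):
    """Scopes the client ends up requesting.

    Assumption from the thread: `openid` is always added (see the auth-svc
    log) and `offline_access` is added when refresh token support is on.
    """
    scopes = configured.split()
    for extra in ["openid"] + (["offline_access"] if refresh_token_support else []):
        if extra not in scopes:
            scopes.append(extra)
    return scopes


def check_scopes(discovery, configured, refresh_token_support):
    """Return findings; an empty list means nothing was flagged."""
    findings = []
    requested = effective_scopes(configured, refresh_token_support)
    advertised = discovery.get("scopes_supported")
    if advertised is None:
        # scopes_supported is optional in discovery metadata, so absence
        # proves nothing; check the client's allowed scopes at the provider.
        findings.append("provider does not advertise scopes_supported")
    else:
        for scope in requested:
            if scope not in advertised:
                findings.append(f"scope not advertised: {scope}")
    grants = discovery.get("grant_types_supported", [])
    if refresh_token_support and "refresh_token" not in grants:
        findings.append("refresh_token grant not advertised")
    return findings


if __name__ == "__main__":
    for enabled in (True, False):
        print(enabled, check_scopes(SAMPLE_DISCOVERY, "groups profile email", enabled))
```

A clean result only covers what the provider advertises globally; the error in this thread also fires when the scope exceeds what the individual client is permitted to request, which has to be checked in the provider's client configuration.
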
Userlevel 6
Badge +2

@Daniel Moes We have disabled the refresh token support by default from 6.0.7 version of K10 released yesterday.

Customers who need support for refresh tokens can enable it by following the documentation: https://docs.kasten.io/latest/access/authentication.html#openid-connect-authentication

Userlevel 2

Hello @jaiganeshjk,

Sorry for the late reply, I had been out of office.

Thank you very much for the proposed solutions and explanations.

I just upgraded to 6.0.7 and with the refresh token disabled it’s all good now.

Thanks so much, have a great week! 😀

Userlevel 6
Badge +2

Thanks @Daniel Moes for confirming.

Glad that your issue is sorted. 

Please mark my response as the answer to this topic if you think it will help the community.
