Hi Team:
I am trying to set up GitLab as an OIDC provider, but it fails with: The authorization server encountered an unexpected condition which prevented it from fulfilling the request.
**FYI**
Kubernetes version: 1.30.6
Helm chart version: 7.0.14
GitLab Community Edition: 17.6
Here is the Helm values.yaml:

```yaml
clusterName: kasten
ingress:
  create: true
  name: "kasten-ingress"
  host: "my-kasten.com"
  urlPath: "/k10/"
  defaultBackend:
    service:
      enabled: true
      name: "gateway"
      port:
        name: "http"
auth:
  oidcAuth:
    enabled: true
    providerURL: "http://my-gitlab.com"
    scopes: "profile email"
    redirectURL: "http://my-kasten.com/"
    clientID: "xxxxxxxxx"
    clientSecret: "xxxxxxxxx"
```
Here is k10-oidc-auth.yaml:

```yaml
apiVersion: v1
data:
  client-id: xxxxxxxxx
  client-secret: xxxxxxxxx
  groupAllowList: ""
  groupClaim: ""
  groupPrefix: ""
  logout-url: ""
  prompt: select_account
  provider-url: http://my-gitlab.com
  redirect-url: http://my-kasten.com/
  refreshTokenSupport: "false"
  scopes: profile email
  sessionDuration: 1h
  usernameClaim: sub
  usernamePrefix: ""
kind: Secret
metadata:
  name: k10-oidc-auth
  namespace: kasten-io
type: Opaque
```
Here are the logs from auth-svc:

```json
{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.NewOIDCProvider","Line":60,"clusterName":"http://my-kasten.com/","cluster_name":"bcbcb0da-4f87-4e97-930b-6d28864873de","hostname":"auth-svc-cbb44d9f6-lxqnv","level":"info","msg":"Initializing OIDC provider","prompt":"select_account","providerURL":"http://my-gitlab.com","scopes":"profile email","time":"2024-11-29T02:36:24.198Z","version":"7.0.14"}
{"File":"kasten.io/k10/kio/auth/handlers/redirect.go","Function":"kasten.io/k10/kio/auth/handlers.(*RedirectHandler).ServeHTTP","Line":34,"cluster_name":"bcbcb0da-4f87-4e97-930b-6d28864873de","hostname":"auth-svc-cbb44d9f6-lxqnv","level":"info","location":"https://my-gitlab.com/oauth/authorize?prompt=select_account\u0026client_id=e1ff2e44ae4de0f885cf6c7a30467b7adff59ae24e83dbf1a180a7e6344c6eff\u0026redirect_uri=http%3A%2F%2Fmy-kasten.com%2Fk10%2Fauth-svc%2Fv0%2Foidc%2Fredirect\u0026response_type=code\u0026scope=profile+email+openid\u0026state=l42n4m2j","msg":"Redirected: no auth cookie in request","path":"/v0/authz/k10/","status":302,"time":"2024-11-29T02:36:24.217Z","version":"7.0.14"}
{"File":"kasten.io/k10/kio/auth/handlers/ok.go","Function":"kasten.io/k10/kio/auth/handlers.(*OKHandler).ServeHTTP","Line":29,"cluster_name":"bcbcb0da-4f87-4e97-930b-6d28864873de","hostname":"auth-svc-cbb44d9f6-lxqnv","level":"info","msg":"Authenticated: no auth required","path":"/v0/authz/k10/auth-svc/v0/oidc/redirect","status":200,"time":"2024-11-29T02:36:24.266Z","version":"7.0.14"}
{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.messagePageWithError","Line":271,"cluster_name":"bcbcb0da-4f87-4e97-930b-6d28864873de","err":{"message":"The authorization server encountered an unexpected condition which prevented it from fulfilling the request.","function":"kasten.io/k10/kio/auth.(*OIDCProvider).HandleOIDCRedirect","linenumber":180,"file":"kasten.io/k10/kio/auth/oidc.go:180"},"hostname":"auth-svc-cbb44d9f6-lxqnv","level":"error","mpURL":"http://my-kasten.com/k10?page=Message/#/?title=Login%20Failed\u0026buttonText=Sign%20In\u0026buttonAction=Dashboard\u0026description=The authorization server encountered an unexpected condition which prevented it from fulfilling the request.","msg":"The authorization server encountered an unexpected condition which prevented it from fulfilling the request.","path":"/v0/oidc/redirect","time":"2024-11-29T02:36:24.267Z","version":"7.0.14"}
```
Here is .well-known/openid-configuration from my GitLab:

```json
{
  "issuer": "http://my-gitlab.com",
  "authorization_endpoint": "https://my-gitlab.com/oauth/authorize",
  "token_endpoint": "https://my-gitlab.com/oauth/token",
  "revocation_endpoint": "https://my-gitlab.com/oauth/revoke",
  "introspection_endpoint": "https://my-gitlab.com/oauth/introspect",
  "userinfo_endpoint": "https://my-gitlab.com/oauth/userinfo",
  "jwks_uri": "https://my-gitlab.com/oauth/discovery/keys",
  "scopes_supported": ["api", "read_api", "read_user", "create_runner", "manage_runner", "k8s_proxy", "read_repository", "write_repository", "read_registry", "write_registry", "read_observability", "write_observability", "ai_features", "sudo", "admin_mode", "read_service_ping", "openid", "profile", "email", "ai_workflows"],
  "response_types_supported": ["code"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "grant_types_supported": ["authorization_code", "password", "client_credentials", "device_code", "refresh_token"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "claim_types_supported": ["normal"],
  "claims_supported": ["iss", "sub", "aud", "exp", "iat", "sub_legacy", "name", "nickname", "preferred_username", "email", "email_verified", "website", "profile", "picture", "groups", "groups_direct", "https://gitlab.org/claims/groups/owner", "https://gitlab.org/claims/groups/maintainer", "https://gitlab.org/claims/groups/developer"],
  "code_challenge_methods_supported": ["plain", "S256"]
}
```
And I have granted the scopes “openid”, “profile” and “email” in my GitLab application.
Can anyone help?
Sincerely waiting for your reply.
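A consistency check a practitioner can run before opening a ticket like the one above, as an added example that is not part of the original post and is not Kasten K10 or GitLab code: it reads an OIDC discovery document and the relying party's settings and reports mismatches (issuer versus providerURL, scheme differences between the issuer and its endpoints, requested scopes not advertised, missing authorization-code or RS256 support). The embedded discovery document is a constructed copy of the one pasted in the post, trimmed to the fields the checks read; `RP_SETTINGS` mirrors the post's values.yaml; `CALLBACK_PATH` is taken from the `redirect_uri` in the post's auth-svc log line, not from documentation, and `expected_redirect_uri` simply shows the URI the identity provider must have registered exactly. The findings are observations to review, not a diagnosis of this particular failure.

```python
"""Consistency checks between an OIDC discovery document and a relying party's
settings. Added example; not code from the post, Kasten K10 or GitLab."""
import json
from urllib.parse import urlparse

# Constructed sample: the post's .well-known/openid-configuration, abbreviated to
# the fields these checks read.
DISCOVERY_JSON = json.dumps({
    "issuer": "http://my-gitlab.com",
    "authorization_endpoint": "https://my-gitlab.com/oauth/authorize",
    "token_endpoint": "https://my-gitlab.com/oauth/token",
    "userinfo_endpoint": "https://my-gitlab.com/oauth/userinfo",
    "jwks_uri": "https://my-gitlab.com/oauth/discovery/keys",
    "scopes_supported": ["api", "read_user", "openid", "profile", "email"],
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Relying-party settings as they appear in the post's values.yaml (client
# credentials omitted; the checks do not need them).
RP_SETTINGS = {
    "providerURL": "http://my-gitlab.com",
    "scopes": "profile email",
    "redirectURL": "http://my-kasten.com/",
}

# Callback path that the auth-svc log line in the post appends to redirectURL
# when it builds redirect_uri. Taken from that log line (an assumption), not
# from documentation.
CALLBACK_PATH = "/k10/auth-svc/v0/oidc/redirect"

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")


def expected_redirect_uri(redirect_url: str) -> str:
    """redirect_uri the RP will send; the IdP's registered URI must match it exactly."""
    return redirect_url.rstrip("/") + CALLBACK_PATH


def check_discovery(discovery_json: str, settings: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    doc = json.loads(discovery_json)
    findings: list[str] = []

    issuer = doc.get("issuer", "")
    provider = settings["providerURL"]
    # OIDC discovery requires the issuer to equal the URL the RP was configured with.
    if issuer.rstrip("/") != provider.rstrip("/"):
        findings.append(f"issuer {issuer!r} does not match providerURL {provider!r}")

    issuer_scheme = urlparse(issuer).scheme
    if issuer_scheme != "https":
        findings.append("issuer/providerURL is not https: the code exchange and "
                        "client secret would travel unencrypted")

    # Every endpoint should be reachable under the same scheme as the issuer.
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if not url:
            findings.append(f"discovery document lacks {key}")
            continue
        scheme = urlparse(url).scheme
        if scheme != issuer_scheme:
            findings.append(f"{key} uses {scheme} but issuer uses {issuer_scheme}")

    # The RP always adds "openid" (visible in the post's redirect); everything
    # requested must be advertised by the provider.
    requested = set(settings["scopes"].split()) | {"openid"}
    missing = sorted(requested - set(doc.get("scopes_supported", [])))
    if missing:
        findings.append(f"scopes not advertised by provider: {missing}")

    if "code" not in doc.get("response_types_supported", []):
        findings.append("provider does not advertise the authorization code flow")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("provider does not advertise RS256 ID token signing")
    return findings


if __name__ == "__main__":
    print("redirect_uri to register at the IdP:",
          expected_redirect_uri(RP_SETTINGS["redirectURL"]))
    for finding in check_discovery(DISCOVERY_JSON, RP_SETTINGS) or ["no findings"]:
        print("-", finding)
```

Run against the post's own document the script reports five findings: the issuer (and therefore providerURL) is plain http, and each of the four endpoints is https while the issuer is http. Whether that matters for the error in the post is for the maintainers to say; the value of the check is that it turns a pasted JSON blob into a short list of concrete things to compare against the relying party's configuration. To run it against a live provider, replace `DISCOVERY_JSON` with the body fetched from `<providerURL>/.well-known/openid-configuration`.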