
Hi Team:

I am trying to set up GitLab as an OIDC provider, but it fails with: The authorization server encountered an unexpected condition which prevented it from fulfilling the request.


**FYI**

Kubernetes version: 1.30.6

Helm chart version: 7.0.14

GitLab Community Edition: 17.6


Here is the Helm values.yaml:

```yaml
clusterName: kasten
ingress:
  create: true
  name: "kasten-ingress"
  host: "my-kasten.com"
  urlPath: "/k10/"
  defaultBackend:
    service:
      enabled: true
      name: "gateway"
      port:
        name: "http"
auth:
  oidcAuth:
    enabled: true
    providerURL: "http://my-gitlab.com"
    scopes: "profile email"
    redirectURL: "http://my-kasten.com/"
    clientID: "xxxxxxxxx"
    clientSecret: "xxxxxxxxx"
```


Here is k10-oidc-auth.yaml:

```yaml
apiVersion: v1
data:
  client-id: xxxxxxxxx
  client-secret: xxxxxxxxx
  groupAllowList: ""
  groupClaim: ""
  groupPrefix: ""
  logout-url: ""
  prompt: select_account
  provider-url: http://my-gitlab.com
  redirect-url: http://my-kasten.com/
  refreshTokenSupport: "false"
  scopes: profile email
  sessionDuration: 1h
  usernameClaim: sub
  usernamePrefix: ""
kind: Secret
metadata:
  name: k10-oidc-auth
  namespace: kasten-io
type: Opaque
```


Here are the logs from auth-svc:

```json
{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.NewOIDCProvider","Line":60,"clusterName":"http://my-kasten.com/","cluster_name":"bcbcb0da-4f87-4e97-930b-6d28864873de","hostname":"auth-svc-cbb44d9f6-lxqnv","level":"info","msg":"Initializing OIDC provider","prompt":"select_account","providerURL":"http://my-gitlab.com","scopes":"profile email","time":"2024-11-29T02:36:24.198Z","version":"7.0.14"}
{"File":"kasten.io/k10/kio/auth/handlers/redirect.go","Function":"kasten.io/k10/kio/auth/handlers.(*RedirectHandler).ServeHTTP","Line":34,"cluster_name":"bcbcb0da-4f87-4e97-930b-6d28864873de","hostname":"auth-svc-cbb44d9f6-lxqnv","level":"info","location":"https://my-gitlab.com/oauth/authorize?prompt=select_account\u0026client_id=e1ff2e44ae4de0f885cf6c7a30467b7adff59ae24e83dbf1a180a7e6344c6eff\u0026redirect_uri=http%3A%2F%2Fmy-kasten.com%2Fk10%2Fauth-svc%2Fv0%2Foidc%2Fredirect\u0026response_type=code\u0026scope=profile+email+openid\u0026state=l42n4m2j","msg":"Redirected: no auth cookie in request","path":"/v0/authz/k10/","status":302,"time":"2024-11-29T02:36:24.217Z","version":"7.0.14"}
{"File":"kasten.io/k10/kio/auth/handlers/ok.go","Function":"kasten.io/k10/kio/auth/handlers.(*OKHandler).ServeHTTP","Line":29,"cluster_name":"bcbcb0da-4f87-4e97-930b-6d28864873de","hostname":"auth-svc-cbb44d9f6-lxqnv","level":"info","msg":"Authenticated: no auth required","path":"/v0/authz/k10/auth-svc/v0/oidc/redirect","status":200,"time":"2024-11-29T02:36:24.266Z","version":"7.0.14"}
{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.messagePageWithError","Line":271,"cluster_name":"bcbcb0da-4f87-4e97-930b-6d28864873de","err":{"message":"The authorization server encountered an unexpected condition which prevented it from fulfilling the request.","function":"kasten.io/k10/kio/auth.(*OIDCProvider).HandleOIDCRedirect","linenumber":180,"file":"kasten.io/k10/kio/auth/oidc.go:180"},"hostname":"auth-svc-cbb44d9f6-lxqnv","level":"error","mpURL":"http://my-kasten.com/k10?page=Message/#/?title=Login%20Failed\u0026buttonText=Sign%20In\u0026buttonAction=Dashboard\u0026description=The authorization server encountered an unexpected condition which prevented it from fulfilling the request.","msg":"The authorization server encountered an unexpected condition which prevented it from fulfilling the request.","path":"/v0/oidc/redirect","time":"2024-11-29T02:36:24.267Z","version":"7.0.14"}
```


Here is .well-known/openid-configuration from my GitLab:

```json
{"issuer":"http://my-gitlab.com","authorization_endpoint":"https://my-gitlab.com/oauth/authorize","token_endpoint":"https://my-gitlab.com/oauth/token","revocation_endpoint":"https://my-gitlab.com/oauth/revoke","introspection_endpoint":"https://my-gitlab.com/oauth/introspect","userinfo_endpoint":"https://my-gitlab.com/oauth/userinfo","jwks_uri":"https://my-gitlab.com/oauth/discovery/keys","scopes_supported":["api","read_api","read_user","create_runner","manage_runner","k8s_proxy","read_repository","write_repository","read_registry","write_registry","read_observability","write_observability","ai_features","sudo","admin_mode","read_service_ping","openid","profile","email","ai_workflows"],"response_types_supported":["code"],"response_modes_supported":["query","fragment","form_post"],"grant_types_supported":["authorization_code","password","client_credentials","device_code","refresh_token"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"claim_types_supported":["normal"],"claims_supported":["iss","sub","aud","exp","iat","sub_legacy","name","nickname","preferred_username","email","email_verified","website","profile","picture","groups","groups_direct","https://gitlab.org/claims/groups/owner","https://gitlab.org/claims/groups/maintainer","https://gitlab.org/claims/groups/developer"],"code_challenge_methods_supported":["plain","S256"]}
```


And I have granted the scopes “openid”, “profile” and “email” in my GitLab.

Can anyone help?

Sincerely waiting for your reply.
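A pre-flight consistency check for a K10 OIDC configuration against the provider's discovery document, added here as an example and not code from Kasten K10 or GitLab. It does not diagnose the specific token-exchange error in the log above; it flags the mismatches a reviewer would check first: issuer versus configured provider URL, plaintext (http) issuer and redirect URL, requested scopes (plus the `openid` that the log shows K10 appending) versus `scopes_supported`, and availability of the code flow. The discovery document is a trimmed copy of the one posted; the config values mirror the posted secret.

```python
import json
from urllib.parse import urlparse

# Trimmed copy of the discovery document posted in the question.
DISCOVERY = json.loads("""{"issuer":"http://my-gitlab.com",
 "authorization_endpoint":"https://my-gitlab.com/oauth/authorize",
 "token_endpoint":"https://my-gitlab.com/oauth/token",
 "jwks_uri":"https://my-gitlab.com/oauth/discovery/keys",
 "scopes_supported":["api","read_user","openid","profile","email"],
 "response_types_supported":["code"],
 "id_token_signing_alg_values_supported":["RS256"]}""")

# Values taken from the posted k10-oidc-auth secret (constructed to match the post).
K10_CONFIG = {
    "provider-url": "http://my-gitlab.com",
    "redirect-url": "http://my-kasten.com/",
    "scopes": "profile email",
}


def check_oidc_config(cfg: dict, disc: dict) -> list[str]:
    """Return a list of findings; an empty list means no mismatch was detected."""
    findings = []
    provider = cfg["provider-url"].rstrip("/")
    # 1. The relying party must validate that the discovered issuer equals the
    #    URL it was configured with; id_token "iss" is compared against this later.
    if disc["issuer"].rstrip("/") != provider:
        findings.append(f"issuer mismatch: discovery {disc['issuer']!r} vs config {provider!r}")
    # 2. Any plaintext endpoint exposes the authorization code, tokens and keys in transit.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(disc[key]).scheme != "https":
            findings.append(f"{key} is not https: {disc[key]}")
    if urlparse(cfg["redirect-url"]).scheme != "https":
        findings.append(f"redirect-url is not https: {cfg['redirect-url']}")
    # 3. Every requested scope must be advertised; the auth-svc log shows K10
    #    adding "openid" to the configured list, so include it in the check.
    requested = set(cfg["scopes"].split()) | {"openid"}
    unsupported = requested - set(disc.get("scopes_supported", []))
    if unsupported:
        findings.append(f"scopes not advertised by provider: {sorted(unsupported)}")
    # 4. K10 redirects with response_type=code, so the code flow must be offered.
    if "code" not in disc.get("response_types_supported", []):
        findings.append("authorization code flow not supported by provider")
    return findings


if __name__ == "__main__":
    for line in check_oidc_config(K10_CONFIG, DISCOVERY):
        print("FINDING:", line)
```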
