Skip to main content

Hello dear community,

 

Today I upgraded one of our lab instances to 6.0.6 and am not able to login anymore.
We use OIDC to handle logins, and I just receive this error now when opening the dashboard:

 

I have the same version with the exact same configuration running on another instance, without any issue.

 

Here is the partly redacted k10_val.yaml:

 

auth:
oidcAuth:
clientID: Iredacted]
clientSecret: eredacted]
enabled: true
groupClaim: roles
prompt: none
providerURL: Rredacted]
redirectURL: Rredacted]
scopes: groups profile email
usernameClaim: username
cacertconfigmap:
name: custom-ca-bundle-store
global:
persistence:
storageClass: vcenter-ssd-sc
ingress:
class: nginx
create: true
host: sredacted]
tls:
enabled: true
secretName: mredacted]

 

What could be the issue here? The auth-svc log says the following:

{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.NewOIDCProvider","Line":56,"clusterName":"mredacted]","cluster_name":"2d37f2ce-7748-404f-8241-95c705f6fcc4","hostname":"auth-svc-67ffb7894b-w9gxr","level":"info","msg":"Initializing OIDC provider","prompt":"none","providerURL":"Rredacted]","scopes":"groups profile email openid","time":"2023-09-01T09:30:59.848Z","version":"6.0.6"}
{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.messagePageWithError","Line":255,"cluster_name":"2d37f2ce-7748-404f-8241-95c705f6fcc4","err":{"message":"The requested scope is invalid, unknown, malformed, or exceeds that which the client is permitted to request.","function":"kasten.io/k10/kio/auth.(*OIDCProvider).HandleOIDCRedirect","linenumber":165,"file":"kasten.io/k10/kio/auth/oidc.go:165"},"hostname":"auth-svc-67ffb7894b-w9gxr","level":"error","mpURL":"Rredacted]/k10?page=Message/#/?title=Login%20Failed\u0026buttonText=Sign%20In\u0026buttonAction=Dashboard\u0026description=The requested scope is invalid, unknown, malformed, or exceeds that which the client is permitted to request.","msg":"The requested scope is invalid, unknown, malformed, or exceeds that which the client is permitted to request.","path":"/v0/oidc/redirect","time":"2023-09-01T09:30:59.850Z","version":"6.0.6"}

Best regards,

Daniel

@Daniel Moes Thanks for posting your question here.
I understand that an upgrade to UI broke your OIDC auth workflow.

We have enabled support for refresh tokens from 6.0.6. It seems that it requires more scope than what you have currently set(groups profile email).

Let me check the exact scope that is needed for making this work


Also, Would you mind if I ask what provider you use for OIDC?


Hello jaiganeshjk,

Thank you for your interest in this issue. We use PingID as our OIDC provider.


Thanks for the info Daniel.

There are two ways to go about this issue.

  • Disable refresh token support in k10 so that you could continue using the old workflow. Below upgrade command will help you disable refresh token support in k10 
helm get values k10 --output yaml --namespace=kasten-io > k10_val.yaml && \
helm upgrade k10 kasten/k10 --namespace=kasten-io -f k10_val.yaml \
--set auth.oidcAuth.refreshTokenSupport="false"
  • Or leave the refresh token support enabled in K10 and configure your provider to make sure that refresh tokens are granted for k10. K10 uses `offline_access` scope to get the refresh tokens from the provider. However, in case of pingIdentity, I observed that they don’t support `offline_access` scope yet.(https://support.pingidentity.com/s/question/0D51W00007pjEwvSAE/does-pingfederate-support-the-offlineaccess-scope). From the above page, it seems that you will have to explicitly allow grants to provide refresh tokens for the client you are using for k10. 

@Daniel Moes We have disabled the refresh token support by default from 6.0.7 version of K10 released yesterday.

Customer who needs support for refresh tokens can enable it by following the documentation https://docs.kasten.io/latest/access/authentication.html#openid-connect-authentication


Hello @jaiganeshjk,

 

Sorry for the late reply, I had been out of office.

Thank you very much for the proposed solutions and explanations.

 

I just upgraded to 6.0.7 and with the refresh token disabled it’s all good now.

 

Thanks so much, have a great week! 😀


Thanks @Daniel Moes for confirming.

Glad that your issue is sorted. 

Please mark my response as the answer to this topic if you think it will help the community.


Comment