Hi Team,

I faced an issue when trying to log in using OIDC. I implemented it using these helm commands:

helm upgrade k10 kasten/k10 --namespace kasten-io --reuse-values \
--set auth.oidcAuth.enabled=true \
--set auth.oidcAuth.providerURL="https://xxxxxxx/auth/realms/xxxx" \
--set auth.oidcAuth.redirectURL="https://kasten-.com/k10/" \
--set auth.oidcAuth.scopes="groups profile email offline_access" \
--set auth.oidcAuth.prompt="select_account" \
--set auth.oidcAuth.clientID="KASTEN-GG" \
--set auth.oidcAuth.clientSecret="xxxxxxxx" \
--set auth.oidcAuth.usernameClaim="email" \
--set auth.oidcAuth.usernamePrefix="-" \
--set auth.oidcAuth.groupClaim="GG-ClusterAdmin" \
--set auth.oidcAuth.groupPrefix=""

I also followed the documentation https://docs.kasten.io/latest/access/authentication.html#token-authentication but am still facing this issue.

I would be glad if you could help me find out what the problem is.

Thank you

Thanks for creating a topic here.

From a quick look, I see that you have put your group name in the groupClaim field.

Groups Claim specifies the name of the claim in the token holding the group names and/or paths.

groupClaim is usually `groups`. You could try changing it and see if it helps.

The auth-svc/dex container logs in the auth-svc pod might have some useful insights. You can look at the details that we are receiving from the token from your OIDC provider in these container logs.

Hi,

Thanks for the response. I already revised the groupClaim to groups but it seems not to be working. Below is the pod log of auth-svc:

{"File":"kasten.io/k10/kio/auth/handlers/ok.go","Function":"kasten.io/k10/kio/auth/handlers.(*OKHandler).ServeHTTP","Line":29,"cluster_name":"ae8192fb-e58a-4d8b-a0a1-8a191a8d62b9","hostname":"auth-svc-6d854cbb8d-9l6g2","level":"info","msg":"Authenticated: no auth required","path":"/v0/authz/k10/auth-svc/v0/oidc/redirect","status":200,"time":"2023-11-30T08:01:33.352Z","version":"6.0.12"}
{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.NewOIDCProvider","Line":56,"clusterName":"x.x.x.x","cluster_name":"ae8192fb-e58a-4d8b-a0a1-8a191a8d62b9","hostname":"auth-svc-6d854cbb8d-9l6g2","level":"info","msg":"Initializing OIDC provider","prompt":"login","providerURL":"https://x.x.x.x/auth/realms/GG-AUTH","scopes":"groups profile email offline_access","time":"2023-11-30T08:01:33.382Z","version":"6.0.12"}
{"File":"kasten.io/k10/kio/auth/oidc_userinfo.go","Function":"kasten.io/k10/kio/auth.userInfoFromOIDCTokenOrEndpoint","Line":46,"cluster_name":"ae8192fb-e58a-4d8b-a0a1-8a191a8d62b9","endpointErr":{"message":"Failed to get user info from endpoint response","function":"kasten.io/k10/kio/auth.userInfoFromOIDCEndpoint","linenumber":27,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:27","cause":{"message":"Failed to get the claim value. Value is not of type string","function":"kasten.io/k10/kio/auth.username","linenumber":66,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:66","fields":[{"name":"claim","value":"email"}]}},"hostname":"auth-svc-6d854cbb8d-9l6g2","level":"error","msg":"Failed to get oidc user info","time":"2023-11-30T08:01:33.429Z","tokenErr":{"message":"Failed to get the claim value. Value is not of type string","function":"kasten.io/k10/kio/auth.username","linenumber":66,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:66","fields":[{"name":"claim","value":"email"}]},"version":"6.0.12"}
{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.messagePageWithError","Line":255,"cluster_name":"ae8192fb-e58a-4d8b-a0a1-8a191a8d62b9","err":{"message":"missing user info claims OAuth2 token","cause":{"message":"Failed to get claims with user info from endpoint","function":"kasten.io/k10/kio/auth.userInfoFromOIDCTokenOrEndpoint","linenumber":47,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:47","cause":{"message":"Failed to get user info from endpoint response","function":"kasten.io/k10/kio/auth.userInfoFromOIDCEndpoint","linenumber":27,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:27","cause":{"message":"Failed to get the claim value. Value is not of type string","function":"kasten.io/k10/kio/auth.username","linenumber":66,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:66","fields":[{"name":"claim","value":"email"}]}}}},"hostname":"auth-svc-6d854cbb8d-9l6g2","level":"error","mpURL":"x.x.x.x/k10?page=Message/#/?title=Login%20Fai…

Below is the output of helm get values k10:

$ helm get values k10
USER-SUPPLIED VALUES:
auth:
  basicAuth:
    enabled: t
    htpasswd: admin:$2y$05$u0qpe1kcVJZTfif1DvecdRq779UAAkqZYVaM3cn4bQqDqFWqfy
  oidcAuth:
    clientID: KASTEN-GG
    clientSecret: 1V19KfDLu0uQHPjliWhhPJHvQ5B0riBD
    enabled: true
    groupClaim: groups
    groupPrefix: ""
    prompt: login
    providerURL: https://x.x.x.x/auth/realms/GG-AUTH
    redirectURL: https://y.y.y.y/
    refreshTokenSupport: false
    scopes: groups profile email offline_access
    usernameClaim: email
    usernamePrefix: '-'

Thank you
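The reply above suggests inspecting what the OIDC provider actually puts in the token, and the auth-svc log in this post shows why: K10 reads the `usernameClaim` ("email") and rejects it with "Value is not of type string". The script below is an added example, not K10 or Kasten code; it reproduces that check offline on constructed sample tokens so you can see which claim shape passes and which fails before touching the cluster. It only decodes the payload and deliberately skips signature verification (K10/dex verify the signature before reading claims, and so must any real client). The treatment of `usernamePrefix: '-'` as "no prefix" is an assumption borrowed from the kube-apiserver convention.

```python
import base64
import json

# Constructed sample payloads (not real tokens from the thread).
SAMPLE_OK_CLAIMS = {
    "sub": "u-0001",
    "email": "alice@example.test",          # string -> accepted as username
    "groups": ["GG-ClusterAdmin", "GG-Ops"],  # list of strings -> group claim
}
SAMPLE_BAD_EMAIL_CLAIMS = {
    "sub": "u-0002",
    "email": ["alice@example.test"],        # not a string -> mirrors the K10 error
    "groups": ["GG-ClusterAdmin"],
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a three-segment JWT with an empty signature. Constructed for
    offline inspection only; never accept such a token in a real service."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",
    ])


def decode_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(token: str, username_claim: str, group_claim: str,
                 username_prefix: str = "", group_prefix: str = "") -> dict:
    """Apply the same shape rules the K10 log implies: the username claim
    must be present and a string; the group claim must be a list of strings."""
    claims = decode_payload(token)
    result = {"ok": False, "problems": [], "username": None, "groups": []}

    # Assumption: '-' means "no prefix", as with kube-apiserver's
    # --oidc-username-prefix=-; K10's helm values in this thread use it.
    if username_prefix == "-":
        username_prefix = ""

    value = claims.get(username_claim)
    if value is None:
        result["problems"].append(
            f"username claim {username_claim!r} is missing from the token")
    elif not isinstance(value, str):
        result["problems"].append(
            f"username claim {username_claim!r} is {type(value).__name__}, not string")
    else:
        result["username"] = username_prefix + value

    groups = claims.get(group_claim)
    if groups is None:
        result["problems"].append(
            f"group claim {group_claim!r} is missing from the token "
            f"(the claim name goes here, not a group name)")
    elif not (isinstance(groups, list) and all(isinstance(g, str) for g in groups)):
        result["problems"].append(
            f"group claim {group_claim!r} must be a list of strings")
    else:
        result["groups"] = [group_prefix + g for g in groups]

    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    good = make_unsigned_token(SAMPLE_OK_CLAIMS)
    bad = make_unsigned_token(SAMPLE_BAD_EMAIL_CLAIMS)
    print("correct config  :", check_claims(good, "email", "groups", "-"))
    print("email not string:", check_claims(bad, "email", "groups", "-"))
    # The first post's config used the group name as the claim name:
    print("claim=group name:", check_claims(good, "email", "GG-ClusterAdmin", "-"))
```

To use it on a real token, copy the ID token (or the userinfo response) that the auth-svc/dex log shows for your provider into `decode_payload` and pass the `usernameClaim`/`groupClaim` values from `helm get values k10`. If `email` comes back as a list or is absent, the fix is on the provider side (a mapper that emits the attribute as a single string claim), not in the K10 values.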
