Question

Login Failed create signed Token

1 year ago
November 30, 2023
2 comments
63 views

hafesi
Comes here often
2 comments

Hi Team,

I faced issue when try to login using OID, I implement using this helm commands

helm upgrade k10 kasten/k10 --namespace kasten-io --reuse-values \
--set auth.oidcAuth.enabled=true \
--set auth.oidcAuth.providerURL="https://xxxxxxx/auth/realms/xxxx" \
--set auth.oidcAuth.redirectURL="https://kasten-.com/k10/" \
--set auth.oidcAuth.scopes="groups profile email offline_access" \
--set auth.oidcAuth.prompt="select_account" \
--set auth.oidcAuth.clientID="KASTEN-GG" \
--set auth.oidcAuth.clientSecret="xxxxxxxx" \
--set auth.oidcAuth.usernameClaim="email" \
--set auth.oidcAuth.usernamePrefix="-" \
--set auth.oidcAuth.groupClaim="GG-ClusterAdmin" \
--set auth.oidcAuth.groupPrefix=""

also I follow the documentation https://docs.kasten.io/latest/access/authentication.html#token-authentication but still facing this issue.

So glad if you guys can help me to find out the problem is.

Thank you

+2

jaiganeshjk
Experienced User
275 comments
1 year ago
November 30, 2023

Thanks for creating a topic here.

From the quick look, I see that you have mentioned your group name in the groupClaim field.

Groups Claim specifies the name of the claim in the token holding the group names and/or paths.

groupClaim is usually `groups` . You could try changing it and see if it helps.

auth-svc/dex container logs in auth-svc pod might have some useful insights. You can look at the details that we are receiving from the token from your OIDC provider in these container logs.

Jaiganesh

H

hafesi
Author
Comes here often
2 comments
1 year ago
November 30, 2023

jaiganeshjk wrote:

Thanks for creating a topic here.

From the quick look, I see that you have mentioned your group name in the groupClaim field.

Groups Claim specifies the name of the claim in the token holding the group names and/or paths.

groupClaim is usually `groups` . You could try changing it and see if it helps.

auth-svc/dex container logs in auth-svc pod might have some useful insights. You can look at the details that we are receiving from the token from your OIDC provider in these container logs.

Hi,

thanks for the response, I already revised the groupClaim with groups but seems not working, below the pod log of auth-svc

{"File":"kasten.io/k10/kio/auth/handlers/ok.go","Function":"kasten.io/k10/kio/auth/handlers.(*OKHandler).ServeHTTP","Line":29,"cluster_name":"ae8192fb-e58a-4d8b-a0a1-8a191a8d62b9","hostname":"auth-svc-6d854cbb8d-9l6g2","level":"info","msg":"Authenticated: no auth required","path":"/v0/authz/k10/auth-svc/v0/oidc/redirect","status":200,"time":"2023-11-30T08:01:33.352Z","version":"6.0.12"}
{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.NewOIDCProvider","Line":56,"clusterName":"x.x.x.x","cluster_name":"ae8192fb-e58a-4d8b-a0a1-8a191a8d62b9","hostname":"auth-svc-6d854cbb8d-9l6g2","level":"info","msg":"Initializing OIDC provider","prompt":"login","providerURL":"https://x.x.x.x/auth/realms/GG-AUTH","scopes":"groups profile email offline_access","time":"2023-11-30T08:01:33.382Z","version":"6.0.12"}
{"File":"kasten.io/k10/kio/auth/oidc_userinfo.go","Function":"kasten.io/k10/kio/auth.userInfoFromOIDCTokenOrEndpoint","Line":46,"cluster_name":"ae8192fb-e58a-4d8b-a0a1-8a191a8d62b9","endpointErr":{"message":"Failed to get user info from endpoint response","function":"kasten.io/k10/kio/auth.userInfoFromOIDCEndpoint","linenumber":27,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:27","cause":{"message":"Failed to get the claim value. Value is not of type string","function":"kasten.io/k10/kio/auth.username","linenumber":66,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:66","fields":[{"name":"claim","value":"email"}]}},"hostname":"auth-svc-6d854cbb8d-9l6g2","level":"error","msg":"Failed to get oidc user info","time":"2023-11-30T08:01:33.429Z","tokenErr":{"message":"Failed to get the claim value. Value is not of type string","function":"kasten.io/k10/kio/auth.username","linenumber":66,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:66","fields":[{"name":"claim","value":"email"}]},"version":"6.0.12"}
{"File":"kasten.io/k10/kio/auth/oidc.go","Function":"kasten.io/k10/kio/auth.messagePageWithError","Line":255,"cluster_name":"ae8192fb-e58a-4d8b-a0a1-8a191a8d62b9","err":{"message":"missing user info claims OAuth2 token","cause":{"message":"Failed to get claims with user info from endpoint","function":"kasten.io/k10/kio/auth.userInfoFromOIDCTokenOrEndpoint","linenumber":47,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:47","cause":{"message":"Failed to get user info from endpoint response","function":"kasten.io/k10/kio/auth.userInfoFromOIDCEndpoint","linenumber":27,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:27","cause":{"message":"Failed to get the claim value. Value is not of type string","function":"kasten.io/k10/kio/auth.username","linenumber":66,"file":"kasten.io/k10/kio/auth/oidc_userinfo.go:66","fields":[{"name":"claim","value":"email"}]}}}},"hostname":"auth-svc-6d854cbb8d-9l6g2","level":"error","mpURL":"x.x.x.x/k10?page=Message/#/?title=Login%20Fai…

Below the output of helm get values k10

$ helm get values k10
USER-SUPPLIED VALUES:
auth:
basicAuth:
enabled: t
htpasswd: admin:$2y$05$u0qpe1kcVJZTfif1DvecdRq779UAAkqZYVaM3cn4bQqDqFWqfy
oidcAuth:
clientID: KASTEN-GG
clientSecret: 1V19KfDLu0uQHPjliWhhPJHvQ5B0riBD
enabled: true
groupClaim: groups
groupPrefix: ""
prompt: login
providerURL: https://x.x.x.x/auth/realms/GG-AUTH
redirectURL: https://y.y.y.y/
refreshTokenSupport: false
scopes: groups profile email offline_access
usernameClaim: email
usernamePrefix: '-'

Thank you

Comment

Related topics

Poorten openzetten klik en klaar

Portforwarding voor RSYNC 873 ZYXEL NR5307 maar volgens poortscanner niet openicon

Port Forwarding op de nieuwe Klik&Klaar modemicon

portforwarden Klik & Klaar moden NR5307

Zyxel NR5307 hoe voorkom ik dagelijkse Internet onderbreking?

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded