client_id-confusion :/ ...

[flypenguin]

Hi fellow Dexians,

First of all: I think my use case is "valid", as in "supported and possible – if I am in fact wrong about this please tell me.

The setup

So I am trying to configure Dex in an authentication chain on Kubernetes as follows:

 (Traefik with OIDC plugin)────┐                                                   
  Client ID: "traefik-oidc"    │           ┌──►Authelia Instance I (user base I)   
                               │           │   Dex client ID: "dex"                
                               ├───(Dex)───┤                                       
                               │           │                                       
                               │           └──►Authelia Instance II (user base II) 
       (any other OIDC app)────┘               Dex client ID: "dex"                
        currently hypothetical                                                     

(I have a repository with a configured playground here, simply go make prepare ; make deploy and you should be set up if you're interested).

Current situation

• Traefik running, and "configured" (incl. the plugin)
  • Dex is configured as OIDC endpoint, client-id traefik-oidc
• dex running, and "configured":
  • one "staticClient" called "traefik-oidc"
  • one "connector" for each Authelia instance, using the same "client-id" out of laziness ("dex"), but different client secrets
• Authelia I & II running, and working (I can authenticate against its respective backend on each one of them)

Now I have deployed a simple nginx, which I intend to authenticate using Traefik OIDC. When I go to the web page, this happens:

• The Traefik OIDC plugin redirects me to Dex (good)
• Dex gives me the choice of my two backends to authenticate against (good)
• I click on one.
• I see the error "Not Found | Invalid client_id ("traefik-oidc")."

I would have expected in my little perfect fantasy world that now I simply authenticate against one of those Authelia instances, and am being redirected back to my nginx page. And to me it seems perfectly straightforward that "Traefik <-> Dex", "Dex <-> Authelia I", and "Dex <-> Authelia II" have separate sets of client IDs and secrets, so I really am lost about how to interpret this error message.

This is, obviously, not the case. And I hope I'm doing something wrong, instead of expecting something "not possible", and in each of both cases, I am pretty desperate for any help now :/ ...

The config files

... for completeness

Details

GitHub permalink

Helm values file for Dex

---
##:CHART dex/dex
##:REPO dex https://charts.dexidp.io

replicaCount: 1
namespaceOverride: "dex"
hostAliases: []
https:
  enabled: false

configSecret:
  create: true
  # name: ""

config:
  # config examples:
  #   - dev config: https://is.gd/pijoRf
  #   - AD connect: https://is.gd/AjKFns

  # required, but weirdly nowhere documented ...
  issuer: https://dex.localhost.traefik.me

  # required
  storage:
    type: kubernetes
    config:
      inCluster: true

  # naturally, required ...
  connectors:
    - type: oidc
      id: authelia-local
      name: Externe Nutzer
      config:
        issuer: http://authelia-local.authelia-local.svc.cluster.local
        clientID: dex
        clientSecret: $CLIENT_SECRET_AUTHELIA_LOCAL
        redirectURI: https://dex.localhost.traefik.me/callback
    - type: oidc
      id: authelia-ldap
      name: LDAP Nutzer (Windows)
      config:
        issuer: http://authelia-ldap.authelia-ldap.svc.cluster.local
        clientID: dex
        clientSecret: $CLIENT_SECRET_AUTHELIA_LDAP
        redirectURI: https://dex.localhost.traefik.me/callback

envVars:
  - name: CLIENT_SECRET_AUTHELIA_LOCAL
    valueFrom:
      secretKeyRef:
        name: dex-client-secret-authelia-local
        key: client_secret
  - name: CLIENT_SECRET_AUTHELIA_LDAP
    valueFrom:
      secretKeyRef:
        name: dex-client-secret-authelia-ldap
        key: client_secret

ingress:
  enabled: true
  # className: ""
  # annotations: {}
  hosts:
    - host: dex.localhost.traefik.me
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: []

networkPolicy:
  enabled: false

service:
  type: ClusterIP
  ports:
    http:
      port: 5556
    https:
      port: 5554

serviceMonitor:
  enabled: false

# see example config file "config.yaml.dist": https://is.gd/MY10DS
staticClients:
  - id: traefik-oidc
    redirectURIs:
      - ...
    name: Traefik OIDC authentication
    secret: qem80y5no10g7qpz5h0nhjym0j9hawh8qod70ez1ufkjrb2gz3ye455mj8fkrzhc

Details

GitHub permalink

Helm values for "authelia-local" (one of the two)

---
##:CHART authelia/authelia
##:REPO authelia https://charts.authelia.com

rbac:
  enabled: true

ingress:
  enabled: true
  # cert-manager doing its magic, using an internal self-signed ca.

pod:
  extraVolumes:
    - name: users-database
      secret:
        secretName: authelia-local-users-database
        optional: false
    - name: pre-processed-config-values
      emptyDir: {}
    - # to read the "email" notifications
      name: authelia-local-notifications
      emptyDir: {}

  env:
    - # https://is.gd/v9hRop
      # enabled templating ...
      name: X_AUTHELIA_CONFIG_FILTERS
      value: "template"

  extraVolumeMounts:
    - name: users-database
      mountPath: /config/users_database.yml
      readOnly: true
      subPath: users_database.yml
    - name: authelia-local-notifications
      mountPath: /authelia-notifications
    - name: pre-processed-config-values
      mountPath: /ppc

  initContainers:
    - name: pbkdf2-hasher
      image: ghcr.io/authelia/authelia
      command:
        - sh
        - -c
        - |
          set -euo pipefail
          CS=/ppc/client-secrets
          mkdir -p $CS
          cd $CS
          echo "Password SHA256: $(echo "$CLIENT_SECRET" | sha256sum)"
          authelia crypto hash generate --password "$CLIENT_SECRET" | sed -E "s/^([^ ]+ )?//" > dex-authelia-local
          authelia crypto hash validate --password "$CLIENT_SECRET" -- "$(cat dex-authelia-local)"
          echo "Validation successful."

      env:
        - name: CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: dex-client-secret-authelia-local
              key: client_secret
      volumeMounts:
        - name: pre-processed-config-values
          mountPath: /ppc

  extraContainers:
    - # to read the "email" notifications
      name: filemanager
      image: filebrowser/filebrowser
      args: ["-p", "28080", "--noauth", "-r", "/authelia-notifications"]
      securityContext:
        runAsUser: 0
      ports:
        - containerPort: 28080
          name: filemanager
      volumeMounts:
        - name: authelia-local-notifications
          mountPath: /authelia-notifications

configMap:
  access_control:
    default_policy: two_factor

  authentication_backend:
    refresh_interval: always
    file:
      enabled: true
      watch: true
      search:
        email: true
        case_insensitive: false
    password_change:
      disable: false
    password_reset:
      disable: false

  identity_providers:
    # for all the secret mounting and usage see this:
    #   - https://is.gd/XeHUqZ (INCOMPLETE!)
    #   - https://is.gd/nq0PHf (full config reference)
    #   - https://is.gd/ZAxz96 (how to use secrets)
    # secrets mounted below under "secret.additionalSecrets.[...]"
    oidc:
      enabled: true
      # NO LONGER A STRING. see here: https://is.gd/zNwgrE
      # we mount that secret below. the config says "use value from '/secrets/authelia-local-hmac-value/hmac'"
      hmac_secret:
        disabled: true
        secret_name: "authelia-local-hmac-value"
        path: hmac
      jwks:
        - key_id: "authelia"
          algorithm: "RS256"
          use: "sig"
          key:
            path: /secrets/authelia-local-cert-private-key/tls.key
          # cert-manager certificate: https://is.gd/vLCkz7
          certificate_chain:
            path: /secrets/authelia-local-cert-private-key/tls.crt

      # config ref: https://is.gd/nq0PHf
      enable_client_debug_messages: false
      cors:
        # https://is.gd/F3YNB8
        allowed_origins:
          - "*" # FOR NOW

        allowed_origins_from_client_redirect_uris: false

      # https://is.gd/FhAB1j
      # copied from the terratgrunt example ...
      clients:
        - # dex ref @ authelia: https://is.gd/N8wzZP
          # dex oidc connector: ref: https://is.gd/gZdGS6
          # we create the pbkdf2 hash from the init container - see above.
          client_name: Dex
          client_id: dex-authelia-local
          client_secret:
            path: /ppc/client-secrets/dex-authelia-local
          redirect_uris:
            - https://dex.localhost.traefik.me/callback
          scopes:
            - openid
            - email
            - profile
          response_types:
            - code
          grant_types:
            - authorization_code
            # - refresh_token # Authelia warning: "refresh_token" _WITH_ "offline_access", or none.
          access_token_signed_response_alg: "none"
          userinfo_signed_response_alg: "none"
          token_endpoint_auth_method: "client_secret_post"
          response_modes:
            - form_post
            - query
            - fragment

  notifier:
    filesystem:
      enabled: true
      filename: /authelia-notifications/notification.txt

  password_policy:
    zxcvbn:
      enabled: true
      min_score: 3

  session:
    cookies:
      - domain: localhost.traefik.me
        subdomain: auth-local

  storage:
    postgres:
      enabled: true
      deploy: true
      address: "tcp://authelia-local-postgresql.authelia-local.svc.cluster.local:5432"
      database: "authelia-local"
      schema: "public"
      username: "authelia-local"
      password:
        secret_name: ~
        value: "authelia-local"
        path: "storage.postgres.password.txt"

postgresql:
  # default values, but here to see how we configure this.
  auth:
    postgresPassword: authelia-local
    username: authelia-local
    password: authelia-local
    database: authelia-local

secret:
  additionalSecrets:
    authelia-local-hmac-value:
      path: ""
      items:
        - key: hmac
    authelia-local-cert-private-key:
      path: ""
      items:
        # https://is.gd/vLCkz7
        - key: ca.crt
        - key: tls.crt
        - key: tls.key

Details

GitHub permalink

Traefik OIDC plugin config

---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oidc
  namespace: {{ .Values.traefik.namespace }}
spec:
  plugin:
    traefikoidc:
      providerURL: http://dex.dex.svc.cluster.local:5556
      clientID: traefik-oidc
      clientSecret: qem80y5no10g7qpz5h0nhjym0j9hawh8qod70ez1ufkjrb2gz3ye455mj8fkrzhc
      sessionEncryptionKey: d6ydbjrkt5go3vxmuzxm7vp8vb6qtzekinx1wiwekxg8xlp7
      callbackURL: /oauth2/callback
      logoutURL: /oauth2/logout
      scopes:
        - roles

Details

GitHub permalink

Helm values for Traefik

---
##:CHART traefik/traefik
##:REPO traefik https://traefik.github.io/charts

# Default values for Traefik
# This is a YAML-formatted file.
# Declare variables to be passed into templates

ingressClass:
  enabled: true
  isDefaultClass: true
  name: "traefik"

experimental:
  abortOnPluginFailure: true
  fastProxy:
    enabled: false
    debug: false
  kubernetesGateway:
    enabled: false
  plugins:
    traefikoidc:
      moduleName: "github.com/lukaszraczylo/traefikoidc"
      version: "v0.7.5-rc.1"
  localPlugins: {}

gateway:
  enabled: false
  name: "traefik-default"
  listeners:
    web:
      port: 9080
      hostname: "host.localhost.traefik.me"
      protocol: HTTP
    websecure:
      port: 9443
      hostname: "host.localhost.traefik.me"
      protocol: HTTPS

gatewayClass:
  enabled: false
  name: "traefik-default"
  labels: {}

ingressRoute:
  dashboard:
    enabled: true
    matchRule: Host(`traefik.localhost.traefik.me`)
    services:
      - name: api@internal
        kind: TraefikService
    entryPoints: ["web"]
    tls: {}
  healthcheck:
    enabled: true
    matchRule: Host(`traefik.localhost.traefik.me`) && PathPrefix(`/ping`)
    services:
      - name: ping@internal
        kind: TraefikService
    entryPoints: ["websecure"]
    middlewares: []
    tls: {}

providers: # @schema additionalProperties: false
  kubernetesCRD:
    enabled: true
    allowCrossNamespace: false
    allowExternalNameServices: true
    allowEmptyServices: true

  kubernetesIngress:
    enabled: true
    allowExternalNameServices: true
    allowEmptyServices: true
    nativeLBByDefault: false

  kubernetesGateway:
    enabled: false

  file:
    enabled: false

logs:
  access:
    enabled: true
    addInternals: true

metrics:
  addInternals: true
  ## Prometheus is enabled by default.
  ## It can be disabled by setting "prometheus: null"
  prometheus:
    entryPoint: metrics

ports:
  traefik:
    port: 9081
    hostPort: 9081
    expose:
      default: false
    exposedPort: 9081
    protocol: TCP
  web:
    port: 9080
    hostPort: 9080 # IMPORTANT
    asDefault: false
    protocol: TCP
    exposedPort: 80
    # this does not work, because it uses :8443 in the redirected url.
    # let's _rewrite_ this instead.
    redirections:
      entryPoint:
        to: websecure
        scheme: https
        permanent: true
        port: 443 # https://is.gd/vXqGqm
    # containerPort: 8080 # no effect?
    # targetPort: 8080 # no effect?
    # nodePort: 8080 # not the correct port range ...
    #expose:
    #  default: true
    #exposedPort: 8080
    #forwardedHeaders:
    #  # -- Trust forwarded headers information (X-Forwarded-*).
    #  trustedIPs: []
    #  insecure: false
    #proxyProtocol:
    #  # -- Enable the Proxy Protocol header parsing for the entry point
    #  trustedIPs: []
    #  insecure: false
  websecure:
    asDefault: true
    port: 9443
    hostPort: 9443 # IMPORTANT
    exposedPort: 443
    # containerPort:
    # targetPort:
    # nodePort:
    # allowACMEByPass: false
    expose:
      default: true
    protocol: TCP
    forwardedHeaders:
      trustedIPs: []
      insecure: false
    proxyProtocol:
      trustedIPs: []
      insecure: false
    tls:
      enabled: true
      options: ""
      certResolver: ""
      domains: []
  metrics:
    port: 9100
    expose:
      default: false
    protocol: TCP

tlsOptions: {}
tlsStore: {}

service:
  enabled: true
  single: true
  type: LoadBalancer
  # type: NodePort

rbac:
  enabled: true
  namespaced: false