Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bearer Token Authentication not responding #8794

Open
KevinDW-Fluxys opened this issue Mar 14, 2024 · 27 comments
Open

Bearer Token Authentication not responding #8794

KevinDW-Fluxys opened this issue Mar 14, 2024 · 27 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@KevinDW-Fluxys
Copy link

What happened?

When trying to login using a Bearer Token the page is not responding.
We can find this in the logs of the auth-pod:

[GIN] 2024/03/14 - 08:58:40 | 200 |       39.46µs |     172.18.1.25 | GET      "/api/v1/csrftoken/login"`
[GIN] 2024/03/14 - 08:58:40 | 200 |    1.978088ms |     172.18.1.25 | POST     "/api/v1/login" 
E0314 08:58:40.077452       1 handler.go:33] "Could not get user" err="MSG_LOGIN_UNAUTHORIZED_ERROR" 
[GIN] 2024/03/14 - 08:58:40 | 500 |      94.718µs |     172.18.1.25 | GET      "/api/v1/me"

in the kong-rpoxy we find this:

172.18.2.5 - - [14/Mar/2024:08:58:40 +0000] "GET /api/v1/csrftoken/login HTTP/1.1" 200 53 "https://kubernetes.qua.***.***.net/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0" kong_request_id: "6360637dbab53d54d98c240fe426f163"
172.18.2.5 - - [14/Mar/2024:08:58:40 +0000] "POST /api/v1/login HTTP/1.1" 200 4247 "https://kubernetes.qua.***.***.net/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0" kong_request_id: "d82fd54bde203131d1bbe31660b8c454"
172.18.2.5 - - [14/Mar/2024:08:58:40 +0000] "GET /api/v1/me HTTP/1.1" 500 124 "https://kubernetes.qua.***.***.net/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0" kong_request_id: "e5431028bc7bf35ccc2573031b444e01"

and in the devtools i can see the response 500 from /api/v1/me is this:

{
    "ErrStatus": {
        "metadata": {},
        "status": "Failure",
        "message": "MSG_LOGIN_UNAUTHORIZED_ERROR",
        "reason": "Unauthorized",
        "code": 401
    }
}

The token is correct because it works for directly authenticating. Also, when i just type some random characters, the UI returns a clear error and in devtools i can see it is returned from api/v1/login instead

What did you expect to happen?

The page responds and you are logged in (or you get an error message about invalid credentials)

How can we reproduce it (as minimally and precisely as possible)?

It is unclear, we have 2 environments where it works, and 2 others where it doesn't work. The environments are programatically deployed, and we can see no difference in configuration between the clusters.
The only difference we find is that the bearer token is much longer on the environment where it doesn't work so our best guess is that it has to do with this.

Anything else we need to know?

We are now running behind an Istio Virtualservice that redirects to Kong Proxy, but that should not be related, as we tried running istio directly without Kong. We also get the same result when using a portforward. (on the kong proxy, port forward does not seem to work since the pods have been split up)

What browsers are you seeing the problem on?

Chrome, Microsoft Edge, Firefox

Kubernetes Dashboard version

7.1.1 (Helm)

Kubernetes version

1.28.3

Dev environment

No response

@KevinDW-Fluxys KevinDW-Fluxys added the kind/bug Categorizes issue or PR as related to a bug. label Mar 14, 2024
@floreks
Copy link
Member

floreks commented Mar 14, 2024

Unfortunately, that sounds like an issue with token size. Most web servers support summary request header sizes up to 4-8 kB. We do not have any logic to detect token length. We could add that, but it would still not solve your issue.

Does kubectl --token ... work with such a big token?

@ToonTijtgat2
Copy link

Dear @floreks, I'm a college of Kevin.

I'm able to use the token in kubectl --token. so that does not seem to be the problem.
If I check the token of the "not working" environment in https://www.javainuse.com/bytesize then it sais it's 4.1 KB
If I check the token of the "working" environment in https://www.javainuse.com/bytesize then it sais 2.08 KB.

Could maybe be 4 the limit or something?

Thanks for checking

Are there test commands we can try to run in the pod to see if the header is added correctly in the response?
Can we enable extra logging or something?

Thanks
Toon Tijtgat

@floreks
Copy link
Member

floreks commented Mar 16, 2024

I think that kong by default supports summary header sizes up to 8 kB. They are using nginx underneath. Our UI -> API most probably has a 4 kB limit currently. I'd have to debug it on our side to make sure where it gets terminated. If you can configure token content and get rid of unused information it should make it work for now. I know that some providers include lots of unnecessary information that are not required by Kubernetes API server.

@KevinDW-Fluxys
Copy link
Author

Hi @floreks

We are using Azure kubelogin, which does not allow configuring the token content as far as I know.

I have taken a quick glance at the code with my limited go knowledge.
If it is indeed the UI -> API, could it be that we need to specify a MaxHeaderBytes in this function?

func serveTLS(certificates []tls.Certificate) {

@floreks
Copy link
Member

floreks commented Mar 18, 2024

AFAIR azure allows configuring JWT token content, groups, audience, etc. With azure it is usually an issue of configuring too many groups and that all of them are embedded into the token, not only actually used ones.

@floreks
Copy link
Member

floreks commented Mar 18, 2024

Regarding code changes, max header size would need to be checked and increased for both API and Auth modules. If that's the only issue.

@KevinDW-Fluxys
Copy link
Author

AFAIR azure allows configuring JWT token content, groups, audience, etc. With azure it is usually an issue of configuring too many groups and that all of them are embedded into the token, not only actually used ones.

I can indeed see that there are many groups included in the token, but unfortunately i dont find a way to configure the response. We are using kubelogin which does not have the option to do so, but if you know of another way that leverages azure authentication to generate the token, it might help us to (temporarily) overcome this issue.

Regarding code changes, max header size would need to be checked and increased for both API and Auth modules. If that's the only issue.

Given the behavior it does look like that would be the issue, but the only way to be sure is to test it of course. What would be the best course of action to get this tested?

@ToonTijtgat2
Copy link

@floreks Thanks for finding the potential issue.
Would it be possible to fix the issue with a patch?

Thanks for checking

@KevinDW-Fluxys
Copy link
Author

@floreks Did you get the chance to look at this? Or what can we do to make this move forward?

@floreks
Copy link
Member

floreks commented Apr 10, 2024

It's a bit problematic to test locally, unfortunately. From what I have checked header is not trimmed on our side (auth container). It was able to receive headers bigger than 4kB. Configuring API server with a custom OIDC exchange to allow testing custom tokens is time-consuming. I didn't get a chance to do a full end-to-end test to figure out the root cause yet. On our side header size does not seem to be the problem.

image

@thunko
Copy link

thunko commented Apr 14, 2024

I was facing this issue and managed to login to kong-proxy with a regular admin-user token after i recreated it.

@KevinDW-Fluxys
Copy link
Author

I was facing this issue and managed to login to kong-proxy with a regular admin-user token after i recreated it.

This would reduce the length of the token, and as such avoid the issue. Unfortunately when you have no control over the token length (such as with azure generated tokens) this does not help.

@dverzolla
Copy link

My use case is: nginx proxy_pass to kong from default helm installation.
When I tried passing token using web input, I was getting "Invalid Token".
Added proxy_set_header Authorization "Bearer xxx" into nginx config and it worked.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 28, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 27, 2024
@jrabbit
Copy link

jrabbit commented Aug 27, 2024

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Aug 27, 2024
@jrabbit
Copy link

jrabbit commented Aug 27, 2024

This is still a show stopper for many install targets.

@ToonTijtgat2
Copy link

agreed, we are still not able to update because of this issue.

@Netroxen
Copy link

This issue is incredibly frustrating, I have tried everything but can't seem to get this working.
I'm using the nginx-ingress-controller and have the following annotations configured:

# From Terraform ingress deployment

"nginx.ingress.kubernetes.io/auth-response-headers" = "UserID, Authorization"
"nginx.ingress.kubernetes.io/auth-snippet"          = <<-EOT
  proxy_set_header  "Authorization: Bearer ${local.dashboard_token}";
  proxy_pass_header "Authorization";
EOT
"nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOT
  more_set_headers "Authorization: Bearer ${local.dashboard_token}";
EOT

I have created a token for the "default" serviceaccount.
The ingress points to kong-proxy on port 443.

When authenticating using curl directly to /api/v1/me I get:

{"name":"default","authenticated":true}

When I open my browser and navigate to the dashboard I get "401 Unauthorized", dashboard-auth shows:

"Could not get user" err="MSG_LOGIN_UNAUTHORIZED_ERROR"

I have no idea how to get this working.

@jstefankowski
Copy link

@Netroxen Any luck ?

I'm in exactly in the same situation, /api/v1/me returns {"authenticated":true} but the same request in a browser results in error logged in auth pod {"ErrStatus":{"metadata":{},"status":"Failure","message":"MSG_LOGIN_UNAUTHORIZED_ERROR","reason":"Unauthorized","code":401}}

It can't be a token issue. Passing the same token to the cluster API endpoint works.

@floreks
Copy link
Member

floreks commented Dec 27, 2024

What type of token are you using? Service account or provider-specific?

@Sispheor
Copy link

Same here. On my side I'm trying to configure a Github oauth backend.

Here is my config

- name: Setup oauth proxy
  kubernetes.core.k8s:
    kubeconfig: "{{ k8s_kubeconfig_path }}"
    state: present
    definition:
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        labels:
          k8s-app: oauth2-proxy
        name: oauth2-proxy
        namespace: kubernetes-dashboard
      spec:
        replicas: 1
        selector:
          matchLabels:
            k8s-app: oauth2-proxy
        template:
          metadata:
            labels:
              k8s-app: oauth2-proxy
          spec:
            containers:
            - args:
              - --email-domain=*
              - --http-address=0.0.0.0:4180
              env:
              - name: OAUTH2_PROXY_PROVIDER
                value: github
              - name: OAUTH2_PROXY_LOGIN_URL
                value: https://mygithub.enterprise.com/login/oauth/authorize
              - name: OAUTH2_PROXY_REDEEM_URL
                value: https://mygithub.enterprise.com/login/oauth/access_token
              - name: OAUTH2_PROXY_REDIRECT_URL
                value: "https://{{ k8s_dashboard_host }}/oauth2/callback"
              - name: OAUTH2_PROXY_VALIDATE_URL
                value: https://mygithub.enterprise.com/api/v3
              - name: OAUTH2_PROXY_GITHUB_ORG
                value: myorg
              - name: OAUTH2_PROXY_GITHUB_TEAM
                value: myteam
              - name: OAUTH2_PROXY_CLIENT_ID
                value: client_id
              - name: OAUTH2_PROXY_CLIENT_SECRET
                value: secret
              - name: OAUTH2_PROXY_COOKIE_SECRET
                value: secret
              - name: OAUTH2_PROXY_UPSTREAM
                value: "https://{{ k8s_dashboard_host }}"
              - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
                value: "true"
              - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL
                value: "true"
              - name: OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER
                value: "true"
              - name: OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY
                value: "true"
              - name: OAUTH2_PROXY_OIDC_EMAIL_CLAIM
                value: email
              - name: OAUTH2_PROXY_GROUPS_CLAIM
                value: groups
              - name: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON
                value: "true"
              - name: OAUTH2_PROXY_SET_AUTHORIZATION_HEADER
                value: "true"
              - name: OAUTH2_PROXY_PASS_ACCESS_TOKEN
                value: "true"
              - name: OAUTH2_PROXY_PASS_USER_HEADERS
                value: "true"
              - name: OAUTH2_PROXY_SET_XAUTHREQUEST
                value: "true"
              image: quay.io/oauth2-proxy/oauth2-proxy:latest
              imagePullPolicy: Always
              name: oauth2-proxy
              ports:
              - containerPort: 4180
                protocol: TCP

- name: Setup oauth proxy service
  kubernetes.core.k8s:
    kubeconfig: "{{ k8s_kubeconfig_path }}"
    state: present
    definition:
      apiVersion: v1
      kind: Service
      metadata:
        labels:
          k8s-app: oauth2-proxy
        name: oauth2-proxy
        namespace: kubernetes-dashboard
      spec:
        ports:
        - name: http
          port: 4180
          protocol: TCP
          targetPort: 4180
        selector:
          k8s-app: oauth2-proxy

- name: Setup oauth proxy ingress
  kubernetes.core.k8s:
    kubeconfig: "{{ k8s_kubeconfig_path }}"
    state: present
    definition:
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: oauth2-proxy
        namespace: kubernetes-dashboard
      spec:
        ingressClassName: nginx
        rules:
        - host: "{{ k8s_dashboard_host }}"
          http:
            paths:
            - path: /oauth2
              pathType: Prefix
              backend:
                service:
                  name: oauth2-proxy
                  port:
                    number: 4180

- when: (expose_k8s_dashboard_with_ingress | default(false)) and k8s_dashboard_tls is not defined
  name: Create dashboard route
  kubernetes.core.k8s:
    kubeconfig: "{{ k8s_kubeconfig_path }}"
    state: present
    definition:
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: dashboard-ingress
        namespace: kubernetes-dashboard
        annotations:
          kubernetes.io/ingress.class: "nginx"
          nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
          nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
          # nginx.ingress.kubernetes.io/auth-response-headers: "Authorization"
          ingress.kubernetes.io/ssl-redirect: "true"
          nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
          nginx.ingress.kubernetes.io/auth-response-headers: >-
            X-Auth-Request-Email,X-Auth-Request-Preferred-,X-Auth-Request-Access-Token,
            X-Auth-Request-Roles,X-Auth-Request-User,X-Auth-Request-Groups,X-Forwarded-Groups,
            Authorization

      spec:
        rules:
          - host: "{{ k8s_dashboard_host }}"
            http:
              paths:
                - pathType: Prefix
                  path: "/"
                  backend:
                    service:
                      name: kubernetes-dashboard-kong-proxy
                      port:
                        number: 443

oauth is working fine, I get redirected to my Github enterprise instance. But in the kubernetes-dashboard-auth:

|  E0110 08:35:26.203231       1 handler.go:33] "Could not get user" err="MSG_LOGIN_UNAUTHORIZED_ERROR"                                                                                                                                                                                                                                               │
│ [GIN] 2025/01/10 - 08:35:26 | 401 |    1.069048ms |    10.233.64.27 | GET      "/api/v1/me"                                                                                                                                                                                                                                                        │
│ [GIN] 2025/01/10 - 08:35:56 | 401 |     214.196µs |    10.233.64.27 | GET      "/api/v1/me"                                                                                                                                                                                                                                                        │
│ E0110 08:35:56.251122       1 handler.go:33] "Could not get user" err="MSG_LOGIN_UNAUTHORIZED_ERROR"                                                                                                                                                                                                                                               │
│ E0110 08:36:31.739172       1 handler.go:33] "Could not get user" err="MSG_LOGIN_UNAUTHORIZED_ERROR"                                                                                                                                                                                                                                               │
│ [GIN] 2025/01/10 - 08:36:31 | 401 |    1.061071ms |    10.233.64.27 | GET      "/api/v1/me"                                                                                                                                                                                                                                                        │
│ E0110 08:37:02.166391       1 handler.go:33] "Could not get user" err="MSG_LOGIN_UNAUTHORIZED_ERROR"                                                                                                                                                                                                                                               │
│ [GIN] 2025/01/10 - 08:37:02 | 401 |     924.103µs |    10.233.64.27 | GET      "/api/v1/me"   

@Sispheor
Copy link

Still trying to figure out where the Authorization token is lost.
I've redirected the nginx ingress config to an http-echo server to check received headers. I don't have any "Authorization" header.

The oauth process seems to work as expected. I'm redirected to Github to allow the app. In the browser logs I can see that the callback URL has been called.
I have a "cookie" header set. This one should not be then updated by oauth-proxy pod?

Headers received by the http-echo:

{
  "path": "/",
  "headers": {
    "host": "dashboard.kubespray-dev.lab.net",
    "x-request-id": "65d14d649252dcdaca339f08d1601ecb",
    "x-real-ip": "10.233.65.27",
    "x-forwarded-for": "10.233.65.27",
    "x-forwarded-host": "dashboard.kubespray-dev.lab.net",
    "x-forwarded-port": "443",
    "x-forwarded-proto": "https",
    "x-forwarded-scheme": "https",
    "x-scheme": "https",
    "cache-control": "max-age=0",
    "sec-ch-ua": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"",
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": "\"Windows\"",
    "upgrade-insecure-requests": "1",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "sec-fetch-site": "none",
    "sec-fetch-mode": "navigate",
    "sec-fetch-user": "?1",
    "sec-fetch-dest": "document",
    "accept-encoding": "gzip, deflate, br, zstd",
    "accept-language": "fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7",
    "dnt": "1",
    "sec-gpc": "1",
    "priority": "u=0, i",
    "cookie": "_oauth2_proxy=JM_yArn54Xc--TRUNCATED--LrACBOQ="
  },
  "method": "GET",
  "body": "",
  "fresh": false,
  "hostname": "dashboard.kubespray-dev.lab.net",
  "ip": "10.233.65.27",
  "ips": [
    "10.233.65.27"
  ],
  "protocol": "https",
  "query": {},
  "subdomains": [
    "glabs",
    "k8s",
    "kubespray-dev",
    "dashboard"
  ],
  "xhr": false,
  "os": {
    "hostname": "echo-server"
  },
  "connection": {}
}

@floreks
Copy link
Member

floreks commented Jan 14, 2025

If the token size is too big it might not work as it will be trimmed to fit max header size.

@Sispheor
Copy link

It works only if I set the token in the nginx header like described above.

      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: dashboard-ingress
        namespace: kubernetes-dashboard
        annotations:
          kubernetes.io/ingress.class: "nginx"
          ingress.kubernetes.io/ssl-redirect: "true"
          nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
          nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
          nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
          nginx.ingress.kubernetes.io/auth-response-headers: "Authorization"
          nginx.ingress.kubernetes.io/large-client-header-buffers: "4 16k"
          nginx.ingress.kubernetes.io/configuration-snippet: |
            proxy_pass_header "Authorization";
            proxy_set_header Authorization "Bearer XXXXX";
      spec:
        ingressClassName: nginx
        rules:
          - host: "{{ k8s_dashboard_host }}"
            http:
              paths:
                - pathType: Prefix
                  path: "/"
                  backend:
                    service:
                      name: kubernetes-dashboard-kong-proxy
                      port:
                        number: 443

Is that normal? I don't have the same behavior on Openshift.
In the top right corner of the UI in Openshift the identified user is my Github email.
In K8S I'm connected as the service account behind the token. Not sure if it's a good pratice.

Image

@floreks
Copy link
Member

floreks commented Jan 15, 2025

You can test whether the K8S API server accepts the access token you are getting from the OIDC with kubectl --token "XYZ" get pod. For it to be accepted, K8S API server has to be configured with the OIDC args in the first place. Dashboard only acts as a proxy here and forwards all headers to the API server. Openshift might have some internal auth layer that can accept OIDC tokens and then i.e. impersonate with specific permissions to access K8S API.

@Sispheor
Copy link

Thanks @floreks for all the info. I'll try to update the API server config and give update here in case it help other Googlers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Development

No branches or pull requests