400 Error when logging in from AzureAd with OIDC #3783

Closed
m477r1x opened this issue Jun 12, 2023 · 28 comments
Labels
bug Something isn't working team/pesto

Comments

@m477r1x

m477r1x commented Jun 12, 2023

Describe the bug

This might be related (or not) to issue #2955. We have configured OIDC auth from AzureAD for use with the gitops dashboard, and are receiving the following error on the pod when logging in with OIDC:

2023-06-12T14:29:22.930Z	ERROR	gitops.auth-server	auth/server.go:452	Failed to get cookie from request	{"error": "http: named cookie not present"}
2023-06-12T14:29:22.931Z	INFO	gitops	middleware/middleware.go:61	request error	{"uri": "/oauth2/userinfo", "status": 400}]

Environment

  • Weave-Gitops Version
    v0.25.0


  • Flux Version
helm-controller: v0.34.1
image-automation-controller: rc-faf265e7
image-reflector-controller: v0.28.0
kustomize-controller: v1.0.0-rc.4
notification-controller: v1.0.0-rc.4
source-controller: v1.0.0-rc.5
  • Kubernetes version:
Server Version: version.Info{Major:"1", Minor:"27+", GitVersion:"v1.27.1-eks-2f008fe", GitCommit:"abfec7d7e55d56346a5259c9379dea9f56ba2926", GitTreeState:"clean", BuildDate:"2023-04-14T20:40:28Z", GoVersion:"go1.20.3", Compiler:"gc", Platform:"linux/amd64"}

To Reproduce
Steps to reproduce the behavior:

  1. Set up OIDC app in AzureAD with correct scopes and claims which weave-dashboard is expecting
  2. Set up kubernetes secret named oidc-auth and populate with OIDC connection details which match what are configured on the OIDC app in AzureAD
  3. Enable OIDC auth in the helm release
  4. Login via OIDC

Expected behavior

Logs in with OIDC and successfully impersonates the weave-gitops-admin-cluster-role to see resources

Actual Behavior

No resources are shown in the UI and the pod logs the error in the above description

Additional Context (screenshots, logs, etc)

I also tried setting the .impersonationResourceNames to include the exact user I was logging in with but that led to a different error:

2023-06-12T13:29:02.562Z	ERROR	gitops	clustersmngr/factory.go:566	failed filtering namespaces	{"cluster": "Default", "user": "[email protected]", "error": "user namespace access: groups \"NewRelic_Admin\" is forbidden: User \"system:serviceaccount:weave-gitops:weave-gitops-service-account\" cannot impersonate resource \"groups\" in API group \"\" at the cluster scope"}

This error kept happening for every group that the user is a member of (ideally we do not want to have to create bindings in kubernetes for all groups because AD group memberships can change frequently and you don't want to have to keep updating the dashboard manifests every time).

@m477r1x m477r1x added the bug Something isn't working label Jun 12, 2023
@makkes
Member

makkes commented Jun 12, 2023

Related Slack thread.

@bigkevmcd
Contributor

Do you know how many groups you would expect to see?

It might be that the cookie we're setting is too large.

@m477r1x
Author

m477r1x commented Jun 12, 2023

> Do you know how many groups you would expect to see?
>
> It might be that the cookie we're setting is too large.

For my user I think it is about 8 groups (I'm not an AD admin at my org so I can't check directly). But for some other users it could be up to 20 groups I suppose (just guessing based on my own).

@bigkevmcd
Contributor

Are you authenticating your kubectl clients to Kubernetes successfully?

I can see this:
2023-06-12T14:29:22.930Z ERROR gitops.auth-server auth/server.go:452 Failed to get cookie from request {"error": "http: named cookie not present"}

Which strongly suggests that the browser is dropping the cookie for some reason, I have seen this when it was "too large" for the browser, i.e. around 4096bytes, but based on "8 groups" this feels unlikely.

@m477r1x
Author

m477r1x commented Jun 12, 2023

> Are you authenticating your kubectl clients to Kubernetes successfully?
>
> I can see this:
> 2023-06-12T14:29:22.930Z ERROR gitops.auth-server auth/server.go:452 Failed to get cookie from request {"error": "http: named cookie not present"}
>
> Which strongly suggests that the browser is dropping the cookie for some reason, I have seen this when it was "too large" for the browser, i.e. around 4096bytes, but based on "8 groups" this feels unlikely.

So, based on the error I added in the context section, I believe the authentication is happening successfully somewhere, because when I specify the .impersonationResourceNames in the helm chart values, I then get the error which talks about namespace access and it is reading one of the groups which my user is a member of (NewRelic_Admin). So I do think the authentication succeeds as far as being able to see the groups passed from AD at least when resource names are specified. But then as you can see from the Slack conversation above, that error seems to be difficult to troubleshoot also.

@bigkevmcd
Contributor

I've pushed a change to log out the sizes of the tokens as we're setting them.

.impersonationResourceNames configures the RBAC to restrict the groups that the service account the pod runs as, can impersonate, with no restrictions, it should be fine.

There seem to be two possible issues, and my sense is that the first Failed to get cookie from request is the real cause of the problem.

@m477r1x
Author

m477r1x commented Jun 12, 2023

> I've pushed a change to log out the sizes of the tokens as we're setting them.
>
> .impersonationResourceNames configures the RBAC to restrict the groups that the service account the pod runs as, can impersonate, with no restrictions, it should be fine.
>
> There seem to be two possible issues, and my sense is that the first Failed to get cookie from request is the real cause of the problem.

Cool! Helm controller should pick up the latest image tag from the oci repository and deploy it automatically right? Or do I need to specify a specific image tag on my helm repo now for testing?

@bigkevmcd
Contributor

Sorry, it'll need to get reviewed and then merged and released.

Might want to track #3785

@m477r1x
Author

m477r1x commented Jun 13, 2023

@bigkevmcd I notice that the PR got merged yesterday but my pod is still running the previous release from a few days ago

2023-06-13T14:31:26.502Z	INFO	gitops	cmd/cmd.go:135	Version	{"version": "v0.25.0", "git-commit": "a03af4a9", "branch": "HEAD", "buildtime": "2023-06-07_20:15:00"}

even after deleting and recreating the pod. The helm repo looks like it didn't pick up a change yet

Spec:
  Interval:  1h0m0s
  Provider:  generic
  Timeout:   60s
  Type:      oci
  URL:       oci://ghcr.io/weaveworks/charts
Status:
  Conditions:
    Last Transition Time:  2023-05-11T06:57:41Z
    Message:               Helm repository is ready
    Observed Generation:   1
    Reason:                Succeeded
    Status:                True
    Type:                  Ready
  Observed Generation:     1
Events:                    <none>

Am I waiting for something else to happen first?

@bigkevmcd
Contributor

> Sorry, it'll need to get reviewed and then merged and released.

We haven't yet "released" the change, it's merged but not yet released, you can however build an image from the source if you want to.

We are organising a release which would include this fix.

@m477r1x
Author

m477r1x commented Jun 22, 2023

Hey hey, any ETA on that release yet?

I found something which might be relevant today, after clicking around a bit in the UI and then checking the logs, in amongst the cookie errors, I also got a wrong username as well. Not seen that before:

2023-06-22T14:23:28.195Z	ERROR	gitops.auth-server	auth/server.go:456	failed to get ID Token cookie from request	{"error": "http: named cookie not present"}
2023-06-22T14:23:28.195Z	INFO	gitops	middleware/middleware.go:61	request error	{"uri": "/oauth2/userinfo", "status": 400}
2023-06-22T14:23:28.246Z	ERROR	gitops.auth-server	auth/server.go:456	failed to get ID Token cookie from request	{"error": "http: named cookie not present"}
2023-06-22T14:23:28.246Z	INFO	gitops	middleware/middleware.go:61	request error	{"uri": "/oauth2/userinfo", "status": 400}
2023-06-22T14:26:32.883Z	ERROR	gitops.auth-server	auth/server.go:456	failed to get ID Token cookie from request	{"error": "http: named cookie not present"}
2023-06-22T14:26:32.884Z	INFO	gitops	middleware/middleware.go:61	request error	{"uri": "/oauth2/userinfo", "status": 400}
2023-06-22T14:38:50.123Z	INFO	gitops.auth-server	auth/server.go:412	Wrong username
2023-06-22T14:38:50.123Z	INFO	gitops	middleware/middleware.go:61	request error	{"uri": "/oauth2/sign_in", "status": 401}
2023-06-22T14:42:12.405Z	ERROR	gitops.auth-server	auth/server.go:456	failed to get ID Token cookie from request	{"error": "http: named cookie not present"}
2023-06-22T14:42:12.406Z	INFO	gitops	middleware/middleware.go:61	request error	{"uri": "/oauth2/userinfo", "status": 400}

@bigkevmcd
Contributor

The logging went out in yesterday's release https://github.com/weaveworks/weave-gitops/releases/tag/v0.26.0

If it turns out to be the size of the cookie, then we can prioritise a fix, if not, I'm not entirely sure what's going on, except for trying to replicate it.

@m477r1x
Author

m477r1x commented Jun 22, 2023

> The logging went out in yesterday's release https://github.com/weaveworks/weave-gitops/releases/tag/v0.26.0
>
> If it turns out to be the size of the cookie, then we can prioritise a fix, if not, I'm not entirely sure what's going on, except for trying to replicate it.

So it did! I actually didn't notice the new version on the bottom of my UI. So currently it's running on version 0.26.0. So my understanding is that it should now be logging the size of the cookie somewhere for me to check, is that correct?

@m477r1x
Author

m477r1x commented Jun 22, 2023

OK so it actually looks like things are working as expected? The missing cookie error seems to have disappeared, however I still don't see any data in the dashboard when I log in with OIDC:

2023-06-22T15:21:08.270Z	DEBUG	gitops.auth-server	auth/jwt.go:77	attempt to read token from auth header
2023-06-22T15:21:08.270Z	DEBUG	gitops.auth-server	auth/jwt.go:54	parsing cookie JWT token	{"claimsConfig": {"Username":"email","Groups":"groups"}}
2023-06-22T15:21:08.271Z	DEBUG	gitops.auth-server	auth/jwt.go:107	parsed JWT token	{"expires": "2023-06-22T16:20:59.000Z"}
2023-06-22T15:21:08.271Z	DEBUG	gitops.auth-server	auth/jwt.go:162	Found principal	{"user": "[email protected]", "groups": [], "tokenLength": 0, "method": "*auth.JWTCookiePrincipalGetter"}
2023-06-22T15:21:08.271Z	DEBUG	gitops	middleware/middleware.go:57	request success	{"uri": "/v1/objects", "status": 200}
2023-06-22T15:21:08.271Z	DEBUG	gitops.auth-server	auth/jwt.go:77	attempt to read token from auth header
2023-06-22T15:21:08.271Z	DEBUG	gitops.auth-server	auth/jwt.go:54	parsing cookie JWT token	{"claimsConfig": {"Username":"email","Groups":"groups"}}
2023-06-22T15:21:08.272Z	DEBUG	gitops.auth-server	auth/jwt.go:107	parsed JWT token	{"expires": "2023-06-22T16:20:59.000Z"}
2023-06-22T15:21:08.272Z	DEBUG	gitops.auth-server	auth/jwt.go:162	Found principal	{"user": "[email protected]", "groups": [], "tokenLength": 0, "method": "*auth.JWTCookiePrincipalGetter"}
2023-06-22T15:21:08.272Z	DEBUG	gitops	middleware/middleware.go:57	request success	{"uri": "/v1/objects", "status": 200}

Only thing that confuses me is the token length says 0?

@bigkevmcd
Contributor

You should be seeing setting ID token cookie and setting access token cookie

https://github.com/weaveworks/weave-gitops/pull/3785/files

The thinking there is that we log out as we send it, and if the browser drops it, we'll be able to tell?

Those are parsing it, perhaps earlier in the logs when you're authing that will be logged?

@m477r1x
Author

m477r1x commented Jun 22, 2023

Yep, just found it. And also, I found some other errors which seemed to go away magically... originally it seemed like it was looking for the wrong provider and then all of a sudden it kicked into gear and worked...

Logs
2023-06-22T15:20:58.508Z	DEBUG	gitops	middleware/middleware.go:57	request success	{"uri": "/v1/featureflags?", "status": 200}
2023-06-22T15:20:58.509Z	ERROR	gitops.auth-server	auth/server.go:482	failed to parse user ID token	{"error": "oidc: id token issued by a different provider, expected \"https://login.microsoftonline.com/7aed272c-2c29-4bb0-832b-eec7122ac2df/v2.0\" got \"\""}
2023-06-22T15:20:58.509Z	INFO	gitops	middleware/middleware.go:61	request error	{"uri": "/oauth2/userinfo", "status": 401}
2023-06-22T15:20:58.600Z	ERROR	gitops.auth-server	auth/server.go:482	failed to parse user ID token	{"error": "oidc: id token issued by a different provider, expected \"https://login.microsoftonline.com/7aed272c-2c29-4bb0-832b-eec7122ac2df/v2.0\" got \"\""}
2023-06-22T15:20:58.600Z	INFO	gitops	middleware/middleware.go:61	request error	{"uri": "/oauth2/userinfo", "status": 401}
2023-06-22T15:20:59.506Z	DEBUG	gitops	middleware/middleware.go:57	request success	{"uri": "/oauth2?return_url=https%3A%2F%2Fweave-gitops.eng-dev.company.global", "status": 303}
2023-06-22T15:20:59.972Z	DEBUG	gitops.auth-server	auth/server.go:369	setting ID token cookie	{"size": 1247}
2023-06-22T15:20:59.972Z	DEBUG	gitops.auth-server	auth/server.go:371	setting access token cookie	{"size": 2151}
2023-06-22T15:20:59.972Z	DEBUG	gitops.auth-server	auth/server.go:376	setting refresh token cookie	{"size": 0}
2023-06-22T15:20:59.972Z	DEBUG	gitops	middleware/middleware.go:57	request success	{"uri": "/oauth2/callback?code=0.<REDACTED>", "status": 303}
2023-06-22T15:21:00.010Z	DEBUG	gitops	middleware/middleware.go:57	request success	{"uri": "/", "status": 200}
2023-06-22T15:21:00.240Z	DEBUG	gitops	middleware/middleware.go:57	request success	{"uri": "/v1/featureflags?", "status": 200}
2023-06-22T15:21:00.242Z	DEBUG	gitops	middleware/middleware.go:57	request success	{"uri": "/oauth2/userinfo", "status": 200}
2023-06-22T15:21:00.283Z	DEBUG	gitops.auth-server	auth/jwt.go:77	attempt to read token from auth header
2023-06-22T15:21:00.283Z	DEBUG	gitops	middleware/middleware.go:57	request success	{"uri": "/oauth2/userinfo", "status": 200}
2023-06-22T15:21:00.283Z	DEBUG	gitops.auth-server	auth/jwt.go:54	parsing cookie JWT token	{"claimsConfig": {"Username":"email","Groups":"groups"}}
2023-06-22T15:21:00.284Z	DEBUG	gitops.auth-server	auth/jwt.go:107	parsed JWT token	{"expires": "2023-06-22T16:20:59.000Z"}
2023-06-22T15:21:00.284Z	DEBUG	gitops.auth-server	auth/jwt.go:162	Found principal	{"user": "[email protected]", "groups": [], "tokenLength": 0, "method": "*auth.JWTCookiePrincipalGetter"}
2023-06-22T15:21:00.291Z	DEBUG	gitops.auth-server	auth/jwt.go:77	attempt to read token from auth header
2023-06-22T15:21:00.291Z	DEBUG	gitops.auth-server	auth/jwt.go:54	parsing cookie JWT token	{"claimsConfig": {"Username":"email","Groups":"groups"}}
2023-06-22T15:21:00.291Z	DEBUG	gitops.auth-server	auth/jwt.go:77	attempt to read token from auth header
2023-06-22T15:21:00.291Z	DEBUG	gitops.auth-server	auth/jwt.go:54	parsing cookie JWT token	{"claimsConfig": {"Username":"email","Groups":"groups"}}
2023-06-22T15:21:00.292Z	DEBUG	gitops.auth-server	auth/jwt.go:107	parsed JWT token	{"expires": "2023-06-22T16:20:59.000Z"}
2023-06-22T15:21:00.292Z	DEBUG	gitops.auth-server	auth/jwt.go:162	Found principal	{"user": "[email protected]", "groups": [], "tokenLength": 0, "method": "*auth.JWTCookiePrincipalGetter"}
2023-06-22T15:21:00.292Z	DEBUG	gitops.auth-server	auth/jwt.go:107	parsed JWT token	{"expires": "2023-06-22T16:20:59.000Z"}
2023-06-22T15:21:00.292Z	DEBUG	gitops.auth-server	auth/jwt.go:162	Found principal	{"user": "[email protected]", "groups": [], "tokenLength": 0, "method": "*auth.JWTCookiePrincipalGetter"}

@bigkevmcd
Contributor

I wonder if these log entries are one of the issues here coreos/go-oidc#344

2023-06-22T15:20:58.509Z ERROR gitops.auth-server auth/server.go:482 failed to parse user ID token {"error": "oidc: id token issued by a different provider, expected \"https://login.microsoftonline.com/7aed272c-2c29-4bb0-832b-eec7122ac2df/v2.0\" got \"\""}
2023-06-22T15:20:58.509Z INFO gitops middleware/middleware.go:61 request error {"uri": "/oauth2/userinfo", "status": 401}
2023-06-22T15:20:58.600Z ERROR gitops.auth-server auth/server.go:482 failed to parse user ID token {"error": "oidc: id token issued by a different provider, expected \"https://login.microsoftonline.com/7aed272c-2c29-4bb0-832b-eec7122ac2df/v2.0\" got \"\""}

Gives us something to go on, at least we can rule out the size of the token!

@m477r1x
Author

m477r1x commented Jun 22, 2023

Ok cool, so I'll leave this with you guys for now then? I guess it really is a possibility that AzureAD just isn't supported right now. In the meantime we will figure out an alternative auth method to front the dashboard with. Is it possible to disable all auth? So you don't even see the login screen? So that we can put our own auth method in front of the URL instead?

@bigkevmcd
Contributor

Not currently, please feel free to open an issue.

Support for something like https://github.com/oauth2-proxy/oauth2-proxy doesn't feel unreasonable.

@angelbarrera92
Contributor

angelbarrera92 commented Jul 3, 2023

Another one having the same issue with Azure.

2023-07-03T10:32:30.756Z	DEBUG	gitops.auth-server	auth/server.go:369	setting ID token cookie	{"size": 7252}
2023-07-03T10:32:30.756Z	DEBUG	gitops.auth-server	auth/server.go:371	setting access token cookie	{"size": 2342}
2023-07-03T10:32:30.756Z	DEBUG	gitops.auth-server	auth/server.go:376	setting refresh token cookie	{"size": 957}
2023-07-03T10:32:31.413Z	ERROR	gitops.auth-server	auth/server.go:456	failed to get ID Token cookie from request	{"error": "http: named cookie not present"}

@bigkevmcd
Contributor

@angelbarrera92 thanks, that looks like the cookie is too big, it likely includes all the groups that you're a member of.

We need to shift to a session-store based approach for storing cookies, which is non-trivial, but it would mean that we'd issue shorter cookies, and store the details in-browser, it's not currently scheduled, but this is an indication that we need to bump it up the priority list.

@adamshawvipps

Hi @bigkevmcd

I can confirm we are having the same issue and the cookie is definitely too big. From the devtools in MS Edge:

Malformed response cookie:
 This attempt to set a cookie via a set-cookie header was blocked because the cookie was too large. The combined size of the name and value must be less than or equal to 4096 characters

logs from our deployment:

2023-07-05T19:51:11.030Z        INFO    gitops  cmd/cmd.go:135  Version {"version": "v0.26.0", "git-commit": "e97d8ae4", "branch": "HEAD", "buildtime": "2023-06-21_14:11:02"}
2023-07-05T19:51:12.689Z        DEBUG   gitops  auth/init.go:17 Registering authentication methods      {"methods": ["oidc"]}
2023-07-05T19:51:12.695Z        DEBUG   gitops  auth/init.go:49 OIDC config     {REDACTED}
2023-07-05T19:51:12.832Z        INFO    gitops  cmd/cmd.go:186  Registering auth routes
2023-07-05T19:51:12.859Z        INFO    gitops  cmd/cmd.go:223  Using cached clients    {"enabled": false}
2023-07-05T19:51:12.859Z        INFO    gitops  clustersmngr/factory.go:223     Use user client for namespaces  {"enabled": false}
2023-07-05T19:51:12.861Z        INFO    gitops  cmd/cmd.go:284  Starting server {"address": "0.0.0.0:9001"}
2023-07-05T19:51:12.861Z        INFO    gitops  cmd/cmd.go:341  TLS connections disabled
2023-07-05T19:51:12.934Z        INFO    gitops  clustersmngr/factory.go:398     Clearing namespace caches
2023-07-05T19:51:13.185Z        DEBUG   gitops  middleware/middleware.go:57     request success {"uri": "/", "status": 200}
2023-07-05T19:51:20.404Z        DEBUG   gitops  middleware/middleware.go:57     request success {"uri": "/", "status": 200}
2023-07-05T19:52:00.905Z        ERROR   gitops.auth-server      auth/server.go:456      failed to get ID Token cookie from request      {"error": "http: named cookie not present"}
2023-07-05T19:52:00.905Z        INFO    gitops  middleware/middleware.go:61     request error   {"uri": "/oauth2/userinfo", "status": 400}
2023-07-05T19:52:00.913Z        DEBUG   gitops  middleware/middleware.go:57     request success {"uri": "/v1/featureflags?", "status": 200}
2023-07-05T19:52:01.066Z        ERROR   gitops.auth-server      auth/server.go:456      failed to get ID Token cookie from request      {"error": "http: named cookie not present"}
2023-07-05T19:52:01.066Z        INFO    gitops  middleware/middleware.go:61     request error   {"uri": "/oauth2/userinfo", "status": 400}
2023-07-05T19:52:05.241Z        DEBUG   gitops  middleware/middleware.go:57     request success {"uri": "/oauth2?return_url=http%3A%2F%2Flocalhost%3A9001", "status": 303}
2023-07-05T19:52:06.312Z        DEBUG   gitops.auth-server      auth/server.go:369      setting ID token cookie {"size": 4710}
2023-07-05T19:52:06.313Z        DEBUG   gitops.auth-server      auth/server.go:371      setting access token cookie     {"size": 2272}
2023-07-05T19:52:06.313Z        DEBUG   gitops.auth-server      auth/server.go:376      setting refresh token cookie    {"size": 1124}
2023-07-05T19:52:06.313Z        DEBUG   gitops  middleware/middleware.go:57     request success {"uri": "/oauth2/callback?code=0.REDACTED, "status": 303}
2023-07-05T19:52:06.357Z        DEBUG   gitops  middleware/middleware.go:57     request success {"uri": "/", "status": 200}
2023-07-05T19:52:07.469Z        DEBUG   gitops  middleware/middleware.go:57     request success {"uri": "/v1/featureflags?", "status": 200}
2023-07-05T19:52:07.470Z        ERROR   gitops.auth-server      auth/server.go:456      failed to get ID Token cookie from request      {"error": "http: named cookie not present"}
2023-07-05T19:52:07.470Z        INFO    gitops  middleware/middleware.go:61     request error   {"uri": "/oauth2/userinfo", "status": 400}
2023-07-05T19:52:07.655Z        ERROR   gitops.auth-server      auth/server.go:456      failed to get ID Token cookie from request      {"error": "http: named cookie not present"}
2023-07-05T19:52:07.655Z        INFO    gitops  middleware/middleware.go:61     request error   {"uri": "/oauth2/userinfo", "status": 400}
2023-07-05T19:52:10.403Z        DEBUG   gitops  middleware/middleware.go:57     request success {"uri": "/", "status": 200}

We didn't see this on "version": "v0.22.0". Not sure if something changed with the app or the token was just smaller at that stage.

Using Azure AD with these extra secret configs:

  --from-literal=customScopes='openid,offline_access,email' 
  --from-literal=claimGroups=roles 
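
A log check for the pattern reported in this thread, as an added example (not weave-gitops code): it reads the v0.26.0 debug lines `setting ... cookie {"size": N}`, flags any token larger than the 4096-character limit quoted from the Edge devtools message above, and marks cookies that a later `failed to get ... cookie from request` error shows never came back. The sample log is constructed from lines posted in this issue; `AnalyzeCookieLogs` and `Finding` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// maxCookieBytes is the browser limit quoted in this thread: cookie name plus
// value must not exceed 4096 characters. The logged size is the token only,
// so a size above this value is a definite drop; the cookie name adds a few more.
const maxCookieBytes = 4096

// Finding is one cookie the auth server logged as being set.
type Finding struct {
	Cookie    string // lower-cased name from the log message, e.g. "id token"
	Size      int    // "size" field of the debug line
	Oversized bool   // Size alone exceeds maxCookieBytes
	Missing   bool   // a later request arrived without this cookie
}

var (
	setRe     = regexp.MustCompile(`setting (.+?) cookie\s+(\{.*\})`)
	missingRe = regexp.MustCompile(`failed to get (.+?) cookie from request`)
)

// sampleLog is constructed from log lines posted in this issue (two logins).
const sampleLog = `2023-07-03T10:32:30.756Z DEBUG gitops.auth-server auth/server.go:369 setting ID token cookie {"size": 7252}
2023-07-03T10:32:30.756Z DEBUG gitops.auth-server auth/server.go:371 setting access token cookie {"size": 2342}
2023-07-03T10:32:30.756Z DEBUG gitops.auth-server auth/server.go:376 setting refresh token cookie {"size": 957}
2023-07-03T10:32:31.413Z ERROR gitops.auth-server auth/server.go:456 failed to get ID Token cookie from request {"error": "http: named cookie not present"}
2023-06-22T15:20:59.972Z DEBUG gitops.auth-server auth/server.go:369 setting ID token cookie {"size": 1247}
2023-06-22T15:20:59.972Z DEBUG gitops.auth-server auth/server.go:371 setting access token cookie {"size": 2151}
2023-06-22T15:20:59.972Z DEBUG gitops.auth-server auth/server.go:376 setting refresh token cookie {"size": 0}`

// AnalyzeCookieLogs pairs each "setting ... cookie" line with any later
// "failed to get ... cookie" error and flags sizes over the browser limit.
func AnalyzeCookieLogs(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		if m := setRe.FindStringSubmatch(line); m != nil {
			var fields struct {
				Size int `json:"size"`
			}
			if err := json.Unmarshal([]byte(m[2]), &fields); err != nil {
				continue // malformed field block: skip rather than guess
			}
			out = append(out, Finding{
				Cookie:    strings.ToLower(m[1]),
				Size:      fields.Size,
				Oversized: fields.Size > maxCookieBytes,
			})
			continue
		}
		if m := missingRe.FindStringSubmatch(line); m != nil {
			// The two messages differ in case ("ID token" vs "ID Token").
			name := strings.ToLower(m[1])
			for i := len(out) - 1; i >= 0; i-- { // most recent set wins
				if out[i].Cookie == name {
					out[i].Missing = true
					break
				}
			}
		}
	}
	return out
}

func main() {
	for _, f := range AnalyzeCookieLogs(sampleLog) {
		fmt.Printf("%-14s size=%-5d oversized=%-5t missing=%t\n",
			f.Cookie, f.Size, f.Oversized, f.Missing)
	}
}
```

A cookie that is `Missing` but not `Oversized` points away from the size limit, which is how the 1247-byte login earlier in the thread was ruled out.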

@bigkevmcd
Contributor

bigkevmcd commented Jul 6, 2023

Hi @adamshawvipps ahh...ok, I can't think of anything that would've changed in between v0.22.0 other than we added debug logging to try and find out if this was the issue.

We'll discuss it internally, and see what we can do to prioritise a solution to this.

2023-07-05T19:52:06.312Z DEBUG gitops.auth-server auth/server.go:369 setting ID token cookie {"size": 4710}

Thanks for providing the data for this.

@adamshawvipps

@bigkevmcd thanks for looking into it
I just tried a few more versions. I had to go back to v0.17.0 to get a successful login so we were probably just lucky with the token size previously

@oarset

oarset commented Aug 21, 2023

We are seeing the exact same issue (size between 5k and 10k)

@bigkevmcd
Contributor

We have a fix that's being tested just now before release that will hopefully get this solved.

@bigkevmcd
Contributor

@oarset @angelbarrera92 @m477r1x We have released a change that should solve this.

https://github.com/weaveworks/weave-gitops/releases/tag/v0.31.0

Please feel free to reopen this issue if you are still experiencing the problem.

We are looking to add support for external session storage, so if this is something that you want support for, please feel free to open an issue.

@angelbarrera92
Contributor

Quick test, it works :) I'll keep you posted!
Thanks for the quick response!
