Oauth2-Proxy do not pass X-Auth-Request-Groups header - kubernetes

I'm using Azure B2C for authenticate my users. For authentication piece I have oauth2-proxy running in kubernetes cluster. Oauth2-Proxy is running behind ingress-nginx and it's passing most of required headers but I do not get X-Auth-Request-Groups header in my upstream service that is behind oauth2-proxy.
Here is my token that I get from B2C:
{
"typ": "JWT",
"alg": "RS256",
"kid": "kid_value"
}.{
"exp": 1604420825,
"nbf": 1604417225,
"ver": "1.0",
"iss": "iss_value",
"sub": "sub_value",
"aud": "aud_value",
"acr": "acr_name",
"nonce": "defaultNonce",
"iat": 1604417225,
"auth_time": 1604417225,
"groups": [
"group1"
],
"identityProviders": [
"email.com"
],
"firstname": "First Name",
"surname": "Last Name",
"idp": "IDP_VALUE",
"email": "username#email.com",
"preferred_username": "User Name"
}.[Signature]
And here are headers that I get in my upstream service after successful authentication:
{
Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
Accept-Encoding: "gzip, deflate, br",
Accept-Language: "en-US,en;q=0.9",
Content-Length: "0",
Cookie: "COOKIE",
Sec-Fetch-Dest: "document",
Sec-Fetch-Mode: "navigate",
Sec-Fetch-Site: "none",
Sec-Fetch-User: "?1",
Upgrade-Insecure-Requests: "1",
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
X-Auth-Request-Access-Token: "ACCESS_TOKEN",
X-Auth-Request-Email: "username#email.com",
X-Auth-Request-Preferred-Username: "User Name",
X-Auth-Request-User: "UserID",
X-B3-Parentspanid: "Parentspanid",
X-B3-Sampled: "0",
X-B3-Spanid: "Spanid",
X-B3-Traceid: "Traceid",
X-Envoy-Attempt-Count: "1",
X-Forwarded-Client-Cert: "CEERT",
X-Forwarded-For: "Forwarded-For",
X-Forwarded-Host: "Forwarded-Host",
X-Forwarded-Port: "443",
X-Forwarded-Proto: "https",
X-Real-Ip: "Real-Ip",
X-Request-Id: "Request-Id",
X-Scheme: "https"
}
all X-Auth-Request-* headers are coming but not the one with Groups. I'm using docker image quay.io/oauth2-proxy/oauth2-proxy:v6.1.1 and I saw in config https://oauth2-proxy.github.io/oauth2-proxy/configuration option "--oidc-groups-claim" but when I try to use it container won't start because this option isn't available in this version.
Any ideas what I'm missing?

It seems that the problem is image that I'm using quay.io/oauth2-proxy/oauth2-proxy:v6.1.1, when I built own image from latest master (3rd of November 2020) everything seems to be working fine and X-Auth-Request-Groups header is passed to upstream service.

Related

Cors blocking me from GET-ing my server endpoint and redirecting

I'm trying to build an Oauth2 flow. Cors keeps blocking my GET request to my own server.
localhost:3000 is the browser.
localhost:3001 is the server.
I have cors setup in NestJS below and it works for every other non-redirecting endpoint:
// main.ts
import { corsConfig } from '#common/config/index';
async function bootstrap() {
const app = await NestFactory.create(AppModule);
app.enableCors({
origin: [
/^https?:\/\/localhost:3000/,
],
methods: ['GET', 'POST'],
credentials: true,
});
await app.listen(process.env.PORT || 3001);
}
bootstrap();
When requesting to my server endpoint... these are the request.headers
{
"host": "localhost:3001",
"connection": "keep-alive",
"sec-ch-ua": "\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"100\"",
"accept": "application/json, text/plain, */*",
"sec-ch-ua-mobile": "?0",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) SomeStuff",
"sec-ch-ua-platform": "\"Windows\"",
"origin": "http://localhost:3000",
"sec-fetch-site": "same-site",
"sec-fetch-mode": "cors",
"sec-fetch-dest": "empty",
"referer": "http://localhost:3000/",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en-US,en;q=0.9,fr;q=0.8,es;q=0.7,de;q=0.6",
"cookie": "Authentication=someStuff"
}
When responding from my server, these are the response.headers
{
"cross-origin-opener-policy": "same-origin",
"cross-origin-resource-policy": "same-origin",
"x-dns-prefetch-control": "off",
"expect-ct": "max-age=0",
"x-frame-options": "SAMEORIGIN",
"strict-transport-security": "max-age=15552000; includeSubDomains",
"x-download-options": "noopen",
"x-content-type-options": "nosniff",
"origin-agent-cluster": "?1",
"x-permitted-cross-domain-policies": "none",
"referrer-policy": "no-referrer",
"x-xss-protection": "0",
"access-control-allow-origin": "http://localhost:3000",
"vary": "Origin",
"access-control-allow-credentials": "true",
"x-ratelimit-limit": "30",
"x-ratelimit-remaining": "28",
"x-ratelimit-reset": "60"
}
And this is the Cors error in my browser console
Access to XMLHttpRequest at 'https://example.com/' (redirected from
'http://localhost:3001/test') from origin 'http://localhost:3000'
has been blocked by CORS policy: No 'Access-Control-Allow-Origin'
header is present on the requested resource.
What do I need to change to allow a GET request to be redirected in the browser? Or is this not possible and it requires simply visiting the site with window.location?
I know this is not the ideal solution, but for my personal projects in a local environment, I used the "Moesif Origin & CORS Changer" browser extension to combat this annoying issue.
Google Chrome: https://chrome.google.com/webstore/detail/moesif-origin-cors-change/digfbfaphojjndkpccljibejjbppifbc
Firefox: https://addons.mozilla.org/en-US/firefox/addon/moesif-origin-cors-changer1/

Registration of non-Java App following Eureka API Documentation - Issue

I have Eureka running in my localhost:8090 . I have independent Java Apps registered in that Eureka and I am able to access them with my Zuul URL which is registered to that Eureka as well.
Now I am have another Python(3.7.3)+Flask App that I am trying to register in same Eureka and access that through same Zuul URL.
My Python app runs fine in local through a DOCKERFILE with these commands -
EXPOSE 8443
CMD ["python", "PythonFlaskSample.py"]
This opens a web-page with this URL -
http://localhost:8443/home
Then to register this App in Eureka, I followed this documentation -
https://github.com/Netflix/eureka/wiki/Eureka-REST-operations
and
https://automationrhapsody.com/json-format-register-service-eureka/
Also trying same through REST clients with POST URL as -
http://localhost:8090/eureka/v2/apps/PythonFlaskApp
Content-Type: application/json
{
"instance": {
"hostName": "localhost",
"app": "PythonFlaskSample",
"vipAddress": "localhost",
"secureVipAddress": "localhost",
"ipAddr": "<Which IP>????",
"status": "STARTING",
"port": {"$": "8090", "#enabled": "true"},
"securePort": {"$": "8443", "#enabled": "true"},
"healthCheckUrl": "http://localhost:8090/health",
"statusPageUrl": "http://localhost:8090/info",
"homePageUrl": "http://localhost:8090",
"dataCenterInfo": {
"#class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
"name": "MyOwn"
},
}
}
But it is throwing a 405 and no other clue for what happened in Restlet client or Postman.
When I try to put the JSON Payload in python file and use POST from there,
request_body = {
"instance": {
"hostName": "localhost",
"app": "PythonFlaskSample",
"vipAddress": "localhost",
"secureVipAddress": "localhost",
"ipAddr": "<Which IP>????",
"status": "STARTING",
"port": {"$": "8090", "#enabled": "true"},
"securePort": {"$": "8443", "#enabled": "true"},
"healthCheckUrl": "http://localhost:8090/health",
"statusPageUrl": "http://localhost:8090/info",
"homePageUrl": "http://localhost:8090",
"dataCenterInfo": {
"#class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
"name": "MyOwn"
},
}
}
data=json.dumps(request_body)
url="http://localhost:8090"
response = requests.post(url,data=json.dumps(request_body), headers = {'Content-type':'application/json'}).json()
print(response)
it shows following error-
docker run -p 8443:8443 dockerpython {'timestamp': 1555717403333,
'status': 405, 'error': 'Method Not Allowed', 'exception':
'org.springframework.web.HttpRequestMethodNotSupportedException',
'message': "Request method 'POST' not supported", 'path': '/'}
What am I missing ?
This is an error with Eureka API documentation in - https://github.com/Netflix/eureka/wiki/Eureka-REST-operations. Once I tried same REST URLs without "/v2" , everything worked fine.enter image description here

List all the regions using the azure api

I am trying get all the possible regions to which a vm can be provisioned using the azure rest api.
The end point which i found is
https://management.core.windows.net/<subscription-id>/locations
which is documented here
but i am getting an error.
<Error xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><Code>ForbiddenError</Code><Message>The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.</Message></Error>
Also i tried using the query param ?api-version=2016-04-01 and header x-ms-version: 2016-04-01 without any luck.
According to your error code ForbiddenError, it seems that there is no authorization or incorrect authorization in the header. If it is that case, please have a try to add the authorization in the header. Authorization format is starting with "Bearer" like "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIā€¦..." . More info about how to get the access token please refer to the document. It works for me correctly, and I use the x-ms-version: 2014-10-01, details please refer to the snapshot.
You're using an ancient management endpoint.
Here's the query for ARM (using ARMClient):
C:\>armclient.exe get https://management.azure.com/subscriptions/
xxxxx-xxxxx-xxxxx-xxxxx/locations?api-version=2016-09-01 -verbose
---------- Request -----------------------
GET /subscriptions/xxxx-xxxx-xxxxx-xxxxx/locations?api-version=2016-09-01 HTTP/1.1
Host: management.azure.com
Authorization: Bearer eyJ0eXAiOiJKV...
User-Agent: ARMClient/1.1.1.0
Accept: application/json
x-ms-request-id: xxxxxxxxxxxx
---------- Response (326 ms) ------------
HTTP/1.1 200 OK
Pragma: no-cache
x-ms-ratelimit-remaining-subscription-reads: 14999
x-ms-request-id: xxxxxxxxxxxxx
x-ms-correlation-request-id: xxxxxxxxxxx
x-ms-routing-request-id: NORTHEUROPE:20170109T094615Z:exxxxxxxxxxxxxx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-cache
Date: Mon, 09 Jan 2017 09:46:15 GMT
{
"value": [
{
"id": "/subscriptions/xxxx-xxxx-xxxx-xxxx/locations/eastasia",
"name": "eastasia",
"displayName": "East Asia",
"longitude": "114.188",
"latitude": "22.267"
},
{
"id": "/subscriptions/xxxx-xxxx-xxxx-xxxx/locations/southeastasia",
"name": "southeastasia",
"displayName": "Southeast Asia",
"longitude": "103.833",
"latitude": "1.283"
},
{
"id": "/subscriptions/xxxx-xxxx-xxxx-xxxx/locations/centralus",
"name": "centralus",
"displayName": "Central US",
"longitude": "-93.6208",
"latitude": "41.5908"
},
{
"id": "/subscriptions/xxxx-xxxx-xxxx-xxxx/locations/eastus",
"name": "eastus",
"displayName": "East US",
"longitude": "-79.8164",
"latitude": "37.3719"
},
...
If you intentionally want to query the old RDFE management API you'll need to include the management certificate in your call.
I think you can use a token with RDFE too, but not a Bearer token. Just sniff whatever Get-AzureLocation -debug in PowerShell is doing.

No Notification from Orion Context Broker

I am working with the Orion Context Broker and wanna get notifications for the following subscription, added to orion.lab.fiware.org:1026:
curl -v orion.lab.fiware.org:1026/v2/subscriptions -X POST -s -S --header 'Content-Type: application/json' --header "X-Auth-Token: <myToken>" -d #- <<EOF
{
"description": "A subscription to get info about Room1",
"subject": {
"entities": [
{
"id": "11582",
"type": "User"
}
],
"condition": {
"attrs": [
"temperature"
]
}
},
"notification": {
"http": {
"url": "http://<myIPAddress>:8080"
},
"attrs": [
"temperature"
]
},
"expires": "2040-01-01T14:00:00.00Z",
"throttling": 5
}
EOF
myToken: the token generated by the FIWARE server
myIPAddress: the IP address of my PC
However, in my sample HTTP server program (Node.js) on port 8080 I do not receive any notifications. I should note that after adding the above subscription, I add the entity with id 11582 through another POST request to orion.lab.fiware.org:1026/v2/entities.
When I read later the added subscription, it confirms that the notification has been sent (through lastNotification):
{
"id": "5768088c70dce43aa351cf9b",
"description": "A subscription to get info about Room1",
"expires": "2040-01-01T14:00:00.00Z",
"status": "active",
"subject": {
"entities": [
{
"id": "11582",
"idPattern": "",
"type": "User"
}
],
"condition": {
"attrs": [
"temperature"
]
}
},
"notification": {
"timesSent": 1,
"lastNotification": "2016-06-20T15:16:04.00Z",
"attrs": [
"temperature"
],
"attrsFormat": "normalized",
"http": {
"url": "http://<myIPAddress>:8080"
}
},
"throttling": 5
}
Any idea why I do not receive the notification i my HTTP server program? My firewall is also off.
Thanks!
The following test has been donde in orion.lab.fiware.org. The termina1l.txt file shows the subscriptions and entity creation request sent to Orion (note we use localhost:10026, as the test has been done in the orion.lab.fiware.org host itself) and terminal2.txt file shows the notification received at the listener process (nc).
We have also done the same test (using UserTest2 type this time) running the listener on a VM machine at FIWARE Lab (which IP cannot be disclosed for security reasons) with the 1028 port openend in the Security Group and everything worked fine again, getting:
POST / HTTP/1.1
user-agent: orion/1.2.1 libcurl/7.19.7
host: 130.206.112.29:1028
accept: application/json
content-length: 146
content-type: application/json; charset=utf-8
fiware-correlator: 0870b41c-378d-11e6-910f-52540003a38e
ngsiv2-attrsformat: normalized
X-Forwarded-For: 127.0.0.1
Connection: keep-alive
{"subscriptionId":"5768ff6a70dce43aa351cfaa","data":[{"id":"11582","type":"UserTest2","temperature":{"type":"Float","value":23.5,"metadata":{}}}]}
Thus, I understand that something between orion.lab.fiware.org and your process is blocking the traffic. Note that apart for the firewall running in your machine (which you mention is off) another firewall layer could be blocking (e.g. FIWARE cloud or AWS cloud security group, coorporate firewalls, etc.)

What are all the Tritium environment variables?

Where can I find a full list of the Tritium variables (such as $host, $path, $content_type, etc.)?
You can find all the accessible environment variables by looking at your tmp/messages/.../final-env.json file.
According to the doc:
All the environment variables available are listed in the
final-env.json file. This file can be found in the {Moovweb Project
Path}/tmp/messages/{Folder ID} directory. To use one of these
environment variables in Tritium, you need to add a dollar sign before
it: $variable.
They provide a sample final-env.json file there:
{
"0": "https://www.dropbox.com",
"1": "https://www.dropbox.com",
"2": "SAMEORIGIN",
"3": "HTTP/1.0",
"Content-Type-Charset": "UTF-8",
"__catch_all__": ".moovapp.com",
"accept_encoding": "gzip,deflate",
"asset_host": "http://localhost:3003/",
"body": "true",
"body_length": "1195",
"cache_control": "no-cache",
"canonical_found": "false",
"charset_determined": "UTF-8",
"connection": "close",
"content_type": "text/html; charset=utf-8",
"cookie": "gvc=Mjg1NjE0NTk0MjAxMDUyNjY4MTc1NjYyMDE3OTAxNjU0NDk4NTc2",
"date": "Fri, 07 Sep 2012 01:57:35 GMT",
"device_stylesheet": "main",
"found_conn": "true",
"header_hh": "Host: ",
"host": "mlocal.dropbox.com",
"host_hh": "https://mlocal.dropbox.com",
"key": "x_frame_options",
"location": "https://www.dropbox.com/",
"method": "GET",
"path": "/",
"pragma": "no-cache",
"rewriter_url": "false",
"secure": "false",
"server": "nginx/1.0.14",
"set_cookie": "flash=; Domain=dropbox.com; expires=Fri, 07-Sep-2012 01:57:35 GMT; Path=/; httponly",
"slash_path": "/",
"source_host": "www.dropbox.com",
"status": "302",
"use_global_replace_vars": "true",
"user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.54.16 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1",
"value": "SAMEORIGIN",
"x_frame_options": "SAMEORIGIN"
}