kiali: Kiali not working with OIDC for 1.19

Describe the bug Configuring OIDC with Kiali configmap , i am not able to login to UI

Versions used Kiali: 1.19 Istio: 1.65 Kubernetes flavour and version: (e.g. OpenShift Origin 3.9) - 1.17 EKS

To Reproduce Steps to reproduce the behavior:

Configure Configmap of Kiali to point to dex

auth:
  strategy: openid
  openid:
    client_id: example-app
    issuer_uri: https://dex.xxxx.xxxxx.com/dex
    username_claim: email
    scopes: ["openid", "profile", "email", "groups"]

Create a ClusterRoleBinding to add user to have access to Kiali
Login to Kiali Console and Click on “LogIn with OpenId”
It will throw error as “Unauthorised”

Expected behavior

I should be able to login to the UI console with OIDC

About this issue

Original URL
State: closed
Created 4 years ago
Reactions: 1
Comments: 53 (16 by maintainers)

Commits related to this issue

Add support for cluster API proxies on OpenId strategy Since some cloud providers won't support configuring OpenID integration in the managed Kubernetes, users may want to use workarounds. One of the... — committed to kiali/kiali by israel-hdez 4 years ago
Add defaults for API proxy attributes (openid auth) Also, add comments to the kiali_cr.yaml file to describe the new attributes. Related to kiali/kiali#3042 — committed to israel-hdez/kiali-operator by israel-hdez 4 years ago
Feedback Don't require specifying port when using the default HTTPS port, for the remote API server config. Related kiali/kiali#3042 — committed to israel-hdez/swscore by israel-hdez 4 years ago
Add support for cluster API proxies on OpenId strategy Since some cloud providers won't support configuring OpenID integration in the managed Kubernetes, users may want to use workarounds. One of the... — committed to israel-hdez/swscore by israel-hdez 4 years ago
Feedback Don't require specifying port when using the default HTTPS port, for the remote API server config. Related kiali/kiali#3042 — committed to israel-hdez/swscore by israel-hdez 4 years ago
Add docs for OpenID API proxy and general reorg of auth docs This is adding documentation for kiali/kiali#3142. However, since the authentication-related docs are now quite large, this is also re-org... — committed to israel-hdez/kiali.io by israel-hdez 4 years ago
Add support for cluster API proxies on OpenId strategy (#3142) * Add support for cluster API proxies on OpenId strategy Since some cloud providers won't support configuring OpenID integration in t... — committed to kiali/kiali by israel-hdez 4 years ago
Add docs for OpenID API proxy and general reorg of auth docs (#297) * Add docs for OpenID API proxy and general reorg of auth docs This is adding documentation for kiali/kiali#3142. However, since... — committed to kiali/kiali.io by israel-hdez 4 years ago
Add support for cluster API proxies on OpenId strategy (#3142) * Add support for cluster API proxies on OpenId strategy Since some cloud providers won't support configuring OpenID integration in t... — committed to cfcosta/kiali by israel-hdez 4 years ago
Add docs for OpenID API proxy and general reorg of auth docs (#297) * Add docs for OpenID API proxy and general reorg of auth docs This is adding documentation for kiali/kiali#3142. However, since... — committed to mtho11/kiali.io by israel-hdez 4 years ago

Most upvoted comments

Hi @widdix123

I’ve created a PR fixing this issue in #3142. Assuming you still have a cluster with this kube-oidc-proxy setup. Would you help me to try the fix?

I would upload a patched Kiali image to my personal Quay.io account to let you try and confirm that works correctly.

israel-hdez on Aug 20, 2020

@israel-hdez - It works with Groups as you stated . I have no issue at all with the fix 😃 . Nice work !!!

I will check on X-Forwarded-Port separately .

widdix123 on Aug 25, 2020

Hi, I have similar config to what @widdix123 has, but instead of dex I am using keycloak as IdP. I am getting a wrong authorization endpoint after redirect. My config: Version: v1.21.0

auth:
  strategy: openid
  openid:
    client_id: "kubernetes"
    issuer_uri: "https://y.x.x.x.com/auth/realms/master"
    username_claim: "groups"
    insecure_skip_verify_tls: true
    scopes: ["openid", "profile", "email", "groups"]

expected behaviour:

Configure configmap of kiali with above config
Create a ClusterRoleBinding to add group to have access to Kiali
Login to Kiali Console(https://x.x.x.x.x.com) and Click on “LogIn with OpenId”
It should redirect to issue_uri(https://y.x.x.x.com/auth/realms/master) in order to login(as per docs, if authorization_endpoint is not specified, issuer_uri is used, I even tried with authorization_endpoint but got same behaviour)

Actual behaviour At step 4,(instead of redirecting to issuer_uri or authorization_endpoint) it redirects to: “https://x.x.x.x.x.com:20001/kiali/api/auth/openid_redirect”

With F12 devloper tools in Chrome, even before clicking on “Log in with OpenId”, I see the wrong authorization_endpoint in Network-> XHR -> preview

authorizationEndpoint: "https://x.x.x.x.x.com:20001/kiali/api/auth/openid_redirect"
sessionInfo: {}
strategy: "openid"

Please consider this scenario as well.

khankth on Jul 29, 2020