pomerium: OKTA IDP doesn't work for version 0.10.2

Hello,

What happened?

We follow this documentation to deploy pomerium on a K8S cluster (rancher RKE) -> https://github.com/pomerium/pomerium/tree/v0.10.2/examples/kubernetes.

Our configuration works with version 0.8.x and we tried to upgrade to the last version v0.10.2. The OKTA authentication works, but the access to the backend application defined in the policy is denied.

We saw a change between these versions on the idp_service_account; now it seems that we have to use base64-encoded JSON. So we did that:

cat api_key.json

{
    "api_token": "XXXX OKTA IDP TOKEN XXXX"
}

cat api_key.json | base64
ewogICAgImFwaV90b2tlbiI6ICIiWFhYWCBPS1RBIElEUCBUT0tFTiBYWFhYCn0K

We use this in the pomerium config.yml file (we also tried the “api_key” format with no success; we found this kind of key in a commit).

The authentication works but we get a denied message; we are pretty sure that the API call to OKTA doesn’t work, but we don’t find any log linked to this behavior (except the log below) on any of the pomerium services (we use separate services).

[image attachment]

What did you expect to happen?

Pomerium, according to the defined policy, should accept the connection (we have the same configuration on each component in 0.8.x and it works).

What’s your environment like?

  • Pomerium version -> 0.10.2
  • Server Operating System/Architecture/Cloud: Centos8 / K8S by RKE rancher

What’s your config.yaml?

Our kubernetes-config.yaml is:

insecure_server: true
grpc_insecure: true
grpc_address: ":80"

pomerium_debug: true
authenticate_service_url: https://authenticate.sso.domain.tld
authorize_service_url: http://pomerium-authorize-service.namespace.svc.cluster.local
cache_service_url: http://pomerium-cache-service.namespace.svc.cluster.local

override_certificate_name: "*.sso.domain.tld"

idp_provider: okta
idp_client_id: <OKTA_APP_CLIENT_ID>
idp_client_secret: <OKTA_APP_CLIENT_SECRET>
idp_provider_url: https://ourdomain.okta.com
idp_service_account: ewogICAgImFwaV90b2tlbiI6ICIiWFhYWCBPS1RBIElEUCBUT0tFTiBYWFhYCn0K

policy:
    - from: https://hello.sso.domain.tld
      to: http://hello.namespace.svc.cluster.local
      allowed_groups:
        - <OKTA_GROUP_ID>

What did you see in the logs?

I don’t know if it’s linked, but we have this kind of log during authentication:

7:14PM INF authenticate: session load error error="Bad Request: internal/sessions: session is not found" X-Forwarded-For=["10.42.32.0,10.42.32.11"] X-Forwarded-Host=["authenticate.sso.domain.tld"] X-Forwarded-Port=["443"] X-Forwarded-Proto=["http"] X-Forwarded-Server=["traefik-ingress-controller-external-68c79c4f8-p8w4x"] X-Real-Ip=["10.42.32.0"] ip=127.0.0.1 request-id=XXXXX user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
7:14PM INF authenticate: session load error error="Bad Request: internal/sessions: session is not found" X-Forwarded-For=["10.42.32.0,10.42.32.11"] X-Forwarded-Host=["authenticate.sso.domain.tld"] X-Forwarded-Port=["443"] X-Forwarded-Proto=["http"] X-Forwarded-Server=["traefik-ingress-controller-external-68c79c4f8-p8w4x"] X-Real-Ip=["10.42.32.0"] ip=127.0.0.1 request-id=YYYYY user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"

Thanks for your help,
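A quick offline check for the idp_service_account step described above, added here as an example (it is not code from the issue or from the Pomerium project). It decodes the value the way the reporter built it and reports whether the result is well-formed JSON with a non-empty "api_token" or "api_key" string; the base64 string pasted in the issue is used as the sample input, and it decodes to `"api_token": ""XXXX OKTA IDP TOKEN XXXX`, which is not valid JSON (presumably a redaction artifact, but exactly the kind of defect such a check catches). The token value in the encoder call is a placeholder.

```python
import base64
import binascii
import json

# Copy of the value pasted in the issue above (redacted by the reporter).
PASTED_SERVICE_ACCOUNT = "ewogICAgImFwaV90b2tlbiI6ICIiWFhYWCBPS1RBIElEUCBUT0tFTiBYWFhYCn0K"

# Both key names the reporter mentions trying.
KNOWN_KEYS = ("api_token", "api_key")


def check_service_account(value: str) -> dict:
    """Decode an idp_service_account value and say what it contains.

    Returns {'ok': bool, 'reason': str, 'keys': [top-level JSON keys]} so the
    result can be logged or asserted on without exposing the token itself.
    """
    try:
        # validate=True rejects stray characters such as the newlines that a
        # line-wrapped `base64` output leaves behind when pasted into YAML.
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "reason": f"not valid base64: {exc}", "keys": []}
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return {"ok": False, "reason": f"decodes, but is not valid JSON: {exc}", "keys": []}
    if not isinstance(doc, dict):
        return {"ok": False, "reason": "JSON is not an object", "keys": []}
    keys = sorted(doc)
    present = [k for k in KNOWN_KEYS if isinstance(doc.get(k), str) and doc[k]]
    if not present:
        return {"ok": False, "reason": f"no non-empty string under {KNOWN_KEYS}", "keys": keys}
    return {"ok": True, "reason": f"found {present[0]}", "keys": keys}


def encode_service_account(api_token: str, key: str = "api_token") -> str:
    """Build a well-formed value: compact JSON, then base64 on a single line."""
    payload = json.dumps({key: api_token}, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(payload).decode("ascii")


if __name__ == "__main__":
    print(check_service_account(PASTED_SERVICE_ACCOUNT))
    fixed = encode_service_account("XXXX OKTA IDP TOKEN XXXX")  # placeholder token
    print(check_service_account(fixed))
```

GNU `base64` wraps its output at 76 columns by default, so a real token (longer than the placeholder here) yields a multi-line string that fails this check once pasted on one YAML line; `base64 -w0` produces the single-line form.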

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 24 (10 by maintainers)

Most upvoted comments

@devstein / @KevDBG – Are you able to test this on v0.10.6?

I am seeing a similar, possibly the same issue, in 0.10.2 with Okta where Pomerium is getting empty groups for all new users. It seems like it could be caching related. Is this a separate issue?