traefik-forward-auth

Email address no longer saved in cookie with Google OAUTH

Open shockwaver opened this issue 4 years ago • 11 comments

I'm not entirely sure when this started - but it appears that the cookie that is being saved after authorizing against google is missing the email address.

New cookie: _forward_auth: zz_XXXXXXXXXXXXXXXXXXXXXXX=|1629926137|

old cookie (still valid for now): _forward_auth: V-XXXXXXXXXXXXXXXXXXXXX=|1629741627|[email protected]

Error when trying to authenticate with a new session:

2021-07-29T14:55:23.028931103Z time="2021-07-29T14:55:23Z" level=debug msg="Authenticating request" cookies="[_forward_auth=(SNIP)=|1629926137|]" handler=Auth host=(SNIP) method=GET proto=https rule=default source_ip=192.168.2.1 uri=/
2021-07-29T14:55:23.029162933Z time="2021-07-29T14:55:23Z" level=warning msg="Invalid email" email= handler=Auth host=(SNIP) method=GET proto=https rule=default source_ip=192.168.2.1 uri=/
2021-07-29T14:55:23.050788611Z time="2021-07-29T14:55:23Z" level=debug msg="Authenticating request" cookies="[_forward_auth=(SNIP)=|1629926137|]" handler=Auth host=(SNIP) method=GET proto=https rule=default source_ip=192.168.2.1 uri=/favicon.ico
2021-07-29T14:55:23.050936054Z time="2021-07-29T14:55:23Z" level=warning msg="Invalid email" email= handler=Auth host=(SNIP) method=GET proto=https rule=default source_ip=192.168.2.1 uri=/favicon.ico

Since the email field is empty, naturally it can't find it on the whitelist. Any idea what could have caused this? Config:

cookie-domain="domain.tld"
insecure-cookie=false
auth-host="oauth.domain.tld"
whitelist=email1,email2,email3
url-path="/_oauth"
log-level=trace
log-format=pretty
lifetime=2592000
default-action="auth"
default-provider="google"

Secrets:

providers.google.client-id="XXXXXXXXXXXXXXXX.apps.googleusercontent.com"
ClientIdLegacy="XXXXXXXXXXXXXXXX.apps.googleusercontent.com"
providers.google.client-secret="XXXXXXXXXXXXXXXX"
secret=XXXXXXXXXXXXXXXX

Docker-compose:

  oauth:
    image: thomseddon/traefik-forward-auth:latest
    # Allow apps to bypass OAuth. Radarr example below will bypass OAuth if API key is present in the request (eg. from NZB360 mobile app).
    # While this is one way, the recommended way is to bypass authentication using Traefik labels shown in some of the apps later.
    # command: --rule.radarr.action=allow --rule.radarr.rule="Headers(`X-Api-Key`, `$RADARR_API_KEY`)"
    #command: --rule.sabnzbd.action=allow --rule.sabnzbd.rule="HeadersRegexp(`X-Forwarded-Uri`, `$SABNZBD_API_KEY`)"

    # The files below contain secrets and configs from docker swarm - these files will hide the sensitive information and allow it
    #   to start at boot without losing environmental information
    configs:
      - source: oauth_config
        target: /oauth_config.ini
    secrets:
      - source: oauth_secret
        target: /oauth_secret.ini
    command:
      - --config=/oauth_config.ini
      - --config=/oauth_secret.ini
    networks:
      - traefik-overlay-net-v2
    deploy:
      mode: global
      #replicas: 1
      placement:
        constraints:
          #- node.labels.ingress == true
          - node.labels.ingress-oauth == true
      labels:
        - "traefik.enable=true"
#        ## HTTP Routers
        - "traefik.http.routers.oauth-rtr.entrypoints=https"
        - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.domain.tld`)"
        - "traefik.http.routers.oauth-rtr.tls=true"
        ## Middlewares
        - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"
        ## HTTP Services
        - "traefik.http.routers.oauth-rtr.service=oauth-svc"
        - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"

shockwaver avatar Jul 29 '21 15:07 shockwaver
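The two cookie values quoted in the report differ only in the third field, and the "Invalid email" warning fires before any whitelist lookup. The Go program below is an added example, not code from traefik-forward-auth, that reproduces that ordering: it builds and validates a `mac|expires|email` cookie and shows that a cookie with an empty email still carries a valid signature (the server signed it that way) and is rejected only by the email check, while a cookie whose email field was edited after signing fails the signature check instead. The HMAC binding over host, email and expiry, the secret, the whitelist entries and the `now` timestamp are all assumptions constructed for the example; only the two expiry values are taken from the cookies in the report.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Rejection reasons, in the order the checks run. ErrInvalidEmail is the
// case the logs above show: a well-formed, validly signed cookie whose
// third field is empty.
var (
	ErrBadFormat    = errors.New("invalid cookie format")
	ErrBadSignature = errors.New("invalid cookie signature")
	ErrExpired      = errors.New("cookie has expired")
	ErrInvalidEmail = errors.New("invalid email")
	ErrNotAllowed   = errors.New("email not in whitelist")
)

// signature returns base64url(HMAC-SHA256(secret, host || email || expires)).
// Assumption: this binding of host, email and expiry is what the example
// uses; it is not copied from the project's source.
func signature(secret, host, email string, expires int64) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(host + email + strconv.FormatInt(expires, 10)))
	return base64.URLEncoding.EncodeToString(mac.Sum(nil))
}

// MakeCookie builds a "mac|expires|email" value as a server would after a
// successful login. With an empty email it produces exactly the shape of
// the "new cookie" in the report: "<mac>|<expires>|".
func MakeCookie(secret, host, email string, expires int64) string {
	return fmt.Sprintf("%s|%d|%s", signature(secret, host, email, expires), expires, email)
}

// ValidateCookie checks format, signature, expiry, a non-empty email and
// finally the whitelist. The MAC is verified over the email the cookie
// carries, so an empty email still verifies; the email check is what stops it.
func ValidateCookie(secret, host, cookie string, now time.Time, whitelist []string) (string, error) {
	parts := strings.Split(cookie, "|")
	if len(parts) != 3 {
		return "", ErrBadFormat
	}
	mac, expStr, email := parts[0], parts[1], parts[2]
	expires, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil {
		return "", ErrBadFormat
	}
	// Constant-time comparison; a forged or edited email field fails here.
	if !hmac.Equal([]byte(mac), []byte(signature(secret, host, email, expires))) {
		return "", ErrBadSignature
	}
	if now.Unix() > expires {
		return "", ErrExpired
	}
	if email == "" || !strings.Contains(email, "@") {
		return "", ErrInvalidEmail
	}
	for _, allowed := range whitelist {
		if strings.EqualFold(allowed, email) {
			return email, nil
		}
	}
	return "", ErrNotAllowed
}

func main() {
	// Constructed values: a throwaway secret, the auth-host from the config
	// above, a made-up whitelist and a clock before both reported expiries.
	secret, host := "example-secret", "oauth.domain.tld"
	whitelist := []string{"email1@domain.tld", "email2@domain.tld"}
	now := time.Unix(1629000000, 0)
	for _, email := range []string{"email1@domain.tld", ""} {
		c := MakeCookie(secret, host, email, 1629926137)
		got, err := ValidateCookie(secret, host, c, now, whitelist)
		fmt.Printf("cookie=%q -> email=%q err=%v\n", c, got, err)
	}
}
```

Running it prints one accepted cookie and one `invalid email` rejection for the cookie ending in `|1629926137|`, the same symptom as the log lines above. The order of checks matters: the signature is verified before the email is inspected, so the empty-email cookie is a genuine server-issued cookie, not a forgery, which points the investigation at the login flow rather than at the cookie handling.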

I'm seeing this as well -- new logins in the last week or so don't get the email in the cookie, so they don't match the domain names...

zero-below avatar Aug 10 '21 21:08 zero-below

Dug a bit deeper -- not super familiar with the codebase, but added some prints, and it looks like the GetUser function, which fetches the email address, is getting a bad reply from google, which isn't getting caught. So, when it returns, User.Email is unset and empty.

zero-below avatar Aug 12 '21 08:08 zero-below

And deeper yet -- it looks like the token fetch process is broken, and the GetUser is receiving an empty token and failing auth because of that.

zero-below avatar Aug 12 '21 18:08 zero-below
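The two comments above describe a token exchange that fails without the failure being noticed, so the userinfo call runs with an empty token and the resulting empty email is then signed into the cookie. The Go program below is an added example, not code from traefik-forward-auth or from the commenter, showing the checks that stop that chain: the token endpoint's HTTP status and JSON `error` field are inspected, an empty `access_token` is treated as a failure, `GetUser` refuses to run at all with an empty token, and an empty `email` in the userinfo reply is also a failure. The provider is a constructed `httptest` stand-in with the paths `/token` and `/userinfo`, the codes `good-code` and `bad-code`, the token `tok-123`, the client credentials and the email it returns are all made up for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// readJSON reads a bounded body and fails on non-2xx status or non-JSON,
// so a provider error reply is never decoded into empty fields and ignored.
func readJSON(resp *http.Response, out interface{}) error {
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return err
	}
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	return json.Unmarshal(body, out)
}

// ExchangeCode swaps the authorization code for an access token and refuses to hand back an empty one.
func ExchangeCode(c *http.Client, tokenURL, clientID, clientSecret, redirectURI, code string) (string, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code},
		"redirect_uri": {redirectURI}, "client_id": {clientID}, "client_secret": {clientSecret}}
	resp, err := c.Post(tokenURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	var tr struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
	}
	if err := readJSON(resp, &tr); err != nil {
		return "", fmt.Errorf("token exchange: %w", err)
	}
	if tr.Error != "" || tr.AccessToken == "" {
		return "", fmt.Errorf("token exchange: error=%q, token present=%v", tr.Error, tr.AccessToken != "")
	}
	return tr.AccessToken, nil
}

// GetUser fetches the userinfo email. An empty token is rejected up front
// instead of being sent as "Bearer " and coming back as an empty email.
func GetUser(c *http.Client, userInfoURL, token string) (string, error) {
	if token == "" {
		return "", errors.New("userinfo: empty access token")
	}
	req, _ := http.NewRequest(http.MethodGet, userInfoURL, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	var u struct {
		Email string `json:"email"`
	}
	if err := readJSON(resp, &u); err != nil {
		return "", fmt.Errorf("userinfo: %w", err)
	}
	if u.Email == "" {
		return "", errors.New("userinfo: reply carried no email")
	}
	return u.Email, nil
}

// Login chains both steps; an email comes back only if every step succeeded.
func Login(c *http.Client, base, code string) (string, error) {
	tok, err := ExchangeCode(c, base+"/token", "client-id", "client-secret", "https://oauth.domain.tld/_oauth", code)
	if err != nil {
		return "", err
	}
	return GetUser(c, base+"/userinfo", tok)
}

// NewFakeIdP is a constructed stand-in for the provider (assumption, not Google's
// real endpoints): "good-code" yields a token; any other code gets an error reply.
func NewFakeIdP() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		if r.PostFormValue("code") != "good-code" {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"access_token": "tok-123", "token_type": "Bearer"})
	})
	mux.HandleFunc("/userinfo", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer tok-123" {
			http.Error(w, `{"error":"invalid_token"}`, http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"email": "user@domain.tld"})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeIdP()
	defer srv.Close()
	for _, code := range []string{"good-code", "bad-code"} {
		email, err := Login(srv.Client(), srv.URL, code)
		fmt.Printf("code=%s email=%q err=%v\n", code, email, err)
	}
}
```

With these checks a failed exchange surfaces as an error at login time instead of an empty email in a signed cookie, which is both easier to diagnose from the logs and safer: a cookie is only ever issued for an identity the provider actually returned.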

same issue here

bigverm23 avatar Sep 30 '21 14:09 bigverm23

^^ Probably won't be merged, but if you do docker build of my fork you can at least get it working again.

dza89 avatar Mar 20 '22 15:03 dza89

Can confirm that @dza89 's fork fixes the issue, and google oauth works again.

shidarin avatar Sep 06 '22 03:09 shidarin

same issue

AMD-NICK avatar Aug 06 '23 21:08 AMD-NICK

I've moved to oauth2-proxy, which can do the same and is a living project. I can send you my config.

dza89 avatar Aug 06 '23 22:08 dza89

@dza89

I can send you my config

Yes, please write the config here or send it to me on Telegram (link in profile). I've been struggling for several hours already 😢

AMD-NICK avatar Aug 06 '23 22:08 AMD-NICK

I've moved to oauth2-proxy, which can do the same and is a living project. I can send you my config.

Can you send your config to me as well?

Daniel-dev22 avatar Aug 27 '23 09:08 Daniel-dev22

@AMD-NICK @Daniel-dev22 try it with this: https://gist.github.com/dza89/f652a3e0af705bf3865b26d83c774ba2

dza89 avatar Aug 27 '23 13:08 dza89