Swagger Authentication problem on K8s production

Open gterdem opened this issue 3 years ago • 4 comments

eShopOnAbp is the main sample for this problem.

We are running all the application/microservices on pods.

When we make a login request, the issuer is set to the DNS name (https://auth.eshoponabp.com), so it is redirected back to the issuer (DNS). Internal requests like /.well-known/openid-configuration are made to the pod (http://eshop-az-authserver). We have an OpenIdConnectOptions configuration to separate the internal and web requests.

However, the AddAbpSwaggerGenWithOAuth configuration that authenticates the Swagger user doesn't have this kind of configuration, so we cannot authenticate the Swagger user using authorization code.

We need to find a way to add OpenIdConnectOptions or a similar configuration to set when to redirect to the DNS and when to redirect to the pod.

gterdem avatar Sep 05 '22 15:09 gterdem

I think we just need to replace authority: http://eshop-az-authserver with https://auth.eshoponabp.com

Or consider this:

```yaml
authServer:
  authority: http://eshop-az-authserver
  dnsAuthority: https://auth.eshoponabp.com
  isOnProd: "true"
  requireHttpsMetadata: "false"
  swaggerClientId: WebGateway_Swagger
  swaggerClientSecret: "1q2w3e*"
```

```csharp
var authority = Convert.ToBoolean(configuration["AuthServer:IsOnProd"])
    ? configuration["AuthServer:Authority"]
    : configuration["AuthServer:DnsAuthority"];

SwaggerConfigurationHelper.ConfigureWithAuth(
    context: context,
    authority: authority,
    // Requested scopes for the authorization code request, and descriptions for Swagger UI only
    scopes: new Dictionary<string, string>
    {
        { "CatalogService", "Catalog Service API" }
    },
    apiTitle: "Catalog Service API"
);
```

realLiangshiwei avatar Sep 06 '22 06:09 realLiangshiwei

Normally authority should be the DNS, yes. But then the application will try to reach the DNS for the /.well-known endpoints and it won't be found.

```csharp
var authority = Convert.ToBoolean(configuration["AuthServer:IsOnProd"]) ? configuration["AuthServer:Authority"] : configuration["AuthServer:DnsAuthority"];
```

It doesn't matter by the way, it will end up using https://auth.eshoponabp.com and it will fail when trying to reach it internally.

gterdem avatar Sep 06 '22 06:09 gterdem

Swagger OAuth2 authentication doesn't need the /.well-known endpoints.

> It doesn't matter by the way, it will end up using https://auth.eshoponabp.com and it will fail when trying to reach it internally.

I think there is no problem because Swagger always sends a request from the browser. I guess there is no internal request here.

realLiangshiwei avatar Sep 08 '22 02:09 realLiangshiwei

@skoc10 can you publish catalogService using https://auth.eshoponabp.com as issuer and share the error log with us please?

gterdem avatar Sep 08 '22 06:09 gterdem

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Nov 12 '22 05:11 stale[bot]

This should remain open until we find a solution

gterdem avatar Nov 22 '22 23:11 gterdem

Moved to https://github.com/abpframework/eShopOnAbp/issues/157

gterdem avatar Dec 27 '22 17:12 gterdem
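
The point raised in the thread, that the Swagger UI authorization code flow runs in the browser, can be expressed with plain Swashbuckle by pointing both OAuth URLs at the public DNS authority. This is an added example, not eShopOnAbp or ABP code. It assumes Swashbuckle.AspNetCore 6.x, the `AuthServer:DnsAuthority` and `AuthServer:SwaggerClientId` keys from the configuration shown earlier, the conventional `connect/authorize` and `connect/token` paths, and a Swagger client registered for PKCE.

```csharp
// Added example: Program.cs for a minimal ASP.NET Core service (implicit usings enabled).
using Microsoft.OpenApi.Models;

var builder = WebApplication.CreateBuilder(args);
var cfg = builder.Configuration;

// Swagger UI executes in the user's browser, so every URL in the flow must be
// resolvable from outside the cluster: use the DNS name, never the pod name.
var publicAuthority = new Uri(cfg["AuthServer:DnsAuthority"]!.TrimEnd('/') + "/");
if (publicAuthority.Scheme != Uri.UriSchemeHttps)
    throw new InvalidOperationException("Browser-facing authority must use HTTPS.");

builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(options =>
{
    options.SwaggerDoc("v1", new OpenApiInfo { Title = "Catalog Service API", Version = "v1" });
    options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.OAuth2,
        Flows = new OpenApiOAuthFlows
        {
            AuthorizationCode = new OpenApiOAuthFlow
            {
                // Endpoint paths are an assumption; check the auth server's discovery document.
                AuthorizationUrl = new Uri(publicAuthority, "connect/authorize"),
                TokenUrl = new Uri(publicAuthority, "connect/token"),
                Scopes = new Dictionary<string, string> { { "CatalogService", "Catalog Service API" } }
            }
        }
    });
    options.AddSecurityRequirement(new OpenApiSecurityRequirement
    {
        {
            new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
            },
            new[] { "CatalogService" }
        }
    });
});

var app = builder.Build();
app.UseSwagger();
app.UseSwaggerUI(ui =>
{
    ui.OAuthClientId(cfg["AuthServer:SwaggerClientId"]);
    ui.OAuthUsePkce(); // assumption: the client is registered as public, so no secret ships to the browser
});
app.Run();
```

The service's own token validation (the back channel) is configured separately and can keep using the in-cluster address for metadata.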