traefik-forward-auth0 icon indicating copy to clipboard operation
traefik-forward-auth0 copied to clipboard

Published 20 hours ago verified publisher icon dniel

Too many redirect - AuthorizeNonce cookie didnt match the nonce in authorizeState

Open jamesy829 opened this issue 1 year ago • 0 comments
trafficstars

When I use the suggested way of configuring all web apps to forward /oauth2 path to ForwardAuth (thread), the error I get is 400 Bad Request AuthorizeNonce cookie didnt match the nonce in authorizeState.., it then starts another Authorization Grant all over again, at the end Chrome will show ERR_TOO_MANY_REDIRECTS

I am currently running Traefik 2.9.6, deployed with Helm charts and the stripprefix and redirect are implemented using middlewares (thread)

This is my application.yaml

 domain: https://mydomain.auth0.com/
 token-endpoint: https://mydomain.auth0.com/oauth/token
 authorize-url: https://mydomain.auth0.com/authorize
 userinfo-endpoint: https://mydomain.auth0.com/userinfo
 logout-endpoint: https://mydomain.auth0.com/v2/logout
 
 default:
     name: mydomain.com
     client-id: <CLIENT_ID>
     client-secret: <CLIENT_SECRET>
     audience: https://mydomain.com
     scope: "profile openid email"
     redirect-uri: https://auth.preprod.mydomain.com/signin
     token-cookie-domain: mydomain.com
 
 apps:
    - name: traefik.prep.mydomain.com
      required-permissions:
        - read:traefik
    - name: epimetheus-preprod.mydomain.com
      required-permissions:
        - read:epimetheus

This is my middleware

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth2-chain
  namespace: traefik
spec:
  chain:
    middlewares:
      - name: forwardauth-authorize
        namespace: traefik
      - name: oauth2-strip-prefix
        namespace: traefik
      - name: oauth2-redirect
        namespace: traefik
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth2-strip-prefix
  namespace: traefik
spec:
  stripPrefix:
    prefixes:
      - /oauth2
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth2-redirect
  namespace: traefik
spec:
  redirectRegex:
    regex: ^https?://epimetheus-preprod.mydomain.com/(.*)
    replacement: https://auth.preprod.mydomain.com/${1}

This is the version of docker I'm using.

NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
forwardauth     traefik         19              2024-04-10 02:04:13.347383 +0800 CST    deployed        forwardauth-2.0.13      2.0-rc1
traefik         traefik         1               2022-04-17 23:59:30.260106 +0200 +0200  deployed        traefik-10.14.1         2.6.0

jamesy829 avatar Apr 09 '24 18:04 jamesy829