
OIDC Auth returns Internal Server Error

Open nniehoff opened this issue 3 years ago • 2 comments

I am trying to use OIDC auth with HVAC. I have OIDC working successfully from both the UI and the vault CLI so I am confident in that configuration. However, when I implement the code from the example https://hvac.readthedocs.io/en/stable/usage/auth_methods/jwt-oidc.html#oidc-authorization-url-request I get an InternalServerError exception for an invalid token. I have done some debugging and can copy the token from the UI and authenticate using the hvac library just fine with that token. So I'm thinking this is somewhere in the hvac module code. Here is the traceback:

Traceback (most recent call last):
  File "./utils.py", line 151, in <module>
    update_kube_config()
  File "./utils.py", line 136, in update_kube_config
    if hvac_client.is_authenticated():
  File "/Users/nniehoff/Library/Caches/pypoetry/virtualenvs/testproj-drOvRCZZ-py3.10/lib/python3.10/site-packages/hvac/v1/__init__.py", line 661, in is_authenticated
    self.lookup_token()
  File "/Users/nniehoff/Library/Caches/pypoetry/virtualenvs/testproj-drOvRCZZ-py3.10/lib/python3.10/site-packages/hvac/v1/__init__.py", line 450, in lookup_token
    return self._adapter.get(path, wrap_ttl=wrap_ttl)
  File "/Users/nniehoff/Library/Caches/pypoetry/virtualenvs/testproj-drOvRCZZ-py3.10/lib/python3.10/site-packages/hvac/adapters.py", line 113, in get
    return self.request("get", url, **kwargs)
  File "/Users/nniehoff/Library/Caches/pypoetry/virtualenvs/testproj-drOvRCZZ-py3.10/lib/python3.10/site-packages/hvac/adapters.py", line 365, in request
    response = super(JSONAdapter, self).request(*args, **kwargs)
  File "/Users/nniehoff/Library/Caches/pypoetry/virtualenvs/testproj-drOvRCZZ-py3.10/lib/python3.10/site-packages/hvac/adapters.py", line 331, in request
    utils.raise_for_error(
  File "/Users/nniehoff/Library/Caches/pypoetry/virtualenvs/testproj-drOvRCZZ-py3.10/lib/python3.10/site-packages/hvac/utils.py", line 49, in raise_for_error
    raise exceptions.InternalServerError(
hvac.exceptions.InternalServerError: token mac for token_version:1 hmac:"e\xe6\xa8g\xe1~\x17\x1e\x92\x8f&\x87\xa2\x11\xf0\x04\x9f\xf7n\xaa\x98\xbdv\xd4\xf6\xd7\t\xe9\x14\xfc\x88R" token:"\n\x1chvs.CoM1hOgI69pOfUTELxEPycmE" is incorrect: err %!w(<nil>), on get https://vault.example.com/v1/auth/token/lookup-self

nniehoff, Jun 20 '22 15:06

Hi @nniehoff

Sorry for the late response. If you are still having this problem, I'd be happy to help.

Looking at the error message, the token looks like it has some extra invalid characters prepended to the string.

I see "\n\x1chvs.CoM1hOgI69pOfUTELxEPycmE", but I think the token should look like "hvs.CoM1hOgI69pOfUTELxEPycmE". How are you setting the token? Are you using one of the hvac auth methods to obtain the token or are you manually setting it yourself? If you are manually setting the token, can you make sure that you aren't prepending "\n\x1c" to the token?

colin-pm, Sep 14 '22 15:09
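
A pre-flight check for the situation discussed in this thread, as an added example (not code from the issue or from hvac): it inspects a token string for bytes outside an assumed token alphabet before the string is handed to a client, and reports the stray bytes without echoing the token. The function names and the allowed character set are assumptions; the sample string is copied from the error message above, where the two leading bytes are 0x0a and 0x1c, and 0x1c is 28, the length of the token that follows.

```python
import string

# Assumed token alphabet: letters, digits and "-_." (covers the "hvs." prefix).
ALLOWED = set(string.ascii_letters + string.digits + "-_.")


def inspect_token(raw: str) -> dict:
    """Report stray characters around a token instead of silently stripping them."""
    start = 0
    while start < len(raw) and raw[start] not in ALLOWED:
        start += 1
    end = len(raw)
    while end > start and raw[end - 1] not in ALLOWED:
        end -= 1
    prefix, body, suffix = raw[:start], raw[start:end], raw[end:]
    # 0x0a followed by one byte equal to the body length is what a
    # length-delimited field header looks like in a binary encoding.
    framed = (len(prefix) == 2 and prefix[0] == "\x0a"
              and ord(prefix[1]) == len(body))
    clean = (not prefix and not suffix and bool(body)
             and all(c in ALLOWED for c in body))
    return {"prefix": prefix, "suffix": suffix, "token": body,
            "clean": clean, "length_prefixed": framed}


def require_clean_token(raw: str) -> str:
    """Return the token unchanged, or raise without putting the secret in the message."""
    info = inspect_token(raw)
    if not info["clean"]:
        raise ValueError(
            "token has unexpected characters: "
            f"prefix={info['prefix']!r} suffix={info['suffix']!r} "
            f"length_prefixed={info['length_prefixed']}"
        )
    return info["token"]


# String exactly as it appears in the error message on this page.
FROM_ERROR = "\n\x1chvs.CoM1hOgI69pOfUTELxEPycmE"

if __name__ == "__main__":
    report = inspect_token(FROM_ERROR)
    print({k: v for k, v in report.items() if k != "token"})
```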