
Issue with Issuer URL for Dex - Google Connector Integration

Open muthurajr opened this issue 5 years ago • 4 comments

I have installed Kubeflow 1.1.0 with Istio & Dex, and exposed it on a public domain (mlapps.example.com). When connecting Dex with any SAML connectors, it provides an option to override issuer URL for AuthnRequest purpose (entityIssuer). https://dexidp.io/docs/connectors/saml/

When Google connector (https://dexidp.io/docs/connectors/google/) is used, is there any approach to override just for the validation purpose without changing the base issuer URL?

Error: time="2020-11-09T18:26:19Z" level=error msg="Connector \"google\" returned error when creating callback: expected callback URL \"http://dex.auth.svc.cluster.local:5556/dex/callback\" did not match the URL in the config \"https://mlapps.example.com/dex/callback\""

Dex Configuration:

```yaml
issuer: http://dex.auth.svc.cluster.local:5556/dex
storage:
  type: kubernetes
  config:
    inCluster: true
web:
  http: 0.0.0.0:5556
logger:
  level: "debug"
  format: text
oauth2:
  skipApprovalScreen: true
enablePasswordDB: true
staticPasswords:
- email: [email protected]
  hash: *******
  username: admin
  userID: ********
staticClients:
- id: kubeflow-oidc-authservice
  redirectURIs: ["/login/oidc"]
  name: 'Dex Login Application'
  secret: **********
connectors:
- type: google
  id: google
  name: Google
  config:
    clientID: $GOOGLE_CLIENT_ID
    clientSecret: $GOOGLE_CLIENT_SECRET
    redirectURI: https://mlapps.example.com/dex/callback
    serviceAccountFilePath: /etc/dex/gauth/googleAuth.json
    adminEmail: admin@**********
    hostedDomains:
     - **************
    groups:
     - ************
```

muthurajr avatar Nov 09 '20 18:11 muthurajr

~~Is there any solution for this issue? https://github.com/dexidp/dex/issues/927, too.~~ [solved] You should update config.issuer to the exposed Dex URL (e.g. https://mlapps.example.com/dex). Currently, it's set to the cluster endpoint.

jungrae-prestolabs avatar Mar 15 '21 05:03 jungrae-prestolabs

@tyg03485 I don't see config.issuer in https://dexidp.io/docs/connectors/google/. Is this undocumented functionality?

muthurajr avatar Mar 17 '21 06:03 muthurajr

It means:

```yaml
issuer: { MyEndpointOfDex }
storage:
  type: kubernetes
  config:
    inCluster: true
web:
  http: 0.0.0.0:5556
...
connectors:
- type: google
  id: google
  name: Google
  config:
    clientID: $GOOGLE_CLIENT_ID
    clientSecret: $GOOGLE_CLIENT_SECRET
    redirectURI: https://mlapps.example.com/dex/callback
    serviceAccountFilePath: /etc/dex/gauth/googleAuth.json
    adminEmail: admin@**********
    hostedDomains:
     - **************
    groups:
     - ************
```

ref. https://dexidp.io/docs/oidc-certification-setup/

jungrae-prestolabs avatar Mar 19 '21 04:03 jungrae-prestolabs
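The error in the opening post is Dex comparing the callback URL it derives from `issuer` (`<issuer>/callback`) against the Google connector's configured `redirectURI`; when `issuer` still points at the in-cluster service address, the two can never agree. The script below is an added example, not Dex's own code and not part of this issue thread: it reproduces that comparison offline so the mismatch can be caught before the pod is rolled out. The two configs embedded in it are constructed from the YAML shown above (the broken in-cluster issuer and the fix suggested in the previous comment); the function names `derive_callback_url` and `find_callback_mismatches` are this example's own.

```python
"""Offline consistency check for a Dex config: issuer vs connector redirectURI.

Added example (not Dex code). It models the check Dex applies when the Google
connector is invoked: the callback URL derived from `issuer` must equal the
connector's `redirectURI`, otherwise Dex logs
  expected callback URL "<issuer>/callback" did not match the URL in the config "<redirectURI>"
"""
from urllib.parse import urlsplit


def derive_callback_url(issuer: str) -> str:
    """Return the callback URL Dex advertises for its connectors: <issuer>/callback."""
    return issuer.rstrip("/") + "/callback"


def find_callback_mismatches(config: dict) -> list:
    """Compare every connector's redirectURI against the issuer-derived callback.

    Returns a list of human-readable findings; an empty list means the config is
    consistent. Only connectors that carry an explicit `redirectURI` are checked
    (the Google connector requires one).
    """
    expected = derive_callback_url(config.get("issuer", ""))
    findings = []
    for conn in config.get("connectors", []):
        redirect = conn.get("config", {}).get("redirectURI")
        if redirect is None or redirect == expected:
            continue
        # Break the difference down so the operator sees which part is wrong.
        e, r = urlsplit(expected), urlsplit(redirect)
        detail = []
        if e.scheme != r.scheme:
            detail.append(f"scheme {e.scheme!r} vs {r.scheme!r}")
        if e.netloc != r.netloc:
            detail.append(f"host {e.netloc!r} vs {r.netloc!r}")
        if e.path != r.path:
            detail.append(f"path {e.path!r} vs {r.path!r}")
        findings.append(
            f"connector {conn.get('id')!r}: expected callback {expected!r} "
            f"but redirectURI is {redirect!r} ({', '.join(detail)})"
        )
    return findings


# Constructed from the issue's YAML: issuer left at the in-cluster address.
BROKEN_CONFIG = {
    "issuer": "http://dex.auth.svc.cluster.local:5556/dex",
    "connectors": [
        {
            "type": "google",
            "id": "google",
            "config": {"redirectURI": "https://mlapps.example.com/dex/callback"},
        }
    ],
}

# Constructed: same config with issuer set to the publicly exposed Dex URL.
FIXED_CONFIG = {
    "issuer": "https://mlapps.example.com/dex",
    "connectors": BROKEN_CONFIG["connectors"],
}


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        problems = find_callback_mismatches(cfg)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

The check only covers what Dex itself can see. The `redirectURI` must additionally be registered verbatim as an authorised redirect URI on the Google OAuth client, and changing `issuer` also changes the OIDC discovery document and the `iss` claim in issued tokens, so any relying party (here the Kubeflow OIDC authservice) has to be pointed at the same exposed URL.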

@tyg03485 Thanks! I remember fixing the issue the same way, but it has to be done through a patch after installation as the URL has to be accessible. The SAML connector provides an explicit override (entityIssuer) just for this issue, which is not available in the Google connector.

muthurajr avatar Mar 21 '21 06:03 muthurajr