
[pgadmin4] OAuth2 with AWS Cognito - redirect_mismatch error

Open · eTimS opened this issue 2 years ago · 1 comment

Hello, I encountered an issue when using pgAdmin4 behind a Traefik reverse-proxy with AWS Cognito OAuth2 configured.

Describe the bug: The redirect_uri returned by pgAdmin when trying to connect with Cognito isn't secured with HTTPS, which causes AWS Cognito to refuse the operation with "error=redirect_mismatch".

I can't find which variable I should set in the helm values to let pgAdmin know I use HTTPS in front of the reverse-proxy. In the value file, I have tried the variables SCHEME, HTTP_X_SCHEME, wsgi.url_scheme, to set the internal wsgi.url_scheme to "https", without success.

Version of Helm and Kubernetes: Terraform Helm provider v2.2.0, K8s v1.19

Which chart: pgadmin4

What happened: On the pgAdmin4 login page, when the Cognito login option is clicked, the HTTP response header (which is a redirection) given by pgAdmin4 contains:

location = https://<obfuscated cognito domain>.auth.<AWS Region>.amazoncognito.com/oauth2/authorize?response_type=code&client_id=<obfuscated client id>&redirect_uri=http%3A%2F%2Fpgadmin.example.org%2Foauth2%2Fauthorize&[...]

What you expected to happen: The expected value should be:

location = https://<obfuscated cognito domain>.auth.<AWS Region>.amazoncognito.com/oauth2/authorize?response_type=code&client_id=<obfuscated client id>&redirect_uri=https%3A%2F%2Fpgadmin.example.org%2Foauth2%2Fauthorize&[...]

Notes:

  • In the redirect_uri parameter, the URI uses https
  • When accessing this "crafted" location URL (with "https" in redirect_uri), the Cognito service works as expected

How to reproduce it (as minimally and precisely as possible):

  • Set up an AWS Cognito user pool and App Integration (may be reproducible with other OAuth2 providers which enforce redirect_uri matching with the HTTPS scheme)
  • Deploy pgAdmin4 with the OAuth2 configuration in a Secret object (see example here)
  • Set up a reverse proxy (here Traefik) using HTTPS in front of the pgAdmin4 instance

Our OAuth2 config template:

MASTER_PASSWORD_REQUIRED = False
AUTHENTICATION_SOURCES = ['oauth2', 'internal']
OAUTH2_AUTO_CREATE_USER = True
OAUTH2_CONFIG = [
    {
        'OAUTH2_NAME': 'cognito',
        'OAUTH2_DISPLAY_NAME': 'Cognito',
        'OAUTH2_CLIENT_ID': '${COGNITO_CLIENT_ID}',
        'OAUTH2_CLIENT_SECRET': '${COGNITO_CLIENT_SECRET}',
        'OAUTH2_TOKEN_URL': 'https://${COGNITO_USER_POOL_NAME}.auth.${AWS_REGION}.amazoncognito.com/oauth2/token',
        'OAUTH2_AUTHORIZATION_URL': 'https://${COGNITO_USER_POOL_NAME}.auth.${AWS_REGION}.amazoncognito.com/oauth2/authorize',
        'OAUTH2_API_BASE_URL': 'https://${COGNITO_USER_POOL_NAME}.auth.${AWS_REGION}.amazoncognito.com/oauth2/',
        'OAUTH2_USERINFO_ENDPOINT': 'https://${COGNITO_USER_POOL_NAME}.auth.${AWS_REGION}.amazoncognito.com/oauth2/userInfo',
        'OAUTH2_ICON': 'fa-aws',
        'OAUTH2_BUTTON_COLOR': '#ff9900',
        'OAUTH2_SCOPE': 'openid email profile',
    }
]

eTimS, Mar 01 '22 10:03
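Added example (not code from the issue, the chart, or pgAdmin itself): a minimal WSGI-style model of where the scheme in redirect_uri comes from. A TLS-terminating proxy such as Traefik talks plain HTTP to the pod, so the application's wsgi.url_scheme is "http" and any URL it builds from the request starts with http://, exactly as in the location header above. The external scheme only travels in X-Forwarded-Proto, which the app must be told to trust. The rewrite below is a constructed re-implementation of the counting logic used by werkzeug's ProxyFix (pgAdmin is a Flask app and exposes this kind of knob through its PROXY_X_* settings, e.g. PROXY_X_PROTO_COUNT; the page does not mention them, so check your pgAdmin version's config.py); the function names, the sample environ and the hostnames are assumptions made for this example.

```python
"""Constructed example: how a WSGI app behind a TLS-terminating proxy
derives the scheme in redirect_uri, and how honouring X-Forwarded-Proto
(for a known number of proxy hops only) turns http:// into https://.
Not pgAdmin's code; names and sample data are invented for illustration.
"""
from urllib.parse import urlencode


def build_redirect_uri(environ: dict, callback_path: str = "/oauth2/authorize") -> str:
    """The callback URL an app derives from what the WSGI layer believes
    about the request: scheme + Host header + callback path."""
    return f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}{callback_path}"


def build_authorize_location(environ: dict, authorization_url: str, client_id: str) -> str:
    """The Location header value sent to the browser for the IdP redirect."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": build_redirect_uri(environ),
    }
    return f"{authorization_url}?{urlencode(params)}"


def apply_forwarded_headers(environ: dict, trusted_proxy_hops: int = 1) -> dict:
    """Return a copy of environ with wsgi.url_scheme / HTTP_HOST taken from
    X-Forwarded-Proto / X-Forwarded-Host.

    trusted_proxy_hops is the number of proxies in front of the app that
    append these headers; 0 disables the rewrite. The value is read from
    the right-most trusted position (the entry our own proxy appended), so a
    client-supplied value earlier in the list cannot override it. If fewer
    values are present than hops trusted, nothing is rewritten. This mirrors
    the counting done by werkzeug ProxyFix but is a re-implementation.
    """
    fixed = dict(environ)
    if trusted_proxy_hops <= 0:
        return fixed

    def trusted_value(header: str):
        raw = environ.get(header)
        if not raw:
            return None
        values = [v.strip() for v in raw.split(",") if v.strip()]
        if len(values) < trusted_proxy_hops:
            return None
        return values[-trusted_proxy_hops]

    proto = trusted_value("HTTP_X_FORWARDED_PROTO")
    if proto in ("http", "https"):
        fixed["wsgi.url_scheme"] = proto
    host = trusted_value("HTTP_X_FORWARDED_HOST")
    if host:
        fixed["HTTP_HOST"] = host
    return fixed


# Constructed sample: what the pod sees when the proxy terminates TLS for
# https://pgadmin.example.org and forwards the request over plain HTTP.
ENVIRON_FROM_PROXY = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "pgadmin.example.org",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "pgadmin.example.org",
}

# Hypothetical IdP endpoint and client id, in the shape used by the issue.
AUTHORIZATION_URL = "https://example-pool.auth.eu-west-1.amazoncognito.com/oauth2/authorize"
CLIENT_ID = "example-client-id"


def broken_location() -> str:
    """Forwarded headers ignored: redirect_uri comes out as http://."""
    return build_authorize_location(ENVIRON_FROM_PROXY, AUTHORIZATION_URL, CLIENT_ID)


def fixed_location() -> str:
    """One trusted proxy hop: redirect_uri comes out as https://."""
    env = apply_forwarded_headers(ENVIRON_FROM_PROXY, trusted_proxy_hops=1)
    return build_authorize_location(env, AUTHORIZATION_URL, CLIENT_ID)


if __name__ == "__main__":
    print("without proxy fix:", broken_location())
    print("with proxy fix:   ", fixed_location())
```

The rewrite only helps if the pod cannot be reached except through the proxy: a client that connects to the pod directly and sends its own X-Forwarded-Proto is trusted just like the proxy would be, so restrict ingress to the pod (for example with a NetworkPolicy) and keep the hop count equal to the real number of proxies. Setting the count too high is safe but ineffective: with two hops trusted and only one header value present, no rewrite happens and the redirect_uri stays http://.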

@eTimS I'm joining this issue. We need to integrate our pgadmin4 with AWS SSO; we're using this exact chart and didn't find where to put the parameters above. It's not clear to me.

n1vgabay, Sep 12 '23 11:09