Error 500 When Creating Organization with LDAP or Microsoft Azure AD Authentication #133

Open
Shubham-Jawkar1 opened this issue Jul 17, 2024 · 9 comments


@Shubham-Jawkar1

Description:
I have deployed Terrakube with a self-signed certificate. After logging in, I am encountering an issue when trying to create an organization. The operation fails, and in the browser's inspect section, I can see that a 500 error is being returned.
I am facing this issue with both OpenLDAP and Azure AD authentication methods.

Steps to Reproduce:
Deploy Terrakube with a self-signed certificate.
Configure LDAP or Microsoft Azure AD authentication.
Log in using LDAP or Azure AD credentials.
Attempt to create an organization.

Expected Behavior:
The organization should be created successfully without any errors.

Actual Behavior:
The operation fails, and a 500 error is returned in the browser.

Additional Information:

Browser Console Errors: 500 Internal Server Error
API Container Logs: (See attached log file for reference)

Environment:

Terrakube version: [3.17.6]
Deployment method: [e.g., Azure Kubernetes Service]
Authentication method: [OpenLDAP, Microsoft Azure AD]
Browser: [e.g., Chrome, Edge]

Please let me know if you need any additional information or if there are any steps I can take to help diagnose this issue further.

terrakube-api.log

@Shubham-Jawkar1 changed the title from "Error 500 When Creating Organization with LDAP and Microsoft Azure AD Authentication" to "Error 500 When Creating Organization with LDAP or Microsoft Azure AD Authentication" on Jul 17, 2024
@alfespa17
Member

You need to upgrade your ingress setup; by default it is using "https://terrakube-api.minikube.net", which is just for testing.

java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "https://terrakube-api.minikube.net/dex"
	at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:168) ~[spring-security-oauth2-jose-6.1.9.jar:6.1.9]

You can check the following link.

https://docs.terrakube.io/getting-started/deployment/ingress-configuration

@alfespa17
Member

To use self-signed certificates you will also need to read the following:

https://docs.terrakube.io/getting-started/deployment/custom-ca-certs

@Shubham-Jawkar1
Author

@alfespa17, thank you for the response.
I've referred to the following link for using Dex with Azure AD:
https://docs.terrakube.io/getting-started/user-management/azure-active-directory

As per the documentation, the Dex DNS is derived from the API DNS, i.e., https:///dex. Could you please confirm if I need to create a separate DNS entry for the Dex DNS as well, and how to configure the Dex issuer?

@alfespa17
Member

> @alfespa17 , Thank you for the response. I've referred to the following link for using Dex with Azure AD https://docs.terrakube.io/getting-started/user-management/azure-active-directory
>
> As per the documentation, the Dex DNS is derived from the API DNS, i.e., https:///dex. Could you please confirm if I need to create a separate DNS entry for the Dex DNS as well? and how to configure DEX issuer

You don't need a different domain. You can have DEX at the following URL, for example https://terrakube-api.minikube.net/dex, and it should work correctly, so you can reuse the API domain to expose DEX too.

@Shubham-Jawkar1
Author

Hi @alfespa17, how can I ensure that Dex is working correctly?
Additionally, when I hit the following URL (https://terrakube-api.minikube.net/dex/.well-known/openid-configuration), I get the response shown below. Is this expected?

{
  "issuer": "https://terrakube-api.minikube.net/dex",
  "authorization_endpoint": "https://terrakube-api.minikube.net/dex/auth",
  "token_endpoint": "https://terrakube-api.minikube.net/dex/token",
  "jwks_uri": "https://terrakube-api.minikube.net/dex/keys",
  "userinfo_endpoint": "https://terrakube-api.minikube.net/dex/userinfo",
  "device_authorization_endpoint": "https://terrakube-api.minikube.net/dex/device/code",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:device_code",
    "urn:ietf:params:oauth:grant-type:token-exchange"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "code_challenge_methods_supported": [
    "S256",
    "plain"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "groups",
    "profile",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "claims_supported": [
    "iss",
    "sub",
    "aud",
    "iat",
    "exp",
    "email",
    "email_verified",
    "locale",
    "name",
    "preferred_username",
    "at_hash"
  ]
}

@alfespa17
Member

That is correct. If you are using https://terrakube-api.minikube.net, you can use that endpoint /dex/.well-known/openid-configuration just to check if dex is returning information correctly. Now you only need to test from the UI if you are able to log in.

@Shubham-Jawkar1
Author

@alfespa17, thanks for the confirmation.
The endpoint [/dex/.well-known/openid-configuration] is responding, but I still face the same issue and the same error logs which I shared earlier.

@alfespa17
Member

Hello @Shubham-Jawkar1, can you share the example yaml file that you are using for the deployment (without any sensitive information)?

@alfespa17
Member

Just to confirm, you are using minikube to test, right?
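
A discovery endpoint that answers in a browser does not show that the API container can fetch it, because the API resolves the name with its own DNS and validates the certificate against its own trust store. The sketch below is an added example, not code from this thread or from Terrakube: it repeats the issuer lookup with an explicit CA bundle and labels which layer failed. The names `probe`, `classify`, `check_metadata` and the `ca_file` parameter are hypothetical, and `SAMPLE` is constructed from two fields of the response quoted above.

```python
import json
import socket
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample: the two fields of the response quoted in the thread that matter here.
SAMPLE = {
    "issuer": "https://terrakube-api.minikube.net/dex",
    "jwks_uri": "https://terrakube-api.minikube.net/dex/keys",
}

def discovery_url(issuer):
    """OIDC Discovery path for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_metadata(doc, issuer):
    """Problems that make a strict client reject the discovery document."""
    problems = []
    if doc.get("issuer") != issuer:  # must match exactly, trailing slash included
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    jwks = doc.get("jwks_uri")
    if not jwks:
        problems.append("jwks_uri missing")
    elif urlsplit(jwks).scheme != "https":
        problems.append("jwks_uri is not https")
    return problems

def classify(exc):
    """Map a fetch failure to the layer that caused it."""
    if isinstance(exc, json.JSONDecodeError):
        return "not-json"
    if isinstance(exc, urllib.error.HTTPError):
        return "http"
    cause = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(cause, ssl.SSLCertVerificationError):
        return "tls-trust"  # CA that signed the ingress cert is not trusted here
    if isinstance(cause, socket.gaierror):
        return "dns"        # name does not resolve from this host or pod
    return "network"

def probe(issuer, ca_file=None):
    """Fetch and check the document, trusting only ca_file when given."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(discovery_url(issuer), context=ctx, timeout=5) as r:
            doc = json.load(r)
    except (OSError, ValueError) as exc:
        return [f"{classify(exc)}: {exc}"]
    return check_metadata(doc, issuer)
```

Running `probe` from the same network location as the API, with the CA bundle the API is meant to trust, separates a DNS failure from an untrusted self-signed certificate from an issuer string that differs from the configured one.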
