Unable to authenticate via OIDC with console browser #18092

Closed
georgethebeatle opened this issue Aug 31, 2023 · 3 comments

@georgethebeatle

Description

Kyma Version: 2.17.1
Browser Name: w3m
Browser Version: w3m version w3m/0.5.3+git20210102, options lang=en,m17n,image,color,ansi-color,mouse,gpm,menu,cookie,ssl,ssl-verify,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark,migemo
Operating System: Ubuntu 22.04.3 LTS

We are trying to perform kubectl operations against a Kyma cluster using the kubeconfig provided by the BTP cockpit. As we are in a no-GUI environment, we are using the w3m console browser. In order to use this browser we have added the --browser parameter to the oidc config section of the kubeconfig, as can be seen below:

---
apiVersion: v1
kind: Config
current-context: shoot--kyma--c-97ef3b0
clusters:
- name: shoot--kyma--c-97ef3b0
  cluster:
    certificate-authority-data: <sanitized>
    server: https://api.c-97ef3b0.kyma.ondemand.com
contexts:
- name: shoot--kyma--c-97ef3b0
  context:
    cluster: shoot--kyma--c-97ef3b0
    user: shoot--kyma--c-97ef3b0
users:
- name: shoot--kyma--c-97ef3b0
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - get-token
      - "--oidc-issuer-url=https://kyma.accounts.ondemand.com"
      - "--oidc-client-id=12b13a26-d993-4d0c-aa08-5f5852bbdff6"
      - "--oidc-extra-scope=email"
      - "--oidc-extra-scope=openid"
      - "--browser-command=w3m"
      command: kubectl-oidc_login

We are running kubectl get ns with this kubeconfig. The browser opens but gets stuck with the message: Your authentication request has been forwarded to the target system for processing.

Expected result

We are prompted for credentials. Upon entering valid credentials we can see kubectl output

Actual result

The browser opens but gets stuck with the message: Your authentication request has been forwarded to the target system for processing.

Steps to reproduce

Run KUBECONFIG=kyma-kubeconfig.yaml kubectl get ns, where kyma-kubeconfig.yaml is the yaml above.

Troubleshooting

We have tried the same command with several browsers with no success:

  • lynx
  • links
  • links2
  • elinks

Here is the w3m request log:

❯ cat ~/.w3m/request.log
GET / HTTP/1.0
User-Agent: w3m/0.5.3+git20210102
Accept: text/html, text/*;q=0.5, image/*, application/*, x-scheme-handler/*, video/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: localhost:8000

HTTP/1.0 302 Found
Content-Type: text/html; charset=utf-8
Location: https://kyma.accounts.ondemand.com/oauth2/authorize?access_type=offline&client_id=12b13a26-d993-4d0c-aa08-5f5852bbdff6&code_challenge=VhjpEadhjO0fysAkueYJfE76tLvvZokijVBrA58mgqg&code_challenge_method=S256&nonce=2erWQnNkbUrTsvEyowZli9rbFG8fObmct2RKxsWK714&redirect_uri=http%3A%2F%2Flocalhost%3A8000&response_type=code&scope=email+openid+openid&state=em96nMnvn_9bmxJqJ4-LYdbO4PB533TKuhrT_HONqwo
Date: Thu, 31 Aug 2023 09:24:21 GMT
Content-Length: 447

HTTPS: request via SSL
GET /oauth2/authorize?access_type=offline&client_id=12b13a26-d993-4d0c-aa08-5f5852bbdff6&code_challenge=VhjpEadhjO0fysAkueYJfE76tLvvZokijVBrA58mgqg&code_challenge_method=S256&nonce=2erWQnNkbUrTsvEyowZli9rbFG8fObmct2RKxsWK714&redirect_uri=http%3A%2F%2Flocalhost%3A8000&response_type=code&scope=email+openid+openid&state=em96nMnvn_9bmxJqJ4-LYdbO4PB533TKuhrT_HONqwo HTTP/1.0
User-Agent: w3m/0.5.3+git20210102
Accept: text/html, text/*;q=0.5, image/*, application/*, x-scheme-handler/*, video/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: kyma.accounts.ondemand.com

HTTP/1.1 302
Date: Thu, 31 Aug 2023 09:24:20 GMT
Server: SAP
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-IDS-ID: B4294DCD-50D4-417B-8CDE-1B3CC8408C81
Location: https://kyma.accounts.ondemand.com/saml2/idp/sso?sp=garden-kyma&RelayState=access_type%3Doffline%26client_id%3D12b13a26-d993-4d0c-aa08-5f5852bbdff6%26code_challenge%3DVhjpEadhjO0fysAkueYJfE76tLvvZokijVBrA58mgqg%26code_challenge_method%3DS256%26nonce%3D2erWQnNkbUrTsvEyowZli9rbFG8fObmct2RKxsWK714%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A8000%26response_type%3Dcode%26scope%3Demail%2Bopenid%2Bopenid%26state%3Dem96nMnvn_9bmxJqJ4-LYdbO4PB533TKuhrT_HONqwo
Content-Language: en
Content-Length: 0
Vary: X-CSP-STRIP
X-IDS-Node: idp11
X-IDS-Pool: green
X-IDS-Project: prod
X-IDS-Landscape: eu-nl-1
Referrer-Policy: origin
X-Robots-Tag: none
X-Content-Type-Options: nosniff
Cache-Control: private,no-cache,no-store
Connection: close

HTTPS: request via SSL
GET /saml2/idp/sso?sp=garden-kyma&RelayState=access_type%3Doffline%26client_id%3D12b13a26-d993-4d0c-aa08-5f5852bbdff6%26code_challenge%3DVhjpEadhjO0fysAkueYJfE76tLvvZokijVBrA58mgqg%26code_challenge_method%3DS256%26nonce%3D2erWQnNkbUrTsvEyowZli9rbFG8fObmct2RKxsWK714%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A8000%26response_type%3Dcode%26scope%3Demail%2Bopenid%2Bopenid%26state%3Dem96nMnvn_9bmxJqJ4-LYdbO4PB533TKuhrT_HONqwo HTTP/1.0
User-Agent: w3m/0.5.3+git20210102
Accept: text/html, text/*;q=0.5, image/*, application/*, x-scheme-handler/*, video/*
Accept-Encoding: gzip, compress, bzip, bzip2, deflate
Accept-Language: en;q=1.0
Host: kyma.accounts.ondemand.com

HTTP/1.1 200
Date: Thu, 31 Aug 2023 09:24:20 GMT
Server: SAP
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-IDS-ID: 401626A3-F91E-406E-95F9-6E1DB5CBF97A
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private,no-cache,no-store
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Security-Policy: script-src 'self' consent.trustarc.com 'nonce-Wqs1BkqfY9lhIaCOQ+I1I72R23LQY9ci/wKgYOFCKs0='
x-xss-protection: 1; mode=block
vary: accept-encoding,X-CSP-STRIP
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Content-Language: en
Set-Cookie: arcf94499=<sanitized>; Path=/; HttpOnly; Secure
Set-Cookie: XSRF_COOKIE=<sanitized>; Path=/; Secure; HttpOnly
Set-Cookie: JSESSIONID=<sanitized>; Path=/; Secure; HttpOnly
X-IDS-Node: idp05
X-IDS-Pool: green
X-IDS-Project: prod
X-IDS-Landscape: eu-nl-1
Referrer-Policy: origin
X-Robots-Tag: none
X-Content-Type-Options: nosniff
Connection: close

@danail-branekov
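The request log above is a standard OIDC authorization-code flow with PKCE: kubectl-oidc_login listens on localhost:8000, redirects the browser to the issuer's /oauth2/authorize with a code_challenge (S256), a state and a nonce, and waits for the IdP to send the browser back with a code. The Python below is an added example, not the plugin's or Kyma's code, written to make those steps and their checks visible without any network access: it derives the challenge from a verifier, builds the same authorize URL the log shows (endpoint, client_id and redirect_uri are copied from the log; a real client would take the endpoint from the issuer's discovery document), validates a constructed callback request against the expected state, and assembles the token request that carries the code_verifier. The callback request line and the authorization code in it are constructed sample data.

```python
"""Headless walk-through of the OIDC authorization-code + PKCE exchange
that kubectl-oidc_login performs for the kubeconfig in this issue.

Added example, not the plugin's code. Endpoint, client_id and
redirect_uri are taken from the issue's w3m request log; nothing here
talks to the network.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# From the request log; normally read from <issuer>/.well-known/openid-configuration.
AUTHORIZE_ENDPOINT = "https://kyma.accounts.ondemand.com/oauth2/authorize"
CLIENT_ID = "12b13a26-d993-4d0c-aa08-5f5852bbdff6"
REDIRECT_URI = "http://localhost:8000"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    The challenge is sent in the authorize URL; the verifier stays with
    the client and is only revealed in the token request, so an attacker
    who merely observes the redirect cannot redeem the code."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(challenge: str, state: str, nonce: str,
                        scopes=("email", "openid")) -> str:
    """Build the /oauth2/authorize URL seen in the log.

    'openid' is mandatory for OIDC, so it is appended if absent; the
    list is deduplicated (the log shows 'openid' requested twice)."""
    scope = " ".join(dict.fromkeys((*scopes, "openid")))
    params = {
        "access_type": "offline",
        "client_id": CLIENT_ID,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "nonce": nonce,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,  # urlencode renders spaces as '+', as in the log
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(request_line: str, expected_state: str) -> str:
    """Extract the authorization code from the browser's GET back to the
    local listener, refusing it unless 'state' matches what we sent
    (this is the CSRF / mix-up check on the redirect)."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method on callback: " + method)
    query = parse_qs(urlsplit(target).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    got_state = query.get("state", [""])[0]
    if not hmac.compare_digest(got_state.encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: callback was not issued for this request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request_body(code: str, verifier: str) -> str:
    """Form body for the POST to the token endpoint. The code_verifier
    proves to the IdP that this client started the flow."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    })


if __name__ == "__main__":
    verifier, challenge = make_pkce()
    state = b64url(secrets.token_bytes(32))
    nonce = b64url(secrets.token_bytes(32))
    print("authorize URL:", build_authorize_url(challenge, state, nonce))
    # Constructed callback, as the IdP would redirect the browser back:
    callback = "GET /?code=SplxlOBeZQQYbYS6WxSbIA&state=%s HTTP/1.1" % state
    code = parse_callback(callback, state)
    print("token request body:", token_request_body(code, verifier))
```

The state check is the step a console-browser setup still depends on: whatever the IdP does in between, the code is only accepted if the browser returns to localhost:8000 with the state this process generated. The RFC 7636 Appendix B test vector can be used to confirm the S256 derivation.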

@kyma-bot (Contributor)

This issue or PR has been automatically marked as stale due to the lack of recent activity.
Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 7d of inactivity since lifecycle/stale was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Close this issue or PR with /close

If you think that I work incorrectly, kindly raise an issue with the problem.

/lifecycle stale

@kyma-bot kyma-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 30, 2023
@pbochynski pbochynski removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 3, 2023
@kyma-bot (Contributor) commented Jan 2, 2024

This issue or PR has been automatically marked as stale due to the lack of recent activity.
Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 7d of inactivity since lifecycle/stale was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Close this issue or PR with /close

If you think that I work incorrectly, kindly raise an issue with the problem.

/lifecycle stale

@kyma-bot kyma-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 2, 2024
@tobiscr tobiscr removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 3, 2024
@pbochynski pbochynski self-assigned this Jan 4, 2024
@pbochynski (Contributor)

I assume that the goal is to interact with the Kyma cluster in an automated way (script, CI/CD). We are working on an alternative solution so that you can get a kubeconfig without the OIDC plugin:
