new provider to support Aliyun iDaas / Alibaba OIDC (userInfo fix, should be easy)

[Gourds]

here is my vouch proxy config
https://gist.github.com/Gourds/354df4f711d1f394c925a3ddaf8e7754

nginx vouch config: https://gist.github.com/Gourds/ae0fde3ecc24b6e0afd9165eac7e8874
nginx protect app config: https://gist.github.com/Gourds/915f2ddd96c6f6d4729165108d603ee3
here is vouch-proxy debug log
https://gist.github.com/Gourds/844b7c5ed53c8790d7b151733ce4267f

In debug mode,
when i go to my protect site eg: http://test_sso_nginx_a.taiheops.com:2081
it will redirect to http://vouch.taiheops.com:2081/login?url=http://test_sso_nginx_a.taiheops.com:2081/&vouch-failcount=&X-Vouch-Token=&error=
then,
when i click login button , the return code is 400,
click logout button, return msg is /logout you have been logged out,
click validate buttion , return msg is no jwt found in request,

I think there is a problem with my configuration, but I tried many methods, and I also read related issues and instructions and still can’t solve it.

[bnfinet]

Try adding the host header to your protected app config /validate block. Which IdP is the provider? Please supply a full log that includes startup of VP.

…

On Wed, Dec 16, 2020, 1:32 AM Guo YaFeng ***@***.***> wrote: here is my vouch proxy config https://gist.github.com/Gourds/354df4f711d1f394c925a3ddaf8e7754 nginx vouch config: https://gist.github.com/Gourds/ae0fde3ecc24b6e0afd9165eac7e8874 nginx protect app config: https://gist.github.com/Gourds/915f2ddd96c6f6d4729165108d603ee3 here is vouch-proxy debug log https://gist.github.com/Gourds/844b7c5ed53c8790d7b151733ce4267f In debug mode, when i go to my protect site eg: http://test_sso_nginx_a.taiheops.com:2081 it will redirect to http://vouch.taiheops.com:2081/login?url=http://test_sso_nginx_a.taiheops.com:2081/&vouch-failcount=&X-Vouch-Token=&error= then, when i click login button , the return code is 400, click logout button, return msg is /logout you have been logged out, click validate buttion , return msg is no jwt found in request, I think there is a problem with my configuration, but I tried many methods, and I also read related issues and instructions and still can’t solve it. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#344>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJUV26QCRLGGYC4WYGDFJDSVB5D3ANCNFSM4U5VQ2ZQ> .

[Gourds]

Did you mean add proxy_set_header Host $http_host; to mylocation = /vouch-validate block,
now log is here https://gist.github.com/Gourds/a3bddfed547193f5da51fb1ac8065839
And My idp is Aliyun iDaas service ,Here is their Oauth2 Document
https://www.alibabacloud.com/help/doc-detail/147465.htm?spm=a2c63.l28256.b99.19.507514fc5yig2G

[bnfinet]

@Gourds

Did you mean add proxy_set_header Host $http_host; to mylocation = /vouch-validate block,

Yes

The log you supplied is not a full round trip including startup.

What's there shows a successful authentication and issuing a VP token/cookie.

[Gourds]

I see the following log in the vouch-proxy log, it should be successfully authenticated with idP ?

2020-12-21T06:38:35.530Z INFO |200| 385.063885ms /auth {"statusCode": 200, "request": 9, "latency": "385.063885ms", "avgLatency": "43.071887ms", "ipPort": "172.17.0.1:44419", "method": "GET", "host": "vouch.taiheops.com", "path": "/auth", "referer": "http://vouch.taiheops.com:2081/"}

the vouch-proxy full log is there: https://gist.github.com/5f220728c6829ce8e520d95e0dc68565#file-vouch_log_2-log

[bnfinet]

@Gourds that log appears to show VP working normally

Are you able to navigate to your protected site after logging in at your IdP? Instead of /logout you should click the link at the bottom to your original destination

[Gourds]

when i click the the link at the bottom

client_id=97237f99deaa7c64b099b2709496c472ARO5UZBICAE&redirect_uri=http%3A%2F%2Fvouch.taiheops.com%3A2081%2Fauth&response_type=code&scope=read&state=Iq6euTiMIsv9SER2D8Acsix6rOfcUBt
http://test_sso_nginx_a.taiheops.com:2081/

the vouch-proxy page will be show 302 redirect to: http://test_sso_nginx_a.taiheops.com:2081/
this is right address but the response is 400 Bad Request

My service start URL is

https://ynfyvjwiaw.login.aliyunidaas.com/api/bff/v1.2/enduser/portal/sso/go_d501aa5d2d3f30b7b4dd35e44fbe72bap3rsFb9dlFs?access_token=e5710f56-3248-4900-a72c-cc1b941eb646

when i click it，the page will go to

http://vouch.taiheops.com:2081/auth?code=UgHg8K&state=0bbc8f9593afaeb5c18edd0dede2f2b9U2zOT422F72_idp
the page is vouch-proxy page and also display 400 Bad Request

[aaronpk]

That's funny, I was fighting the same issue this evening. Can you check your nginx access logs to see if the browser is making a request to favicon.ico that's getting caught by vouch?

[Gourds]

2020/12/22 02:18:26 [warn] 3231#0: *202 an upstream response is buffered to a temporary file /var/lib/nginx/tmp/proxy/5/00/0000000005 while reading upstream, client: 123.126.87.108, server: vouch.taiheops.com, request: "GET /static/img/favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:9090/static/img/favicon.ico", host: "vouch.taiheops.com:2081", referrer: "http://vouch.taiheops.com:2081/auth?code=HapCEm&state=JB154jsVi6bl98G9e9iaUfhDV5JN0RB"
@aaronpk There are indeed some similar logs, how to solve this problem

[Gourds]

I haven't solved this problem.@aaronpk @bnfinet

[bnfinet]

@Gourds Could you please confirm that your nginx and VP configs have not changed and then upload a full cycle log again.

After that, please adjust your 'oauth.scopes' to be similar to the OIDC example config and then upload a full cycle VP log.

[Gourds]

@Gourds Could you please confirm that your nginx and VP configs have not changed and then upload a full cycle log again.

After that, please adjust your 'oauth.scopes' to be similar to the OIDC example config and then upload a full cycle VP log.

The log of the previous configuration unchanged：https://gist.github.com/Gourds/6e48dd3af121cb44399bbeb7619bfb7a
Looks the same as before.

I tested before that changing the oauth.scopes parameter does not take effect, because according to Aliyun's documentation, only the read parameter should be supported.
when i change the vp scopes config to

...
  scopes:
    #- read
    - openid
    - email
...

log file is below
https://gist.github.com/ef955e8d60c13c493650a0e6c43cbf64

[bnfinet]

@Gourds those logs continue to show VP working as expected. It does appear that multiple requests are coming in at once. There's a fix in the recent v0.20.0 which may be helpful. Could you please pull the most recent code (or Docker image) and see if that improves thing?

[Gourds]

@Gourds those logs continue to show VP working as expected. It does appear that multiple requests are coming in at once. There's a fix in the recent v0.20.0 which may be helpful. Could you please pull the most recent code (or Docker image) and see if that improves thing?

I upgraded the version to 0.20.0, the following is the log of the current VP

https://gist.github.com/Gourds/a9bffa692e9f5c16853d492314682082

In addition, I want to know whether the auth, login, and validata interfaces should be ok in debug mode