[Bug]: v3.7.1 break the OIDC integration with Okta #6812

Closed
hanyouqing opened this issue Nov 15, 2024 · 6 comments · Fixed by #6837
Labels
bug An issue reporting a potential bug

Comments

@hanyouqing
Contributor

hanyouqing commented Nov 15, 2024

Version

edge

What Kubernetes platforms are you running on?

Other

Steps to reproduce

Background

We were running with v3.6.1 before upgrading to v3.7.1. The services integrated with Okta follow the docs below and work well.

Steps to Reproduce

  • Deploy ingress v3.6.1 and virtualserver with Okta integration
  • Upgrade to v3.7.1
  • Try to log in with Okta; got NGINX / OpenID Connect login failure
@hanyouqing hanyouqing added bug An issue reporting a potential bug needs triage An issue that needs to be triaged labels Nov 15, 2024

Hi @hanyouqing thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

@j1m-ryan
Member

Hi @hanyouqing, thanks for reporting. I have replicated this.
I get this error after upgrading and hitting an endpoint behind oidc.

10.244.0.1 - - [20/Nov/2024:11:38:58 +0000] "GET /coffee HTTP/1.1" 302 145 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0" "-"
2024/11/20 11:38:59 [error] 38#38: *4 js: OIDC error from IdP when sending authorization code: invalid_client, Client authentication failed. Either the client or the client credentials are invalid.
10.244.0.1 - - [20/Nov/2024:11:38:59 +0000] "GET /_codexch?code=_hYrI8BRFHdoj6XB9YheA5_n8TgSNk2XjaGHGXn1g2w&state=0 HTTP/1.1" 502 37 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0" "-"

We are looking into this.
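
The failure signature in the log lines above (an IdP error from the njs OIDC code followed by a 5xx on the `/_codexch` callback) can be checked for mechanically after an upgrade. The following is an added example, not code from the NGINX Ingress Controller project or from anyone in this thread; the sample lines are constructed from the ones quoted above with the authorization code replaced by a placeholder, and the function names are hypothetical.

```javascript
// Added example: flag failed OIDC code exchanges in NGINX logs.
// SAMPLE_LOG is constructed from the lines quoted in this thread; the
// authorization code is replaced with a placeholder.
const SAMPLE_LOG = [
  '10.244.0.1 - - [20/Nov/2024:11:38:58 +0000] "GET /coffee HTTP/1.1" 302 145 "-" "Mozilla/5.0" "-"',
  '2024/11/20 11:38:59 [error] 38#38: *4 js: OIDC error from IdP when sending authorization code: ' +
    'invalid_client, Client authentication failed. Either the client or the client credentials are invalid.',
  '10.244.0.1 - - [20/Nov/2024:11:38:59 +0000] "GET /_codexch?code=PLACEHOLDER_CODE&state=0 HTTP/1.1" 502 37 "-" "Mozilla/5.0" "-"',
];

// Error-log line written when the IdP rejects the token request.
const IDP_ERROR = /^(\S+ \S+) \[error\] .*? js: OIDC error from IdP when sending authorization code: ([a-z_]+), (.*)$/;
// Access-log line: client, timestamp, method, URI, status.
const ACCESS = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Authorization codes are credentials; keep them out of findings.
function redactCode(uri) {
  return uri.replace(/([?&]code=)[^&\s]*/, '$1<redacted>');
}

// Hypothetical helper: pair each failed /_codexch callback (5xx) with the
// IdP error logged just before it, so the cause is visible in one record.
function findOidcExchangeFailures(lines) {
  const findings = [];
  let pending = null; // latest IdP error not yet attached to a callback
  for (const line of lines) {
    const err = IDP_ERROR.exec(line);
    if (err) {
      pending = { loggedAt: err[1], idpError: err[2], detail: err[3] };
      continue;
    }
    const acc = ACCESS.exec(line);
    if (!acc) continue; // not an access-log line we understand
    const [, client, time, method, uri, status] = acc;
    if (uri.startsWith('/_codexch') && Number(status) >= 500) {
      findings.push({
        client, time, method, uri: redactCode(uri), status: Number(status),
        idpError: pending ? pending.idpError : null,
        detail: pending ? pending.detail : null,
      });
      pending = null;
    }
  }
  return findings;
}

console.log(findOidcExchangeFailures(SAMPLE_LOG));
```

A finding with `idpError` set to `invalid_client` on every login attempt right after an upgrade points at the token request itself rather than at a single user's session.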

@bj0rn

bj0rn commented Nov 21, 2024

It appears that the problem lies in the return value at this location, where an object is returned instead of a string. However, a string is expected at this location.

After modifying the generateTokenRequestParams function to return a string, the OIDC flow started functioning as expected.

@anderius

This error was introduced here: #6760

Just to clarify: This means that 3.7.0 works (but without the security fix above), and 3.7.1 does not. And it is not in any way limited to Okta.

@vepatel
Contributor

vepatel commented Nov 21, 2024

Hey folks, we've a fix coming

@vepatel vepatel linked a pull request Nov 21, 2024 that will close this issue
@github-project-automation github-project-automation bot moved this from Todo ☑ to Done 🚀 in NGINX Ingress Controller Nov 21, 2024
@vepatel vepatel removed the needs triage An issue that needs to be triaged label Nov 22, 2024
@vepatel
Contributor

vepatel commented Nov 26, 2024

Hey @anderius @bj0rn @hanyouqing, the fix is now available in the 3.7.2 release.
