Login Redirection Issue for Users in Multiple Microsoft Groups Due to Nonce Mismatch in Dex Integration #6989

Open
mihiragrawal opened this issue Nov 4, 2024 · 2 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug.)

@mihiragrawal

What happened?

When certain users attempt to log in to Kubermatic, they are redirected back to the dashboard page without successfully logging in. This issue appears to affect users who are members of multiple groups in Microsoft. The setup uses Dex integrated with Microsoft as the authentication connector.

Upon investigation, we observed that the nonce cookie value differs between the one sent from the dashboard and the value present in the ID token, which may be causing authentication failures for these users.

Expected behavior

Affected users should be successfully logged into Kubermatic without being redirected back to the dashboard, with consistent nonce values between the dashboard and the ID token.

How to reproduce the issue?

1. Set up Dex with Microsoft as an authentication connector in Kubermatic.
2. Include users who are members of multiple Microsoft groups.
3. Attempt to log in with these users and observe if they are redirected back to the dashboard instead of being logged in.
4. Check the nonce cookie values for discrepancies between the dashboard request and the ID token.

How is your environment configured?

  • KKP version: v2.26.0
  • Shared or separate master/seed clusters?: Separate master/seed

Provide your KKP manifest here (if applicable)

# paste manifest here

What cloud provider are you running on?

vSphere

What operating system are you running in your user cluster?

Ubuntu 20.04

Additional information

The Dex Helm values configuration may be relevant to diagnosing the issue. Below is the relevant configuration:

```yaml
dex:
  ingress:
    hosts:
      - host: "kubermatic.test.example.com"
        paths:
          - path: /dex
            pathType: ImplementationSpecific
    tls:
      - secretName: dex-tls
        hosts:
          - "kubermatic.test.example.com"
  connectors:
    - type: microsoft
      id: microsoft
      name: Microsoft
      config:
        clientID: $SECRET_clientID
        clientSecret: $SECRET_clientSecret
        redirectURI: https://kubermatic.test.example.com/dex/callback
        tenant: $SECRET_tenant
        groups:
          - abc
          - xyz
```

@mihiragrawal mihiragrawal added the kind/bug Categorizes issue or PR as related to a bug. label Nov 4, 2024
@Waseem826

/transfer dashboard

@kubermatic-bot kubermatic-bot transferred this issue from kubermatic/kubermatic Nov 14, 2024
@Waseem826

Waseem826 commented Nov 14, 2024

I did some initial investigation and it seems the error occurs when the ID token length is longer than 4096 because the dashboard saves the ID token in a cookie and the maximum allowed size for cookies is 4096 bytes.

@ahmadhamzh ahmadhamzh self-assigned this Nov 18, 2024
@Waseem826 Waseem826 added this to the KKP 2.27 milestone Nov 19, 2024
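
A way to test the cookie-size hypothesis from the comment above against a captured ID token (added example, not code from the Kubermatic dashboard or Dex). The cookie name `token`, the GUID-shaped group values, and the sample tokens are constructed assumptions; the payload is decoded for inspection only, without signature verification.

```javascript
// Added diagnostic example; not code from the Kubermatic dashboard or Dex.
// Assumptions: the cookie name "token" and the 4096-byte per-cookie limit
// quoted in the comment above; tokens below are constructed and unsigned.
const COOKIE_LIMIT_BYTES = 4096;

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build a constructed JWT-shaped string (fake signature) with n group claims.
function makeSampleToken(nonce, groupCount) {
  const groups = Array.from({ length: groupCount }, (_, i) =>
    `00000000-0000-4000-8000-${String(i).padStart(12, '0')}`);
  const payload = { iss: 'https://kubermatic.test.example.com/dex',
                    sub: 'constructed-user', nonce, groups };
  return [b64url({ alg: 'RS256', typ: 'JWT' }), b64url(payload),
          'A'.repeat(342)].join('.'); // 342 chars: typical RS256 signature size
}

// Decode the payload for inspection only; this does NOT verify the signature.
function decodePayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Report whether the token fits in one cookie and whether its nonce matches
// the nonce the client generated for this login attempt.
function inspectIdToken(idToken, expectedNonce, cookieName = 'token') {
  const claims = decodePayload(idToken);
  const cookieBytes = Buffer.byteLength(`${cookieName}=${idToken}`, 'utf8');
  return {
    groupCount: Array.isArray(claims.groups) ? claims.groups.length : 0,
    cookieBytes,
    fitsInCookie: cookieBytes <= COOKIE_LIMIT_BYTES,
    nonceMatches: claims.nonce === expectedNonce,
  };
}

// Constructed inputs: the same user with 2, 40 and 120 group memberships.
const nonce = 'constructed-nonce-123';
for (const n of [2, 40, 120]) {
  console.log(n, inspectIdToken(makeSampleToken(nonce, n), nonce));
}
```

To inspect a real login, pass the ID token from the Dex callback and the nonce the dashboard set for that attempt to `inspectIdToken`.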