
OIDC authorization error: 400 bad request #390

Open
07nava opened this issue Feb 9, 2023 · 4 comments
@07nava

07nava commented Feb 9, 2023

Hi All,

Here are the steps in detail.

I followed the mentioned link to install Skooner:

```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: skooner
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: skooner
  template:
    metadata:
      labels:
        k8s-app: skooner
    spec:
      containers:
      - name: skooner
        image: ghcr.io/skooner-k8s/skooner:stable
        ports:
        - containerPort: 4654
        livenessProbe:
          httpGet:
            scheme: HTTP
            path: /
            port: 4654
          initialDelaySeconds: 30
          timeoutSeconds: 30
        env:
        # OIDC settings are read from the "skooner" Secret created below
        - name: OIDC_URL
          valueFrom:
            secretKeyRef:
              name: skooner
              key: url
        - name: OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: skooner
              key: id
        - name: OIDC_SECRET
          valueFrom:
            secretKeyRef:
              name: skooner
              key: secret
      nodeSelector:
        'beta.kubernetes.io/os': linux
```

```yaml
apiVersion: v1
kind: Service
metadata:
  name: skooner
  namespace: kube-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-internal: "false"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:551934631674:certificate/3f4ac15a-3936-4f69-b393-7d257633beb3
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 4654
  selector:
    k8s-app: skooner
  sessionAffinity: None
  type: LoadBalancer
```

```shell
OIDC_URL=https://cuserskooner.auth.us-west-2.amazoncognito.com/oauth2/token
OIDC_ID=***
OIDC_SECRET=***

# Secret keys (url, id, secret) must match the secretKeyRef keys in the Deployment
kubectl create secret -n kube-system generic skooner \
  --from-literal=url="$OIDC_URL" \
  --from-literal=id="$OIDC_ID" \
  --from-literal=secret="$OIDC_SECRET"
```

Pod error logs:

```
POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://10.100.0.1:443
2023-02-07T07:46:03.526Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 403
An error occurred during the request OPError: expected 200 OK, got: 400 Bad Request
    at processResponse (/usr/src/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)
    at Function.discover (/usr/src/app/node_modules/openid-client/lib/issuer.js:179:18)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async getOidcProvider (/usr/src/app/index.js:143:20)
    at async getOidcEndpoint (/usr/src/app/index.js:132:22)
    at async getOidc (/usr/src/app/index.js:80:30) {
  error: 'expected 200 OK, got: 400 Bad Request'
}
GET /oidc
```

Thanks for reading and supporting.
Navamaniraj.M

07nava changed the title from "POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 403 An error occurred during the request OPError: expected 200 OK, got: 400 Bad Request" to "OIDC authorization error: 400 bad request" on Feb 9, 2023

@yuqiuw (Collaborator)

yuqiuw commented Feb 15, 2023

Not sure where the issue lies; could you follow the Troubleshooting section in our README and attach some screenshots of the errors you saw?

Also make sure your script doesn't end with a `:

```shell
kubectl create secret -n kube-system generic skooner
--from-literal=url=$OIDC_URL
--from-literal=id=$OIDC_ID
--from-literal=secret=$OIDC_SECRET`
```

@07nava (Author)

07nava commented Feb 17, 2023

Hi @yuqiuw,

Yes, the secret is already in place, and the values do not end with a `:

```shell
OIDC_URL=https://cuserskooner.auth.us-west-2.amazoncognito.com/oauth2/token
OIDC_ID=***
OIDC_SECRET=***

kubectl create secret -n kube-system generic skooner \
  --from-literal=url=$OIDC_URL \
  --from-literal=id=$OIDC_ID \
  --from-literal=secret=$OIDC_SECRET
```

(Screenshot attached: "Screenshot 2023-02-17 at 2.02.03 PM")

@yuqiuw (Collaborator)

yuqiuw commented Mar 7, 2023

Could you attach the logs generated on the server side by `kubectl logs deploy/skooner --namespace=kube-system`?

Sorry for the late response; we're also just part-time voluntary maintainers, and I've recently been too busy with work inside the team.

@sateesh4b

sateesh4b commented Mar 24, 2023

Hi, please find the log details:

```
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://10.100.0.1:443
2023-03-24T13:00:05.923Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 201
An error occurred during the request OPError: expected 200 OK, got: 403 Forbidden
    at processResponse (/usr/src/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)
    at Function.discover (/usr/src/app/node_modules/openid-client/lib/issuer.js:179:18)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async getOidcProvider (/usr/src/app/index.js:143:20)
    at async getOidcEndpoint (/usr/src/app/index.js:132:22)
    at async getOidc (/usr/src/app/index.js:80:30) {
  error: 'expected 200 OK, got: 403 Forbidden'
}
GET /oidc

2023-03-24T13:27:45.203Z GET /oidc 500
```

We added the respective ClusterRole and ClusterRoleBindings as well.
@yuqiuw Please help with it.
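Both logs in this thread fail at the same place: openid-client's `Issuer.discover` is called with `OIDC_URL` and gets a 400 (first post) or a 403 (comment above) instead of a discovery document. That HTTP request goes from the Skooner pod to the identity provider, so cluster RBAC (the ClusterRole and bindings mentioned above, which govern the `selfsubjectrulesreviews` calls to the API server) has no effect on it. The script below is an added example for this thread, not Skooner's own code: it rebuilds the discovery URL the way OpenID Connect Discovery 1.0 defines it (the well-known path appended to the issuer), checks the stored value for the stray trailing characters the maintainer asked about, and validates the response. The `issuer.example` host and `SAMPLE_DOC` are constructed, not captured from any provider, and the assumption that Skooner hands `OIDC_URL` straight to discovery is taken from the stack trace.

```python
"""Reproduce, outside the cluster, the OIDC discovery request that fails in
the Skooner logs (OPError raised from openid-client's Issuer.discover).

Added example for this issue thread, not Skooner code. The sample discovery
document and the issuer.example host are constructed.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Fields an authorization-code login needs from the discovery document
# (OpenID Connect Discovery 1.0, section 3).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def clean_value(raw: str) -> Tuple[str, List[str]]:
    """Strip a secret value and report what had to be stripped.

    `kubectl create secret --from-literal` stores the shell variable verbatim,
    so a trailing newline, or a backtick pasted from a Markdown code fence,
    ends up inside the container's OIDC_URL and breaks the discovery request.
    """
    problems: List[str] = []
    value = raw
    if value != value.strip():
        problems.append("leading/trailing whitespace or newline")
        value = value.strip()
    if value.startswith("`") or value.endswith("`"):
        problems.append("stray backtick")
        value = value.strip("`")
    return value, problems


def discovery_url(issuer: str) -> str:
    """Discovery URL for an issuer (OpenID Connect Discovery 1.0, section 4.1).

    The well-known path is appended to the issuer URL, so configuring an
    endpoint such as .../oauth2/token as the issuer yields a discovery path
    the provider does not serve.
    """
    parts = urlsplit(issuer)
    if "/.well-known/" in parts.path:
        return issuer
    path = parts.path.rstrip("/") + WELL_KNOWN
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def check_document(doc: Dict[str, object], configured_issuer: str) -> List[str]:
    """Validate a parsed discovery document against the configured OIDC_URL."""
    errors = [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    issuer = doc.get("issuer")
    # Section 4.3: the issuer in the document must match the URL it was fetched under.
    if isinstance(issuer, str) and issuer.rstrip("/") != configured_issuer.rstrip("/"):
        errors.append(f"issuer mismatch: document says {issuer!r}")
    return errors


def fetch_and_check(configured: str, timeout: float = 10.0) -> List[str]:
    """Live check: GET the discovery document and validate it (needs network).

    Returns an empty list when the configured value is usable as an OIDC issuer.
    """
    value, problems = clean_value(configured)
    errors = [f"OIDC_URL has {p}" for p in problems]
    url = discovery_url(value)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            doc = json.load(resp)
    except urllib.error.HTTPError as exc:
        # The condition the pod reports: expected 200 OK, got 400 / 403.
        return errors + [f"GET {url} -> {exc.code} {exc.reason}"]
    except (urllib.error.URLError, ValueError) as exc:
        return errors + [f"GET {url} failed: {exc}"]
    return errors + check_document(doc, value)


# Constructed sample in the shape of a discovery response; not from a real provider.
SAMPLE_DOC = {
    "issuer": "https://issuer.example",
    "authorization_endpoint": "https://issuer.example/oauth2/authorize",
    "token_endpoint": "https://issuer.example/oauth2/token",
    "jwks_uri": "https://issuer.example/.well-known/jwks.json",
}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} OIDC_URL")
    for line in fetch_and_check(sys.argv[1]) or ["OK"]:
        print(line)
```

Run it against the exact bytes stored in the secret rather than a retyped value, e.g. `python3 check_oidc.py "$(kubectl get secret -n kube-system skooner -o jsonpath='{.data.url}' | base64 -d)"`, so whitespace or a stray backtick in the stored value is reported alongside the HTTP result. For a Cognito user pool the OIDC issuer is `https://cognito-idp.<region>.amazonaws.com/<user-pool-id>`; the hosted-UI `/oauth2/token` URL is a token endpoint, and appending the well-known path to it does not yield a discovery document.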
