Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC Login with AzureAD POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401 #430

Open
tomroberts-srt opened this issue Nov 21, 2023 · 6 comments
Open

OIDC Login with AzureAD POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401 #430

tomroberts-srt opened this issue Nov 21, 2023 · 6 comments

Comments

@tomroberts-srt
Copy link

Has anyone had any luck with setting up OIDC login with AzureAD?

The behaviour we're experiencing is after hitting the base URL of skooner, the application sends us through AAD OIDC, then redirects back to skooner with with invalid credentials and then it loops and redirects back to AAD, and keeps looping

We've set up an app in AAD with a redirect to the base url of our skooner app.

We've added the environment variables for

  • OIDC_URL: https://login.microsoftonline.com/<directory (tenant) id>/v2.0/.well-known/openid-configuration
  • OIDC_CLIENT_ID: <application (client) id>
  • OIDC_SECRET: <client secret>

We've added a cluster role per https://github.com/skooner-k8s/skooner/blob/master/provision/keycloak/skooner-oidc-patch.yaml

Logs sample:

API URL:  https://<redacted>:443
[HPM] Proxy created: /  -> https://<redacted>:443
[HPM] Subscribed to http-proxy events: [ 'error', 'proxyRes', 'close' ]
Server started. Listening on port 4654
Version Info:  {
    "buildDate": "2023-10-20T23:22:38Z",
    "compiler": "gc",
    "gitCommit": "9587e521d190ecb7ce201993ceea41955ed4a556",
    "gitTreeState": "clean",
    "gitVersion": "v1.25.15-eks-4f4795d",
    "goVersion": "go1.20.10",
    "major": "1",
    "minor": "25+",
    "platform": "linux/amd64"
}
Available APIs:  [
    "admissionregistration.k8s.io/v1",
    "apiextensions.k8s.io/v1",
    "apiregistration.k8s.io/v1",
    "apps/v1",
    "argoproj.io/v1alpha1",
    "authentication.k8s.io/v1",
    "authorization.k8s.io/v1",
    "autoscaling/v2",
    "batch/v1",
    "certificates.k8s.io/v1",
    "coordination.k8s.io/v1",
    "crd.k8s.amazonaws.com/v1alpha1",
    "custom.metrics.k8s.io/v1beta1",
    "discovery.k8s.io/v1",
    "elbv2.k8s.aws/v1beta1",
    "events.k8s.io/v1",
    "external-secrets.io/v1beta1",
    "flowcontrol.apiserver.k8s.io/v1beta2",
    "generators.external-secrets.io/v1alpha1",
    "kubernetes-client.io/v1",
    "metrics.k8s.io/v1beta1",
    "monitoring.coreos.com/v1",
    "networking.k8s.aws/v1alpha1",
    "networking.k8s.io/v1",
    "node.k8s.io/v1",
    "policy/v1",
    "rbac.authorization.k8s.io/v1",
    "scheduling.k8s.io/v1",
    "storage.k8s.io/v1",
    "vpcresources.k8s.aws/v1beta1"
]
2023-11-20T23:56:35.818Z GET / 200
2023-11-20T23:56:35.820Z GET / 200
2023-11-20T23:56:35.827Z GET / 200
2023-11-20T23:56:35.828Z GET / 200
2023-11-20T23:56:35.829Z GET / 200
2023-11-20T23:56:35.830Z GET / 200
2023-11-20T23:56:38.235Z GET / 304
2023-11-20T23:56:38.334Z GET /static/css/2.b522e268.chunk.css 304
2023-11-20T23:56:38.336Z GET /static/css/main.c514c7e6.chunk.css 304
2023-11-20T23:56:38.337Z GET /static/js/2.8ecea4b8.chunk.js 304
2023-11-20T23:56:38.377Z GET /static/js/main.3424f39b.chunk.js 304
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://<redacted>:443
VERBOSE REQUEST POST http <redacted-skooner-host> /apis/authorization.k8s.io/v1/selfsubjectrulesreviews {
  'x-forwarded-for': '<redacted>',
  'x-forwarded-proto': 'https',
  'x-forwarded-port': '443',
  host: '<redacted-skooner-host>',
  'x-amzn-trace-id': 'Root=1-655bf236-700acf2352f102a93c74d389',
  'content-length': '32',
  'sec-ch-ua': '"Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"',
  accept: 'application/json',
  'content-type': 'application/json',
  'sec-purpose': 'prefetch;prerender',
  'sec-ch-ua-mobile': '?0',
  'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36',
  'sec-ch-ua-platform': '"macOS"',
  origin: 'https://<redacted-skooner-host>',
  purpose: 'prefetch',
  'sec-fetch-site': 'same-origin',
  'sec-fetch-mode': 'cors',
  'sec-fetch-dest': 'empty',
  referer: 'https://<redacted-skooner-host>/',
  'accept-encoding': 'gzip, deflate, br',
  'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8',
  cookie: '_ga=GA1.2.1218866312.1671164319; _ga_4XJ7PLCNGM=GS1.2.1694048194.1.1.1694048198.0.0.0; mp_9bfb1dea1874f9ea59453846a9ccd7d3_mixpanel=%7B%22distinct_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24device_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22host%22%3A%20%22<redacted>>%22%2C%22appVersion%22%3A%20%221.105.11%22%2C%22product_tier%22%3A%20%22free%22%2C%22kubecostToken%22%3A%20%22not-applied%22%2C%22__mps%22%3A%20%7B%22%24os%22%3A%20%22Mac%20OS%20X%22%2C%22%24browser%22%3A%20%22Chrome%22%2C%22%24browser_version%22%3A%20114%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22alerts_count%22%3A%200%7D%2C%22__mpso%22%3A%20%7B%7D%2C%22__mpus%22%3A%20%7B%7D%2C%22__mpa%22%3A%20%7B%7D%2C%22__mpu%22%3A%20%7B%7D%2C%22__mpr%22%3A%20%5B%5D%2C%22__mpap%22%3A%20%5B%5D%2C%22uiVersion%22%3A%20%221.106.13%22%2C%22product_server_version%22%3A%20%221.25%2B%22%2C%22product_client_version%22%3A%20%221.106.3%22%7D'
}
VERBOSE RESPONSE 201 {
  'audit-id': '384d2212-53f1-4850-877f-9a28191a5785',
  'cache-control': 'no-cache, private',
  'content-type': 'application/json',
  'x-kubernetes-pf-flowschema-uid': 'ee72ade8-9803-4a34-8fa5-90ec68226b40',
  'x-kubernetes-pf-prioritylevel-uid': 'e020fd40-11cf-4ef3-bd37-667ede24cd04',
  date: 'Mon, 20 Nov 2023 23:56:38 GMT',
  'content-length': '874',
  connection: 'close'
}
2023-11-20T23:56:38.601Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 201
2023-11-20T23:56:39.345Z GET /oidc 304
2023-11-20T23:56:39.410Z GET /manifest.json 304
2023-11-20T23:56:39.487Z GET /logo.png 304
2023-11-20T23:56:39.845Z GET /?code=<redacted-code>state=https%3a%2f%2f<redacted-skooner-host>%2f&session_state=d695019d-3037-446b-9975-712b3a7560cc 200
2023-11-20T23:56:39.934Z GET /static/css/2.b522e268.chunk.css 304
2023-11-20T23:56:39.936Z GET /static/css/main.c514c7e6.chunk.css 304
2023-11-20T23:56:39.937Z GET /static/js/2.8ecea4b8.chunk.js 304
2023-11-20T23:56:39.954Z GET /static/js/main.3424f39b.chunk.js 304
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://<redacted>:443
VERBOSE REQUEST POST http <redacted-skooner-host> /apis/authorization.k8s.io/v1/selfsubjectrulesreviews {
  'x-forwarded-for': '<redacted>',
  'x-forwarded-proto': 'https',
  'x-forwarded-port': '443',
  host: '<redacted-skooner-host>',
  'x-amzn-trace-id': 'Root=1-655bf238-23706bdd72a670cf378801fb',
  'content-length': '32',
  'sec-ch-ua': '"Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"',
  accept: 'application/json',
  'content-type': 'application/json',
  'sec-ch-ua-mobile': '?0',
  'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36',
  'sec-ch-ua-platform': '"macOS"',
  origin: 'https://<redacted-skooner-host>',
  'sec-fetch-site': 'same-origin',
  'sec-fetch-mode': 'cors',
  'sec-fetch-dest': 'empty',
  referer: 'https://<redacted-skooner-host>/?code=<redacted-code>&state=https%3a%2f%2f<redacted-skooner-host>%2f&session_state=d695019d-3037-446b-9975-712b3a7560cc',
  'accept-encoding': 'gzip, deflate, br',
  'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8',
  cookie: '_ga=GA1.2.1218866312.1671164319; _ga_4XJ7PLCNGM=GS1.2.1694048194.1.1.1694048198.0.0.0; mp_9bfb1dea1874f9ea59453846a9ccd7d3_mixpanel=%7B%22distinct_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24device_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22host%22%3A%20%22<redacted>>%22%2C%22appVersion%22%3A%20%221.105.11%22%2C%22product_tier%22%3A%20%22free%22%2C%22kubecostToken%22%3A%20%22not-applied%22%2C%22__mps%22%3A%20%7B%22%24os%22%3A%20%22Mac%20OS%20X%22%2C%22%24browser%22%3A%20%22Chrome%22%2C%22%24browser_version%22%3A%20114%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22alerts_count%22%3A%200%7D%2C%22__mpso%22%3A%20%7B%7D%2C%22__mpus%22%3A%20%7B%7D%2C%22__mpa%22%3A%20%7B%7D%2C%22__mpu%22%3A%20%7B%7D%2C%22__mpr%22%3A%20%5B%5D%2C%22__mpap%22%3A%20%5B%5D%2C%22uiVersion%22%3A%20%221.106.13%22%2C%22product_server_version%22%3A%20%221.25%2B%22%2C%22product_client_version%22%3A%20%221.106.3%22%7D'
}
VERBOSE RESPONSE 201 {
  'audit-id': '7aa08da6-0482-40c4-8354-adc257e437aa',
  'cache-control': 'no-cache, private',
  'content-type': 'application/json',
  'x-kubernetes-pf-flowschema-uid': 'ee72ade8-9803-4a34-8fa5-90ec68226b40',
  'x-kubernetes-pf-prioritylevel-uid': 'e020fd40-11cf-4ef3-bd37-667ede24cd04',
  date: 'Mon, 20 Nov 2023 23:56:40 GMT',
  'content-length': '874',
  connection: 'close'
}
2023-11-20T23:56:40.043Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 201
2023-11-20T23:56:40.072Z GET /manifest.json 304
2023-11-20T23:56:40.173Z GET /logo.png 304
2023-11-20T23:56:41.416Z POST /oidc 200
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://<redacted>:443
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://<redacted>:443
VERBOSE REQUEST POST http <redacted-skooner-host> /apis/authorization.k8s.io/v1/selfsubjectrulesreviews {
  'x-forwarded-for': '<redacted>',
  'x-forwarded-proto': 'https',
  'x-forwarded-port': '443',
  host: '<redacted-skooner-host>',
  'x-amzn-trace-id': 'Root=1-655bf239-4eaba9833b54437473f976c3',
  'content-length': '32',
  'sec-ch-ua': '"Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"',
  accept: 'application/json',
  'content-type': 'application/json',
  'sec-ch-ua-mobile': '?0',
  'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36',
  'sec-ch-ua-platform': '"macOS"',
  origin: 'https://<redacted-skooner-host>',
  'sec-fetch-site': 'same-origin',
  'sec-fetch-mode': 'cors',
  'sec-fetch-dest': 'empty',
  referer: 'https://<redacted-skooner-host>/',
  'accept-encoding': 'gzip, deflate, br',
  'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8',
  cookie: '_ga=GA1.2.1218866312.1671164319; _ga_4XJ7PLCNGM=GS1.2.1694048194.1.1.1694048198.0.0.0; mp_9bfb1dea1874f9ea59453846a9ccd7d3_mixpanel=%7B%22distinct_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24device_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22host%22%3A%20%22<redacted>>%22%2C%22appVersion%22%3A%20%221.105.11%22%2C%22product_tier%22%3A%20%22free%22%2C%22kubecostToken%22%3A%20%22not-applied%22%2C%22__mps%22%3A%20%7B%22%24os%22%3A%20%22Mac%20OS%20X%22%2C%22%24browser%22%3A%20%22Chrome%22%2C%22%24browser_version%22%3A%20114%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22alerts_count%22%3A%200%7D%2C%22__mpso%22%3A%20%7B%7D%2C%22__mpus%22%3A%20%7B%7D%2C%22__mpa%22%3A%20%7B%7D%2C%22__mpu%22%3A%20%7B%7D%2C%22__mpr%22%3A%20%5B%5D%2C%22__mpap%22%3A%20%5B%5D%2C%22uiVersion%22%3A%20%221.106.13%22%2C%22product_server_version%22%3A%20%221.25%2B%22%2C%22product_client_version%22%3A%20%221.106.3%22%7D'
}
VERBOSE RESPONSE 401 {
  'audit-id': '66fad4cb-afdc-4118-a810-48f1e4a924b1',
  'cache-control': 'no-cache, private',
  'content-type': 'application/json',
  date: 'Mon, 20 Nov 2023 23:56:41 GMT',
  'content-length': '157',
  connection: 'close'
}
2023-11-20T23:56:41.502Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401
VERBOSE REQUEST POST http <redacted-skooner-host> /apis/authorization.k8s.io/v1/selfsubjectrulesreviews {
  'x-forwarded-for': '<redacted>',
  'x-forwarded-proto': 'https',
  'x-forwarded-port': '443',
  host: '<redacted-skooner-host>',
  'x-amzn-trace-id': 'Root=1-655bf239-265160947a79c30a2a87c2e1',
  'content-length': '32',
  'sec-ch-ua': '"Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"',
  accept: 'application/json',
  'content-type': 'application/json',
  'sec-ch-ua-mobile': '?0',
  'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36',
  'sec-ch-ua-platform': '"macOS"',
  origin: 'https://<redacted-skooner-host>',
  'sec-fetch-site': 'same-origin',
  'sec-fetch-mode': 'cors',
  'sec-fetch-dest': 'empty',
  referer: 'https://<redacted-skooner-host>/',
  'accept-encoding': 'gzip, deflate, br',
  'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8',
  cookie: '_ga=GA1.2.1218866312.1671164319; _ga_4XJ7PLCNGM=GS1.2.1694048194.1.1.1694048198.0.0.0; mp_9bfb1dea1874f9ea59453846a9ccd7d3_mixpanel=%7B%22distinct_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24device_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22host%22%3A%20%22<redacted>>%22%2C%22appVersion%22%3A%20%221.105.11%22%2C%22product_tier%22%3A%20%22free%22%2C%22kubecostToken%22%3A%20%22not-applied%22%2C%22__mps%22%3A%20%7B%22%24os%22%3A%20%22Mac%20OS%20X%22%2C%22%24browser%22%3A%20%22Chrome%22%2C%22%24browser_version%22%3A%20114%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22alerts_count%22%3A%200%7D%2C%22__mpso%22%3A%20%7B%7D%2C%22__mpus%22%3A%20%7B%7D%2C%22__mpa%22%3A%20%7B%7D%2C%22__mpu%22%3A%20%7B%7D%2C%22__mpr%22%3A%20%5B%5D%2C%22__mpap%22%3A%20%5B%5D%2C%22uiVersion%22%3A%20%221.106.13%22%2C%22product_server_version%22%3A%20%221.25%2B%22%2C%22product_client_version%22%3A%20%221.106.3%22%7D'
}
VERBOSE RESPONSE 401 {
  'audit-id': '59f760f1-1a33-4673-8e69-dd1e2c5479a7',
  'cache-control': 'no-cache, private',
  'content-type': 'application/json',
  date: 'Mon, 20 Nov 2023 23:56:41 GMT',
  'content-length': '157',
  connection: 'close'
}
2023-11-20T23:56:41.505Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://<redacted>:443
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://<redacted>:443
2023-11-20T23:56:41.644Z GET / 304
VERBOSE REQUEST POST http <redacted-skooner-host> /apis/authorization.k8s.io/v1/selfsubjectrulesreviews {
  'x-forwarded-for': '<redacted>',
  'x-forwarded-proto': 'https',
  'x-forwarded-port': '443',
  host: '<redacted-skooner-host>',
  'x-amzn-trace-id': 'Root=1-655bf239-702417af7dbe754d715b9b34',
  'content-length': '32',
  'sec-ch-ua': '"Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"',
  accept: 'application/json',
  'content-type': 'application/json',
  'sec-ch-ua-mobile': '?0',
  'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36',
  'sec-ch-ua-platform': '"macOS"',
  origin: 'https://<redacted-skooner-host>',
  'sec-fetch-site': 'same-origin',
  'sec-fetch-mode': 'cors',
  'sec-fetch-dest': 'empty',
  referer: 'https://<redacted-skooner-host>/',
  'accept-encoding': 'gzip, deflate, br',
  'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8',
  cookie: '_ga=GA1.2.1218866312.1671164319; _ga_4XJ7PLCNGM=GS1.2.1694048194.1.1.1694048198.0.0.0; mp_9bfb1dea1874f9ea59453846a9ccd7d3_mixpanel=%7B%22distinct_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24device_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22host%22%3A%20%22<redacted>>%22%2C%22appVersion%22%3A%20%221.105.11%22%2C%22product_tier%22%3A%20%22free%22%2C%22kubecostToken%22%3A%20%22not-applied%22%2C%22__mps%22%3A%20%7B%22%24os%22%3A%20%22Mac%20OS%20X%22%2C%22%24browser%22%3A%20%22Chrome%22%2C%22%24browser_version%22%3A%20114%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22alerts_count%22%3A%200%7D%2C%22__mpso%22%3A%20%7B%7D%2C%22__mpus%22%3A%20%7B%7D%2C%22__mpa%22%3A%20%7B%7D%2C%22__mpu%22%3A%20%7B%7D%2C%22__mpr%22%3A%20%5B%5D%2C%22__mpap%22%3A%20%5B%5D%2C%22uiVersion%22%3A%20%221.106.13%22%2C%22product_server_version%22%3A%20%221.25%2B%22%2C%22product_client_version%22%3A%20%221.106.3%22%7D'
}
VERBOSE RESPONSE 401 {
  'audit-id': 'b70c28b8-3908-41be-822e-695f0474dc71',
  'cache-control': 'no-cache, private',
  'content-type': 'application/json',
  date: 'Mon, 20 Nov 2023 23:56:41 GMT',
  'content-length': '157',
  connection: 'close'
}
2023-11-20T23:56:41.651Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401
VERBOSE REQUEST POST http <redacted-skooner-host> /apis/authorization.k8s.io/v1/selfsubjectrulesreviews {
  'x-forwarded-for': '<redacted>',
  'x-forwarded-proto': 'https',
  'x-forwarded-port': '443',
  host: '<redacted-skooner-host>',
  'x-amzn-trace-id': 'Root=1-655bf239-106378b726128eb96ec628fc',
  'content-length': '32',
  'sec-ch-ua': '"Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"',
  accept: 'application/json',
  'content-type': 'application/json',
  'sec-ch-ua-mobile': '?0',
  'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36',
  'sec-ch-ua-platform': '"macOS"',
  origin: 'https://<redacted-skooner-host>',
  'sec-fetch-site': 'same-origin',
  'sec-fetch-mode': 'cors',
  'sec-fetch-dest': 'empty',
  referer: 'https://<redacted-skooner-host>/',
  'accept-encoding': 'gzip, deflate, br',
  'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8',
  cookie: '_ga=GA1.2.1218866312.1671164319; _ga_4XJ7PLCNGM=GS1.2.1694048194.1.1.1694048198.0.0.0; mp_9bfb1dea1874f9ea59453846a9ccd7d3_mixpanel=%7B%22distinct_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24device_id%22%3A%20%221853c4329224eb-0f2bb96ed0bef1-17525635-384000-1853c432923a61%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22host%22%3A%20%22<redacted>>%22%2C%22appVersion%22%3A%20%221.105.11%22%2C%22product_tier%22%3A%20%22free%22%2C%22kubecostToken%22%3A%20%22not-applied%22%2C%22__mps%22%3A%20%7B%22%24os%22%3A%20%22Mac%20OS%20X%22%2C%22%24browser%22%3A%20%22Chrome%22%2C%22%24browser_version%22%3A%20114%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22alerts_count%22%3A%200%7D%2C%22__mpso%22%3A%20%7B%7D%2C%22__mpus%22%3A%20%7B%7D%2C%22__mpa%22%3A%20%7B%7D%2C%22__mpu%22%3A%20%7B%7D%2C%22__mpr%22%3A%20%5B%5D%2C%22__mpap%22%3A%20%5B%5D%2C%22uiVersion%22%3A%20%221.106.13%22%2C%22product_server_version%22%3A%20%221.25%2B%22%2C%22product_client_version%22%3A%20%221.106.3%22%7D'
}
VERBOSE RESPONSE 401 {
  'audit-id': 'a65be752-ea91-403d-bd72-97a5c2ce2186',
  'cache-control': 'no-cache, private',
  'content-type': 'application/json',
  date: 'Mon, 20 Nov 2023 23:56:41 GMT',
  'content-length': '157',
  connection: 'close'
}
2023-11-20T23:56:41.657Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401
2023-11-20T23:56:41.731Z GET /static/css/2.b522e268.chunk.css 304
2023-11-20T23:56:41.734Z GET /static/css/main.c514c7e6.chunk.css 304
2023-11-20T23:56:41.734Z GET /static/js/2.8ecea4b8.chunk.js 304
2023-11-20T23:56:41.735Z GET /static/js/main.3424f39b.chunk.js 304
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://<redacted>:443
2023-11-20T23:56:41.841Z GET /manifest.json 304
2023-11-20T23:56:41.845Z GET /favicon.ico 304

Screenshot 2023-11-21 at 11 17 06 am

Any ideas for troubleshooting are much appreciated.
Thank you
@harrybaker-srt
Copy link

Just adding to this, it appears to be 401'ing on the k8 SelfSubjectRulesReview call (the testAuth portion) after successfully posting to OIDC & setting localStorage.authToken to the response token, due to the client then adding this on every request here on apiProxy.ts. Is this the intended behaviour?

@marcelhorner
Copy link

I am facing the same issue. Do we have any feedback on this? Thank you!

@paulwitt
Copy link

paulwitt commented May 2, 2024

Is this product still being developed? I'm having the same issue and not only are the "fixes" not working but they don't make any sense. I'm using Okta, not keycloak but it seems that there's no way to get the selfsubjectrulesreviews piece to not error and retry auth in a loop.

@2bomb
Copy link

2bomb commented Jun 20, 2024

I'm also facing the same issue. Can anyone confirm if this product is still being worked on?

@kkashyap1707
Copy link

Still same issue. any update ??

[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://172.20.0.1:443
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://172.20.0.1:443
2024-10-10T08:28:47.122Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401
2024-10-10T08:28:47.125Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401
[HPM] POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews -> https://172.20.0.1:443
2024-10-10T08:28:47.465Z POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews 401

@cadu1982
Copy link

I am facing the same issue. Do we have any feedback on this? Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@kkashyap1707 @paulwitt @marcelhorner @2bomb @cadu1982 @tomroberts-srt @harrybaker-srt