authservice hanging using an Azure AD application #114
Comments
Hi @dippynark, did you figure out a solution to this? I'm facing the same issue, and I really can't get my head around it. Setting the token URL to a site that logs the request, and then manually sending the request to login.microsoftonline.com works as expected 🤔
@markszabo sorry I didn't in the end, but how did you do the request capture? Is it some open source tool? Sounds like a really strong way of debugging flows like this. I went for oauth2-proxy in the end (write-up here: https://www.jetstack.io/blog/istio-oidc/)
Thanks for the suggestion, I'll take a look! So for the capture I just set the
And this request returned the expected result. I also removed the client secret before setting the
I managed to set up a proxy that terminates TLS and simply forwards the request to login.microsoftonline.com and that worked. My guess is that authservice doesn't like the certificate of login.microsoftonline.com, but this is just guessing (based on the fact that everything else is the same with the proxy setup). Here is how I set up the proxy:
Now it should work, and you should also see the requests and responses showing up in Burp.
I have deployed authservice as its own Deployment in its own Namespace and am trying to configure authentication to a service using an Azure AD application. The setup is working except that the POST to login.microsoftonline.com (I believe to retrieve the ID token) hangs for about 2 minutes when logging in (2m 8s with a stopwatch). Potentially this is related to this issue but I wasn't sure.
Potentially this is due to configuration on the Azure AD side, however I am using the same application to authenticate to other separate services using OIDC (e.g. Vault) and everything works as expected, so I believe there is something that can be done on the authservice side to fix this.
I have attached logs for authservice below as well as its sidecar and the sidecar of the service I want to authenticate to (Kiali) as described here.
I am using the following resources to enforce authn/z by Istio:
As well as the following EnvoyFilters to allow authservice to intervene:
My authservice configuration looks like:
I am using the latest version of authservice (0.3.1) and of Istio (1.6.5).
kiali-proxy.log
authservice.log
authservice-proxy.log