OIDC Errors with Traefik

Pydio Cells
1

I have my Cells install running successfully behind Traefik, on Docker (in swarm mode).
One persistent error which I can’t solve, though, is this:

2019-01-26T22:19:35.171Z	ERROR	cannot init oidc provider	{"error": "oidc: issuer did not match the issuer returned by provider,     expected \"https://files.example.com/auth/dex\" got \"http://cells:8080/auth/dex\""}

2019-01-26T22:19:35.171Z	ERROR	pydio.gateway.websocket	invalid jwt received from websocket connection

This recurs every 30 seconds or so, but so far doesn’t seem to cause any obvious issues. Is this something I can (or should) fix?

My Docker environment variables:

environment:
  CELLS_BIND: '0.0.0.0:8080'
  CELLS_EXTERNAL: 'cells:8080'
  CELLS_NO_SSL: '1'
deploy:
    labels:
      traefik.enable: 'true'
      traefik.backend: 'cells'
      traefik.docker.network: 'webgateway'
      # traefik.entrypoints: 'http'
      traefik.frontend.passHostHeader: 'true'
      traefik.frontend.rule: 'Host:files.example.com'
      traefik.port: '8080'

All I can think of is that Traefik is failing to translate something, but I’m lost as to where to start looking for it.

Any help appreciated!

2

Hi,
i will try to reproduce your setup to understand those errors.

3

Thanks! If there’s any other info I can provide, let me know.

4

Small bump on this one - is there anything I can try?

Is anyone else running a on Docker/Traefik - if so, do you get the same errors in the log?

5

Not sure if this helps, but when I visit https://files.mydomain.com/auth/dex/.well-known/openid-configuration from the outside world I get:

{
  "issuer": "http://cells:8080/auth/dex",
  "authorization_endpoint": "http://cells:8080/auth/dex/auth",
  "token_endpoint": "http://cells:8080/auth/dex/token",
  "jwks_uri": "http://cells:8080/auth/dex/keys",
  "response_types_supported": [
    "code",
    "id_token",
    "token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "groups",
    "profile",
    "offline_access",
    "pydio"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "claims_supported": [
    "aud",
    "email",
    "email_verified",
    "exp",
    "iat",
    "iss",
    "locale",
    "name",
    "sub"
  ]
}

Contrasting this against what I get from https://demo.pydio.com/auth/dex/.well-known/openid-configuration:

{
  "issuer": "https://demo.pydio.com/auth/dex",
  "authorization_endpoint": "https://demo.pydio.com/auth/dex/auth",
  "token_endpoint": "https://demo.pydio.com/auth/dex/token",
  "jwks_uri": "https://demo.pydio.com/auth/dex/keys",
  "response_types_supported": [
    "code",
    "id_token",
    "token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "groups",
    "profile",
    "offline_access",
    "pydio"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "claims_supported": [
    "aud",
    "email",
    "email_verified",
    "exp",
    "iat",
    "iss",
    "locale",
    "name",
    "sub"
  ]
}

Should issuer and/or authorization_endpoint be actually showing my public https endpoint?

Thanks,
Geoff

6

I’m still hopelessly lost with all this.

I reset everything back to scratch, and now I can’t log in.

I managed to make my .well-known/openid-configuration look like the demo one at least, by editing the pydio.json file and changing the Web and Issuer entries (under pydio.grpc.auth) to point to my domain:

"issuer": "https://files.wanderingcarbon.com/auth/dex",
[...]
"web": {
      "http": "https://files.wanderingcarbon.com/auth/dex"
}

To compare, here’s mine now. Here’s the demo one.
But I’m still getting errors when I try to log in:

2019-02-05T18:56:14.788Z	ERROR	pydio.rest.frontend	cannot init oidc provider	{"error": "Get https://files.wanderingcarbon.com/auth/dex/.well-known/openid-configuration: dial tcp 71.136.153.141:443: connect: connection timed out"}
2019-02-05T18:56:25.028Z	ERROR	pydio.rest.frontend	Rest Error 401	{"error": "Post https://files.wanderingcarbon.com/auth/dex/token: dial tcp 71.136.153.141:443: connect: connection timed out"}

So I then changed the Web line:

"web": {
      "http": "http://0.0.0.0/auth/dex"
}

And now, the online .well-known/openid-configuration still looks good but I get different errors:

2019-02-05T19:20:09.182Z	INFO	pydio.web.auth	Login	{"identity": {"UserID":"b1cde705-c271-4da4-9bc0-dca04f360682","Username":"geoff","Email":"","EmailVerified":true,"Groups":[],"AuthSource":"pydioapi","DisplayName":"","Profile":"admin","Roles":["ROOT_GROUP","ADMINS","ADMINS","b1cde705-c271-4da4-9bc0-dca04f360682"],"GroupPath":"/","ConnectorData":null}},
2019-02-05T19:21:18.428Z	INFO	http: proxy error: context canceled,
2019-02-05T19:21:18.429Z	ERROR	pydio.rest.frontend	cannot init oidc provider	{"error": "Get https://files.wanderingcarbon.com/auth/dex/.well-known/openid-configuration: context canceled"}

What am I doing wrong? Is it because I’m running in Docker? Or because I’m running behind a reverse proxy?

Thanks for any help,
Geoff

7

Hi,
sorry i could not test that yet,
there is some specifics when you run behind a proxy we are going to post a long article (guide) on it which will make it clear.

8

Thanks Zayn! Looking forward to it, and if there’s anything I can contribute to the article let me know.
Cheers,
Geoff

9

Hi @zayn - any update on this proxy guide? I’m still stuck with external logins not working.

What works: I can connect locally from the host machine as long as I turn on a local VPN (my router doesn’t support NAT hairpinning). In this situation I can log in and use the server locally.

What doesn’t work: I can connect from an external box, fill in the login dialog, it goes away, then nothing. The server logs the “login” entry, followed two minutes later by a “cannot init OIDC provider”.

Cheers,
Geoff

10

Hi,
the traefik guide should be the next on the line, i had my hands full so i did not get to understand the extent of traefik but i’ll get to it whenever i can (it is one of my tasks).