"authenticate_service_url" and upstream routes with the same URL no longer working in 0.16.1

What happened?

When updating from 0.15.8 to 0.16.1 today, I noticed using the same DNS / URL for “authenticate_service_url” and upstream routes is no longer working.
I’m using pomerium to add authentication to a dockerized app running on the same Server.

What did you expect to happen?

Before 0.16.1, I’ve been using “https://appname.mydomain.com/oauth2/callback” as redirect URL in the IDP and “https://appname.mydomain.com/app” to access the actual app.
After 0.16.1, I'm getting "route not found" for the route that uses the same URL as configured in "authenticate_service_url".

How’d it happen?

  1. Updated from 0.15.8 to 0.16.1
  2. Tried to access my upstream app
  3. Got 404 Route not found message in Browser

What’s your environment like?

  • Pomerium version 0.16.1
  • docker-compose based deployment on an Ubuntu Instance

What’s your config.yaml?

# See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/
# this is the domain the identity provider will callback after a user authenticates

authenticate_service_url: https://appname.mydomain.com
authorize_service_url: http://127.0.0.1:5443

headers:
  Cache-Control: no-cache

# certificate settings:  https://www.pomerium.io/docs/reference/certificates.html
# SSL is terminated on Loadbalancer Level
insecure_server: true

# IDP (cognito) settings
idp_provider: oidc
idp_provider_url: https://cognito-idp.region.amazonaws.com/pool
idp_client_id: xxxxxx
idp_client_secret: xxxxxx
idp_scopes: "openid,email"
jwt_claims_headers: "cognito:groups"

signing_key: yyyyyyy
cookie_secret: zzzzzzz

# custom logout url
signout_redirect_url: https://my.signout.url

# https://www.pomerium.io/configuration/#policy
policy:
  - from: https://appname.mydomain.com
    to: my.upstream.url
    allow_websockets: true
    tls_skip_verify: true
    pass_identity_headers: true
    allowed_idp_claims:
      cognito:groups:
        - myGroup

What did you see in the logs?

# Paste your logs here.
# Be sure to scrub any sensitive values

Additional context

Adding a 2nd DNS record pointing to the same server and using this new URL as "authenticate_service_url" seems to work fine in a Sandbox I just created. Is there a way to configure the latest version to work with only one DNS record? Just wanted to clarify before initiating DNS changes.

Hi @svKr! This is an interesting use case. Normally, the authenticate service is on one subdomain (i.e. auth.example.com) and each service is on its own separate one (service.example.com). You can do this without making a new DNS record for each domain by creating a CNAME record for *.example.com that points to the A record for example.com.

Alternately, you can use a subdomain space. That is to say, make a CNAME for *.something.example.com and set your Pomerium config to use that sub-subdomain space.

The config you were using with a single domain was something that shouldn’t have worked, but did anyway.
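A small pre-deploy check for the collision discussed in this thread, added here as an example and not Pomerium's own code: it takes the parsed form of two constructed configs (the single-host layout from the original post and the split-subdomain layout from the reply) and flags any route whose `from` host is the same as the `authenticate_service_url` host.

```python
from typing import List
from urllib.parse import urlsplit

# Constructed example configs (the parsed form of a Pomerium config.yaml;
# not the poster's real values). The first mirrors the thread's setup:
# the authenticate service and the only route share one host.
SINGLE_HOST_CONFIG = {
    "authenticate_service_url": "https://appname.mydomain.com",
    "policy": [
        {"from": "https://appname.mydomain.com", "to": "my.upstream.url"},
    ],
}

# Layout from the reply: the authenticate service gets its own subdomain
# (served through a wildcard CNAME) and each route keeps its own host.
SPLIT_HOST_CONFIG = {
    "authenticate_service_url": "https://auth.mydomain.com",
    "policy": [
        {"from": "https://appname.mydomain.com", "to": "my.upstream.url"},
        {"from": "https://other.mydomain.com", "to": "other.upstream.url"},
    ],
}


def host_of(url: str) -> str:
    """Lower-cased host of a URL without the port; '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def find_host_collisions(config: dict) -> List[str]:
    """Return the `from` URLs of routes that share the authenticate
    service's host. The thread reports such routes answer
    "route not found" from 0.16.1 onwards."""
    auth_host = host_of(config.get("authenticate_service_url", ""))
    if not auth_host:
        return []
    return [
        route.get("from", "")
        for route in config.get("policy", [])
        if host_of(route.get("from", "")) == auth_host
    ]


def check(config: dict) -> bool:
    """True when no route host collides with the authenticate host."""
    return not find_host_collisions(config)


if __name__ == "__main__":
    for name, cfg in (("single-host", SINGLE_HOST_CONFIG),
                      ("split-host", SPLIT_HOST_CONFIG)):
        bad = find_host_collisions(cfg)
        print(f"{name}: {'OK' if not bad else 'collides: ' + ', '.join(bad)}")
```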

Thanks for the quick clarification Alex.
Will change the records accordingly.
