Connecting OIDC server


What happened?

Pomerium v0.25.0 deployed on GKE.

On the server side, the setup as described in (https://openid.net/) includes the https://example.com/.well-known/openid-configuration endpoint.

First, I reach the authorization_endpoint https://example.com/authorize to get the access code, and it works. Then I need to turn that access code into an access token by making a request to the token endpoint, and I get error 500 from the OIDC server. The second request, sent by Pomerium, includes only the code and the state and is missing grant_type=authorization, redirect_url, client_id and client_secret.

What did you expect to happen?

To get the access token, but I got error 500 instead.

What’s your environment like?

  • Pomerium version: v0.25.0
  • Cloud: GCP, Container-Optimized OS with containerd (cos_containerd)

What’s your config.yaml?

# Identity provider secret
---
apiVersion: v1
kind: Secret
metadata:
  name: webapp
  namespace: pomerium
type: Opaque
stringData:
  client_id: <client_id>
  client_secret: <client_secret>


# Pomerium settings
---
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
spec:
  secrets: pomerium/bootstrap
  authenticate:
    url: https://pomerium.authenticate.com
  identityProvider:
    url: https://idp.example.com
    provider: oidc
    secret: pomerium/webapp
    scopes:
    - "email"
  certificates:
    - pomerium/certificate-tls
  jwtClaimHeaders:
    X-Email: email

What did you see in the logs?

{"level":"info","syncer_id":"databroker","syncer_type":"type.googleapis.com/pomerium.config.Config","service":"all","config_id":"ingress-controller","version":2,"err_count":0,"time":"2024-08-06T22:15:30Z","message":"set db config info"}
{"level":"info","Algorithm":"ES256","KeyID":"a65eae3827af93a415d76c2336c0efb5b15321c4772a85f0dff56fd8abbc72ca","Public Key":{"use":"sig","kty":"EC","kid":"a65eae3827af93a415d76c2336c0efb5b15321c4772a85f0dff56fd8abbc72ca","crv":"P-256","alg":"ES256","x":"LX5KSkKnEcGgU2ksEsfmQrmiLtm9u1YbAwC8_sla86k","y":"iuPfcsQkY83jFQ9-GDIB8IKJ2YqGQLLilTQIG8iz9Hw"},"time":"2024-08-06T22:15:31Z","message":"authorize: signing key"}
{"level":"info","service":"envoy","name":"upstream","time":"2024-08-06T22:15:31Z","message":"cds: add 3 cluster(s), remove 0 cluster(s)"}
{"level":"info","service":"envoy","name":"upstream","time":"2024-08-06T22:15:31Z","message":"cds: added/updated 3 cluster(s), skipped 0 unmodified cluster(s)"}
{"level":"info","time":"2024-08-06T22:15:31Z","message":"service registry reporter stopping"}
{"level":"info","syncer_id":"databroker","syncer_type":"type.googleapis.com/pomerium.config.Config","service":"all","config":"databroker","checksum":"318d58dbf28199a3","time":"2024-08-06T22:15:31Z","message":"config: updated config"}
{"level":"info","service":"envoy","name":"upstream","time":"2024-08-06T22:15:31Z","message":"lds: add/update listener \\'http-ingress\\'"}
{"level":"info","ip":"127.0.0.1","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","request-id":"6522184b-df2f-47bb-9e95-ae89f0fcc9cc","error":"Bad Request: internal/sessions: session is not found","idp_id":"","time":"2024-08-06T22:15:42Z","message":"authenticate: session load error"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"pomerium.authenticate.com","path":"/","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","referer":"","forwarded-for":"10.154.0.33","request-id":"20bdedf9-e6c9-4571-b079-bdc8adb5dc77","duration":1.812122,"size":34,"response-code":302,"response-code-details":"via_upstream","time":"2024-08-06T22:15:42Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"pomerium.authenticate.com","path":"/.pomerium/","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","referer":"","forwarded-for":"10.154.0.33","request-id":"6522184b-df2f-47bb-9e95-ae89f0fcc9cc","duration":99.028589,"size":425,"response-code":302,"response-code-details":"via_upstream","time":"2024-08-06T22:15:42Z","message":"http-request"}
{"level":"error","ip":"127.0.0.1","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","referer":"https://idp.example.com/","request-id":"11ddb19c-df14-4fe4-8a7b-a1e99d4c6265","error":"authenticate.OAuthCallback: error redeeming authenticate code: identity/oidc: failed getting id_token: identity/oidc: missing id_token","status":500,"status-text":"Internal Server Error","request-id":"11ddb19c-df14-4fe4-8a7b-a1e99d4c6265","time":"2024-08-06T22:16:08Z","message":"httputil: error"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"pomerium.authenticate.com","path":"/oauth2/callback","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","referer":"https://idp.example.com/","forwarded-for":"10.154.0.33","request-id":"11ddb19c-df14-4fe4-8a7b-a1e99d4c6265","duration":86.588007,"size":677,"response-code":500,"response-code-details":"via_upstream","time":"2024-08-06T22:16:08Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"pomerium.authenticate.com","path":"/.pomerium/index.css","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","referer":"https://pomerium.authenticate.com/oauth2/callback","forwarded-for":"10.154.0.33","request-id":"976006d7-4972-48ca-9f6c-38b4b923f6f9","duration":10.508211,"size":134110,"response-code":200,"response-code-details":"via_upstream","time":"2024-08-06T22:16:08Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"pomerium.authenticate.com","path":"/.pomerium/index.js","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","referer":"https://pomerium.authenticate.com/oauth2/callback","forwarded-for":"10.154.0.33","request-id":"020a4da4-3583-45e2-9779-27c401f5aeb3","duration":303.953576,"size":892177,"response-code":200,"response-code-details":"via_upstream","time":"2024-08-06T22:16:08Z","message":"http-request"}

Additional context


The identity provider does not seem to return an ID token in the OAuth2 callback. Please add at least the standard OIDC scopes:

- openid
- profile
- email
- offline_access

What is your OIDC provider?
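The failure discussed in this thread, as an added example that is not Pomerium's or the provider's code: a checker for the token exchange that flags a scope list without openid and a token response without id_token, next to the form body an authorization_code token request is expected to carry (the fields the reporter found missing). The issuer, client id and token responses used with it are constructed values.

```python
import base64
import json

def build_token_request(code, redirect_uri, client_id, client_secret):
    # Form body of the RFC 6749 authorization_code grant: the fields the
    # reporter found missing from the second (token) request.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def constructed_id_token(claims):
    # Constructed sample JWT with a placeholder signature, only to feed the
    # checker below; it is not a token from any real IdP.
    header = _b64url(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder"

def _jwt_payload(token):
    # Decode a compact JWT payload without verifying it; a real relying party
    # verifies the signature against the IdP's JWKS before trusting claims.
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))

def check_token_response(requested_scopes, response, expected_issuer, client_id):
    # Return a list of problems; an empty list means an OIDC relying party
    # such as Pomerium can use the response.
    problems = []
    if "openid" not in requested_scopes:
        problems.append("scope list lacks 'openid', so no id_token will be issued")
    if "id_token" not in response:
        problems.append("token response has no id_token (identity/oidc: missing id_token)")
        return problems
    claims = _jwt_payload(response["id_token"])
    if claims.get("iss") != expected_issuer:
        problems.append("id_token iss does not match the configured provider url")
    if claims.get("aud") != client_id:
        problems.append("id_token aud is not this client_id")
    return problems
```

With scopes ["email"] and a response carrying only an access_token the checker reports both problems, which is the state of the thread; with ["openid", "email"] and an id_token whose iss and aud match, it reports none.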

It is a custom self-hosted OIDC, developed by our customer.

The scope is different; it contains only email. Is the standard OIDC scope a must?

Hi @misha, Pomerium is designed to work out of the box with standard OIDC identity providers. A homebrew one might have unique differences that require a bit more investigating.

If you believe this warrants a larger discussion with our team so we can better understand what your team and your customer are looking for, book a time with us and we can take a better look.