Comments (6)
E0221 04:01:56.718006 1 authentication.go:65] Unable to authenticate the request due to an error: [invalid bearer token, [invalid bearer token, oidc: verify token: failed to verify signature: fetching keys oidc: failed to decode keys: expected Content-Type = application/json, got "": unexpected end of JSON input ]]
from fist.
2019/02/21 07:27:18 http: TLS handshake error from 172.31.12.61:58762: remote error: tls: bad certificate
new provider failed: Get https://dex.example.com:8080/.well-known/openid-configuration: x509: certificate signed by unknown authority
It failed inside the container; adding ca.pem to the system trust list on the host succeeded.
cat ca.pem >> /etc/pki/tls/certs/ca-bundle.crt
from fist.
github.com/coreos/go-oidc/jwks.go#134
if keyID == "" || key.KeyID == keyID {
	if payload, err := jws.Verify(&key); err == nil {
		return payload, nil
	}
}
A mismatch between keyID and key.KeyID causes the "failed to verify id token signature" error.
from fist.
The public key's keyID must be the same as the subject used when signing the token!
pub = jose.JSONWebKey{
	Key:       key.Public(),
	KeyID:     "Cgc4OTEyNTU3EgZnaXRodWI",
	Algorithm: "RS256",
	Use:       "sig",
}
tok := idTokenClaims{
	Issuer:        "https://dex.example.com:8080",
	Subject:       "Cgc4OTEyNTU3EgZnaXRodWI",
	Audience:      "example-app",
	Expiry:        time.Now().Add(time.Hour * 100).Unix(),
	IssuedAt:      time.Now().Unix(),
	Email:         "[email protected]",
	EmailVerified: &ev,
	Groups:        []string{"dev"},
	Name:          "fanux",
}
from fist.
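The key-selection rule from the go-oidc loop quoted in the comments above, reproduced as an added example (not code from fist or go-oidc) using only the Go standard library in place of jose. It shows a correctly signed token being rejected when the `kid` in its header differs from the published key's KeyID. The names `sign`, `verify`, `demo`, `demoClaims` and the key ID `key-1` are hypothetical.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
const demoClaims = `{"iss":"https://dex.example.com:8080","aud":"example-app"}` // constructed
// sign builds a compact RS256 JWS whose protected header carries kid.
func sign(priv *rsa.PrivateKey, kid, body string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString([]byte(body))
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig)
}

// verify tries a key only if the token has no kid or kid equals its KeyID.
func verify(token string, jwks map[string]*rsa.PublicKey) error {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	raw, e1 := b64.DecodeString(p[0])
	sig, e2 := b64.DecodeString(p[2])
	if e1 != nil || e2 != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("bad header or signature encoding")
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	for id, pub := range jwks { // jwks models the key set as KeyID -> public key
		if (hdr.Kid == "" || id == hdr.Kid) && rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) == nil {
			return nil
		}
	}
	return fmt.Errorf("failed to verify id token signature")
}

// demo signs under kid with a constructed throwaway key published as "key-1".
func demo(kid string) error {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return verify(sign(priv, kid, demoClaims), map[string]*rsa.PublicKey{"key-1": &priv.PublicKey})
}
func main() { fmt.Println(demo("key-1"), "|", demo("other")) }
```

The signature bytes are valid in both runs; the second fails only because no key passes the `kid` filter, so the signature check is never attempted.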
- --oidc-issuer-url=https://dex.example.com:8080
- --oidc-client-id=example-app
- --oidc-ca-file=/etc/kubernetes/pki/ca.pem
- --oidc-username-claim=name
- --oidc-groups-claim=groups
from fist.
[root@iZj6cegflzze2l7fpcqoerZ ssl]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.31.12.61 dex.example.com
from fist.