Comments (4)
# trusted_certs:
Instead of commenting this out try
trusted_certs: []
from openunison-k8s-login-oidc.
Hey @mlbiam Thanks for being quick and helpfull. It works ! as expected was miss from my side.
I need your help again in configuring here. Now i started getting error Error An error occurred while processing this request. Please see the system administrator for assistance.
orchestra pod returns these -
[2021-04-21 13:50:54,598][XNIO-1 task-1] INFO AccessLog - [AuFail] - scale - https://k8sou.app.103-149-126-200.nip.io/auth/oidc - cn=none - enterprise_idp [10.40.0.11] - [f3645ec94e2f3f8cc8201b0aed6250a62a1930518]
[2021-04-21 13:50:54,958][Thread-23] INFO K8sLoadTrusts - watching https://10.96.0.1:443/apis/openunison.tremolo.io/v1/namespaces/openunison/trusts?watch=true&timeoutSeconds=10
[2021-04-21 13:50:55,247][XNIO-1 task-1] INFO AccessLog - [Error] - scale - https://k8sou.app.103-149-126-200.nip.io/auth/oidc - uid=Anonymous,o=Tremolo - NONE [10.40.0.11] - [f3645ec94e2f3f8cc8201b0aed6250a62a1930518]
[2021-04-21 13:50:55,247][XNIO-1 task-1] ERROR ConfigSys - Could not process request
javax.servlet.ServletException: Could not load user data
at com.tremolosecurity.unison.proxy.auth.openidconnect.OpenIDConnectAuthMech.doGet(OpenIDConnectAuthMech.java:248) ~[unison-auth-openidconnect-1.0.20.jar:?]
at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:191) ~[unison-server-core-1.0.20.jar:?]
at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.20.jar:?]
at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:89) ~[unison-sdk-1.0.20.jar:?]
at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:111) ~[unison-server-core-1.0.20.jar:?]
at com.tremolosecurity.proxy.auth.AuthSys.doAuth(AuthSys.java:118) ~[unison-server-core-1.0.20.jar:?]
at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:105) ~[unison-server-core-1.0.20.jar:?]
at com.tremolosecurity.proxy.ConfigSys.doConfig(ConfigSys.java:293) [unison-server-core-1.0.20.jar:?]
at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:93) [unison-server-core-1.0.20.jar:?]
at com.tremolosecurity.filter.UnisonServletFilter.doFilter(UnisonServletFilter.java:290) [unison-server-core-1.0.20.jar:?]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99) [undertow-servlet-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:370) [undertow-core-2.1.3.Final.jar:2.1.3.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) [undertow-core-2.1.3.Final.jar:2.1.3.Final]
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) [jboss-threads-3.1.0.Final.jar:3.1.0.Final]
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:2019) [jboss-threads-3.1.0.Final.jar:3.1.0.Final]
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1558) [jboss-threads-3.1.0.Final.jar:3.1.0.Final]
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1449) [jboss-threads-3.1.0.Final.jar:3.1.0.Final]
at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: java.lang.Exception: Could not retrieve token : 401 / Unauthorized
at com.tremolosecurity.unison.proxy.auth.openidconnect.loadUser.LoadAttributesFromWS.loadUserAttributesFromIdP(LoadAttributesFromWS.java:55) ~[unison-auth-openidconnect-1.0.20.jar:?]
at com.tremolosecurity.unison.proxy.auth.openidconnect.OpenIDConnectAuthMech.doGet(OpenIDConnectAuthMech.java:246) ~[unison-auth-openidconnect-1.0.20.jar:?]
... 42 more
from openunison-k8s-login-oidc.
AzureAD doesn't support the groups
claim out of the box, so AzureAD is rejecting the authentication request because the groups
scope is included in your values.yaml. You can either remove it or add groups to your oidc application in azure ad - https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
from openunison-k8s-login-oidc.
Thanks!
from openunison-k8s-login-oidc.
Related Issues (20)
- Is it possible to add versions for new releases? HOT 2
- Is it possible to supply a custom certificate during installation? HOT 9
- multiple token for multiple cluster of the same user in config HOT 4
- Issue with dashboard proxy with non-default cluster domain (!= cluster.local) HOT 4
- kubectl exec|port-forward fails when using api impersonation HOT 35
- Streaming commands (logs and get -w) cuts off after 20~40 seconds HOT 23
- Unable to login to openunison HOT 58
- check-certs-orchestra getting kubernetes.default.svc.cluster.local: Name or service not known HOT 1
- OpenUnison resource reports Failed state after upgrade 1.0.21, but otherwise works HOT 4
- Not able to access Openunison UI HOT 30
- Helm chart for orchestra is not deploying ingress. HOT 7
- Openunison/Kubernetes Cert Issues HOT 2
- Integration with traefik ingressroute HOT 6
- Unable to install on k3d cluster HOT 6
- installing helm chart k8s-login-oidc results in error off of openunison_host HOT 3
- Dashboard is Unauthorized HOT 6
- Can't access Kubernetes Dashboard Chapter 7 HOT 2
- Other ingress controllers HOT 3
- OpenID Connect to AWS eks HOT 28
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openunison-k8s-login-oidc.