oidc: issuer did not match the issuer returned by provider #357

Open
TBG-FR opened this issue Oct 27, 2023 · 2 comments
Comments

@TBG-FR

TBG-FR commented Oct 27, 2023

Hello and thanks for that awesomely useful service 👌

I frequently use https://oidctest.wsweet.org/ to configure, test and validate OpenIDConnect authentication on various web and software elements, and I found myself facing an issue with traefik-forward-auth doing so...

Here's what my .env looked like

OIDC_META_URL=https://oidctest.wsweet.org
OIDC_CLIENT_ID=private
OIDC_CLIENT_SECRET=tardis
OIDC_SIGN_SECRET=abcdefgh

And here's the error returned by traefik-forward-auth container

user@redacted:/opt/web-traefik$ docker logs -f auth
time="2023-10-26T22:53:01Z" level=fatal msg="oidc: issuer did not match the issuer returned by provider, expected \"https://oidctest.wsweet.org\" got \"https://oidctest.wsweet.org/\""
time="2023-10-26T22:53:02Z" level=fatal msg="oidc: issuer did not match the issuer returned by provider, expected \"https://oidctest.wsweet.org\" got \"https://oidctest.wsweet.org/\""
time="2023-10-26T22:53:03Z" level=fatal msg="oidc: issuer did not match the issuer returned by provider, expected \"https://oidctest.wsweet.org\" got \"https://oidctest.wsweet.org/\""
time="2023-10-26T22:53:04Z" level=fatal msg="oidc: issuer did not match the issuer returned by provider, expected \"https://oidctest.wsweet.org\" got \"https://oidctest.wsweet.org/\""

I then tried to add the trailing slash that seems to be missing, but got the exact same error

OIDC_META_URL=https://oidctest.wsweet.org/

It worked well when I switched to the Microsoft provider, following the associated guide, so I believe it's related to other "various" providers, and it may affect other people... Maybe there's something in the code that removes the trailing slash? Or maybe the verification rule needs to be softened? I didn't check the code yet, however, so you may know better than me.
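As an added illustration (not code from traefik-forward-auth, from the go-oidc library it builds on, or from anyone in this thread), the Go program below reproduces the check behind the log message above: the discovery URL is built by dropping any trailing slash from the issuer, as OpenID Connect Discovery 1.0 section 4.1 requires, but the `issuer` value inside the returned document must then equal the configured value byte-for-byte (section 4.3). The provider host, the discovery document and the `normalizeIssuer` helper are constructed for the example; the helper stands in for the hypothetical trailing-slash stripping the comment speculates about.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// sampleDiscovery is a constructed OpenID Provider Configuration document.
// The host is a placeholder; note the trailing slash on "issuer", which is
// the shape of the value the provider in the issue publishes.
const sampleDiscovery = `{
  "issuer": "https://idp.example.test/",
  "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
  "token_endpoint": "https://idp.example.test/oauth2/token",
  "jwks_uri": "https://idp.example.test/oauth2/jwks"
}`

// discoveryDocument holds the fields of the configuration response that
// matter for this check.
type discoveryDocument struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}

// errIssuerMismatch is returned when the configured issuer and the
// published one differ; the wording mirrors the log line in the issue.
var errIssuerMismatch = errors.New("oidc: issuer did not match the issuer returned by provider")

// discoveryURL builds the well-known URL. Discovery 1.0 section 4.1 removes
// a trailing slash from the issuer before appending the path, so both
// spellings of the issuer fetch the same document.
func discoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// validateIssuer decodes the document and compares its "issuer" to the
// configured value exactly. Section 4.3 requires this strict match; it is
// what stops a relying party from trusting metadata that belongs to a
// different issuer, so it is not loosened here.
func validateIssuer(configured string, body []byte) (*discoveryDocument, error) {
	var doc discoveryDocument
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, fmt.Errorf("decode discovery document: %w", err)
	}
	if doc.Issuer != configured {
		return nil, fmt.Errorf("%w, expected %q got %q", errIssuerMismatch, configured, doc.Issuer)
	}
	return &doc, nil
}

// normalizeIssuer is hypothetical: it models a wrapper that strips the
// trailing slash from the configured URL before handing it to the
// validator, the behaviour the comment above wonders about. When the
// provider publishes its issuer with a slash, this silently breaks the match.
func normalizeIssuer(issuer string) string {
	return strings.TrimRight(issuer, "/")
}

func main() {
	body := []byte(sampleDiscovery)
	for _, configured := range []string{
		"https://idp.example.test",                   // no trailing slash: fails
		"https://idp.example.test/",                  // exact match: passes
		normalizeIssuer("https://idp.example.test/"), // slash stripped upstream: fails again
	} {
		fmt.Printf("GET %s\n", discoveryURL(configured))
		if _, err := validateIssuer(configured, body); err != nil {
			fmt.Println("  fatal:", err)
			continue
		}
		fmt.Printf("  ok: issuer %q accepted\n", configured)
	}
}
```

The third case is the one to look for when the slash is present in the configuration and the error still appears: the discovery fetch succeeds either way, so only the comparison reveals that the configured string was altered somewhere between the environment file and the validator. The durable fix is to make the configured issuer identical to the published one rather than to relax the comparison; go-oidc v3 does expose `oidc.InsecureIssuerURLContext` for deployments that cannot, but that removes the issuer check entirely and should be treated as a last resort.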

@monsdar

monsdar commented Nov 17, 2023

I'm having a similar issue, where in my setup the URL I'm providing to traefik-forward-auth is not exactly the same as the one Keycloak thinks it runs under. Therefore they differ.

I guess OIDC_META_URL could be exactly what I'd need but I can't find any info about that option within the repo. Is this from a fork or part of a PR that hasn't been merged yet?

@monsdar

monsdar commented Nov 17, 2023

In case someone stumbles upon it: I solved my issue by adding a network alias to my docker-compose so that the service was reachable within the internal docker network by its external DNS address as well:

traefik:
    container_name: traefik
    image: traefik:v2.6.1
    networks:
      internal-nw:
        aliases:
          - traefik.external.domain
