
Improper backend Auth config error handling #394

Closed
maia-iyer opened this issue Apr 4, 2024 · 19 comments · Fixed by #398
Assignees
Labels
backend Tornjak API (Backend) good first issue Good for newcomers

Comments

@maia-iyer
Collaborator

When the backend is set up with the issuer at localhost incorrectly, it returns an error:

2024/04/04 14:17:07 Cannot Configure: Cannot configure auth plugin: Couldn't configure Auth: Could not set up OIDC Discovery client: error decoding provider metadata response: json: cannot unmarshal number into Go value of type discovery.ProviderMetadata

We need to improve this error handling.

@maia-iyer maia-iyer added good first issue Good for newcomers backend Tornjak API (Backend) labels Apr 4, 2024
@nesangcode
Contributor

What improvement can be applied?

@nesangcode
Contributor

Did you expect the error to return

Error: issuer at localhost incorrectly set up

or is there any additional info that the error returns?

@maia-iyer
Collaborator Author

Hello! Right now I believe the error comes from these lines.

I think we should include clearer information, such as what URL was attempted, and a hint to check the issuer field, so something like:

2024/04/04 14:17:07 Cannot Configure: auth plugin: Could not set up OIDC Discovery client with issuer = '<insert IssuerURL>': error decoding provider metadata response: json: cannot unmarshal number into Go value of type discovery.ProviderMetadata
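One way to implement the error handling suggested above, as an added example rather than Tornjak's own code: a discovery function that validates the configured issuer before any network call and attaches the issuer and attempted URL to every failure, including the unmarshal failure in the original log. It assumes a constructed providerMetadata type (a stand-in for discovery.ProviderMetadata) and a caller-supplied http.Client.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// providerMetadata: the OIDC discovery fields checked here (constructed stand-in for discovery.ProviderMetadata).
type providerMetadata struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`
}

// discoverOIDC fetches <issuer>/.well-known/openid-configuration and parses it. Every
// failure path names the configured issuer, so a bad "issuer" field shows up in the log.
func discoverOIDC(client *http.Client, issuer string) (*providerMetadata, error) {
	u, err := url.Parse(issuer)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		// Reject values like "host" or "localhost" before any network call.
		return nil, fmt.Errorf("issuer = %q is not an absolute http(s) URL: check the issuer field", issuer)
	}
	discoveryURL := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
	resp, err := client.Get(discoveryURL)
	if err != nil { // e.g. connection refused when nothing listens at the issuer
		return nil, fmt.Errorf("OIDC discovery with issuer = %q: fetching %s: %w", issuer, discoveryURL, err)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound what is buffered
	if err != nil || resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("OIDC discovery with issuer = %q: %s returned HTTP %d (read error: %v)", issuer, discoveryURL, resp.StatusCode, err)
	}
	var md providerMetadata
	if err := json.Unmarshal(body, &md); err != nil {
		// An HTML page ("invalid character '<'") or a bare number ("cannot
		// unmarshal number into ... providerMetadata") both land here.
		return nil, fmt.Errorf("OIDC discovery with issuer = %q: decoding %s: %w", issuer, discoveryURL, err)
	}
	// OIDC Discovery requires the advertised issuer to equal the configured one;
	// a mismatch means the URL points at a different provider than intended.
	if md.Issuer != issuer || md.JWKSURI == "" {
		return nil, fmt.Errorf("OIDC discovery with issuer = %q: metadata advertises issuer %q, jwks_uri %q; refusing", issuer, md.Issuer, md.JWKSURI)
	}
	return &md, nil
}
```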

@nesangcode
Contributor

nesangcode commented Apr 5, 2024

... such as what URL was attempted ...

Did you mean add IssuerURL information?

Edit: Solved

@nesangcode
Contributor

nesangcode commented Apr 5, 2024

Thank you, I think I can work on it.

Edit: I'll try to reproduce the issue first. Be right back.

@maia-iyer
Collaborator Author

maia-iyer commented Apr 5, 2024

Great! So I think the amount of code that must change is quite minimal, but getting everything up and running may take some time. Please let me know if you'd like any help or have any questions 😄

I think to reproduce the error, you need only run the quickstart with the UserManagement plugin config with some URL for the issuer.

@nesangcode
Contributor

Thanks.

@nesangcode
Contributor

When I tried to do the quick setup, the last command before step 3, kubectl -n spire describe pod spire-server-0 | select-string "Image:", only yielded one line.

@nesangcode
Contributor

nesangcode commented Apr 6, 2024

This is the tornjak-configmap.yaml, filled with the UserManagement plugin config and an arbitrary issuer to reproduce the issue as you said.

apiVersion: v1
kind: ConfigMap
metadata:
  name: tornjak-agent
  namespace: spire
data:
  server.conf: |

    server {
      # location of SPIRE socket
      # here, set to default SPIRE socket path
      spire_socket_path = "unix:///tmp/spire-server/private/api.sock"

      # configure HTTP connection to Tornjak server
      http {
        port = 10000 # opens at port 10000
      }

    }

    plugins {
      DataStore "sql" { # local database plugin
        plugin_data {
          drivername = "sqlite3"
          filename = "/run/spire/data/tornjak.sqlite3" # stores locally in this file
        }
      }
    
      UserManagement "KeycloakAuth" {
        plugin_data {
          # issuer - Issuer URL for OIDC
          # here is a sample for Keycloak running locally on Minikube
          # issuer = "http://host.docker.internal:8080/realms/tornjak"
          # for cloud deployment it would be something like:
          issuer = "http://localhost"
  
        }
      }
    }

@nesangcode
Contributor

nesangcode commented Apr 6, 2024

I decided to use the clean-up guide and start over again. This time, I used the [Click] For the deployment of only the Tornjak backend (API) guide and changed the issuer to https://www.google.com

When I do kubectl get statefulset --namespace spire, it shows below:

NAME           READY   AGE
spire-server   0/1     7m35s

spire-server never got ready.

@nesangcode
Contributor

This is when I do kubectl get pods --namespace spire.

NAME             READY   STATUS             RESTARTS        AGE
spire-server-0   1/2     CrashLoopBackOff   10 (102s ago)   27m

@nesangcode
Contributor

nesangcode commented Apr 6, 2024

Found this log instead.

2024/04/06 15:37:20 Cannot Configure: Cannot configure auth plugin: Couldn't configure Auth: Could not create Keyfunc for url : Get "": unsupported protocol scheme ""

@nesangcode
Contributor

nesangcode commented Apr 6, 2024

jwks, err := getKeyFunc(httpjwks, jwksURL)

I believe the error is in here. It means OIDC has been created without any errors.

@maia-iyer
Collaborator Author

Hello! So actually this issue is related to very recent work relating to our unreleased tornjak v1.6. So you will need to use an updated image to reproduce the error above.

Explanation of the error you're seeing:

  • This issuer field is something we are introducing in tornjak v1.6.0, so this is why your error seems to be showing the URL as blank as evidenced from the blank quotes. The old image v1.4.2 is parsing the configmap differently and expects jwksURL instead of issuer as the field name.

How to reproduce the error of this issue:

  • when you do the quickstart with the section [Click] For the deployment of only the Tornjak backend, you will be using the statefulset defined here.
  • You can use kubectl -n spire describe pod spire-server-0 | select-string "Image:" to verify that the image used is ghcr.io/spiffe/tornjak-backend:v1.4.2
  • Instead, we need to use the latest updated experimental image ghcr.io/spiffe/tornjak-backend:v1.6.0. This should be a matter of changing that line in the server-statefulset file.

Does this help and/or make sense?

@nesangcode
Contributor

[...] This issuer field is something we are introducing in tornjak v1.6.0

Seems like I'm using the v1.4.2 one; got it from my server-statefulset.yaml:

- name: tornjak-backend
  image: ghcr.io/spiffe/tornjak-backend:v1.4.2

Gonna try again with v1.6.0.

@nesangcode
Contributor

nesangcode commented Apr 8, 2024

Got this log after changing to tornjak-backend:v1.6.0:

2024/04/08 07:28:12 Cannot Configure: Cannot configure auth plugin: Couldn't configure Auth: Could not set up OIDC Discovery client: error fetching host/.well-known/openid-configuration: Get "host/.well-known/openid-configuration": unsupported protocol scheme ""

After changing issuer to http://localhost:

2024/04/08 07:35:08 Cannot Configure: Cannot configure auth plugin: Couldn't configure Auth: Could not set up OIDC Discovery client: error fetching http://localhost/.well-known/openid-configuration: Get "http://localhost/.well-known/openid-configuration": dial tcp 127.0.0.1:80: connect: connection refused

After changing issuer to http://host.docker.internal:8080:

2024/04/08 07:45:27 Cannot Configure: Cannot configure auth plugin: Couldn't configure Auth: Could not set up OIDC Discovery client: error fetching http://host.docker.internal:8080/.well-known/openid-configuration: Get "http://host.docker.internal:8080/.well-known/openid-configuration": dial tcp 192.168.65.254:8080: connect: connection refused

After changing issuer to https://www.google.com:

2024/04/08 07:47:39 Cannot Configure: Cannot configure auth plugin: Couldn't configure Auth: Could not set up OIDC Discovery client: error decoding provider metadata response: invalid character '<' looking for beginning of value

Can't reproduce the error cannot unmarshal number into Go value of type discovery.ProviderMetadata.

@maia-iyer
Collaborator Author

Hm, you're right, I can't seem to reproduce it either. Let me ask the person that first got this error offline for more details.

But thank you for the PR! As far as I'm concerned, this will fix the issue; let me run the tests.

@nesangcode
Contributor

nesangcode commented Apr 9, 2024

Thank you for guiding me to resolve this issue.

By the way, when I try to run agent.go, it needs --tornjak-config, which needs the tornjak.sqlite3 file that I retrieved from /run/spire/data/tornjak.sqlite3 in the tornjak-backend container.

Is there any better way to run the tornjak backend locally without manually retrieving the tornjak.sqlite3 file from the container?

@maia-iyer
Collaborator Author

Hm, you shouldn't need to retrieve the file; if it doesn't exist it should be initialized properly. Try running the backend locally with the db filename set to a local file that doesn't exist. Do you get errors doing this?
