vouch-proxy with Gitea working on v0.17.4 but stops working on v0.18.0+ #346
Comments
|
@layanto thanks for the report. Can you please use the latest version of VP and post a full log to a gist as per the README? |
|
I am also seeing this. I will try to get the requested logs. For the record, I am using the latest tag from docker hub for both gitea/gitea and voucher/vouch. Also, if I create a brand new oauth app, and update the vouch config to use that oauth client id/secret it works for a little while. I have the provider configured as "github" in the vouch config, as per a previous issue on gitea/vouch. |
|
I was also using gitea and vouch latest docker image. As workaround, I now use 0.17.4 tag for vouch docker image. Trying to figure out how to use the ./do.sh with vouch docker image. |
|
@layanto any chance you could supply that log for the most recent version? I'm happy to help work the issue. wrt to |
|
Will try tonight. I am presently only using the vouch docker image. To use the do.sh, do I need to git checkout this repo and then run the do.sh? Maybe easier just to take the log as is and then change my oauth key in gitea? |
|
Couldn't figure out how to use the do.sh so I ended up manually sanitizing the debug log. Gists below: I changed my domain to domain.com, gitea URL to gitea.domain.com, vouch URL to vouch.domain.com, application URL protected by vouch to protected.domain.com, username to username, email to [email protected] and various secrets, client_id, token, etc to vvv, www, xxx, etc. Hopefully I haven't messed up the debug log too badly. |
|
Would be a great feature if via config option, vouch can generate sanitized debug.log as a file in /data. This way the log file can be access in docker's host machine. Vouch already knows all the sensitive information (already in config or environment variables) so should be able to sanitize them without additional info from user (such as via do.sh which I couldn't figure out how to use). |
|
Still not working - exactly the same error. I tried both (blank) and plain for code_challenge_method under oauth config. |
|
@layanto looks like gitea supports OIDC, what happens if you try |
|
using oidc as oauth provider, Gitea works with v0.17.4 and latest. I didn't need to add the code_challenge_method. With github as oauth provider, Gitea only works with v0.17.4 or earlier and doesn't work with v0.18.0 or later. @eldondev Can you check if you observe the same behaviour as above? |
|
Hi, with gitea 1.13.1 vouch latest and provider oidc everything is working again. |
|
@mvivaldi @layanto thanks for testing that out. In your opinion should we consider this a docu-fix as "always use My suspicion is that if this line were commented out it might work for Gitea as Would either of you be in a position to test that? |
|
I am using vouch docker from dockerhub. Not sure how to test commenting out a line in vouch's go code. |
|
@layanto understood... If you cared to build the container locally |
|
Just followed up here. The switch to OIDC also seems to work for me. One alternative might be to see if gitea would support that code challenge method (if that is indeed the issue). |
|
@bnfinet Hey, I dug into the gitea source/docs a little bit, it looks like they expect PKCE support to work Also, they mention S256 in the source of the oauth provider , so, while frankly I don't expect them to be critical for my use case, I'd be willing to give diving into this issue a shot, if I could provide some sort of debug output or something that would help. |
|
Thanks @eldondev ... If you could provide conf and logs as described in the README and then take that line out and do it again that would be a solid start towards trying to diagnose the issue. |
|
Hi, I seem to have the same problem and thought the problem originated from Gitea itself. I will try the OIDC route and keep you updated. |
|
I got Vouch Proxy + Gitea working again by changing my Vouch Proxy config to: oauth:
provider: oidc
client_id: {id}
client_secret: {secret}
auth_url: https://auth.domain.com/login/oauth/authorize
token_url: https://auth.domain.com/login/oauth/access_token
user_info_url: https://auth.domain.com/login/oauth/userinfo
scopes:
- openid
- email
- profile
callback_url: https://vouch.domain.com/authChanging only the provider and the user_info_url. |
|
@mindfuucker thanks for the info, glad to have another confirmation that it's working with The only reason this is still open and flagged as a If anyone wants that feature to work (or to just get the |
This unlike |
the github provider isn't working for gitea on vouch-proxy 0.18+ vouch#346
Describe the problem
Getting 400 Bad Request after successful login to Gitea. Using exactly the same nginx, Gitea and vouch config, all working with vouch v0.17.4 (or earlier) but with vouch v0.18.0 (or later), I get 400 Bad Request. I have tried testing: true and all the redirects worked as expected, though still getting 400 Bad Request. It appears that the change between vouch v0.18.0 and v0.17.4 caused Gitea to respond oauth with
Expected behavior
No 400 Bad Request on vouch v0.18.0 (or later) just like how it was with vouch v0.17.4 (or earlier),
Desktop (please complete the following information):
The text was updated successfully, but these errors were encountered: