# troubleshoot
b
i've datahub connected to oidc, currently trying to troubleshoot an issue where the users reported encountering error 502 when they attempted to reach datahub. (continued in thread)
traced to an issue of the returned oidc token being too big, causing an exception in frontend-react [CompletionException: org.pax4j.core.exception.TechnicalException: Bad token response, error=invalid grant]
i didn't set any optional OIDC configs in frontend-react
are there any settings that we can adjust for the size of the token?
b
Hey!
Invalid grant - how do you know that size of token is a problem?
b
My colleague noticed that people with too many roles in the oidc token are unable to login, we inferred that the token has too much information inside. Initially we thought it was a networking problem. Once we removed some roles, there is no issue accessing
b
oh man
Thanks for the details. Can we try to change the OIDC request mode? Do you know if you're using GETs or POSTs?
b
I'll try to replicate the issue we faced in intranet with a keycloak setup. I just used the default oidc settings in docker.env
b
Okay got it -- you can try the POST mode config and see if that makes any difference, will send an example
You can try to adjust the client request method using the following environment variable in datahub-frontend:
- `AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD`: a string representing the token authentication method to use with the identity provider. Default value
is `client_secret_basic`, which uses HTTP Basic authentication. Another option is `client_secret_post`, which includes the client_id and secret_id 
as form parameters in the HTTP POST request. For more info, see [OAuth 2.0 Client Authentication](<https://darutk.medium.com/oauth-2-0-client-authentication-4b5f929305d4>)
So you'd say
AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD: client_secret_post
b
Thanks for the tip! Will give it a go soon
b
Thanks - let me know how it goes!!
b
Sorry, haven't been able to test because of illness, will update when I'm able to
b
Sorry to hear that - no rush on our side
b
hi @big-carpet-38439, i'm still encountering the same error msg
am trying to reduce the size of the token by reducing the amount of information sent back from keycloak, will update again
b
Okay. An update on my side: For an unrelated reason i'm investigating Pac4J, the library we use for OIDC authentication to a newer version. I'll have to comb through release notes, but I'm hopeful that maybe this issue has been addressed in that library
b
i would love to dig deeper to confirm the cause but distracted by other work at the moment... will update when i can on this.
ok, it seems to be an issue caused by k8s for my org... seems like i can get around it by setting `nginx.ingress.kubernetes.io/proxy-buffer-size` inside my ingress, because when i deployed datahub without k8s, it didn't have the issue.