invalid bearer token
fanux opened this issue
```text
Unable to authenticate the request due to an error: [invalid bearer token, [invalid bearer token, oidc: verify token: failed to verify signature: failed to verify id token signature]]
E0221 04:01:56.718006 1 authentication.go:65] Unable to authenticate the request due to an error: [invalid bearer token, [invalid bearer token, oidc: verify token: failed to verify signature: fetching keys oidc: failed to decode keys: expected Content-Type = application/json, got "": unexpected end of JSON input ]]
2019/02/21 07:27:18 http: TLS handshake error from 172.31.12.61:58762: remote error: tls: bad certificate
new provider failed: Get https://dex.example.com:8080/.well-known/openid-configuration: x509: certificate signed by unknown authority
```
It fails inside the container; on the host, appending ca.pem to the system trust store made it succeed.

```shell
cat ca.pem >> /etc/pki/tls/certs/ca-bundle.crt
```
github.com/coreos/go-oidc/jwks.go#134
```go
if keyID == "" || key.KeyID == keyID {
	if payload, err := jws.Verify(&key); err == nil {
		return payload, nil
	}
}
```
`keyID` not being equal to `key.KeyID` causes the `failed to verify id token signature` error.
The public key's KeyID must be identical to the Subject used when signing the token!
```go
pub = jose.JSONWebKey{
	Key:       key.Public(),
	KeyID:     "Cgc4OTEyNTU3EgZnaXRodWI",
	Algorithm: "RS256",
	Use:       "sig",
}
tok := idTokenClaims{
	Issuer:        "https://dex.example.com:8080",
	Subject:       "Cgc4OTEyNTU3EgZnaXRodWI",
	Audience:      "example-app",
	Expiry:        time.Now().Add(time.Hour * 100).Unix(),
	IssuedAt:      time.Now().Unix(),
	Email:         "fhtjob@hotmail.com",
	EmailVerified: &ev,
	Groups:        []string{"dev"},
	Name:          "fanux",
}
```
```yaml
- --oidc-issuer-url=https://dex.example.com:8080
- --oidc-client-id=example-app
- --oidc-ca-file=/etc/kubernetes/pki/ca.pem
- --oidc-username-claim=name
- --oidc-groups-claim=groups
```
```console
[root@iZj6cegflzze2l7fpcqoerZ ssl]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.31.12.61 dex.example.com
```
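The `failed to verify id token signature` error in this issue comes from the key-set lookup quoted above: the verifier reads the `kid` from the token header and only tries JWKs whose `KeyID` matches it, so a token signed under a `kid` that the provider does not publish is rejected even when the RSA signature is mathematically valid. The following Go program is an added example written for this page, not dex or go-oidc code; `jwk`, `signRS256`, `verifyWithKeySet` and `demo` are hypothetical stdlib-only stand-ins for go-jose's types and the jwks.go loop, the RSA key pair is generated on the fly, and the `kid`, issuer, audience and name values are the ones quoted in the issue (the `rotated-key-id` value is constructed).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// jwk is the subset of a JSON Web Key that lookup needs (simplified, not go-jose's type).
type jwk struct {
	KeyID string
	Key   *rsa.PublicKey
}

// signRS256 builds a compact JWS (header.payload.signature) carrying the given kid in
// its header. Hypothetical helper written for this example, not dex or go-oidc code.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]string) (string, error) {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims) // string-valued map: cannot fail to marshal
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// verifyWithKeySet mirrors the jwks.go loop quoted above: take kid from the token header,
// try only keys whose KeyID matches (every key when there is no kid), fail if none verifies.
func verifyWithKeySet(token string, keys []jwk) (map[string]string, error) {
	enc := base64.RawURLEncoding
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // never let the token choose an algorithm the verifier did not expect
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, key := range keys {
		if hdr.Kid == "" || key.KeyID == hdr.Kid {
			if rsa.VerifyPKCS1v15(key.Key, crypto.SHA256, digest[:], sig) == nil {
				payload, err := enc.DecodeString(parts[1])
				if err != nil {
					return nil, err
				}
				var claims map[string]string
				if err := json.Unmarshal(payload, &claims); err != nil {
					return nil, err
				}
				return claims, nil
			}
		}
	}
	return nil, errors.New("failed to verify id token signature: no key with a matching kid verified the token")
}

// demo reproduces both outcomes with a freshly generated (constructed) RSA key pair: a matching
// kid verifies; the same key signing under a different kid is rejected despite a valid signature.
func demo() (matchOK bool, mismatchOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	const kid = "Cgc4OTEyNTU3EgZnaXRodWI" // kid value quoted in the issue
	keys := []jwk{{KeyID: kid, Key: &priv.PublicKey}}
	claims := map[string]string{"iss": "https://dex.example.com:8080", "sub": kid, "aud": "example-app", "name": "fanux"}
	good, err := signRS256(priv, kid, claims)
	if err != nil {
		return false, false, err
	}
	bad, err := signRS256(priv, "rotated-key-id", claims) // constructed kid that is not in the key set
	if err != nil {
		return false, false, err
	}
	_, goodErr := verifyWithKeySet(good, keys)
	_, badErr := verifyWithKeySet(bad, keys)
	return goodErr == nil, badErr == nil, nil
}
```

`demo()` returns `(true, false, nil)`: the token whose header `kid` matches the published key verifies, the one signed under an unknown `kid` does not. When diagnosing this error in a real deployment, compare the `kid` in the token header (decode the first dot-separated segment) against the `kid` values served by the provider's JWKS endpoint; a mismatch after key rotation or a stale key set is the usual cause, and the `alg` check shown here is the second thing a verifier should never skip.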