louislam / uptime-kuma

A fancy self-hosted monitoring tool

Home Page: https://uptime.kuma.pet

`oauth2-cc` should use the proxy configuration for `getOidcTokenClientCredentials`

harishbsrinivas opened this issue · comments

⚠️ Please verify that this question has NOT been raised before.

  • I checked and didn't find similar issue

🛡️ Security Policy

📝 Describe your problem

I have a monitor protected by JWT based authentication. I have configured the endpoint/clientID/Secret etc. However, the monitor fails with error "The oauth config is invalid, ENOTFOUND error".

Troubleshooting this further, the token endpoint can be reached via curl from the Docker container running uptime kuma without issue. Both the clientID and secret are valid and have been tested via Postman calls. This rules out any DNS related problems, as curl as well as postman are able to resolve this endpoint.

I also have a proxy setup that has been configured to route specific traffic. What I suspect is that nodeJS is unable to route the traffic to the JWT endpoint as it is not aware of the proxy?

Has anyone else faced similar issues with JWT + Proxy?

📝 Error Message(s) or Log

"The oauth config is invalid, ENOTFOUND error".

🐻 Uptime-Kuma Version

1.23.11

💻 Operating System and Arch

Suse 15 with Kuma docker image

🌐 Browser

Firefox 115.10.0esr (64-bit)

🖥️ Deployment Environment

  • Runtime: 20.10.17-ce
  • Database: Sqlite/embedded
  • Filesystem used to store the database on: ext4
  • number of monitors: 108

We currently don't support JWT based auth.

=> Why are you getting an oauth error when you are specifying a JWT in a header?

Are you maybe using oauth2-cc instead?

Assuming you do, you are using

```js
const oidc = require("openid-client");

// Requests an access token with the OAuth2 client_credentials grant.
exports.getOidcTokenClientCredentials = async (tokenEndpoint, clientId, clientSecret, scope, authMethod = "client_secret_basic") => {
    const oauthProvider = new oidc.Issuer({ token_endpoint: tokenEndpoint });
    let client = new oauthProvider.Client({
        client_id: clientId,
        client_secret: clientSecret,
        token_endpoint_auth_method: authMethod
    });
    // Increase default timeout and clock tolerance
    client[oidc.custom.http_options] = () => ({ timeout: 10000 });
    client[oidc.custom.clock_tolerance] = 5;
    let grantParams = { grant_type: "client_credentials" };
    if (scope) {
        grantParams.scope = scope;
    }
    return await client.grant(grantParams);
};
```

Which uses openid-client.
=> something like panva/node-openid-client#307 would be required to get this part to use the proxy as well
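
One way the token request could be routed through a proxy, as an added example that is not uptime-kuma's or openid-client's own code: in openid-client v5 the `custom.http_options` hook may return an `agent`, so the function quoted above can hand it a proxy-aware agent. `buildHttpOptions`, `proxyAgent` and `allowPlainHttp` are hypothetical names, and the agent is assumed to be created by the caller (for example with the https-proxy-agent package).

```javascript
"use strict";

// Returns the function to assign to client[oidc.custom.http_options].
// proxyAgent: an http.Agent-compatible object that tunnels through the proxy
// (assumption: built by the caller from the monitor's proxy settings).
function buildHttpOptions(proxyAgent, { timeout = 10000, allowPlainHttp = false } = {}) {
    return (url) => {
        const { protocol, host } = new URL(String(url));
        // No proxy configured: keep the behaviour of the code quoted above.
        if (!proxyAgent) {
            return { timeout };
        }
        // Over plain http a forwarding proxy can read the client secret;
        // over https the credentials stay inside the TLS tunnel.
        if (protocol !== "https:" && !allowPlainHttp) {
            throw new Error(`refusing to send client credentials to ${host} over ${protocol} via proxy`);
        }
        return { timeout, agent: proxyAgent };
    };
}

// The function from the comment above with one extra, hypothetical parameter.
async function getOidcTokenClientCredentials(tokenEndpoint, clientId, clientSecret, scope,
    authMethod = "client_secret_basic", proxyAgent = null) {
    // Loaded lazily so buildHttpOptions can be used without the dependency.
    const oidc = require("openid-client");
    const oauthProvider = new oidc.Issuer({ token_endpoint: tokenEndpoint });
    const client = new oauthProvider.Client({
        client_id: clientId,
        client_secret: clientSecret,
        token_endpoint_auth_method: authMethod,
    });
    // Same timeout and clock tolerance as before, plus the proxy agent.
    client[oidc.custom.http_options] = buildHttpOptions(proxyAgent);
    client[oidc.custom.clock_tolerance] = 5;
    const grantParams = { grant_type: "client_credentials" };
    if (scope) {
        grantParams.scope = scope;
    }
    return await client.grant(grantParams);
}
```

With an agent set, the token endpoint's hostname is resolved by the proxy rather than inside the container, which is the step that fails with `ENOTFOUND` in the report above.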