
Invalid ping with multiple clients using OIDC #4466

Closed
RobKenis opened this issue Oct 3, 2024 · 4 comments · Fixed by #4475

Comments

@RobKenis
Contributor

RobKenis commented Oct 3, 2024

Bug Description

We run a single FRP Server and multiple FRP Clients. For authentication, we use OIDC.
This works fine when a single FRPC is running, but we see the following errors when running more than one FRPC at the same time.

2024/10/03 09:17:55 [W] [control.go:425] [7cd7d9906a894271] received invalid ping: received different OIDC subject in login and ping. original subject: e4712136-7694-4d03-871c-6758d4ca79e5, new subject: 2e63168f-a7b1-4b4c-9c0d-09c3ea9c5f9c

This results in the FRP Clients constantly reconnecting, leaving the connection unstable.

frpc Version

0.53.2

frps Version

0.53.2

System Architecture

Server: linux/amd64, Client: windows/amd64

Configurations

Server:

authentication_method = oidc
oidc_issuer = {{ .Envs.FRP_KEYCLOAK_ADDRESS }}realms/<realm>
oidc_audience = account

Client:

[common]
server_addr = HOST
server_port = 7000
authentication_method = oidc
oidc_client_id = CLIENT_ID
oidc_client_secret = CLIENT_SECRET
oidc_audience = profile
oidc_token_endpoint_url = https://HOST/auth/realms/REALM/protocol/openid-connect/token
oidc_scope = openid

Logs

2024/09/23 12:45:26 [W] [control.go:425] [27c200cb77438642] received invalid ping: received different OIDC subject in login and ping. original subject: c789f698-547c-4453-a46b-e18c873aca9d, new subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24
2024/09/23 12:45:26 [I] [proxy.go:115] [27c200cb77438642] [test-session] proxy closing
2024/09/23 12:45:26 [I] [control.go:359] [27c200cb77438642] client exit success
2024/09/23 12:45:27 [I] [service.go:563] [27c200cb77438642] client login info: ip [10.0.99.67:57445] version [0.53.2] hostname [] os [windows] arch [amd64]
2024/09/23 12:45:28 [I] [http.go:110] [27c200cb77438642] [test-session] http proxy listen for host [test-session] location [] group [], routeByHTTPUser []
2024/09/23 12:45:28 [I] [control.go:401] [27c200cb77438642] new proxy [test-session] type [http] success
2024/09/23 12:45:30 [W] [control.go:425] [da9f0b7c28941afa] received invalid ping: received different OIDC subject in login and ping. original subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24, new subject: c789f698-547c-4453-a46b-e18c873aca9d
2024/09/23 12:45:30 [I] [proxy.go:115] [da9f0b7c28941afa] [test-data-connector] proxy closing
2024/09/23 12:45:30 [I] [control.go:359] [da9f0b7c28941afa] client exit success
2024/09/23 12:45:30 [I] [service.go:563] [da9f0b7c28941afa] client login info: ip [10.0.124.244:38998] version [0.53.2] hostname [] os [linux] arch [amd64]
2024/09/23 12:45:30 [I] [http.go:110] [da9f0b7c28941afa] [test-data-connector] http proxy listen for host [tm-test-data-connector-development] location [] group [], routeByHTTPUser []
2024/09/23 12:45:30 [I] [control.go:401] [da9f0b7c28941afa] new proxy [test-data-connector] type [http] success
2024/09/23 12:45:57 [W] [control.go:425] [27c200cb77438642] received invalid ping: received different OIDC subject in login and ping. original subject: c789f698-547c-4453-a46b-e18c873aca9d, new subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24
2024/09/23 12:45:58 [I] [proxy.go:115] [27c200cb77438642] [test-session] proxy closing
2024/09/23 12:45:58 [I] [control.go:359] [27c200cb77438642] client exit success
2024/09/23 12:45:58 [I] [service.go:563] [27c200cb77438642] client login info: ip [10.0.114.214:62949] version [0.53.2] hostname [] os [windows] arch [amd64]
2024/09/23 12:45:59 [I] [http.go:110] [27c200cb77438642] [test-session] http proxy listen for host [test-session] location [] group [], routeByHTTPUser []
2024/09/23 12:45:59 [I] [control.go:401] [27c200cb77438642] new proxy [test-session] type [http] success
2024/09/23 12:46:00 [W] [control.go:425] [da9f0b7c28941afa] received invalid ping: received different OIDC subject in login and ping. original subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24, new subject: c789f698-547c-4453-a46b-e18c873aca9d
2024/09/23 12:46:00 [I] [proxy.go:115] [da9f0b7c28941afa] [test-data-connector] proxy closing
2024/09/23 12:46:00 [I] [control.go:359] [da9f0b7c28941afa] client exit success
2024/09/23 12:46:00 [I] [service.go:563] [da9f0b7c28941afa] client login info: ip [10.0.124.244:33290] version [0.53.2] hostname [] os [linux] arch [amd64]
2024/09/23 12:46:01 [I] [http.go:110] [da9f0b7c28941afa] [test-data-connector] http proxy listen for host [tm-test-data-connector-development] location [] group [], routeByHTTPUser []
2024/09/23 12:46:01 [I] [control.go:401] [da9f0b7c28941afa] new proxy [test-data-connector] type [http] success
2024/09/23 12:46:28 [W] [control.go:425] [27c200cb77438642] received invalid ping: received different OIDC subject in login and ping. original subject: c789f698-547c-4453-a46b-e18c873aca9d, new subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24
2024/09/23 12:46:29 [I] [proxy.go:115] [27c200cb77438642] [test-session] proxy closing
2024/09/23 12:46:29 [I] [control.go:359] [27c200cb77438642] client exit success
2024/09/23 12:46:29 [I] [service.go:563] [27c200cb77438642] client login info: ip [10.0.124.244:21986] version [0.53.2] hostname [] os [windows] arch [amd64]
2024/09/23 12:46:30 [I] [http.go:110] [27c200cb77438642] [test-session] http proxy listen for host [test-session] location [] group [], routeByHTTPUser []
2024/09/23 12:46:30 [I] [control.go:401] [27c200cb77438642] new proxy [test-session] type [http] success
2024/09/23 12:46:30 [W] [control.go:425] [da9f0b7c28941afa] received invalid ping: received different OIDC subject in login and ping. original subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24, new subject: c789f698-547c-4453-a46b-e18c873aca9d
2024/09/23 12:46:30 [I] [proxy.go:115] [da9f0b7c28941afa] [test-data-connector] proxy closing
2024/09/23 12:46:30 [I] [control.go:359] [da9f0b7c28941afa] client exit success
2024/09/23 12:46:30 [I] [service.go:563] [da9f0b7c28941afa] client login info: ip [10.0.124.244:24708] version [0.53.2] hostname [] os [linux] arch [amd64]
2024/09/23 12:46:31 [I] [http.go:110] [da9f0b7c28941afa] [test-data-connector] http proxy listen for host [tm-test-data-connector-development] location [] group [], routeByHTTPUser []
2024/09/23 12:46:31 [I] [control.go:401] [da9f0b7c28941afa] new proxy [test-data-connector] type [http] success
2024/09/23 12:47:00 [W] [control.go:425] [27c200cb77438642] received invalid ping: received different OIDC subject in login and ping. original subject: c789f698-547c-4453-a46b-e18c873aca9d, new subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24
2024/09/23 12:47:00 [I] [proxy.go:115] [27c200cb77438642] [test-session] proxy closing
2024/09/23 12:47:00 [I] [control.go:359] [27c200cb77438642] client exit success
2024/09/23 12:47:00 [I] [service.go:563] [27c200cb77438642] client login info: ip [10.0.114.214:25343] version [0.53.2] hostname [] os [windows] arch [amd64]
2024/09/23 12:47:01 [I] [http.go:110] [27c200cb77438642] [test-session] http proxy listen for host [test-session] location [] group [], routeByHTTPUser []
2024/09/23 12:47:01 [I] [control.go:401] [27c200cb77438642] new proxy [test-session] type [http] success
2024/09/23 12:47:30 [W] [control.go:425] [da9f0b7c28941afa] received invalid ping: received different OIDC subject in login and ping. original subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24, new subject: c789f698-547c-4453-a46b-e18c873aca9d
2024/09/23 12:47:30 [I] [proxy.go:115] [da9f0b7c28941afa] [test-data-connector] proxy closing
2024/09/23 12:47:30 [I] [control.go:359] [da9f0b7c28941afa] client exit success
2024/09/23 12:47:30 [I] [service.go:563] [da9f0b7c28941afa] client login info: ip [10.0.100.43:49509] version [0.53.2] hostname [] os [linux] arch [amd64]
2024/09/23 12:47:31 [W] [control.go:425] [27c200cb77438642] received invalid ping: received different OIDC subject in login and ping. original subject: c789f698-547c-4453-a46b-e18c873aca9d, new subject: 312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24
2024/09/23 12:47:31 [I] [http.go:110] [da9f0b7c28941afa] [test-data-connector] http proxy listen for host [tm-test-data-connector-development] location [] group [], routeByHTTPUser []
2024/09/23 12:47:31 [I] [control.go:401] [da9f0b7c28941afa] new proxy [test-data-connector] type [http] success
2024/09/23 12:47:31 [I] [proxy.go:115] [27c200cb77438642] [test-session] proxy closing
2024/09/23 12:47:31 [I] [control.go:359] [27c200cb77438642] client exit success
2024/09/23 12:47:31 [I] [service.go:563] [27c200cb77438642] client login info: ip [10.0.99.67:44672] version [0.53.2] hostname [] os [windows] arch [amd64]
2024/09/23 12:47:32 [I] [http.go:110] [27c200cb77438642] [test-session] http proxy listen for host [test-session] location [] group [], routeByHTTPUser []
2024/09/23 12:47:32 [I] [control.go:401] [27c200cb77438642] new proxy [test-session] type [http] success
2024/09/23 12:47:44 [I] [proxy.go:115] [da9f0b7c28941afa] [test-data-connector] proxy closing
2024/09/23 12:47:44 [I] [control.go:359] [da9f0b7c28941afa] client exit success

Steps to reproduce

  1. Start server with OIDC Auth
  2. Start Client with OIDC
  3. Start second client with OIDC

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
@blizard863
Collaborator

I tested with auth0; there is no error like yours. You can create a free auth0 account and test it.

My successful config.

frps
authentication_method = oidc
oidc_issuer = https://dev-xxxx.us.auth0.com/
oidc_audience = https://dev-xxxx.us.auth0.com/api/v2/

frpc
authentication_method = oidc
oidc_client_id = xxxx
oidc_client_secret = xxxx
oidc_audience = https://dev-xxxx.us.auth0.com/api/v2/
oidc_token_endpoint_url = https://dev-xxxx.us.auth0.com/oauth/token

oidc_audience should be the same.

One frpc and multiple frpcs are both fine.

@blizard863
Collaborator

You can look at more OpenID RFC docs to find your problems.

@RobKenis
Contributor Author

RobKenis commented Oct 8, 2024

@blizard863 We are using different clients per frpc, so all tokens have a different subject. I am making a Pull Request currently to demonstrate the issue. I'll keep you posted.

RobKenis pushed a commit to RobKenis/frp that referenced this issue Oct 8, 2024
Validate the subject in an oidc ping against a list of logged in subjects.

This resolves the issue that multiple connected FRP clients with different
OIDC clients result in a failing ping. The ping would fail because the
subject in memory would be the value of the last logged in FRPC.

This change also changes the constructor of OidcAuthVerifier to take
a TokenVerifier interface. This will not change production behavior, but makes
testing easier because we can inject a mock verifier during testing.

Resolves: fatedier#4466
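A minimal Go model of the bug and of the fix the commit message describes (an added example, not frp's own code): a verifier that remembers only the last login subject, beside one that keeps every logged-in subject. The type and function names (singleSubject, multiSubject, reproduce) are assumptions; the per-subject count and Logout go one step beyond the commit message, covering two frpcs that share one OIDC client and so present the same subject. The subjects are the two from the issue's log.

```go
package main

import "fmt"

// singleSubject models frps 0.53.2: one subject field shared by every
// connected client, overwritten by whichever frpc logged in last.
type singleSubject struct{ sub string }

func (v *singleSubject) Login(sub string) { v.sub = sub }

func (v *singleSubject) Ping(sub string) error {
	if sub != v.sub {
		return fmt.Errorf("received different OIDC subject in login and ping. original subject: %s, new subject: %s", v.sub, sub)
	}
	return nil
}

// multiSubject counts logged-in clients per subject: a ping is valid while its
// subject has a logged-in client, and Logout drops the subject only when its
// last client leaves (single-goroutine model; frps would need a mutex here).
type multiSubject struct{ subs map[string]int }

func newMultiSubject() *multiSubject { return &multiSubject{subs: map[string]int{}} }
func (v *multiSubject) Login(sub string) { v.subs[sub]++ }

func (v *multiSubject) Logout(sub string) {
	if v.subs[sub]--; v.subs[sub] <= 0 { delete(v.subs, sub) }
}

func (v *multiSubject) Ping(sub string) error {
	if v.subs[sub] == 0 {
		return fmt.Errorf("received invalid ping: subject %s is not logged in", sub)
	}
	return nil
}

// reproduce replays the issue's two-client scenario (subjects from its log) and
// returns how many of the four alternating pings the given Login/Ping pair reject.
func reproduce(login func(string), ping func(string) error) int {
	subA, subB := "c789f698-547c-4453-a46b-e18c873aca9d", "312fb2ab-6c8d-4628-a8fc-d62a6c7d4e24"
	login(subA) // first frpc logs in
	login(subB) // second frpc logs in; in the 0.53.2 model this overwrites subA
	failed := 0
	for _, sub := range []string{subA, subB, subA, subB} {
		if ping(sub) != nil {
			failed++
		}
	}
	return failed
}
```

With the 0.53.2 model every ping from the first client is rejected, which is the reconnect loop visible in the log above; with the per-subject set all four pings pass.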
RobKenis pushed a commit to RobKenis/frp that referenced this issue Oct 8, 2024
@blizard863
Collaborator

OK, I will review it soon.

RobKenis pushed a commit to RobKenis/frp that referenced this issue Oct 11, 2024
blizard863 pushed a commit that referenced this issue Oct 12, 2024
aircross pushed a commit to aircross/frp that referenced this issue Oct 15, 2024