Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failure to authenticate with generated tokens #24

Open
abdulito opened this issue Oct 3, 2018 · 6 comments
Open

Failure to authenticate with generated tokens #24

abdulito opened this issue Oct 3, 2018 · 6 comments

Comments

@abdulito
Copy link

abdulito commented Oct 3, 2018

Hi,

Thanks for this great tool. I am running into an issue where tokens generated with k8s-oidc-helper are not working and get error: You must be logged in to the server (Unauthorized). And Kuberenetes api server logs has:

E1003 19:03:27.751405       1 authentication.go:63] Unable to authenticate the request due to an error: [invalid bearer token, [invalid bearer token, invalid bearer token]]

I have tried tokens generated with different means and they worked. I am not sure if i am missing something but could it be that token generation is out of date or something?

Thanks!

-abdul
@abdulito
Copy link
Author

abdulito commented Oct 3, 2018

ok i think i figured it out. I changed the token generation url to "v4" instead of "v3" and it started working for me.

https://github.com/micahhausler/k8s-oidc-helper/blob/master/internal/helper/helper.go#L53

@abdulito
Copy link
Author

abdulito commented Oct 3, 2018

The only thing i noticed in jwt's returned from v4 is that it contains a couple of more fields but i don't know if they are relevant.

  "name": "Abdul Al Khatib",
  "picture": "https://lh6.googleusercontent.com/-aXcqoRfK2AQ/AAAAAAAAAAI/AAAAAAAAAAA/AAN31DVp2-cQU-fNMJXp8F7d1t8Gt6YEEQ/s96-c/photo.jpg",
  "given_name": "Abdul",
  "family_name": "Al Khatib",
  "locale": "en"

@lftoledo
Copy link

I am having the same issue, I found the problem but I don't know how to solve yet.
When Google creates the Tokens, it is sending:
"iat": 1539167269,
And my personal machine is 2 hours ahead from the cluster (I am in CEST and the cluster is UTC).
So when Kubeapi tries to verify the Token, it gives me 401.

I've tested it, changing my local time and generating a new Token.

@jaybe78
Copy link

jaybe78 commented Dec 19, 2018

I got same issue guys. The token generated works but I have to wait a couple of hours before token is verified

@jaybe78
Copy link

jaybe78 commented Dec 19, 2018

Please use this url https://oauth2.googleapis.com/token to solve the issue

@roberth1988
Copy link

ok i think i figured it out. I changed the token generation url to "v4" instead of "v3" and it started working for me.

https://github.com/micahhausler/k8s-oidc-helper/blob/master/internal/helper/helper.go#L53

I can confirm that it works with this change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@abdulito @roberth1988 @jaybe78 @lftoledo