ID and Secret-id is still required even when the binary has been built with the said parameters about dexter HOT 11 CLOSED

Hi!

This is pretty much how I do it for our custom build for us internally.
Did I get you right that you use the same credentials on the commandline and it works?

Cheers!
Daniel

from dexter.

from dexter.

I have a hard time replicating this issue. Here's what I do:

❯ CLIENT_ID=REDACTED.apps.googleusercontent.com CLIENT_SECRET=REDACTED OS=darwin make build
building: bin/amd64/dexter
CGO_ENABLED=0 \
        GOOS=darwin \
        GOARCH=amd64 \
        go build \
          -o build/dexter_darwin_amd64 \
          -ldflags "-X github.com/gini/dexter/version.VERSION=0.2.v0.2.1-dirty \
            -X github.com/gini/dexter/version.GITHASH=v0.2.1-dirty \
            -X github.com/gini/dexter/version.DOB=1550491673 \
            -X github.com/gini/dexter/cmd.defaultClientID=REDACTED.apps.googleusercontent.com \
            -X github.com/gini/dexter/cmd.defaultClientSecret=REDACTED"

Resulting binary works as expected. If I skip the vars at build I can use the same credentials on the commandline and it works fine as well.

Can you share the build output?

from dexter.

from dexter.

Hey Daniel heres the build output.

CLIENT_ID=redacted.apps.googleusercontent.com CLIENT_SECRET=redacted OS=linux make build
building: bin/amd64/dexter
CGO_ENABLED=0
GOOS=linux
GOARCH=amd64
go build
-o build/dexter_linux_amd64
-ldflags "-X github.com/gini/dexter/version.VERSION=0.2.v0.2.1
-X github.com/gini/dexter/version.GITHASH=v0.2.1
-X github.com/gini/dexter/version.DOB=1550548278
-X github.com/gini/dexter/cmd.defaultClientID=redacted.apps.googleusercontent.com
-X github.com/gini/dexter/cmd.defaultClientSecret=redacted"

from dexter.

That looks totally fine to me. Can you please share the response from google?

from dexter.

Here it is Daniel,

Error: invalid_request

Missing required parameter: client_id

Request Details
access_type=offline
client_id=
prompt=consent
redirect_uri=http://127.0.0.1:64464/callback
response_type=code
scope=openid profile email
state=xT1VnWhj8980lIYZfPMPaGkj3XCyj3sfx.ST9TW

On a different context, may I ask how exactly did you manage to modify api server for multiple entries of the following to accommodate the rest of the users? Looks to be only one entry is accepted.

kubeAPIServer:
    oidcClientID: redacted.apps.googleusercontent.com
    oidcIssuerURL: https://accounts.google.com
    oidcUsernameClaim: email

from dexter.

Just to be absolutely sure: Are you really running the binary from the build folder ($DEXTER_FOLDER/build/dexter_linux_amd64). Because this is where the artifact is stored when you build with the Makefile.

Regarding the second question: You only need that definition once. The way it works is that the verification of the token is delegated to the OIDC provider by the api service.

from dexter.

Oh jeez turns out I have been running a different binary all this time. :(
i.e
$DEXTER_PATH/bin/dexter
as opposed to
$DEXTER_PATH/src/github.com/gini/dexter/build/dexter_linux_amd64
A million apologies Daniel. Once run from the latter works flawlessly. Thanks so much.

I would have given more context on my other question earlier. I have been trying to authenticate 2 different gmail addresses of my own with their respective client-ids and secrets. As per your latest comment I believe this isn't possible unless its being done on g-suite?

from dexter.

No need to apologize. I'm glad it's working as expected ;-)

To my knowledge it's only possible to use 1 OIDC config in the api server and I'm not aware that it's possible to authenticate with 2 different gmail domains. There may be a way to merge/manage them in google cloud but I have no experience with that. Feel free to close the ticket when you have all the answers you need

from dexter.

The issue reported is not valid. Incorrect binary was run by the reporter.

from dexter.