
OIDC client secret is not taken into account using device flow

Open tailtwo opened this issue 2 years ago • 2 comments

Description

It seems that the OIDC client secret is not taken into account when Cosign is using device flow.

./cosign-linux-amd64 -d sign docker.redacted.com/testimage:latest \
--oidc-client-id='sigstore' \
--oidc-issuer='https://keycloak.redacted.com/realms/testrealm' \
--fulcio-url='http://fulcio.redacted.com/' \
--rekor-url='http://rekor.redacted.com/' \
--oidc-client-secret-file='client-credentials.txt' </dev/null >cosign.log 2>&1

Gives me:

Generating ephemeral keys...
Retrieving signed certificate...
Non-interactive mode detected, using device flow.
Error: signing [docker.redacted.com/imagetest:latest]: getting signer: getting key from Fulcio: retrieving cert: 401 Unauthorized: {"error":"unauthorized_client","error_description":"Invalid client or Invalid client credentials"}
main.go:74: error during command execution: signing [docker.redacted.com/imagetest:latest]: getting signer: getting key from Fulcio: retrieving cert: 401 Unauthorized: {"error":"unauthorized_client","error_description":"Invalid client or Invalid client credentials"}

Keycloak log:

2023-09-25 10:09:23,141 WARN  [org.keycloak.events] (executor-thread-158) type=OAUTH2_DEVICE_AUTH_ERROR, realmId=redacted, clientId=sigstore, userId=null, ipAddress=redacted, error=invalid_client_credentials

The specified client (sigstore) does exist inside Keycloak. Client authentication is enabled on the Keycloak side with a set Client ID and secret. The client-credentials.txt file exists and contains the correct secret. OAuth 2.0 Device Authorization Grant is enabled as well. I was able to sign an image using the normal flow, but not with device flow. I found an issue and a merged MR; it looks like those are related to my problem: https://github.com/sigstore/cosign/issues/1309 https://github.com/sigstore/cosign/pull/1310

Version

GitVersion: v2.2.0 GitCommit: 546f1c5b91ef58d6b034a402d0211d980184a0e5

tailtwo, Sep 25 '23 10:09

At a glance this should be passed, user-provided client secrets have been supported for some time. If someone would like to dig into the code and see where the secret isn't getting passed, open to a PR to fix this.

Hayden-IO, Jan 24 '24 00:01

@tailtwo did you find a resolution to this? @haydentherapper I'm also seeing this issue for OAUTH2_DEVICE_AUTH_ERROR. The exact same parameters (client id, secret, etc.) work fine when running outside of non-interactive mode; however, when running in non-interactive mode, it throws invalid_client_credentials.

@haydentherapper I found that the client_secret is not being passed here:

https://github.com/sigstore/sigstore/blob/main/pkg/oauthflow/device.go#L93

which causes an issue with Keycloak. However, the issue is moot, because even if it's passed correctly, Keycloak device flow requires browser interactivity, so it doesn't work anyway.


On a separate note, @haydentherapper, is there any interest in a PR to add client_credentials as another cosign flow? Because the device flow doesn't work with Keycloak, I ended up whipping that up. Is there a reason that isn't already a flow? Happy to PR it back in -- I would rather have it that way.

nkreiger, Feb 03 '24 06:02
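The point nkreiger raises about the device authorization request is easy to reproduce without a Keycloak instance. The Go program below is an added example written for this page; it is not cosign or sigstore code and does not reproduce device.go. It issues an RFC 8628 device authorization request twice against a constructed mock issuer that behaves like a Keycloak realm with client authentication enabled: the request without client_secret is rejected with the same 401 unauthorized_client body quoted in the issue, the request that posts the secret (client_secret_post) receives a device code. The endpoint path, client name, secret and all response values are assumptions made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// deviceAuthResponse is the subset of the RFC 8628 §3.2 device authorization
// response a client needs to continue polling for a token.
type deviceAuthResponse struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	Interval        int    `json:"interval"`
}

// requestDeviceCode performs the device authorization request (RFC 8628 §3.1).
// A non-empty clientSecret is sent as a client_secret_post parameter, which is
// what a confidential client (Keycloak "Client authentication: On") requires.
// An empty secret reproduces the behaviour reported in the issue.
func requestDeviceCode(endpoint, clientID, clientSecret string, scopes []string) (*deviceAuthResponse, error) {
	form := url.Values{}
	form.Set("client_id", clientID)
	form.Set("scope", strings.Join(scopes, " "))
	if clientSecret != "" {
		form.Set("client_secret", clientSecret)
	}
	resp, err := http.Post(endpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		var oerr struct {
			Error       string `json:"error"`
			Description string `json:"error_description"`
		}
		_ = json.NewDecoder(resp.Body).Decode(&oerr)
		return nil, fmt.Errorf("%d %s: %s: %s", resp.StatusCode, http.StatusText(resp.StatusCode), oerr.Error, oerr.Description)
	}
	var out deviceAuthResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	return &out, nil
}

// newMockIssuer is a constructed stand-in (not Keycloak) for a realm whose
// client has client authentication enabled: a device authorization request
// without the correct client_secret gets 401 unauthorized_client with the
// same body the issue quotes. The path is an assumption for the example.
func newMockIssuer(clientID, clientSecret string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/protocol/openid-connect/auth/device", func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad form", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if r.PostFormValue("client_id") != clientID || r.PostFormValue("client_secret") != clientSecret {
			w.WriteHeader(http.StatusUnauthorized)
			_ = json.NewEncoder(w).Encode(map[string]string{
				"error":             "unauthorized_client",
				"error_description": "Invalid client or Invalid client credentials",
			})
			return
		}
		_ = json.NewEncoder(w).Encode(deviceAuthResponse{
			DeviceCode:      "constructed-device-code",
			UserCode:        "ABCD-EFGH",
			VerificationURI: "https://keycloak.example/realms/testrealm/device",
			Interval:        5,
		})
	})
	return httptest.NewServer(mux)
}

// demo runs both variants against the mock: first without the secret (the
// reported failure), then with it (what the device flow should send).
func demo() (withoutSecretErr error, withSecret *deviceAuthResponse, withSecretErr error) {
	srv := newMockIssuer("sigstore", "constructed-secret")
	defer srv.Close()
	endpoint := srv.URL + "/protocol/openid-connect/auth/device"
	scopes := []string{"openid", "email"}
	_, withoutSecretErr = requestDeviceCode(endpoint, "sigstore", "", scopes)
	withSecret, withSecretErr = requestDeviceCode(endpoint, "sigstore", "constructed-secret", scopes)
	return
}

func main() {
	noSecretErr, ok, okErr := demo()
	fmt.Println("without client_secret:", noSecretErr)
	fmt.Println("with client_secret:", ok, okErr)
}
```

Getting the device code back is only the first half of the flow: as nkreiger notes, the user still has to visit verification_uri and enter the user code in a browser before polling the token endpoint succeeds, so a fully headless signer needs a grant that does not involve a user at all.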