IdentityServer4 behind Nginx Ingress, deployed with Terraform and Helm: not all users can login

8/9/2019

I have a Kubernetes cluster where I'm deploying two containers with a web page (ASP.NET Core with Kestrel, React) and with IdentityServer4. The ingress controller I'm using is Nginx-ingress. The identity server is configured to use the OIDC implicit flow against an Azure Active Directory app registration. One user can log in successfully into the web page and two others cannot: they see 502 errors or "page cannot be reached". The nginx logs show the OIDC flow going correctly up to the second call to the /identityserver/External/Callback path. There is no indication as to why these calls are stripped of details.

The things I've tried were from those two answers, but to no avail.

12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:35:59 +0000] "POST /identityserver/signin-oidc HTTP/2.0" 302 0 "https://login.microsoftonline.com/common/SAS/ProcessAuth" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" 2518 0.222 [default-identityserver-9000] 10.244.0.40:9000 0 0.220 302 8249f8f3ce72756bf8f2cfa1cc2faf3d
12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:35:59 +0000] "-" 000 0 "https://login.microsoftonline.com/common/SAS/ProcessAuth" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" 5604 0.000 [] - - - - a162031b9747a7b9ff8d281265d62d4f
12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:35:59 +0000] "-" 000 0 "https://login.microsoftonline.com/common/SAS/ProcessAuth" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" 5870 0.000 [] - - - - 6f2e99f98fdb7cb367134572fbf52c37
12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:35:59 +0000] "-" 000 0 "https://login.microsoftonline.com/common/SAS/ProcessAuth" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" 5870 0.000 [] - - - - 2837e78e72ef64edd27078ae6b2d2b4b
12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:35:59 +0000] "-" 000 0 "https://login.microsoftonline.com/common/SAS/ProcessAuth" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" 5870 0.000 [] - - - - 1de946ed242f391dadfb78bb9f72bfdc
12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:35:59 +0000] "-" 000 0 "https://login.microsoftonline.com/common/SAS/ProcessAuth" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" 5870 0.000 [] - - - - 4b441be747adb2c29f10d55568dc4e64
12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:36:00 +0000] "-" 000 0 "https://login.microsoftonline.com/common/SAS/ProcessAuth" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" 5870 0.000 [] - - - - dce572bd77990586010372c156fff9be
12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:36:00 +0000] "-" 000 0 "https://login.microsoftonline.com/common/SAS/ProcessAuth" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" 5870 0.000 [] - - - - fc2094d7a449925eccc9b525f908b477

Is there anything I'm missing on why two users cannot log in while the other can?

Later Edit: There are pieces which need to be added here for the complete picture. Terraform is used to deploy to Kubernetes, using a Helm provider and a Helm chart for Nginx-Ingress.

-- tomab
asp.net-core
identityserver4
kubernetes
nginx-ingress
terraform

1 Answer

9/17/2019

These two answers, as well as this GitHub issue, are useful, but Terraform needs a template file to specify those annotations and config values. Here is what I've ended up with:

# Chart values for nginx-ingress. The three keys land in the controller's
# ConfigMap: the first two raise nginx's HTTP/2 per-field and total header
# limits, the third the buffer nginx reads upstream response headers into.
data "template_file" "nginx-ingress" {
    template = <<EOF
controller:
  config:
    http2-max-field-size: "16k"
    http2-max-header-size: "64k"
    proxy-buffer-size: "64k"
EOF
}

And the helm_release provider needs its values to be set:

# helm_release requires name and chart; the chart reference and namespace below
# are assumed, since the original only shows the values argument.
resource "helm_release" "nginx_ingress" {
  name      = "nginx-ingress"
  chart     = "stable/nginx-ingress"
  namespace = "ingress-nginx"

  # Rendered YAML from the template_file above, passed as the chart's values.
  values = [
    "${data.template_file.nginx-ingress.rendered}"
  ]
}
-- tomab
Source: StackOverflow
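An added example, not part of the question or answer above: a small Python triage script that parses nginx-ingress access-log lines of the shape shown in the question, separates the two failure shapes a practitioner would look for (a stream logged as `"-" 000` with an empty upstream block, meaning nginx never parsed a request line, and a `502` after the request was routed), and renders the ConfigMap keys to set in the same values layout the answer's template_file uses. The log layout, the 4k default for nginx's `http2_max_field_size`, and the mapping from failure shape to ConfigMap key are assumptions stated in the comments; the sample input is three shortened copies of the question's entries plus one constructed 502 line.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed layout: the nginx-ingress controller's default access-log format, with the
# upstream fields and $req_id appended after the request line (as in the question's log).
LOG_RE = re.compile(
    r'^(?P<remote>\S+) - \[(?P<real_ip>[^\]]*)\] - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<request_length>\d+) (?P<request_time>[\d.]+) '
    r'\[(?P<upstream_name>[^\]]*)\] (?P<upstream_addr>\S+) (?P<upstream_len>\S+) '
    r'(?P<upstream_time>\S+) (?P<upstream_status>\S+) (?P<req_id>\S+)\s*$'
)

# Assumed default of the nginx build shipped with the controller in 2019:
# http2_max_field_size 4k (the controller's proxy-buffer-size default is also 4k).
HTTP2_MAX_FIELD_SIZE = 4 * 1024


@dataclass
class Entry:
    remote: str
    time: str
    request: str
    status: str
    request_length: int
    upstream_name: str
    upstream_status: str
    req_id: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access-log line; return None for a line in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Entry(m['remote'], m['time'], m['request'], m['status'],
                 int(m['request_length']), m['upstream_name'],
                 m['upstream_status'], m['req_id'])


def classify(e: Entry) -> Optional[str]:
    """Name the failure shape of an entry, or None if it was proxied normally."""
    if e.status == '000' and e.request == '-':
        # nginx logged the stream but never parsed a request line, and no upstream was
        # chosen (empty [] block). When the request bytes already exceed the 4k field
        # limit, an oversized header (typically a large auth cookie) is the first suspect.
        if e.request_length > HTTP2_MAX_FIELD_SIZE:
            return 'unparsed-large-request'
        return 'unparsed-request'
    if e.status == '502':
        # Routed, but the proxy gave up on the upstream answer. An upstream response header
        # larger than proxy-buffer-size (e.g. a big Set-Cookie on the 302) produces this;
        # nginx's error log then reads "upstream sent too big header".
        return 'bad-gateway-from-upstream'
    return None


# Assumed mapping from failure shape to nginx-ingress ConfigMap keys, using the values
# the answer above settled on.
REMEDIATION: Dict[str, Dict[str, str]] = {
    'unparsed-large-request': {'http2-max-field-size': '16k', 'http2-max-header-size': '64k'},
    'bad-gateway-from-upstream': {'proxy-buffer-size': '64k'},
}


def triage(lines: List[str]) -> Counter:
    """Count failure shapes over a batch of log lines (unparseable lines are skipped)."""
    kinds: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind:
            kinds[kind] += 1
    return kinds


def controller_config(lines: List[str]) -> Dict[str, str]:
    """ConfigMap keys to set, derived from the failure shapes seen in the log."""
    cfg: Dict[str, str] = {}
    for kind in triage(lines):
        cfg.update(REMEDIATION.get(kind, {}))
    return cfg


def terraform_values(cfg: Dict[str, str]) -> str:
    """Render the chart values in the layout the answer's template_file uses."""
    body = '\n'.join(f'    {k}: "{v}"' for k, v in sorted(cfg.items()))
    return f'controller:\n  config:\n{body}\n'


REF = '"https://login.microsoftonline.com/common/SAS/ProcessAuth"'
UA = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/17.17134"'
SAMPLE = [
    # Shortened copies of three entries from the question's log.
    f'12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:35:59 +0000] '
    f'"POST /identityserver/signin-oidc HTTP/2.0" 302 0 {REF} {UA} 2518 0.222 '
    f'[default-identityserver-9000] 10.244.0.40:9000 0 0.220 302 8249f8f3ce72756bf8f2cfa1cc2faf3d',
    f'12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:35:59 +0000] "-" 000 0 {REF} {UA} '
    f'5604 0.000 [] - - - - a162031b9747a7b9ff8d281265d62d4f',
    f'12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:35:59 +0000] "-" 000 0 {REF} {UA} '
    f'5870 0.000 [] - - - - 6f2e99f98fdb7cb367134572fbf52c37',
    # Constructed (not from the question): a 502 on the callback after routing to the upstream.
    f'12.25.114.244 - [12.25.114.244] - - [08/Aug/2019:14:36:01 +0000] '
    f'"GET /identityserver/External/Callback HTTP/2.0" 502 150 {REF} {UA} 4100 0.010 '
    f'[default-identityserver-9000] 10.244.0.40:9000 0 0.010 502 0000000000000000000000000000abcd',
]

if __name__ == '__main__':
    print(dict(triage(SAMPLE)))
    print(terraform_values(controller_config(SAMPLE)))
```

Feed it the controller's access log (`kubectl logs` of the nginx-ingress pod) to see which of the two shapes dominates before raising limits; the `"-" 000` entries with no upstream are the ones that never reach the application, so they will not show up in IdentityServer's own logs at all, and the rendered YAML is what goes into the template_file's heredoc.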