Authentication Failed

Hello everyone. Please help me solve this problem. I have Boundary + IdP (Keycloak) + Vault deployed. First, for test operation, I started with authentication by login and password. It was successful: I could authenticate to Boundary Desktop and to the web UI. But after enabling OIDC, when using Boundary Desktop, I can’t authenticate. I get an error like the one in the screenshot.


OIDC authentication works, because I can access the web interface of the controller using this authentication method. I have tried both HTTP and HTTPS (self-signed certificate); in both cases the problem remains. I tried to look at Wireshark/tcpdump and see that after pressing SIGN IN in Boundary Desktop, the packet from the controller comes to the Desktop and then nothing happens.

How do I diagnose this problem? I need to use OIDC…

Is the scope setting the same for both the web GUI login and the desktop login?

I use the same scope for Boundary Desktop and the web UI.

There are a few things you can check:

  • Since you’re using HTTP in your test, you can see the payload of the server’s response using Wireshark. That would be useful to post here.
  • Normally when you click Sign In, a browser window opens up for you to authenticate against the IdP. Did you see that window? It may be that for some reason Boundary Desktop cannot launch the browser.
  • You can try authenticating via the Boundary CLI instead, which will execute the same workflow but be more verbose about it.

Thank you for participating in solving my problem.
Here it is (bandarya.cap - Google Drive); the payload of the server’s response, as dissected by Wireshark (values truncated by the capture view):

JavaScript Object Notation: application/json
{
  "attributes": {
    "auth_url": "http://10.20.5.10:31148/realms/boundary/protocol/openid-connect/auth?client_id=boundaryclient&max_age=0&nonce=U8vRK3JQwx1CfFyuGmkH&redirect_uri=https%3A%2F%2F10.20.5.10%3A30000%2Fv1%2Fauth-methods%2Foidc%3Aauthen [truncated]",
    "token_id": "7ZzACG7rMWQjakFcwSpA3ghdSBgew8HUHh8yR7sjH3svTuiHfdaudn7cPVEEDMLwXcq1XJidz5dCicwYpNDfXpuHYX9WSxFtELwvLw4ZCJwLeSYNGwDE9myX9o6XnTma3onUGayWMUt3ZgqK9LtDjXonyKPELGQCpSGAwfDo1Eug5F4KDw4GKohC4yNR3SxvQdSJeGueZfJpKYegs2Fc [truncated]"
  },
  "command": "start"
}

I can see the IdP window only when I use web auth. I can authenticate with the CLI; it works, I get a URL for authenticating. But Boundary Desktop shows me the error.

So in that packet capture, Boundary is at 10.20.5.10:30000 and Keycloak is at 10.20.5.10:31148?

Is Keycloak giving you any info in its logs indicating that it’s ignoring or rejecting requests, and if so, why?

When you try to authenticate with Boundary Desktop using your OIDC auth method, do you get any error before or besides the red “Authentication Failed” overlay in the lower left?

Yes, Boundary is 10.20.5.10:30000 and KC is 10.20.5.10:31148.
Keycloak does not provide such information, because it does not receive a request from the Desktop. Looking at the tcpdump, there are no connection attempts to KC from the Desktop.
“When you try to authenticate with Boundary Desktop using your OIDC auth method, do you get any error before or besides the red ‘Authentication Failed’ overlay in the lower left?” - No, I don’t get any errors other than the one shown in the screenshot.

Hello politehnn,

Hope you are doing well!

According to the docs:

  • Would you confirm that your Boundary Desktop client is 1.2.0 or above?
  • We have checked the pcap file provided, and the callback URL seems to match what is expected by Boundary.

Hi! Yes, I am using the latest version, 1.5.1. I tried version 1.2 and got a similar error. Is there any way to enable Boundary Desktop logging?


Maybe the reason is that I didn’t specify the group?

I found another problem. This is my controller configuration:

apiVersion: v1
data:
  config.hcl: |-
    # Copyright (c) HashiCorp, Inc.
    # SPDX-License-Identifier: MPL-2.0

    # Disable memory lock: https://www.man7.org/linux/man-pages/man2/mlock.2.html
    disable_mlock = true

    # Controller Configuration
    controller {
      # This name attribute must be unique across all controller instances when running in HA mode
      name = "docker-controller"
      description = "A controller for a docker demo!"
      public_cluster_addr = "10.20.5.10:30000"
      graceful_shutdown_wait_duration = "10s"
      # Database URL for postgres. This can be a direct "postgres://"
      # URL, or it can be "file://" to read the contents of a file to
      # supply the URL, or "env://" to name an environment variable
      # that contains the URL.
      database {
        url = "env://BOUNDARY_POSTGRES_URL"
      }
    }

    events {
      audit_enabled = true
      observations_enabled = true
      sysevents_enabled = true
      sink "stderr" {
        name = "default"
        event_types = ["*"]
        format = "cloudevents-json"
      }
    }

    # API listener configuration block 30000
    listener "tcp" {
      # Should be the address of the NIC that the controller server will be reached on
      address = "0.0.0.0"
      tls_disable = "true"
      # Purpose of this listener block
      purpose = "api"
      #tls_cert_file = "/boundary/cert.pem"
      #tls_key_file  = "/boundary/key.pem"
      cors_enabled = true
    }

    # Data-plane listener configuration block (used for worker coordination) 9201
    listener "tcp" {
      # Should be the IP of the NIC that the worker will connect on
      address = "0.0.0.0"
      # The purpose of this listener
      purpose = "cluster"
      #tls_disable = true
      #cors_allowed_origins= ["*"]
    }

    # Root KMS configuration block: this is the root key for Boundary
    # Use a production KMS such as AWS KMS in production install
    kms "transit" {
      purpose            = "root"
      address            = "https://10.20.5.10:32000"
      token              = "hvs.sSmfKBf4x1GaMvuhWVeDLtJM"
      disable_renewal    = "false"
      tls_skip_verify    = "true"

      key_name           = "boundary_controller"
      mount_path         = "transit/"
    }

    # Worker authorization KMS
    # Use a production KMS such as AWS KMS for production installs
    # This key is the same key used in the worker configuration
    kms "transit" {
      purpose            = "worker-auth"
      address            = "https://10.20.5.10:32000"
      token              = "hvs.sSmfKBf4x1GaMvuhWVeDLtJM"
      disable_renewal    = "false"
      tls_skip_verify    = "true"

      key_name           = "boundary_controller"
      mount_path         = "transit/"
    }

  key.pem: |-
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpg…
    -----END RSA PRIVATE KEY-----

  cert.pem: |-
    Certificate:
    Data:
    Version: 3 (0x2)

  rootCA.pem: |-
    -----BEGIN CERTIFICATE-----
    MIIFu…
    -----END CERTIFICATE-----

kind: ConfigMap
metadata:
  name: controller1
  namespace: default

If I set the parameter cors_enabled = true, then:
  • In the global scope, I cannot authenticate via the web with an administrator account by login and password. I get a similar error on the web.
  • I can’t use OIDC on the web for the IFT scope, although I could do it on the web before; now I get a similar error on the web for all scopes.

However, I can only authenticate via Boundary Desktop with an Administrator account. Why does this parameter block my administrator access and not allow me to authenticate to the web?

Hello @politehnn

Hope you are doing well!

Are you able to access the web UI when cors_enabled = false?
If that works, you can switch CORS back on with cors_enabled = true and use the cors_allowed_origins parameter to allow the necessary exceptions to CORS, such as domains and IPs.

You can also try your configuration with cors_allowed_origins = ["*"] for the api listener and cors_enabled = true to allow all domains and IPs. This would keep CORS enabled, but it would allow all origins.
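An added example, not from this thread or from HashiCorp, of the api listener block with CORS kept on but restricted to an explicit origin list instead of "*"; the origin https://10.20.5.10:30000 is taken from the redirect_uri in the capture above, and the http:// entry is an assumption for the period while tls_disable is still set:

```hcl
# API listener: CORS stays enabled, but only the listed origins may call the
# API from a browser context. cors_allowed_origins = ["*"] also unblocks the
# web UI, but it relaxes the browser's origin check for every site.
listener "tcp" {
  address      = "0.0.0.0"
  purpose      = "api"
  tls_disable  = true
  cors_enabled = true

  # Origins the web UI is actually served from. The https entry matches the
  # redirect_uri seen in the capture; the http entry (assumption) is only
  # needed while the listener still runs with tls_disable = true for testing.
  cors_allowed_origins = [
    "https://10.20.5.10:30000",
    "http://10.20.5.10:30000",
  ]
}
```

If the controller's own event log still reports rejected origins after this change, add the reported origin to the list rather than falling back to "*".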
