
"missing ID token: <nil>" on successful login #78

Open
sanzoghenzo opened this issue Jan 30, 2023 · 2 comments

Comments

@sanzoghenzo

sanzoghenzo commented Jan 30, 2023

Hi, I'm trying to use this wonderful tool (thanks!) on my company's development server.

I got to the point where I can log in with Microsoft OIDC, but after a correct login I get a "Bad Gateway" page.
The logs show "missing ID token".

This is my docker compose (some of the envvars are there after a trial-and-error phase; I'm not sure I need them all):

version: "3.3"

services:
  traefik:
    image: "traefik:latest"
    restart: always
    ports:
      - "80:80"
      - "443:443"
    environment:
      - TZ=Europe/Rome
    volumes:
      - traefik-ssl-certs:/ssl-certs
      - /usr/share/zoneinfo:/usr/share/zoneinfo:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro

  traefik-forward-auth:
    image: mesosphere/traefik-forward-auth
    restart: always
    environment:
      - PROVIDER_URI=https://login.microsoftonline.com/${TENANT_ID}/v2.0
      - CLIENT_ID=${MS_CLIENT_ID}
      - CLIENT_SECRET=${MS_SECRET}
      - SCOPE=user.read
      - DOMAIN=${TENANT_DOMAIN}
      - COOKIE_DOMAIN=${MY_DOMAIN}
      - AUTH_HOST=auth.${MY_DOMAIN}
      - SECRET=${FORWARD_AUTH_SECRET}
      - ENCRYPTION_KEY=${FORWARD_AUTH_ENCRYPTION_KEY}
      - FORWARD_TOKEN_HEADER_NAME=X-Forwarded-Token
      - INSECURE_COOKIE=true
      - LOG_LEVEL=debug
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-forward-auth.rule=Host(`auth.${MY_DOMAIN}`)
      - traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181
      - traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User
      - traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181
      - traefik.http.routers.traefik-forward-auth.middlewares=traefik-forward-auth

  nginx:
    image: nginx:latest
    restart: always
    volumes:
      - "/nas/web:/usr/share/nginx/html"
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginx.rule=Host(`www.${MY_DOMAIN}`)
      - traefik.http.services.nginx.loadBalancer.server.port=80
      - traefik.http.routers.nginx.tls.certResolver=production
      - traefik.http.routers.nginx.middlewares=traefik-forward-auth

volumes:
  traefik-ssl-certs: {}

Here's the full log (tenant, client ID and domains are OK; I've obscured them):

time="2023-01-30T13:12:26Z" level=debug msg="Starting with options: {\"LogLevel\":\"debug\",\"LogFormat\":\"text\",\"ProviderUri\":\"https://login.microsoftonline.com/...../v2.0\",\"ClientId\":\"....\",\"Scope\":\"user.read\",\"AuthHost\":\"auth.<MY_DOMAIN>\",\"CookieDomains\":[{\"Domain\":\"<MY_DOMAIN>\",\"DomainLen\":15,\"SubDomain\":\".<MY_DOMAIN>\",\"SubDomainLen\":16}],\"InsecureCookie\":true,\"CookieName\":\"_forward_auth\",\"UserCookieName\":\"_forward_auth_name\",\"CSRFCookieName\":\"_forward_auth_csrf\",\"DefaultAction\":\"auth\",\"Domains\":[\"....\"],\"LifetimeString\":43200,\"Path\":\"/_oauth\",\"Whitelist\":null,\"EnableImpersonation\":false,\"ServiceAccountTokenPath\":\"/var/run/secrets/kubernetes.io/serviceaccount/token\",\"Rules\":{},\"GroupClaimPrefix\":\"oidc:\",\"SessionKey\":\"\",\"GroupsAttributeName\":\"groups\",\"EnableRBAC\":false,\"AuthZPassThrough\":null,\"OIDCContext\":0,\"OIDCProvider\":{},\"Lifetime\":43200000000000,\"ServiceAccountToken\":\"\"}"
time="2023-01-30T13:12:26Z" level=info msg="Listening on :4181"
time="2023-01-30T13:12:43Z" level=debug msg="Authenticate request" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.9] Sec-Ch-Ua:[\"Not_A Brand\";v=\"99\", \"Microsoft Edge\";v=\"109\", \"Chromium\";v=\"109\"] Sec-Ch-Ua-Mobile:[?0] Sec-Ch-Ua-Platform:[\"Linux\"] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[none] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.61] X-Forwarded-For:[10.10.205.31] X-Forwarded-Host:[www.<MY_DOMAIN>] X-Forwarded-Method:[GET] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[86a08e764432] X-Forwarded-Uri:[/docs/yadp] X-Real-Ip:[10.10.205.31]]" rule=default source_ip=10.10.205.31
time="2023-01-30T13:12:43Z" level=debug msg="Set CSRF cookie and redirect to OIDC login" source_ip=10.10.205.31
time="2023-01-30T13:13:16Z" level=debug msg="Handling callback" headers="map[Accept:[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.9] Cache-Control:[max-age=0] Cookie:[_forward_auth_csrf=7da62652097cd279c25ca86076944ea1] Referer:[https://login.microsoftonline.com/] Sec-Ch-Ua:[\"Not_A Brand\";v=\"99\", \"Microsoft Edge\";v=\"109\", \"Chromium\";v=\"109\"] Sec-Ch-Ua-Mobile:[?0] Sec-Ch-Ua-Platform:[\"Linux\"] Sec-Fetch-Dest:[document] Sec-Fetch-Mode:[navigate] Sec-Fetch-Site:[cross-site] Sec-Fetch-User:[?1] Upgrade-Insecure-Requests:[1] User-Agent:[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.61] X-Forwarded-For:[10.10.205.31] X-Forwarded-Host:[auth.<MY_DOMAIN>] X-Forwarded-Method:[GET] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[86a08e764432] X-Forwarded-Uri:[/_oauth?code=0.AQwA4STh97s8FEe5DtCGUodLZfIyVTryeUBEqwWaOl2Sto0MAAA.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wUA9P_IQCL4ydHyInc7xihH52TETdibHuBVAxBRzFzlIJy6BfRMKMbm4j9an3J1V6Wy-iqy-AC61j_y-bkOfjG9_wH0Eo6eadSQX3XukLMEO6lFaXxBlfPm6k-I1zYs6q9PVQvt4zIcH2E9FtY5klUEXM-ismtAaO4cXAK-3ojOO81cUxSoj0YqU2BuAvEID7OP4hKCeFYtxqeL4uez8VD0yRn5jE-BZ5twQsmk1OnyNkLbS7TSq0T3_jsDs-VuSptHfKj0wL_1BACAfqazTuzZOzGN26jmWNut0UM5nqNKFY253dZdn17F-dkwfFgCwP1N0jGfgdKThGBkUUniNKlLQkLbxv3lu6uPlcQ0H-FW4jwauccf-aDOEFuhcO5Gnr_tRxZe_PTyUsh1GphphN6w_-wU9Bqd97hykC4tV53UhaRYT3Tzw7hw2vWPxmD61NdWNsFSjo41qFpTprQ9FZBX_cMUKk0JdKTH19mnvn8lKNhoBZkJVCKRMxG7HB1Wd-bhQnyQ3sMmtq-mFpIC3OfTyxdQ7Rlbu-xFGTnHA4pJIGnrBS2yekLrqaYBHd36JPrn5h8mSPtp77wfYaiPBGu9S6VFIRaLky5dPwIwv-CsnkpXMbI7m8NQf3qad5uF3ZK26Yf8Wh7K53wgbKbxNKdPZAMMv6xWinLhmbhUliwCuCT8mQejzGtaIyh_t99TEL0e7OArdpPiC014DXz9PXcxaE0Nput6tQ1M4acZS4TnNtm3G7yjYRyq3GTzQ_aYJMAcqNpvq0mZXEri6VfnU6N0om9bt19vO0aFHqMWpPRXhQ9ayJM&state=7da62652097cd279c25ca86076944ea1%3ahttps%3a%2f%2fwww.<MY_DOMAIN>%2fdocs%2fyadp&session_state=bcc273a7-048a-49cf-a9b6-835aca9694b7] X-Real-Ip:[10.10.205.31]]" rule=default source_ip=10.10.205.31
time="2023-01-30T13:13:16Z" level=warning msg="missing ID token: <nil>" source_ip=10.10.205.31
time="2023-01-30T13:13:17Z" level=debug msg="Authenticate request" headers="map[Accept:[image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8] Accept-Encoding:[gzip, deflate, br] Accept-Language:[en-US,en;q=0.9] Referer:[https://auth.<MY_DOMAIN>/_oauth?code=0.AQwA4STh97s8FEe5DtCGUodLZfIyVTryeUBEqwWaOl2Sto0MAAA.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wUA9P_IQCL4ydHyInc7xihH52TETdibHuBVAxBRzFzlIJy6BfRMKMbm4j9an3J1V6Wy-iqy-AC61j_y-bkOfjG9_wH0Eo6eadSQX3XukLMEO6lFaXxBlfPm6k-I1zYs6q9PVQvt4zIcH2E9FtY5klUEXM-ismtAaO4cXAK-3ojOO81cUxSoj0YqU2BuAvEID7OP4hKCeFYtxqeL4uez8VD0yRn5jE-BZ5twQsmk1OnyNkLbS7TSq0T3_jsDs-VuSptHfKj0wL_1BACAfqazTuzZOzGN26jmWNut0UM5nqNKFY253dZdn17F-dkwfFgCwP1N0jGfgdKThGBkUUniNKlLQkLbxv3lu6uPlcQ0H-FW4jwauccf-aDOEFuhcO5Gnr_tRxZe_PTyUsh1GphphN6w_-wU9Bqd97hykC4tV53UhaRYT3Tzw7hw2vWPxmD61NdWNsFSjo41qFpTprQ9FZBX_cMUKk0JdKTH19mnvn8lKNhoBZkJVCKRMxG7HB1Wd-bhQnyQ3sMmtq-mFpIC3OfTyxdQ7Rlbu-xFGTnHA4pJIGnrBS2yekLrqaYBHd36JPrn5h8mSPtp77wfYaiPBGu9S6VFIRaLky5dPwIwv-CsnkpXMbI7m8NQf3qad5uF3ZK26Yf8Wh7K53wgbKbxNKdPZAMMv6xWinLhmbhUliwCuCT8mQejzGtaIyh_t99TEL0e7OArdpPiC014DXz9PXcxaE0Nput6tQ1M4acZS4TnNtm3G7yjYRyq3GTzQ_aYJMAcqNpvq0mZXEri6VfnU6N0om9bt19vO0aFHqMWpPRXhQ9ayJM&state=7da62652097cd279c25ca86076944ea1%3ahttps%3a%2f%2fwww.<MY_DOMAIN>%2fdocs%2fyadp&session_state=bcc273a7-048a-49cf-a9b6-835aca9694b7] Sec-Ch-Ua:[\"Not_A Brand\";v=\"99\", \"Microsoft Edge\";v=\"109\", \"Chromium\";v=\"109\"] Sec-Ch-Ua-Mobile:[?0] Sec-Ch-Ua-Platform:[\"Linux\"] Sec-Fetch-Dest:[image] Sec-Fetch-Mode:[no-cors] Sec-Fetch-Site:[same-origin] User-Agent:[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.61] X-Forwarded-For:[10.10.205.31] X-Forwarded-Host:[auth.<MY_DOMAIN>] X-Forwarded-Method:[GET] X-Forwarded-Port:[443] X-Forwarded-Proto:[https] X-Forwarded-Server:[86a08e764432] X-Forwarded-Uri:[/favicon.ico] X-Real-Ip:[10.10.205.31]]" rule=default source_ip=10.10.205.31
time="2023-01-30T13:13:17Z" level=warning msg="Non-HTML request: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8" source_ip=10.10.205.31

I don't understand if it's a configuration problem, a traefik-forward-auth bug or a Microsoft OIDC limitation.
What am I missing here?

Thanks in advance for any help!

@sanzoghenzo

sanzoghenzo commented Jan 31, 2023

After examining the OpenID Connect scopes allowed by Microsoft, I tried to set the SCOPE envvar to openid,email,profile (groups is not supported), but now I get the following (reformatted for readability):

time="2023-01-31T10:18:31Z" 
level=warning
msg="failed to exchange token: oauth2: cannot fetch token: 400 Bad Request
Response: {
  "error": "invalid_request",
  "error_description": "AADSTS900144: The request body must contain the following parameter: 'code'.
    Trace ID: cf14a3e4-4fe2-463b-9924-49a2a2668700
    Correlation ID: f0772942-1940-474c-a47a-2525771124c2
    Timestamp: 2023-01-31 10:18:30Z",
  "error_codes":[900144],
  "timestamp": "2023-01-31 10:18:30Z",
  "trace_id": "cf14a3e4-4fe2-463b-9924-49a2a2668700",
  "correlation_id": "f0772942-1940-474c-a47a-2525771124c2",
  "error_uri": "https://login.microsoftonline.com/error?code=900144"
} 
source_ip=95.251.233.238

@sanzoghenzo

I solved it by going back to thomseddon/traefik-forward-auth, which has the right scopes by default.

I suppose that the SCOPE doesn't manage the user input as it should (I see that it is defined as a simple string, not as CommaSeparatedList).
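As an added example, not code from traefik-forward-auth or from the thread's author, the Go program below shows the two checks that together explain this thread: normalising a SCOPE setting that a user may write comma-separated (as in the second comment) or space-separated, making sure it carries openid (the first post's compose file asks only for user.read, which yields an access token but no ID token), and treating a token-endpoint response without id_token as a failed login instead of a success. The helper names ParseScopes, EnsureOIDCScopes, ScopeParam and ExtractIDToken, and the JSON bodies in main, are constructed for this example and are not the project's API.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ParseScopes splits a SCOPE setting into individual OAuth2 scopes.
// Hypothetical helper: it accepts both commas and whitespace because users
// naturally write "openid,email,profile" while the OAuth2 wire format is
// space-separated. Duplicates and empty fields are dropped.
func ParseScopes(raw string) []string {
	fields := strings.FieldsFunc(raw, func(r rune) bool {
		return r == ',' || r == ' ' || r == '\t'
	})
	seen := make(map[string]bool)
	var out []string
	for _, f := range fields {
		if f == "" || seen[f] {
			continue
		}
		seen[f] = true
		out = append(out, f)
	}
	return out
}

// EnsureOIDCScopes returns the list with "openid" guaranteed to be first.
// Without openid the provider runs plain OAuth2 and never issues an ID token,
// which is exactly the "missing ID token" warning after an otherwise
// successful login. (Hypothetical helper.)
func EnsureOIDCScopes(scopes []string) []string {
	for _, s := range scopes {
		if s == "openid" {
			return scopes
		}
	}
	return append([]string{"openid"}, scopes...)
}

// ScopeParam renders the list in the space-separated form that the
// authorization and token endpoints expect. (Hypothetical helper.)
func ScopeParam(scopes []string) string { return strings.Join(scopes, " ") }

// tokenResponse is the subset of the token-endpoint JSON this check needs.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
	Error       string `json:"error"`
	ErrorDesc   string `json:"error_description"`
}

// ErrMissingIDToken is returned when the exchange succeeded at the HTTP level
// but no id_token came back, so the caller cannot identify the user.
var ErrMissingIDToken = errors.New("missing ID token")

// ExtractIDToken mirrors the decision a forward-auth callback handler must
// make: an error body is a failure, and a 200 without id_token is also a
// failure, never a login. (Hypothetical helper.)
func ExtractIDToken(body []byte) (string, error) {
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return "", fmt.Errorf("decoding token response: %w", err)
	}
	if tr.Error != "" {
		return "", fmt.Errorf("token endpoint error %s: %s", tr.Error, tr.ErrorDesc)
	}
	if tr.IDToken == "" {
		return "", ErrMissingIDToken
	}
	return tr.IDToken, nil
}

func main() {
	// Constructed sample inputs; the token strings are placeholders, not real tokens.
	fmt.Println(ScopeParam(EnsureOIDCScopes(ParseScopes("user.read"))))            // openid user.read
	fmt.Println(ScopeParam(EnsureOIDCScopes(ParseScopes("openid,email,profile")))) // openid email profile

	noID := []byte(`{"access_token":"constructed-access-token","token_type":"Bearer"}`)
	if _, err := ExtractIDToken(noID); err != nil {
		fmt.Println("callback rejected:", err) // callback rejected: missing ID token
	}
	withID := []byte(`{"access_token":"constructed-access-token","id_token":"constructed.id.token"}`)
	if tok, err := ExtractIDToken(withID); err == nil {
		fmt.Println("id_token present:", tok)
	}
}
```

The design point is that scope handling and response validation fail closed together: the scope list is normalised before the authorization request is built, and the callback treats "no id_token" as an authentication failure rather than falling through to a half-authenticated state that surfaces as a Bad Gateway.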
