OIDC Session Error
When using the Docker installation of AuRa, the frontend cannot get a session with tank. After login, a prompt pops up saying:
Error: could not get a session with tank Status code: 400 Bad Request
Environment
The installation was done like this: AuRa runs on localhost with http.
The content of the web .env is the following:
STEERING_DB_PASS=passwd
STEERING_DB_USER=steering
STEERING_DB_NAME=steering
STEERING_SECRET_KEY=passwd
DJANGO_SUPERUSER_USERNAME=admin
DJANGO_SUPERUSER_PASSWORD=passwd
DJANGO_SUPERUSER_EMAIL=ole@loxbie.com
TANK_DB_PASS=passwd
TANK_DB_USER=tank
TANK_DB_NAME=tank
# OIDC client ids should be 6-digit integers
TANK_OIDC_CLIENT_ID=123456
TANK_OIDC_CLIENT_SECRET=passwd
# Point to the path where the tank-store lies. If deploying playout and web together, this can remain unset and docker will use a named volume instead of a configured path.
# TANK_STORE_PATH=
# engine secret should be the same as configured in engine
# via the ENGINE_TANK_SECRET env variable in aura-playout
ENGINE_SECRET=passwd
# Set the url to reach engine-api. This is only necessary if engine-api (e.g. aura-playout) is running on another machine than aura-web.
# INTERNAL_ENGINE_API_URL=
# leaving this empty should be ok for production; use http://localhost:8040 for dev
TANK_CALLBACK_BASE_URL=
# OIDC client ids should be 6-digit integers
DASHBOARD_OIDC_CLIENT_ID=654321
DASHBOARD_OIDC_CLIENT_SECRET=passwd
# leaving this empty should be ok for production; use http://localhost:8080 for dev
DASHBOARD_CALLBACK_BASE_URL=
AURA_HOST=localhost
# Only needed for production
CERTBOT_EMAIL=
# Set to http if you don't want to use ssl
AURA_PROTO=http
# Disable if you want to handle ssl yourself (e.g if you are deploying behind a reverse proxy)
# RUN_CERTBOT=true
# Configure dashboard clock
# Url the dashboard clock will bind to. You also need to provide the port. By default dashboard-clock will only be reachable from the local machine. To make it reachable from everywhere, set to 0.0.0.0:5001.
#DASHBOARD_CLOCK_BIND_URL=127.0.0.1:5001
# Include dashboard clock in the reverse proxy. This will make it reachable under $AURA_HOST/clock and usually it means the studio clock is now world-readable (no matter the bind URL you use above).
#INCLUDE_CLOCK=true
# Url the dashboard clock will be reachable from.
#DASHBOARD_CLOCK_HOST=127.0.0.1:5001
#DASHBOARD_CLOCK_NAME=Studio Clock
#DASHBOARD_CLOCK_LOGO_URL=https://gitlab.servus.at/aura/meta/-/raw/master/assets/images/aura-logo.png
#DASHBOARD_CLOCK_LOGO_SIZE=100px
# Set the engine-api url which is reachable for clients accessing dashboard clock (so usually the ip of the machine running engine-api).
# EXTERNAL_ENGINE_API_URL=
# UNKNOWN_TITLE_STRING=Unknown Title
# NO_CURRENT_TIMESLOT_STRING=No show playing
# NO_NEXT_TIMESLOT_STRING=Nothing scheduled next
# PLAY_OFFSET=3
# CSS=
# FALLBACK_TEXT=
TIMEZONE=Europe/Vienna
# versions/release numbers of the docker images for the components
STEERING_VERSION=unstable
TANK_VERSION=unstable
DASHBOARD_VERSION=unstable
DASHBOARD_CLOCK_VERSION=unstable
# Activate Icecast (either here if it's the only profile, or add to a line with all profiles)
# COMPOSE_PROFILES=icecast
# Include icecast in the reverse proxy, thus making it reachable via $AURA_HOST/icecast.
# INCLUDE_ICECAST=true
# Configure Icecast
# The source PW has to be the same as in engine-core.ini for the source
# ICECAST_SOURCE_PASSWORD=
# ICECAST_ADMIN_PASSWORD=
# ICECAST_PASSWORD=
# ICECAST_RELAY_PASSWORD=
# If you want to use a dev-setup, which exposes some more ports
# and builds the containers locally, uncomment the following
# line
# COMPOSE_FILE=docker-compose.yml:docker-compose.dev.yml
and the content of the playout .env:
# General
TIMEZONE=Europe/Vienna
# Engine
# Possible values: debug, info, warning, error, critical
ENGINE_LOG_LEVEL=debug
# [monitoring] can be left default/empty when you don't use monitoring
# Mail server credentials for sending email notifications (Admin and Programme Coordination)
ENGINE_MONITORING_MAIL_SERVER=
ENGINE_MONITORING_MAIL_SERVER_PORT=587
ENGINE_MONITORING_MAIL_USER=
ENGINE_MONITORING_MAIL_PASSWORD=
# Set to "true" if you want to notify programme-coordinators about fallback situations, otherwise "false"
ENGINE_MONITORING_MAIL_COORDINATOR_ENABLED=false
# If you want to address multiple programme-coordinators separate their emails by space
ENGINE_MONITORING_COORDINATOR_MAIL=
# Set to "true" if you want to notify admins about incidents, otherwise "false"
ENGINE_MONITORING_ADMIN_MAIL_ENABLED=false
# If you want to address multiple administrators separate their emails by space
ENGINE_MONITORING_ADMIN_MAIL=
# The FROM email address used when sending
ENGINE_MONITORING_SENDER_MAILADDRESS=
# A subject prefix allows applying filter rules in your mail client
ENGINE_MONITORING_MAIL_SUBJECT_PREFIX=[AURA Engine]
# Server where heartbeat info is sent to
ENGINE_HEARTBEAT_SERVER=127.0.0.1
ENGINE_HEARTBEAT_SERVER_PORT=43334
# Seconds how often the vitality of the Engine should be checked (0 = disabled)
ENGINE_HEARTBEAT_FREQUENCY=1
# The BASE URL to get the health status and the Calendar via Steering
STEERING_BASE_URL=http://steering:8000/
# The session name which is used to authenticate against Tank
ENGINE_TANK_SESSION=engine
# The secret which is used to authenticate against Tank
ENGINE_TANK_SECRET=passwd
# The URL to get the health status and the playlist details via Tank
TANK_BASE_URL=http://tank:8040/
# Point to the path where the tank-store lies. If deploying playout and web together, this can remain unset and docker will use a named volume instead of a configured path.
# TANK_STORE_PATH=
# Engine-Api BASE URL (for availability check, store playlogs, store clock information and store health information)
ENGINE_API_BASE_URL=http://engine-api:8008/
ENGINE_DB_PASS=passwd
ENGINE_DB_USER=engine
ENGINE_DB_NAME=engine
# Base path as seen by "engine-core", not accessed by "engine"; this is required to construct the absolute audio file path (check "Audio Store" in the docs)
# Either provide an absolute base path or a relative one starting in the `engine-core/src` directory. In case of `engine-core` running in docker use `/var/audio/source`
ENGINE_AUDIO_SOURCE_FOLDER=/var/audio/source
ENGINE_AUDIO_SOURCE_EXTENSION=.flac
# Folder holding M3U Playlists to be scheduled in form of Engine Playlists (similar as audio source folder above)
ENGINE_AUDIO_PLAYLIST_FOLDER=/var/audio/playlist
# Offset in seconds how long it takes for Liquidsoap to actually execute a scheduler command; Crucial to keep things in sync
ENGINE_LATENCY_OFFSET=0.5
# How often should the calendar be fetched in seconds. This determines the time of the last changes applied, before a specific show is aired
ENGINE_FETCHING_FREQUENCY=30
# The scheduling window defines when the entries of each timeslot are queued for play-out. The windows start at (timeslot.start - window_start) seconds
# and ends at (timeslot.end - window.end) seconds. It's also worth noting that timeslots can only be deleted before the start of the window.
ENGINE_SCHEDULING_WINDOW_START=60
ENGINE_SCHEDULING_WINDOW_END=60
# How many seconds before the actual schedule time the entry should be pre-rolled. Note to provide enough timeout for
# contents which take longer to load (big files, bad connectivity to streams etc.). If the planned start time is in
# the past the offset is ignored and the entry is played as soon as possible
ENGINE_PRELOAD_OFFSET=15
# Sometimes it might take longer to get a stream connected. Here you can define a viable length.
# But note, that this may affect the preloading time (see `preload_offset`), hence affecting the
# overall playout, its delays and possible fallbacks
ENGINE_INPUT_STREAM_RETRY_DELAY=1
ENGINE_INPUT_STREAM_MAX_RETRIES=10
ENGINE_INPUT_STREAM_BUFFER=3.0
# How long we have to fade in and out, when we select another mixer input (seconds)
ENGINE_FADE_IN_TIME=1.5
ENGINE_FADE_OUT_TIME=1.5
# Engine-Api
# Set the URL engine-api should bind to. Note that setting this to 0.0.0.0:8008 would make engine-api globally accessible. You probably want to set this to a private network.
# ENGINE_API_BIND_URL=127.0.0.1:8008
# Configure the database for engine-api
ENGINE_API_DB_PASS=passwd
ENGINE_API_DB_USER=aura_engine_api
ENGINE_API_DB_NAME=aura_engine_api
# possible values: debug, info, warning, error, critical
ENGINE_API_LOG_LEVEL=info
ENGINE_API_DEBUG_FLASK=false
ENGINE_API_ENABLE_FEDERATION=false
ENGINE_API_SYNC_HOST=http://localhost:8010
# Engine-Core
# This profile makes docker-compose deploy engine-core
# If you want to deploy engine-core bare metal, comment the COMPOSE_PROFILES line out
COMPOSE_PROFILES=engine-core
# Does not work yet, please insert pw manually in engine-core.ini
ICECAST_SOURCE_PASSWORD=
# versions/release numbers of the docker images for the components
ENGINE_VERSION=unstable
ENGINE_API_VERSION=unstable
ENGINE_CORE_VERSION=unstable
# If you want to use a dev-setup, which exposes some more ports
# and builds the containers locally, uncomment the following
# line
# COMPOSE_FILE=docker-compose.yml:docker-compose.dev.yml
The logs of tank (docker-compose logs -f --tail=100 tank) show the following:
tank | [ ERR ] authentication/oidc: initialization failed: oidc: issuer did not match the issuer returned by provider, expected "http://steering:8000/openid" got "http://localhost/openid", will retry...
The browser console gives the following three errors:
XHR POST http://localhost/tank/auth/session [HTTP/1.1 400 Bad Request 0ms]

POST http://localhost/tank/auth/session
Status: 400 Bad Request
Version: HTTP/1.1
Transferred: 239 B (61 B size)
Referrer Policy: strict-origin-when-cross-origin

Response headers:
Connection: keep-alive
Content-Length: 61
Content-Type: application/json; charset=utf-8
Date: Wed, 18 May 2022 08:51:05 GMT
Server: nginx/1.20.2

Request headers:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Authorization: Bearer 16fb409760f44bf5a4a26d5b21769944
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 104
Content-Type: application/json;charset=utf-8
Cookie: csrftoken=kWsDwyYGGfhIFodYKuhH3mJKGNANSqDGZWypnL9yRqoN6YFhDYz6p4ud2amNK6Ym; sessionid=9k6vuu8jg5jqlm6xjpu95qroy8je0auh
Host: localhost
Origin: http://localhost
Pragma: no-cache
Referer: http://localhost/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
error | 400 Bad Request vue-logger.js:95:63
printLogMessage vue-logger.js:95
i vue-logger.js:83
wi api-helper.js:51
oidcInit auth.js:182
(Async: promise callback)
oidcInit auth.js:182
(Async: promise callback)
oidcInit auth.js:144
O vuex.esm.js:851
dispatch vuex.esm.js:516
dispatch vuex.esm.js:406
created App.vue:117
VueJS 15
4010 main.js:19
s main.js:22
i jsonp chunk loading:20
Webpack 3
error |
Object { data: {…}, status: 400, statusText: "Bad Request", headers: {…}, config: {…}, request: XMLHttpRequest }
vue-logger.js:95:63
printLogMessage vue-logger.js:95
i vue-logger.js:83
wi api-helper.js:53
oidcInit auth.js:182
(Async: promise callback)
oidcInit auth.js:182
(Async: promise callback)
oidcInit auth.js:144
O vuex.esm.js:851
dispatch vuex.esm.js:516
dispatch vuex.esm.js:406
created App.vue:117
VueJS 15
4010 main.js:19
s main.js:22
i jsonp chunk loading:20
Webpack 3
O
<anonymous>
<anonymous>
Steps to reproduce
- Install and start all docker containers
- Visit http://localhost/
- Log in with admin and passwd
Expected Result
No errors showing up.
Actual Result
A prompt showing this message:
Error: could not get a session with tank
Status code: 400 Bad Request
Workaround
Change the line in the /etc/aura/tank.yaml file which contains the issuer-url. It should be something like:
issuer-url: http://localhost/openid
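The tank log line quoted above is an OpenID Connect relying party refusing to start because the `issuer` it was configured with ("http://steering:8000/openid", the docker-internal hostname) is not the `issuer` steering advertises in its discovery document ("http://localhost/openid", the browser-facing URL). The following added example, which is not part of this issue and not tank's or steering's own code, reimplements that check in Python so the failing configuration and the workaround can be compared side by side. The discovery document is constructed for the example; the function names are illustrative.

```python
import json

# Constructed OpenID Connect discovery document, modelled on what the tank log
# implies steering returns: the issuer is the public URL, not the docker-internal one.
ADVERTISED_DISCOVERY = json.dumps({
    "issuer": "http://localhost/openid",
    "authorization_endpoint": "http://localhost/openid/authorize",
    "token_endpoint": "http://localhost/openid/token",
    "jwks_uri": "http://localhost/openid/jwks",
    "response_types_supported": ["code"],
})


class IssuerMismatch(Exception):
    """Raised when the provider's advertised issuer differs from the configured one."""


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery: metadata is fetched from <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_issuer(configured_issuer: str, discovery_json: str) -> dict:
    """Parse a discovery document and require its 'issuer' to equal the configured value.

    The comparison is an exact string match, as OIDC Discovery requires. A relying
    party that skipped it could be handed another provider's endpoints (token
    endpoint, JWKS) while believing it talks to the provider it was configured for,
    so libraries fail closed, which is exactly what tank does in the log above.
    """
    doc = json.loads(discovery_json)
    advertised = doc.get("issuer")
    if not isinstance(advertised, str):
        raise ValueError("discovery document has no issuer field")
    if advertised != configured_issuer:
        raise IssuerMismatch(
            "issuer did not match the issuer returned by provider, "
            f'expected "{configured_issuer}" got "{advertised}"'
        )
    return doc


def id_token_issuer_ok(claims: dict, configured_issuer: str) -> bool:
    """The same exact-match rule applies later to the 'iss' claim of every ID token."""
    return claims.get("iss") == configured_issuer


def check_relying_party_config(configured_issuer: str, discovery_json: str) -> tuple:
    """Convenience wrapper returning (ok, message) instead of raising."""
    try:
        doc = validate_issuer(configured_issuer, discovery_json)
    except IssuerMismatch as exc:
        return False, str(exc)
    return True, f"issuer ok, token endpoint {doc['token_endpoint']}"


if __name__ == "__main__":
    # The failing configuration from this issue: internal hostname vs. advertised URL.
    print(check_relying_party_config("http://steering:8000/openid", ADVERTISED_DISCOVERY))
    # The workaround: issuer-url set to the value steering actually advertises.
    print(check_relying_party_config("http://localhost/openid", ADVERTISED_DISCOVERY))
```

The first call reproduces the log message word for word; the second passes, which is why editing `issuer-url` in tank.yaml to the advertised value resolves the 400 on `/tank/auth/session`. Note that the check is deliberately strict: normalising hostnames or trailing slashes on the relying-party side would weaken it, so the fix belongs in configuration (both sides agreeing on one issuer URL), not in the comparison.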
Edited by Ole Binder