if upstream is down, authentication JWT is not cached #17

Closed
wasaga opened this issue Dec 8, 2021 · 2 comments · Fixed by #83

@wasaga
Contributor

wasaga commented Dec 8, 2021

What happened?

If a destination TCP upstream is down, Pomerium serves HTTP 503 and the JWT auth token would not be persisted by the CLI.

That causes two issues:

  • the need to open the auth URL the next time an authentication attempt is made, which, in case it is done by some software that auto-retries connections, will keep opening the user's browser over and over again.
  • there is no indication to the user of the underlying root cause (destination upstream down).


What did you expect to happen?

  • JWT auth token persisted by the CLI
  • have a better user error message
@travisgroth travisgroth added WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. thinking and removed WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. labels Dec 9, 2021
@desimone
Contributor

I think it's reasonable to cache (TOFU) the JWKS.

@calebdoxsey
Contributor

> have a better user error message

Is probably not possible. We intentionally don't provide detailed error messages. It's considered a security leak.
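
Added example, not part of the thread and not pomerium-cli's code or the fix merged in #83: a Go sketch of the caching behaviour the issue asks for, where the token is stored as soon as login succeeds and an HTTP 503 leaves it in place. The `Tunnel` type, its fields, the route string and the choice of 401 as the "token rejected" status are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ErrUpstreamDown separates "destination unreachable" from "token rejected".
var ErrUpstreamDown = errors.New("upstream unavailable (HTTP 503)")

// Tunnel is a hypothetical model of the CLI: a per-route token cache, a
// browser login step, and the proxy's status for a connect attempt.
type Tunnel struct {
	cache   map[string]string
	login   func() (string, error) // opens the auth URL, returns a JWT
	connect func(jwt string) int   // HTTP status returned by the proxy
	Logins  int                    // how many times the browser was opened
}

// Dial reuses a cached token when present and only logs in when none exists.
func (t *Tunnel) Dial(route string) error {
	jwt, ok := t.cache[route]
	if !ok {
		var err error
		if jwt, err = t.login(); err != nil {
			return err
		}
		t.Logins++
		// Persist before the connect result is known, so a 503 from a
		// down upstream cannot discard a token that authenticated fine.
		t.cache[route] = jwt
	}
	switch status := t.connect(jwt); status {
	case http.StatusOK:
		return nil
	case http.StatusUnauthorized: // assumed status for a rejected token
		delete(t.cache, route) // force a fresh login on the next attempt
		return fmt.Errorf("token rejected: HTTP %d", status)
	case http.StatusServiceUnavailable:
		return ErrUpstreamDown // cached token is kept
	default:
		return fmt.Errorf("unexpected HTTP %d", status)
	}
}

func main() {
	t := &Tunnel{cache: map[string]string{}, // constructed sample values below
		login:   func() (string, error) { return "constructed.jwt.value", nil },
		connect: func(string) int { return http.StatusServiceUnavailable }}
	fmt.Println(t.Dial("db.example.test:5432"), t.Dial("db.example.test:5432"))
	fmt.Println("browser opened", t.Logins, "time(s)")
}
```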
