1

Locally everything works!

However, after a deployment to my Kubernetes k3s cluster on raspberrypi, which is accessible via https domain the oauth2 code exchange for token feature doesn't work. I currently support authentication via Google and GitHub and both of them have this problem. Below are the logs:

GitHub login failure:

org.springframework.security.oauth2.core.OAuth2AuthenticationException: 
[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: Error while extracting response for type [class org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] and content type [application/json;charset=utf-8]; 
nested exception is org.springframework.http.converter.HttpMessageNotReadableException: An error occurred reading the OAuth 2.0 Access Token Response: tokenValue cannot be empty; 
nested exception is java.lang.IllegalArgumentException: tokenValue cannot be empty

Google login failure:

org.springframework.security.oauth2.core.OAuth2AuthenticationException: 
[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for "https://www.googleapis.com/oauth2/v4/token": Invalid ECDH ServerKeyExchange signature; 
nested exception is javax.net.ssl.SSLHandshakeException: Invalid ECDH ServerKeyExchange signature

What I've already tried:

I thought it might be a problem with sending https requests from within my Kubernetes cluster, but I connected to the running pod and curled https://google.com and it worked just fine.

Have any of you guys encountered such a problem?

@edit I'm using Java 11

@edit2 There seems to be a problem with docker on my raaspberrypi. Curling https requests work fine, but using RestTemplate in Java doesn't work

@edit3 Found a related issue https://github.com/docker-library/tomcat/issues/182

Humberd
  • 2,794
  • 3
  • 20
  • 37

2 Answers2

1

Assuming you are using the exact same container/executable/libraries both locally and Kubernetes and based on the error messages that you shared, the most likely reason is different credentials and/or private keys between your local environment and your Kubernetes environment.

The errors look different for Github and Google though. The first error (GitHub) seems like you are sending an empty token.

The second error (Google) seems like you are sending an private key that doesn't match a certificate. Based on similar Java errors:

The Invalid ECDH ServerKeyExchange signature can indicate that a key and a corresponding certificate don’t match and are causing the handshake to fail. Verify the contents of each of the files you are using for your configured certificate authorities, certificates and keys. In particular, check that the key and certificate belong to the same key pair.

Rico
  • 58,485
  • 12
  • 111
  • 141
1

Problem Solved and is not connected with spring or oauth configuration at all.

Adoptopenjdk Docker image for arm is broken. It prevents making https requests. Even the following example failed:

RestTemplate().getForEntity("https://google.com", String::class.java)

So the solution is to swap broken base image in my Dockerfile like this:

Previous:

FROM adoptopenjdk/openjdk11:armv7l-ubuntu-jdk-11.0.6_10-slim

Current:

FROM arm32v7/openjdk:11.0.3-slim
Humberd
  • 2,794
  • 3
  • 20
  • 37