Bad authority on /logout (Cognito AUTH) #1656

@wwakas

Issue submitter TODO list

  • I've looked up my issue in FAQ
  • I've searched for already existing issues here
  • I've tried running main-labeled docker image and the issue still persists there
  • I'm running a supported version of the application which is listed here

Describe the bug (actual behavior)

I am using a setup with Kafbat-ui behind AWS ALB and Cognito as authorization/authentication provider.

With that, I am totally unable to log out of the app, because the "Bad authority" error shows in the browser.

Expected behavior

After clicking the logout button, the session is ended, and the user is properly logged out.

Your installation details

  1. App version: v1.4.2

  2. Helm Chart version: 1.6.0

  3. Application config:

auth:
  oauth2:
    client:
      cognito:
        custom-params:
          logoutUrl: https://x-y-z-auth.auth.eu-central-1.amazoncognito.com/logout
          roles-field: groups
          type: cognito
logging:
  level:
    io.kafbat.ui: INFO
    root: INFO
rbac:
  roles:
  - clusters:
    - dev-kafka
    name: admin
    permissions:
    - actions: all
      resource: applicationconfig
    - actions: all
      resource: clusterconfig
    - actions: all
      resource: topic
      value: .*
    - actions: all
      resource: consumer
      value: .*
    - actions: all
      resource: schema
      value: .*
    - actions: all
      resource: connect
      value: .*
    - actions: all
      resource: ksql
    - actions: all
      resource: acl
    - actions: all
      resource: audit
    subjects:
    - provider: oauth_cognito
      type: user
      value: admin
    - provider: oauth_cognito
      type: group
      value: admins
  - clusters:
    - dev-kafka
    name: viewer
    permissions:
    - actions:
      - view
      resource: clusterconfig
    - actions:
      - VIEW
      - MESSAGES_READ
      resource: topic
      value: .*
    - actions:
      - view
      resource: consumer
      value: .*
    - actions:
      - view
      resource: schema
      value: .*
    - actions:
      - view
      resource: connect
      value: .*
    - actions:
      - view
      resource: acl
    subjects:
    - provider: oauth_cognito
      type: group
      value: viewers/kafka-ui

  4. Rest of config via environment variables:

envs:
  config:
    SERVER_USEFORWARDHEADERS: native
    KAFKA_CLUSTERS_0_NAME: dev-kafka
    KAFKA_CLUSTERS_0_DYNAMICCONFIGENABLED: "True"
    KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: b-1.xyz.com:9092,b-2.xyz.com:9092,b-3.xyz.com:9092

    # UI cognito auth configuration
    AUTH_TYPE: OAUTH2
    AUTH_OAUTH2_CLIENT_COGNITO_SCOPE: openid
    AUTH_OAUTH2_CLIENT_COGNITO_CLIENT-ID: xyz
    AUTH_OAUTH2_CLIENT_COGNITO_CLIENT-SECRET: xyz
    AUTH_OAUTH2_CLIENT_COGNITO_ISSUER-URI: xyz
    AUTH_OAUTH2_CLIENT_COGNITO_JWK-SET-URI: xyz
    AUTH_OAUTH2_CLIENT_COGNITO_CLIENT-NAME: kafka-ui-app
    AUTH_OAUTH2_CLIENT_COGNITO_PROVIDER: cognito
    AUTH_OAUTH2_CLIENT_COGNITO_REDIRECT-URI: https://xyz.com/login/oauth2/code/cognito
    AUTH_OAUTH2_CLIENT_COGNITO_AUTHORIZATION-GRANT-TYPE: authorization_code
    AUTH_OAUTH2_CLIENT_COGNITO_USER-NAME-ATTRIBUTE: cognito:username

Steps to reproduce

  1. Create a Cognito user pool
  2. Deploy kafbat-ui behind AWS ALB & Cognito auth provider
  3. Log in to the application (works properly, user and RBAC permissions are recognized by the app) and try to log out - then the Bad Authority error appears in the browser.

Logs

ERROR 1 --- [or-http-epoll-4] a.w.r.e.AbstractErrorWebExceptionHandler : [1ae1da36-177]  500 Server Error for HTTP POST "/logout"

org.springframework.web.util.InvalidUrlException: Bad authority
        at org.springframework.web.util.RfcUriParser.fail(RfcUriParser.java:65) ~[spring-web-6.2.12.jar!/:6.2.12]
        Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: 
Error has been observed at the following site(s):
        *__checkpoint ⇢ LogoutWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ ServerRequestCacheWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ SecurityContextServerWebExchangeWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ LogoutPageGeneratingWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ LoginPageGeneratingWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ StaticFileWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ DefaultResourcesWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ OAuth2LoginAuthenticationWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ OAuth2AuthorizationRequestRedirectWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ ReactorContextWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ HttpHeaderWriterWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ ServerWebExchangeReactorContextWebFilter [DefaultWebFilterChain]
        *__checkpoint ⇢ org.springframework.security.web.server.WebFilterChainProxy [DefaultWebFilterChain]
        *__checkpoint ⇢ HTTP POST "/logout" [ExceptionHandlingWebHandler]

Additional context

No response
