Unable to authenticate to the vSphere Supervisor with ADFS. "Bad Gateway: error exchanging and validating upstream tokens"
search cancel

Unable to authenticate to the vSphere Supervisor with ADFS. "Bad Gateway: error exchanging and validating upstream tokens"

book

Article ID: 420436

calendar_today

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

Microsoft Active Directory Federation Services (ADFS) is registered as an External Identity Provider (IDP) on vSphere Supervisor. See, Register an External IDP with Supervisor

Users may observe one of the following issues when authenticating to Supervisor with ADFS:

  • Authentication fails with the error: "Bad Gateway: error exchanging and validating upstream tokens"
  • Users are logged out after a short period of time, requiring a fresh login.

Environment

vSphere Supervisor 8

vSphere Supervsior 9

Cause

Authentication fails as ADFS does not correctly implement the OAuth2 refresh token flow that is used to extend a user login session with vSphere Supervisor. 

Resolution

vSphere Supervisor uses Pinniped for external IDP authentication. 
A workaround has been added to Pinniped v0.41.0 which will be included in a future release of vSphere. 

To work around the error, SSH into one of the Supervisor VMs (See KB 323407) and perform the following operations:

  1. Edit the pinniped-supervisor-static-config ConfigMap
    kubectl edit configmap/pinniped-supervisor-static-config -n vmware-system-pinniped
  2. Update the ConfigMap with by adding an oidc entry with the ADFS Issuer URL under "whenIssuerExactlyMatches:" 
    kind: ConfigMap
apiVersion: v1
metadata:
  name: pinniped-supervisor-static-config
  namespace: vmware-system-pinniped
data:
  pinniped.yaml: |
    oidc:
      ignoreUserInfoEndpoint:
        whenIssuerExactlyMatches:
          - "https://ad1.example.com/adfs"
          - "https://ad2.example.com/adfs"
  3. Replace the <https://ad1.example.com/adfs> with the issuer url used to register the external IDP.
  4. Restart the pinniped-supervisor pod
    kubectl rollout restart deployments/pinniped-supervisor -n vmware-system-pinniped

Additional Information

For further information about Pinniped, see https://pinniped.dev

For further information on this specific issue: https://github.com/vmware/pinniped/pull/2580 

For further information about OAuth2 refresh token flows, see:

Powered by Wolken Software