JWT Audience mismatch when running two instances for the same top level domain on seperate hosts

[fightforlife]

Hi there,

I just migrated from the no longer maintainend forward auth to this one, Thanks very much for your work.

I have a quite specific issue:

Currently I have two docker hosts running under the same domain.com.
Both of them have a forward-auth instances configured with the same secret and same Cookiedomain=domain.com
The only difference is the forward-auth hostname, auth.subone.domain.com and auth.subtwo.domain.com..

I want both forward-auths to create a valid cookie for both hosts. (That is why they have the same secret).
The problem is, that the generated JWT includes the auth host as audience!

When a user visits auth.subone.domain.com the JWT is generated with auth.subone.domain.com as audience.
If the user now switches to auth.subtwo.domain.com, there he gets a HTTP500 Error because the audience in the JWT does not match the hostname of the forward-auth.
If he reloads the page the HTTP500 is gone and the JWT is regenerated with the new audience.
If he switches back to a service on auth.subone.domain.com, he has the problem again.

Would it be possible to set the audiences of the jwt to the Cookiedomain?
Or make it configurable to add custom domains?

In my head it sounds as easy as replacing the host with the cookiedomain here:

traefik-forward-auth/pkg/server/util-cookies.go

Line 72 in 78a1fa0

jwt.WithAudience(cfg.Hostname),

But most likely there are dependencies that I not know of.

Best regards!

[ItalyPaleAle]

Thanks for the suggestion, I need to think about it as I want to make sure there are no unintended consequences to doing this.

May I ask what's the reason for needing 2 separate TFA instances but configured with the same cookie domain?

[fightforlife]

Regarding two instances: I have two hosts, one at home and one VPS.
They host different services with subdomains under the same domain name (domain.com).

Both have the traefik and forward auth configured individually so that (from the top of my head):

1. I can take one of them offline for maintenance, without any big hiccups.
   (Auth will still work, cookie is still valid, only the services on this specific host will be offline)
2. I can easily add/remove hosts each with their own traefik+forward auth, all sharing the same cookiedomain and cookiesecret.
3. I can move services between hosts, without having to reauth.
4. I really like to use traefik docker labels to configure my routes (main reason to have traefik on each host)

I think the easiest/best would be to make a conf parameter for advanced users.
Default: audience = authHost, but let the user redefine the audience if needed.

[ItalyPaleAle]

Ok I understand the scenario.

I agree the change would be simple, but I'm not fully convinced it's the _right_™ thing to do. A token's audience is its intended consumer, and two separate instances of an app (that respond on two separate endpoints) are technically two separate audiences.

Have you looked into alternative options? Two that come to mind:

1. Have 2 separate and independent instances of TFA, connected to the same IdP, and each with its own cookie domain (subone.domain.com and subtwo.domain.com). This means, of course, that sessions aren't portable - but as long as you're using the same IdP, users should be authenticated transparently.
2. If the above is not acceptable, consider using things split DNS or some failover proxying to route to the right deployment of TFA.

Would any of the above (or other options I can't think of right now) work?

[fightforlife]

I did not have time to test yet, but with Option1 and the following scenario.
Would i be able to authorize at Service2, Service4, Service5? As far as I see the cookie same-site paramter is set to Lax, which should allow using it on the same top-level domain, right?

Host1

• Auth service at auth.subone.domain.com and cookie domain set to subone.domain.com
• Service1 at service1.subone.domain.com
• Service2 at service2.domain.com

Host2

• Auth service at auth.subtwo.domain.com and cookie domain set to subtwo.domain.com
• Service3 at service3.subtwo.domain.com
• Service4 at service4.domain.com
• Service5 at domain.com

[fightforlife]

I just tried Option1 with my described hosts.
I can not access anything which is on the same level as the cookieDomain (e.g. Service2, Service4)
Error message before I see the Login page is: "Error: State cookie not found"

[fightforlife]

I am trying to modify the code to add an optional additioan audience for the session cookie locally.
Linking this here because relevant: golang-jwt/jwt#433

[ItalyPaleAle]

Thanks for the details. This is now available in v3.6.0

There's a new config option in the YAML:

traefik-forward-auth/config.sample.yaml

Lines 390 to 394 in 6b24d33

	## sessionTokenAudience (string)
	## Description:
	## Value for the audience claim to expect in session tokens used by Traefik Forward Auth.
	## This defaults to the value of `cookieDomain` which is appropriate for the majority of cases. Most users should rely on the default value.
	#sessionTokenAudience:

[fightforlife]

@ItalyPaleAle Thank you very much! I can confirm that changing between different Authhosts, works fine with this new logic.

Small question/nitpick: The variable is named sessionToken, but the audience is not only changed for the session cookie, but also for the stateCookie. Is the audience change needed in the stateCookie?

[ItalyPaleAle]

Yes the audience is changed on both the stat and session cookies