OOD using HAproxy - Auth error?

Hi all!

I am working on an installation of two OOD instances using a HAproxy for traffic balancing. So far everything seemed to be going well, but I have started to have problems at the time of final testing.
When I try to log in with the two OOD instances up I get an error associated with the OIDC (I attach a related log). The strange thing is that when I turn off one of the two OODs the login works without problems.

This is a copy of my /etc/haproxy/haproxy.cfg

#### UNCOMMENT AFTER OOD IS INSTALLED ####

frontend hpcportal
        mode http
        bind 10.200.151.10:80
        default_backend ood-bk


backend ood-bk
        balance roundrobin
        mode http
        option forwardfor

        stick-table type ip size 1m expire 0 store conn_cur

        http-request set-header Host %[req.hdr(Host)]
        http-request set-header X-Forwarded-Proto http
        http-request set-header X-Forwarded-For %[src]
        http-request set-header X-Forwarded-Host %[req.hdr(Host)]

        server ---------------- 10.200.146.14:80 check verify none
        server ---------------- 10.200.146.15:80 check verify none

        stick on src

##########################################

And here is the log that I obtain; I can see that it is something related to OIDC authentication, but I don't know why it only happens when the 2 instances are up.

[Wed Mar 26 18:04:05.476410 2025] [auth_openidc:error] [pid 46771:tid 46900] [client 10.200.146.11:44170] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_grant"", referer: http://-----------/dex/auth/ldap_local/login?back=%2Fdex%2Fauth%3Fclient_id%3D------%26nonce%3DYyQnZDKtsl46Vnq3FcmHrbCZCAAg73ARPtxi6SIWPro%26redirect_uri%3Dhttp%253A%252F%252Fhpcportal.ieo.it%252Foidc%26response_type%3Dcode%26scope%3Dopenid%2Bprofile%2Bemail%26state%3DUG6rmUbMYsnPRUpuMgvmPuBz7R4&state=jdmlvhzkevm2q2ao7gqakfupm

[Wed Mar 26 18:04:05.476453 2025] [auth_openidc:error] [pid 46771:tid 46900] [client 10.200.146.11:44170] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""Invalid or expired code parameter."", referer: http://-------/dex/auth/ldap_local/login?back=%2Fdex%2Fauth%3Fclient_id%3D--------%26nonce%3DYyQnZDKtsl46Vnq3FcmHrbCZCAAg73ARPtxi6SIWPro%26redirect_uri%3Dhttp%253A%252F%252Fhpcportal.ieo.it%252Foidc%26response_type%3Dcode%26scope%3Dopenid%2Bprofile%2Bemail%26state%3DUG6rmUbMYsnPRUpuMgvmPuBz7R4&state=jdmlvhzkevm2q2ao7gqakfupm

[Wed Mar 26 18:04:05.476469 2025] [auth_openidc:error] [pid 46771:tid 46900] [client 10.200.146.11:44170] oidc_proto_resolve_code_and_validate_response: failed to resolve the code, referer: http://--------/dex/auth/ldap_local/login?back=%2Fdex%2Fauth%3Fclient_id%3D------%26nonce%3DYyQnZDKtsl46Vnq3FcmHrbCZCAAg73ARPtxi6SIWPro%26redirect_uri%3Dhttp%253A%252F%252Fhpcportal.ieo.it%252Foidc%26response_type%3Dcode%26scope%3Dopenid%2Bprofile%2Bemail%26state%3DUG6rmUbMYsnPRUpuMgvmPuBz7R4&state=jdmlvhzkevm2q2ao7gqakfupm

Best regards and thanks for the advice.
PS: I masked all the URLs with "----"

Hmmmm. You’ve masked client_id in the logs, but I’d guess that it’s unique to one instance and somehow you’re being routed to another. So it’s not being sticky because you started with one instance and now you’re being routed to another with a different client_id. You may be able to track this down in your developer tools to see what client_id you start with and which one you end up with.

The error appears to be coming from here:

A quick google search indicates that you may need to define the sticky table and stick on on the frontend, not the backend. But I could be wrong, I don't know any more about haproxy than the 3 minutes I just went googling.

Hi Jeff and sorry for the delay in replying, this project has kept us very busy.

I have managed to identify and solve the problem. To understand this we need to keep in mind that we are using OOD on the same URL in two different instances, balanced using a HAproxy.
When the user makes requests to the URL (HAproxy), it redirects to one of the instances and adds an entry to the stickiness table; here it binds the user's IP to the node. This behavior is correct, but we have identified that the error we have is because when we are trying to log in to a node, it makes requests to the URL as well. As these requests arrive at the HAproxy from the server node (another IP, different from the client's), the proxy identifies it as a new connection and redirects it to the other OOD instance, hence the authentication error with the cookies (they are not generated by and received at the same OOD instance).

Solving this is, in essence, quite simple: just add an exception to the HAproxy stickiness tables to redirect connections from the OOD server nodes to themselves. Here is an example:


backend ood-bk
        balance roundrobin
        mode http
        option forwardfor

        stick-table type ip size 1m expire 0 store conn_cur

        acl is_node1 src 10.200.146.14
        acl is_node2 src 10.200.146.15

        stick match src if is_node1 || is_node2
        use-server ----------- if is_node1
        use-server ----------- if is_node2

        server -------------- <IP A>:80 check verify none
        server -------------- <IP B>:80 check verify none

        stick on src

Thank you for your advice, as always
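A small Python model of the routing problem worked out in this thread, added here as an illustration and not taken from the original posts or from the OOD, Dex or HAProxy projects: it replays the two-step login (browser request, then the node's own code-exchange request) through a backend that does round-robin plus stick on src, first without and then with the node-pinning ACLs. It assumes that each OOD node runs its own Dex with a private store of issued codes, which is what makes the other node's Dex answer invalid_grant.

```python
import itertools
import secrets

NODES = ("10.200.146.14", "10.200.146.15")  # the two OOD servers from the thread
CLIENT = "10.200.146.11"                    # browser source IP seen in the log

class HAProxyBackend:
    """Model of backend ood-bk: balance roundrobin + stick on src (+ optional pinning)."""
    def __init__(self, pin_nodes):
        self.pin_nodes = pin_nodes        # the 'acl is_nodeN' / 'use-server' fix
        self.stick_table = {}             # stick-table type ip: src -> server
        self.round_robin = itertools.cycle(NODES)

    def route(self, src):
        # use-server <node> if is_nodeN: a node's own requests go back to itself
        if self.pin_nodes and src in NODES:
            return src
        # stick on src: an unknown source gets the next server and is remembered
        if src not in self.stick_table:
            self.stick_table[src] = next(self.round_robin)
        return self.stick_table[src]

class DexInstance:
    """One Dex per OOD node with a private store of issued codes (assumption)."""
    def __init__(self):
        self.issued = set()

    def authorize(self):
        code = secrets.token_hex(8)       # constructed authorization code
        self.issued.add(code)
        return code

    def token(self, code):
        # Dex rejects a code it did not issue: "Invalid or expired code parameter"
        return "ok" if code in self.issued else "invalid_grant"

def login(pin_nodes):
    """Return (node that served the browser, node that got the code exchange, result)."""
    proxy = HAProxyBackend(pin_nodes)
    dex = {node: DexInstance() for node in NODES}
    # 1. browser -> HAProxy -> one OOD node; that node's Dex issues the code
    browser_node = proxy.route(CLIENT)
    code = dex[browser_node].authorize()
    # 2. mod_auth_openidc on that node resolves the code at the public URL,
    #    so the request reaches HAProxy with the node's IP as its source
    exchange_node = proxy.route(browser_node)
    return browser_node, exchange_node, dex[exchange_node].token(code)
```

login(False) reproduces the failure from the log (the exchange lands on the other node), while login(True) shows the pinned configuration keeping both steps on the same node.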
