Hi Nicolas,
Yes, we followed the v7 to v8 upgrade docs during this process. Here’s what I’m seeing in my local dev environment’s backend.
0|admin-server | [forest] 🌳🌳🌳 Unable to register the client
0|admin-server | {
0|admin-server | "configuration": {
0|admin-server | "authorization_endpoint": "https://api.forestadmin.com/oidc/auth",
0|admin-server | "device_authorization_endpoint": "https://api.forestadmin.com/oidc/device/auth",
0|admin-server | "claims_parameter_supported": false,
0|admin-server | "claims_supported": [
0|admin-server | "sub",
0|admin-server | "email",
0|admin-server | "sid",
0|admin-server | "auth_time",
0|admin-server | "iss"
0|admin-server | ],
0|admin-server | "code_challenge_methods_supported": [
0|admin-server | "S256"
0|admin-server | ],
0|admin-server | "end_session_endpoint": "https://api.forestadmin.com/oidc/session/end",
0|admin-server | "grant_types_supported": [
0|admin-server | "authorization_code",
0|admin-server | "urn:ietf:params:oauth:grant-type:device_code"
0|admin-server | ],
0|admin-server | "id_token_signing_alg_values_supported": [
0|admin-server | "HS256",
0|admin-server | "RS256"
0|admin-server | ],
0|admin-server | "issuer": "https://api.forestadmin.com",
0|admin-server | "jwks_uri": "https://api.forestadmin.com/oidc/jwks",
0|admin-server | "registration_endpoint": "https://api.forestadmin.com/oidc/reg",
0|admin-server | "response_modes_supported": [
0|admin-server | "query"
0|admin-server | ],
0|admin-server | "response_types_supported": [
0|admin-server | "code",
0|admin-server | "none"
0|admin-server | ],
0|admin-server | "scopes_supported": [
0|admin-server | "openid",
0|admin-server | "email",
0|admin-server | "profile"
0|admin-server | ],
0|admin-server | "subject_types_supported": [
0|admin-server | "public"
0|admin-server | ],
0|admin-server | "token_endpoint_auth_methods_supported": [
0|admin-server | "none"
0|admin-server | ],
0|admin-server | "token_endpoint_auth_signing_alg_values_supported": [],
0|admin-server | "token_endpoint": "https://api.forestadmin.com/oidc/token",
0|admin-server | "request_object_signing_alg_values_supported": [
0|admin-server | "HS256",
0|admin-server | "RS256"
0|admin-server | ],
0|admin-server | "request_parameter_supported": false,
0|admin-server | "request_uri_parameter_supported": true,
0|admin-server | "require_request_uri_registration": true,
0|admin-server | "claim_types_supported": [
0|admin-server | "normal"
0|admin-server | ]
0|admin-server | },
0|admin-server | "registration": {
0|admin-server | "redirect_uris": [
0|admin-server | "https://admin.zach.atspoke-local.com/forest/authentication/callback"
0|admin-server | ],
0|admin-server | "token_endpoint_auth_method": "none"
0|admin-server | },
0|admin-server | "error": {
0|admin-server | "name": "RequestError",
0|admin-server | "code": "ERR_TLS_CERT_ALTNAME_INVALID",
0|admin-server | "timings": {
0|admin-server | "start": 1649866699760,
0|admin-server | "socket": 1649866699761,
0|admin-server | "lookup": 1649866699762,
0|admin-server | "connect": 1649866699762,
0|admin-server | "error": 1649866699773,
0|admin-server | "phases": {
0|admin-server | "wait": 1,
0|admin-server | "dns": 1,
0|admin-server | "tcp": 0,
0|admin-server | "total": 13
0|admin-server | }
0|admin-server | }
0|admin-server | }
0|admin-server | }
0|admin-server | [forest] 🌳🌳🌳 Unexpected error: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:*.zach.askspoke-local.com, DNS:*.zach.atspoke-local.com, DNS:zach.askspoke-local.com, DNS:zach.atspoke-local.com
0|admin-server | {
0|admin-server | "name": "RequestError",
0|admin-server | "code": "ERR_TLS_CERT_ALTNAME_INVALID",
0|admin-server | "timings": {
0|admin-server | "start": 1649866699760,
0|admin-server | "socket": 1649866699761,
0|admin-server | "lookup": 1649866699762,
0|admin-server | "connect": 1649866699762,
0|admin-server | "error": 1649866699773,
0|admin-server | "phases": {
0|admin-server | "wait": 1,
0|admin-server | "dns": 1,
0|admin-server | "tcp": 0,
0|admin-server | "total": 13
0|admin-server | }
0|admin-server | },
0|admin-server | "stack": "RequestError: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:*.zach.askspoke-local.com, DNS:*.zach.atspoke-local.com, DNS:zach.askspoke-local.com, DNS:zach.atspoke-local.com\n at ClientRequest.<anonymous> (/Users/zach/Repos/spoke/node_modules/got/dist/source/core/index.js:962:111)\n at Object.onceWrapper (events.js:422:26)\n at ClientRequest.emit (events.js:327:22)\n at ClientRequest.EventEmitter.emit (domain.js:467:12)\n at ClientRequest.origin.emit (/Users/zach/Repos/spoke/node_modules/@szmarczak/http-timer/dist/source/index.js:43:20)\n at TLSSocket.socketErrorListener (_http_client.js:469:9)\n at TLSSocket.emit (events.js:315:20)\n at TLSSocket.EventEmitter.emit (domain.js:467:12)\n at emitErrorNT (internal/streams/destroy.js:106:8)\n at emitErrorCloseNT (internal/streams/destroy.js:74:3)\n at processTicksAndRejections (internal/process/task_queues.js:80:21)\n at Object.checkServerIdentity (tls.js:297:12)\n at TLSSocket.onConnectSecure (_tls_wrap.js:1507:27)\n at TLSSocket.emit (events.js:315:20)\n at TLSSocket.EventEmitter.emit (domain.js:467:12)\n at TLSSocket._finishInit (_tls_wrap.js:932:8)\n at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)"
0|admin-server | }
This second error is slightly different, complaining about TLS validation, but the cause is the same. For some reason the admin backend appears to be trying to make a request to itself (localhost:443) and getting an error. Locally I get this TLS validation error because I have a webserver running on 443, and the certificate it presents does not list localhost among its altnames. In our cloud environments we get a connection refused instead, as there’s nothing running on that port in the container our admin backend runs in.
I was mistaken in my original statement that the admin dashboard is attempting to query localhost - it’s actually hitting the /authentication endpoint on the host correctly - but from there the backend is attempting to query localhost for some reason. What could be causing this?