
Kratos is unable to contact NAT64 addresses (64:ff9b::/96) #4142

Open
3 of 5 tasks
tesinormed opened this issue Oct 4, 2024 · 1 comment
Labels
bug Something is not working.

Comments


tesinormed commented Oct 4, 2024

Preflight checklist

Ory Network Project

No response

Describe the bug

GitHub or Discord, both IPv4-only websites, do not work with Kratos when it is in an IPv6-only network and NAT64 is deployed with the well-known prefix 64:ff9b::/96.

Reproducing the bug

  1. Set up Kratos in an IPv6-only network (no IPv4 address assigned)
  2. Add a selfservice.methods.oidc.providers configuration with a service that is IPv4-only (like GitHub or Discord)
  3. Try to log in / # using that service

Relevant log output

time=2024-10-04T02:33:21Z level=info msg=Encountered self-service login error. audience=audit error=map[message:Post "https://github.com/#/oauth/access_token": dial tcp [64:ff9b::8c52:7403]:443: prohibited IP address: 64:ff9b::8c52:7403 is not a permitted destination as it's outside of the IPv6 Global Unicast range] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 accept-encoding:gzip, deflate, br, zstd accept-language:en-US,en;q=0.5 cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". dnt:1 priority:u=0, i referer:https://iam.5505.industries/ sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site sec-fetch-user:?1 sec-gpc:1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0 x-forwarded-for:2600:8802:d05:fc01:2e98:11ff:fe3d:4775 x-forwarded-host:api.iam.5505.industries x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:0.ingress.5505.industries x-real-ip:2600:8802:d05:fc01:2e98:11ff:fe3d:4775] host:api.iam.5505.industries method:GET path:/self-service/methods/oidc/callback/github query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:[fd23:1591:fdfc:940b::2]:58564 scheme:http] login_flow=map[active:oidc id:7c48906a-a6a0-46ab-a030-fe42b4a98a8b nid:f0b8cd2a-731e-428a-809c-77c2876cbeb5 refresh:false request_url:https://api.iam.5505.industries/self-service/#/browser?aal=&refresh=&return_to=&organization=&via= requested_aal:aal1 return_to: state:choose_method type:browser] service_name=Ory Kratos service_version=v1.3.0

Relevant configuration

clients:
  http:
    disallow_private_ip_ranges: false

selfservice:
  methods:
    oidc:
      enabled: true
      config:
        providers:
          - id: 'github'
            provider: github
            label: 'GitHub'
            client_id: 'REDACTED'
            client_secret: 'REDACTED'
            mapper_url: 'base64: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'
            scope:
              - read:user
              - read:email

Version

1.3.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response
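What the log line reports, as an added illustration that is not Kratos's own code: 64:ff9b::8c52:7403 lies outside IANA's global unicast allocation 2000::/3, so a guard that equates "IPv6 Global Unicast" with that range refuses it even though the embedded IPv4 address (140.82.116.3) is public. The assumed RejectReason guard below unwraps the well-known NAT64 prefix and judges the embedded IPv4 address instead, so public IPv4 destinations reached through NAT64 pass while translated loopback, RFC 1918 or link-local addresses are still refused; RejectReason, rejectIPv4 and the range comments are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

var (
	// Well-known NAT64 prefix (RFC 6052); the translated IPv4 address sits in the low 32 bits.
	nat64WellKnown = netip.MustParsePrefix("64:ff9b::/96")
	// IANA's global unicast allocation; rejecting everything outside it swallows NAT64 destinations.
	ipv6GlobalUnicast = netip.MustParsePrefix("2000::/3")
)

// RejectReason returns "" when addr is an acceptable outbound destination, otherwise a
// human-readable reason. Assumed guard logic for illustration, not Kratos's own code.
func RejectReason(addr netip.Addr) string {
	addr = addr.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	if addr.Is4() {
		return rejectIPv4(addr)
	}
	if nat64WellKnown.Contains(addr) {
		// Judge a NAT64 destination by the IPv4 address the gateway will translate it to,
		// so a loopback or RFC 1918 address embedded behind the prefix is still refused.
		b := addr.As16()
		embedded := netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]})
		if why := rejectIPv4(embedded); why != "" {
			return fmt.Sprintf("NAT64 address embeds %s: %s", embedded, why)
		}
		return ""
	}
	if !ipv6GlobalUnicast.Contains(addr) {
		// ::1, fe80::/10, fc00::/7 and ff00::/8 all lie outside 2000::/3.
		return "outside of the IPv6 Global Unicast range"
	}
	return ""
}

// rejectIPv4 is the IPv4 half of the guard, shared by plain and NAT64-embedded addresses.
func rejectIPv4(addr netip.Addr) string {
	switch {
	case addr.IsLoopback():
		return "loopback address"
	case addr.IsPrivate():
		return "private address (RFC 1918)"
	case addr.IsLinkLocalUnicast(), addr.IsUnspecified(), addr.IsMulticast():
		return "link-local, unspecified or multicast address"
	}
	return ""
}
```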

@tesinormed tesinormed added the bug Something is not working. label Oct 4, 2024
aeneasr (Member) commented Feb 11, 2025

Thank you for the report - a PR for this would be accepted but we don’t have bandwidth to fix this ourselves.

@tesinormed tesinormed changed the title Kratos is unable to contact NAT64 addresses even when clients.http.disallow_private_ip_ranges is false Kratos is unable to contact NAT64 addresses (64:ff9b::/96) Feb 11, 2025