Undefined user agent #468

Closed
opened 2025-10-31 15:12:50 -05:00 by GiteaMirror · 8 comments

Originally created by @cristhianwon on GitHub (Jul 12, 2025).

I have a problem with Komodo and OIDC. I have this IdP protected with a WAF, and it blocks the requests from Komodo to OIDC because the requests do not have a user agent.

A recommended WAF protection is to only accept requests with a defined user agent.

For now my solution is to disable this protection in the WAF, but I recommend adding a user agent to the HTTP client in Komodo.


@eleith commented on GitHub (Jul 15, 2025):

this would also help with general investigation and tuning.

for example, i'm seeing a call to /application/o/komodo/jwks/ and /application/o/komodo/.well-known/openid-configuration every minute!

the current hypothesis is that since the userAgent is empty, it's coming from komodo.

it's unclear how to turn this down as 1 minute doesn't correspond to any configurable interval (MONITORING, RESOURCE_POLL and JWT_TTL)
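
An added example, not part of the original thread or Komodo's code: the investigation described above (which paths receive requests with no User-Agent, and at what interval) as a small log filter. The log line format and the sample lines are constructed for illustration.

```rust
use std::collections::BTreeMap;

// Constructed sample lines (not from the issue), assumed format:
// <epoch_secs> <path> <status> "<user-agent>"
const SAMPLE: &str = r#"1752590400 /application/o/komodo/jwks/ 200 ""
1752590400 /application/o/komodo/.well-known/openid-configuration 200 ""
1752590417 /application/o/authorize/ 302 "Mozilla/5.0"
1752590460 /application/o/komodo/jwks/ 200 ""
1752590460 /application/o/komodo/.well-known/openid-configuration 200 "-"
1752590520 /application/o/komodo/jwks/ 200 ""
1752590520 /application/o/komodo/.well-known/openid-configuration 200 ""
not a log line
"#;

/// Parse one line into (timestamp, path, user_agent); None if malformed.
fn parse_line(line: &str) -> Option<(u64, &str, &str)> {
    let (head, rest) = line.split_once(" \"")?;
    let ua = rest.strip_suffix('"')?;
    let mut fields = head.split_whitespace();
    let ts = fields.next()?.parse().ok()?;
    let path = fields.next()?;
    Some((ts, path, ua))
}

/// For each path hit by requests with an empty or "-" User-Agent, return the
/// median gap in seconds between consecutive hits (paths with one hit are skipped).
fn empty_ua_intervals(log: &str) -> BTreeMap<String, u64> {
    let mut hits: BTreeMap<String, Vec<u64>> = BTreeMap::new();
    for (ts, path, ua) in log.lines().filter_map(parse_line) {
        if ua.is_empty() || ua == "-" {
            hits.entry(path.to_string()).or_default().push(ts);
        }
    }
    let mut out = BTreeMap::new();
    for (path, mut ts) in hits {
        ts.sort_unstable();
        let mut gaps: Vec<u64> = ts.windows(2).map(|w| w[1] - w[0]).collect();
        if gaps.is_empty() { continue; }
        gaps.sort_unstable();
        out.insert(path, gaps[gaps.len() / 2]);
    }
    out
}

fn main() {
    for (path, gap) in empty_ua_intervals(SAMPLE) {
        println!("{path}: empty User-Agent roughly every {gap}s");
    }
}
```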


@eleith commented on GitHub (Aug 1, 2025):

i can confirm why and where this happens.

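komodo spawns an oidc check every 60 seconds to keep the jwk refresh here: https://github.com/moghtech/komodo/blob/118ae9b92caf95ae0fdabe9f5984923af4c3bd9d/bin/core/src/auth/oidc/client.rs#L43-L62

this was introduced in https://github.com/moghtech/komodo/pull/248/commits/3f767ed42e328be6887ee0b8b330669d6810dc44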


@eleith commented on GitHub (Aug 1, 2025):

setting the user agent might be a small change, according to the [reqwest docs](https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.user_agent) the following method:

https://github.com/moghtech/komodo/blob/118ae9b92caf95ae0fdabe9f5984923af4c3bd9d/bin/core/src/auth/oidc/mod.rs#L34-L42

could be modified to call something like

```rust
use std::sync::OnceLock;

// Shared OIDC HTTP client, built once on first use.
static REQWEST: OnceLock<reqwest::Client> = OnceLock::new();
REQWEST.get_or_init(|| {
  reqwest::Client::builder()
    // Do not follow redirects automatically.
    .redirect(reqwest::redirect::Policy::none())
    // Send an explicit User-Agent header on every request.
    .user_agent("Komodo/1.18.4")
    .build()
    .expect("Invalid OIDC reqwest client")
})
```

@cristhianwon commented on GitHub (Aug 1, 2025):

@eleith maybe the problem is with the reqwest lib, where the User-Agent header is missing

https://github.com/moghtech/komodo/blob/118ae9b92caf95ae0fdabe9f5984923af4c3bd9d/bin/core/src/auth/oidc/mod.rs#L34-L42


@eleith commented on GitHub (Aug 1, 2025):

@cristhianwon you beat me to it.

my next question would be why is the oidc happening every 60s and if it could be tuned down or made configurable. but that might deserve its own issue.


@cristhianwon commented on GitHub (Aug 1, 2025):

Yes @eleith, I think the configuration about the timing of oidc refresh should be handled in another issue.


@eleith commented on GitHub (Aug 1, 2025):

i've proposed a PR to resolve this issue and branched out my discussion to another issue.


@cristhianwon commented on GitHub (Aug 1, 2025):

thanks @eleith !

Reference: github-starred/komodo#468