You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After enabling spec.options.pin_source_ip: true in a Teleport role, the user should be able to log out of the web UI and re-login to get a certificate with a pinned IP.
Current behavior
The web UI displays an error on refresh as soon as pin_source_ip is enabled, and the user is unable to even log out.
The root cause seems to be a 500 response to the DELETE call when trying to log the user out:
Additionally, as soon as a renewal of the bearer token is attempted, the renew operation fails and then plunges the browser into a redirect loop of doom:
The auth server also repeatedly displays an error whenever an operation is denied. Auth server logs here:
May 16 16:14:58 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:14:58Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:14:59 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:14:59Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:01 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:01Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:03 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:03Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:04 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:04Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:05 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:05Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:07 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:07Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:08 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:08Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:10 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:10Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:11 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:11Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:13 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:13Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:14 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:14Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:15 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:15Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:16 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:16Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:17 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:17Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:19 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:19Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
May 16 16:15:20 ip-172-31-0-105.ec2.internal teleport[1925]: 2024-05-16T16:15:20Z WARN [AUTH:1] pinned IP is required for the user, but is not present on identity pid:1925.1 authz/permissions.go:562
Workarounds
Clear cookies
Use a different browser or incognito window
Bug details
Teleport version: 15.3.4
The text was updated successfully, but these errors were encountered:
Expected behavior
After enabling
spec.options.pin_source_ip: true
in a Teleport role, the user should be able to log out of the web UI and re-login to get a certificate with a pinned IP.Current behavior
The web UI displays an error on refresh as soon as
pin_source_ip
is enabled, and the user is unable to even log out.The root cause seems to be a 500 response to the
DELETE
call when trying to log the user out:Additionally, as soon as a renewal of the bearer token is attempted, the
renew
operation fails and then plunges the browser into a redirect loop of doom:The auth server also repeatedly displays an error whenever an operation is denied. Auth server logs here:
Workarounds
Bug details
The text was updated successfully, but these errors were encountered: