"You may not use an undefined variable" error with Docker Compose and Kickstart
-
I'm trying to configure FusionAuth with kickstart for a project in need of OIDC support, but I've been having some issues getting it configured properly through docker-compose.
My issue is that I want to define the application client secret in my environment, since my application needs to know this for the flow to work. I therefore experimented with something like this in my kickstart.json:
{
  "variables": {
    "adminPassword": "#{ENV.FUSIONAUTH_ADMIN_PASSWORD}",
    "adminEmail": "#{ENV.FUSIONAUTH_ADMIN_EMAIL}",
    "projectApplicationId": "#{ENV.FUSIONAUTH_PROJECT_APPLICATION_ID}",
    "appClientSecret:": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_SECRET}",
    "applicationClientId": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_ID}",
    "authorizedRedirectUrls": "#{ENV.FUSIONAUTH_AUTHORIZED_REDIRECT_URLS}",
    "apiKey": "#{ENV.FUSIONAUTH_API_KEY}",
    "idpId": "#{ENV.FUSIONAUTH_IDP_ID}",
    "logoutUrl": "#{ENV.FUSIONAUTH_LOGOUT_URL}",
    "oidcIssuer": "#{ENV.OIDC_ISSUER}",
    "oidcClientId": "#{ENV.OIDC_CLIENT_ID}",
    "oidcClientSecret": "#{ENV.OIDC_CLIENT_SECRET}",
    "oidcScope": "#{ENV.OIDC_SCOPE}"
  },
  "apiKeys": [
    { "key": "#{apiKey}" }
  ],
  "requests": [
    {
      "method": "POST",
      "url": "/api/application/#{projectApplicationId}",
      "body": {
        "application": {
          "active": true,
          "name": "Test App",
          "roles": [
            { "description": "Test App system administrator", "name": "admin" },
            { "description": "Test App user", "name": "user" }
          ],
          "oauthConfiguration": {
            "authorizedRedirectURLs": ["#{authorizedRedirectUrls}"],
            "clientAuthenticationPolicy": "Required",
            "enabledGrants": ["authorization_code", "refresh_token"],
            "clientId": "#{applicationClientId}",
            "clientSecret": "#{appClientSecret}",
            "generateRefreshToken": true,
            "logoutBehavior": "AllApplications",
            "logoutURL": "#{logoutUrl}",
            "proofKeyForCodeExchangePolicy": "NotRequired"
          }
        }
      }
    },
    {
      "method": "POST",
      "url": "/api/user/registration",
      "body": {
        "user": { "email": "#{adminEmail}", "password": "#{adminPassword}" },
        "registration": {
          "applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
          "roles": ["admin"]
        }
      }
    },
    {
      "method": "POST",
      "url": "/api/identity-provider/#{idpId}",
      "body": {
        "identityProvider": {
          "applicationConfiguration": {
            "#{projectApplicationId}": { "createRegistration": true, "enabled": true }
          },
          "oauth2": {
            "issuer": "#{oidcIssuer}",
            "client_id": "#{oidcClientId}",
            "client_secret": "#{oidcClientSecret}",
            "clientAuthenticationMethod": "client_secret_basic",
            "scope": "#{oidcScope}"
          },
          "buttonText": "Login with OpenID Connect",
          "debug": false,
          "enabled": true,
          "name": "OpenID Connect Provider",
          "type": "OpenIDConnect"
        }
      }
    }
  ]
}
The problem is that an error is thrown by DefaultKickstartService when the docker container is started:
2022-04-01 12:34:47.555 PM ERROR io.fusionauth.api.service.system.kickstart.DefaultKickstartService - You may not use an undefined variable. Found #{appClientSecret} but this was not provided in the variables section.
But "appClientSecret" is clearly defined, and in the docker environment I can confirm that the environment variable it's bound to is defined together with all of the other variables. Removing the "clientSecret" property from the request allows FusionAuth to start as expected without any issues.
Can someone explain why it's undefined?
Misc info:
- I'm pulling latest for fusionauth-app
- Pulling postgres:11.9-alpine
- MacOS 12.3 (Intel)
Thanks a lot!
-
Is this still an active issue for you?
https://fusionauth.io/docs/v1/tech/installation-guide/kickstart#using-environment-variables
Thanks,
Josh
-
Hi Josh,
My workaround is to leave it undefined in the kickstart config, and make a call to the application-endpoint and fetch the client secret that way whenever I need it. I haven't found another solution to the issue. I have read through the kickstart docs for defining environment variables, but could not find anything related to why this field isn't being parsed.
-
Interesting.
Does it work if you hardcode the client secret?
... "clientSecret": "ajklajlsdjlasdj", ...
Have you double-checked that FUSIONAUTH_APPLICATION_CLIENT_SECRET is set? Is it a weird value?
-
@dan Yes, it works with a hardcoded secret. It kickstarts as normal, and I can see it when logging in and inspecting the application.
I'll just walk through what I'm doing:
I'll define both variables in my .env:
FUSIONAUTH_APPLICATION_CLIENT_SECRET=myclientsecret749653
FUSIONAUTH_APPLICATION_CLIENT_ID=...
In my docker-compose.yaml I define them under the environment:
...
FUSIONAUTH_APPLICATION_CLIENT_SECRET: '${FUSIONAUTH_APPLICATION_CLIENT_SECRET}'
FUSIONAUTH_APPLICATION_CLIENT_ID: '${FUSIONAUTH_APPLICATION_CLIENT_ID}'
...
And in my kickstart.json I define them in the variables block:
...
"applicationClientSecret:": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_SECRET}",
"applicationClientId": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_ID}",
...
And then in the oauthConfiguration block for the application I define it like this:
"oauthConfiguration": {
  "authorizedRedirectURLs": ["#{authorizedRedirectUrls}"],
  "clientAuthenticationPolicy": "Required",
  "enabledGrants": ["authorization_code", "refresh_token"],
  "clientId": "#{applicationClientId}",
  "clientSecret": "#{applicationClientSecret}",
  "generateRefreshToken": true,
  "logoutBehavior": "AllApplications",
  "logoutURL": "#{logoutUrl}",
  "proofKeyForCodeExchangePolicy": "NotRequired"
}
The clientId is defined exactly like the clientSecret, from env to kickstart, but for some reason it isn't parsed as a variable. If this is just me not using the API properly then I would expect something more descriptive.
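A pre-flight check for the class of mismatch this thread turns on, written here as an added example (not FusionAuth's own code): it walks a kickstart.json, lists every #{var} reference that has no matching key in the variables block, and flags variable keys that no #{name} reference can ever spell, such as the posted "appClientSecret:" key with its trailing colon inside the quotes. The sample document and environment below are constructed to mirror the posted file.

```python
import json
import re

PLACEHOLDER = re.compile(r"#\{([^}]+)\}")          # #{apiKey} or #{ENV.FUSIONAUTH_API_KEY}
VALID_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # what a #{name} reference can spell

def collect_refs(node, refs):
    """Gather every #{...} reference found in the keys and string values of a JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            refs.update(PLACEHOLDER.findall(key))
            collect_refs(value, refs)
    elif isinstance(node, list):
        for item in node:
            collect_refs(item, refs)
    elif isinstance(node, str):
        refs.update(PLACEHOLDER.findall(node))

def lint_kickstart(doc, env):
    """Cross-check #{var} references against the variables block and the container env."""
    variables = doc.get("variables", {})
    refs = set()
    for section in ("apiKeys", "requests"):
        collect_refs(doc.get(section, []), refs)
    env_refs = [m[4:] for v in variables.values() for m in PLACEHOLDER.findall(str(v))
                if m.startswith("ENV.")]
    return {
        # Referenced by a request but not a key of "variables": kickstart refuses to start.
        "undefined": sorted(r for r in refs if not r.startswith("ENV.") and r not in variables),
        # Defined but never referenced: usually a misspelt or mis-punctuated key.
        "unused": sorted(v for v in variables if v not in refs),
        # Keys that no #{name} reference can ever match, e.g. a stray trailing colon.
        "malformed": sorted(v for v in variables if not VALID_NAME.match(v)),
        # ENV.* lookups whose variable is absent from the container environment.
        "missing_env": sorted(name for name in env_refs if name not in env),
    }

# Constructed sample mirroring the posted kickstart.json, including its "appClientSecret:" key.
SAMPLE_KICKSTART = json.loads('''{
  "variables": {"apiKey": "#{ENV.FUSIONAUTH_API_KEY}",
                "applicationClientId": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_ID}",
                "appClientSecret:": "#{ENV.FUSIONAUTH_APPLICATION_CLIENT_SECRET}"},
  "apiKeys": [{"key": "#{apiKey}"}],
  "requests": [{"method": "POST", "url": "/api/application",
                "body": {"application": {"oauthConfiguration": {
                  "clientId": "#{applicationClientId}", "clientSecret": "#{appClientSecret}"}}}}]
}''')
# Constructed container environment: every ENV.* variable above is set, as in the thread.
SAMPLE_ENV = {"FUSIONAUTH_API_KEY": "k", "FUSIONAUTH_APPLICATION_CLIENT_ID": "c",
              "FUSIONAUTH_APPLICATION_CLIENT_SECRET": "s"}
```

Running lint_kickstart(SAMPLE_KICKSTART, SAMPLE_ENV) reports appClientSecret as undefined and "appClientSecret:" as both unused and malformed, which is the same mismatch DefaultKickstartService complains about at startup.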
-
Thanks for the detailed repro steps. I just looked through the code and didn't see anything that indicated this behavior.
Could you do one more test for me, please? Can you check and see what happens if you don't use FUSIONAUTH_APPLICATION_CLIENT_SECRET and instead use a different variable name? Something like MY_COOL_APPLICATION_CLIENT_SECRET or something like that? I don't think there's a collision or reserved variable, but it's worth ruling out.
Also, what version of FusionAuth are you running?