Wrong method to fetch token for openID connect #2421

Closed
2 of 7 tasks
Lichtjaeger opened this issue Aug 29, 2017 · 21 comments
Labels
type/question Issue needs no code to be fixed, only a description on how to fix it yourself.

Comments

@Lichtjaeger

  • Gitea version (or commit ref): 1.2.0-rc1
  • Git version: 2.14.1
  • Operating system: Windows 10
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log:
2017/08/29 10:40:12 [I] Log Mode: File(Info)
2017/08/29 10:40:12 [I] XORM Log Mode: File(Info)
2017/08/29 10:40:12 [I] Cache Service Enabled
2017/08/29 10:40:12 [I] Session Service Enabled
2017/08/29 10:40:13 [I] Git Version: 2.14.1
2017/08/29 10:40:13 [I] SQLite3 Supported
2017/08/29 10:40:13 [I] Run Mode: Production
2017/08/29 10:40:13 [I] Listen: http://0.0.0.0:3000
2017/08/29 10:40:35 [...routers/user/auth.go:409 handleOAuth2SignIn()] [E] UserSignIn: oauth2: cannot fetch token: 405 Method Not Allowed
Response: {"error":"invalid_request","error_description":"method not allowed"}

Description

Hi, I am trying to implement an OpenID Connect login with oidc-provider for Node.js.

But I get "method not allowed" errors when I test this setup. I opened an issue at the provider's page (panva/node-oidc-provider#150) and the answer was that the client used the wrong method to request the token.

@panva

panva commented Aug 29, 2017

Hi, I am maintaining oidc-provider.

"method not allowed" is returned in cases where a route only responds to certain HTTP methods (verbs), in this case POST for the token_endpoint, but another method is encountered.

@lunny
Member

lunny commented Aug 29, 2017

From the log, it seems you are trying to use OAuth2 login, not OpenID Connect?

@panva

panva commented Aug 29, 2017

From an authorization_code flow perspective the two are the same (only in OIDC you must request the openid scope). Either way, the token_endpoint request must use a POST, does it?

@Lichtjaeger
Author

Here are my settings:
(screenshot attached: schnappschuss_083017_071532_am)

And the "/.well-known/openid-configuration.json":
(attachment: openid-configuration.zip)

@lunny lunny added the type/question Issue needs no code to be fixed, only a description on how to fix it yourself. label Aug 30, 2017
@Lichtjaeger
Author

No improvement in Gitea v1.2.0-rc2.

@lunny
Member

lunny commented Sep 7, 2017

@strk maybe you can see this?

@Lichtjaeger
Author

No improvement in Gitea v1.2.0-rc3.

@Lichtjaeger
Author

No improvement in Gitea v1.2.0. #618 still doesn't work for me.

@Lichtjaeger
Author

No improvement in Gitea v1.3.0-rc1.

@Lichtjaeger
Author

No improvement in Gitea v1.3.2.

@strk please state something.

@strk
Member

strk commented Jan 3, 2018

Sorry, but I'm not involved in the OpenID Connect consumer code at all. I did the OpenID-2.0 one. The OpenID Connect code, as far as I can tell, was added by @willemvd in commit 950f2e2 via #1010.

Willem, can you help here?

@strk
Member

strk commented Jan 3, 2018

@Lichtjaeger re "#618 still doesn't work for me." you mean you don't have an OpenID-2.0 server to use against, right? Or file a separate issue if OpenID-2.0 is also not working for you, against a valid server.

@Lichtjaeger
Author

Lichtjaeger commented Jan 3, 2018

you mean you don't have an OpenID-2.0 server to use against, right? Or file a separate issue if OpenID-2.0 is also not working for you, against a valid server.

Sorry, I was looking for a reference to my problem and only found this. Yes, I don't have an OpenID-2.0 Server. I tried to use OpenID connect from the start.

@willemvd
Contributor

@Lichtjaeger have you also configured the yammer provider? This error message is only displayed when using the yammer provider (https://github.com/markbates/goth/search?q=%22cannot+fetch+token%22&type=).
Looks like the error message returned from the library is not correct.

@Lichtjaeger
Author

@willemvd I don't know anything about yammer provider. But the message ("cannot fetch token: 405 Method Not Allowed") is correct. I use the oidc-provider for NodeJS from @panva. You can also read the error message I've got from the provider at panva/node-oidc-provider#150.

@Lichtjaeger
Author

I eventually found the problem. In my NginX load balancer I used return 301 https://$server_name$request_uri; to force SSL. This changed the POST request into a GET request.

Now I use return 308 https://$server_name$request_uri;, but I get some other errors.

Requesting the token without https results in:

2018/01/25 08:35:22 [...routers/user/auth.go:411 handleOAuth2SignIn()] [E] UserSignIn: oauth2: cannot fetch token: 308 
Response: https://auth.gbn.web/token

Requesting without forcing SSL results in:

2018/01/25 09:14:49 [...routers/user/auth.go:411 handleOAuth2SignIn()] [E] UserSignIn: userinfo response did not contain a 'sub' claim: map[string]interface {}{"sub":57}

@Lichtjaeger
Author

The error for 308 statuses is solved through reconfiguration of the /.well-known/openid-configuration endpoint.

But there is still the error with the "sub" claim. The debug output of the oidc-provider is:

oidc-provider:userinfo uuid=fbb7df8c-1cfa-4dbd-a896-da077ffe4eb4 content-type=application/json response={ sub: 57 }

@Lichtjaeger
Author

OK, I changed the type of the "sub" from number to string and now it works.
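The two root causes worked out in this thread, as an added Go example (not Gitea's, goth's or oidc-provider's code): an in-process stand-in where a 301 "force SSL" redirect makes the net/http client (the same client behaviour Gitea's OAuth2 sign-in depends on) turn the POST token request into a GET, which the POST-only token_endpoint answers with 405, while a 308 preserves the method; plus the string-typed `sub` check that rejects `{"sub":57}`. The paths `/front/token` and `/token`, the token JSON and the form body are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for the thread's setup: an nginx front that redirects with `code` to a token_endpoint that only accepts POST.
func newProvider(code int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.URL.Path != "/token": // the "force SSL" redirect rule (return 301 vs return 308)
			http.Redirect(w, r, "/token", code)
		case r.Method != http.MethodPost: // token_endpoint: POST only, as oidc-provider does
			http.Error(w, `{"error":"invalid_request","error_description":"method not allowed"}`, http.StatusMethodNotAllowed)
		default:
			fmt.Fprint(w, `{"access_token":"constructed","token_type":"Bearer"}`) // constructed sample token
		}
	}))
}
// POST a token request to the front and return the final status after the redirect: 301 rewrites POST to GET (405), 308 keeps POST (200).
func tokenRequestStatus(code int) (int, error) {
	srv := newProvider(code)
	defer srv.Close()
	form := strings.NewReader("grant_type=authorization_code&code=constructed")
	resp, err := http.Post(srv.URL+"/front/token", "application/x-www-form-urlencoded", form)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
// OIDC requires sub to be a string; a numeric {"sub":57} decodes as float64 and fails the assertion.
func subjectFromUserinfo(body []byte) (string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return "", err
	}
	if sub, ok := claims["sub"].(string); ok && sub != "" {
		return sub, nil
	}
	return "", fmt.Errorf("userinfo response did not contain a 'sub' claim: %#v", claims)
}
func main() {
	s301, _ := tokenRequestStatus(http.StatusMovedPermanently)
	s308, _ := tokenRequestStatus(http.StatusPermanentRedirect)
	fmt.Println(s301, s308) // 405 200
}
```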

@strk
Member

strk commented Jan 29, 2018 via email

@Lichtjaeger
Author

I can try to make time for it.

PS: I have a suggestion for improvement. oidc provides a lot of other claims (for example email, family_name, given_name, name, preferred_username). The discovery result can tell you if they are available. You could use them to autofill the registration form.

@strk
Member

strk commented Jan 29, 2018 via email

@go-gitea go-gitea locked and limited conversation to collaborators Nov 23, 2020