400-style errors when signing in via OAuth2 with Nextcloud #1056
I had an error in a similar place, I can't recall if it was exactly the same. My CodiMD and OAuth services run on docker containers each, and one wasn't able to make a network call to the other. I was missing DNS setup, if I remember correctly. I confirmed this by logging on to each one and pinging the other by its full domain name (not any shorthands like they are used in docker).
but the described error is a little weird, in that this line should not fail. Because this line 70 fails, we're actually losing the codimd/lib/web/auth/oauth2/index.js Lines 66 to 70 in df2a2e6
Either way: the error in question occurs when the "profile" information would be obtained by CodiMD (CodiMD asks your OAuth service for things like username, so it can be displayed as author info).
I believe I can make a quick fix for the described code error which masks your root cause.
Could you try out these changes and let me know how it goes? The error will not be gone, but instead of (edit: I messed up one thing with the import which should be fixed now)
Thank you! When I use the bug/oauth2internalerror branch from your repo CodiMD crashes on startup though :/
Meanwhile, I'm still trying to find out why CodiMD can't fetch the profile. The network setup is not the problem, the URL of my cloud resolves correctly and can be connected to. When I try
I'm sorry, I realized my mistake a few seconds before, I just pushed an updated version to the server, under the same branch.
Thanks for the
Yeah, it works now. When signing in, the server doesn't crash anymore. In the browser I get a page with »Internal Server Error« and the following appears in the log:
Actually, I would join the matrix room, but I currently have trouble with my matrix server, I can't join rooms, and I didn't get around to try fixing it, sorry 😂
:-D Alright, we're getting somewhere. Sadly, this still somewhat obscures the error. Perhaps @SISheogorath has an idea where such an error might end up. Maybe there's a different place where passport errors end up?
This fixes part of hackmdio#1056: an error while obtaining the profile would have `502`-crashed the server. Signed-off-by: Claudius Coenen <opensource@amenthes.de>
So... some information I gathered: The When I call This is expected behavior as (of course) this information isn't public and one needs to sign in to retrieve it. See here. So, following the information from the link I generated an app token as password and executed According to this Nextcloud issue that's because I need to send the Is maybe one of these the problem (missing authentication or header) when CodiMD tries to retrieve profile data?
I just checked a bit around nextcloud and it seems like they fixed it earlier this year and now broke it again -.- We have to check with upstream what's their plan. The current way doesn't allow any generic setup. I guess you run Nextcloud 14, right? As far as I can say it worked on Nextcloud 13 and broke on my own Nextcloud instance with version 14 (as I just checked). But I'm also not willing to write a workaround just for Nextcloud because once we start that, we'll write more and more exceptions and special handlings over time, which will probably become unmaintainable. So I guess upstream issue it is.
Yes, I'm using Nextcloud 14. What exactly did they break though?
This is odd. I'm running nc 14 and codi 1.2.1 side by side with oauth2.
When I interpret it correctly, I would look into this: According to this when you use a token (which OAuth2 should do), it should work without CSRF error. Mhm but somehow I just realized I took the idea that the problem is caused by a CSRF error, which doesn't have to be the case .-.
I changed the title to reflect that a tiny part of the problem has been resolved.
If the CSRF check is indeed the problem, and NC isn't fixing it, maybe adding a
Then I still don't get why it "works for me"?
@ccoenen What happens if you call
here's the final two lines from the apache log file from nextcloud:
I'll try curling next.
I can curl successfully with this: `curl -H 'Authorization: Bearer yBA---some-token---zWo6' 'https://<username>:<pwd>@<server>/ocs/v2.php/cloud/user?format=json'` and it will return the json I expected. (with
I got the
To re-iterate: curl does need to set the curl as suggested by me above with just the username/password/url will return
WOOOW This is an awesome issue! But I figured it out! I had to add some debug logging in our code base as well as the depending oauth2 library. But it worked out. Before I saw in the nextcloud log that it responded with an HTTP code So as mentioned, added some debugging code. First in our oAuth module: codimd/lib/web/auth/oauth2/index.js Lines 69 to 71 in f9aa001
I added some lines:

```js
console.log(err)
console.log(res)
```

Which turned out, res was empty as well as body. And error was quite short, since it only contained the response code 303. So I needed to extend the error message itself a bit. Since we use JS and in JS we use callbacks, let's climb up. Where do we pass the callback to? codimd/lib/web/auth/oauth2/index.js Lines 66 to 84 in f9aa001
The But of course this is only the remapping. So up the tree: Of course our actual call isn't in here either, so we search the Which turns out to call the So we finally found our function. The critical part is, besides the condition, the error it pushes: `callback({ statusCode: response.statusCode, data: result });` Extending the error with the actual response then solved the missing information problem: `callback({ statusCode: response.statusCode, data: result, response: response });` As it turns out, we were redirected to the following URL:
And when you ever set up multiple 2FA providers for your Nextcloud account, you know that this is the view to decide which one you want to use for your current login. So all in all: This error is caused by the multi-factor authentication implemented in Nextcloud. I'm not sure if it appears when you use a single 2FA provider for your account (like TOTP) but when you use multiple, it seems to be the case and causing problems. I'm not sure if Hope this helps and explains a bit how to debug such a problem, if someone ever wants to go for such a horror. It would probably be easier to use a debugger here but I was in a live environment. Lesson for today: Don't strip away too much information with an error. Always provide all information you have to your callbacks.
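An added example of the lesson in the comment above (my own code, not CodiMD's and not the passport-oauth2 library's): the profile fetch keeps the whole response on the error object instead of only a status code, and a helper turns a 303 into a readable log line. The HTTP transport is injected and replaced by a constructed fake, so the profile URL, token and redirect target are placeholders.

```javascript
// Added example, not code from CodiMD or passport-oauth2: a profile fetch whose
// error keeps the whole response, plus a helper that explains that error.
// `request` is injected as an (options, cb) function so this runs offline.

function fetchProfile(request, profileUrl, accessToken, callback) {
  const options = {
    url: profileUrl,
    headers: { Authorization: 'Bearer ' + accessToken, Accept: 'application/json' },
    followRedirect: false, // a 3xx from a profile endpoint is a symptom, not a route to follow
  };
  request(options, (err, response, body) => {
    if (err) return callback(err);
    if (response.statusCode !== 200) {
      // Do not reduce the failure to a status code: keep headers and body too.
      return callback({ statusCode: response.statusCode, data: body, response });
    }
    try {
      return callback(null, JSON.parse(body));
    } catch (e) {
      return callback({ statusCode: 200, data: body, response, parseError: e.message });
    }
  });
}

// One-line diagnosis for the server log, built from the retained response.
function describeProfileError(err) {
  if (err instanceof Error) return 'transport error: ' + err.message;
  if (err.parseError) return 'profile endpoint returned non-JSON body: ' + err.parseError;
  const location = err.response && err.response.headers && err.response.headers.location;
  if (err.statusCode >= 300 && err.statusCode < 400 && location) {
    return 'redirected (' + err.statusCode + ') to ' + location +
      '; the provider wants an interactive step (e.g. a 2FA prompt) before serving the profile';
  }
  return 'profile endpoint answered ' + err.statusCode + ': ' + String(err.data).slice(0, 200);
}

// Constructed fake transport: answers every request with the given response.
function fakeRequest(response) {
  return (options, cb) => cb(null, response, response.body);
}

// Runs one fetch against a constructed response and returns the outcome synchronously.
function probe(response) {
  let out = {};
  fetchProfile(fakeRequest(response), 'https://cloud.example/profile', 'tok', (err, profile) => {
    out = { err, profile, message: err ? describeProfileError(err) : null };
  });
  return out;
}
```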
This is some nice detective work!
InternalOAuthError is not part of passport, but of passport-oauth2 #1056
Nice, thank you for the commitment! I'm using only TOTP, so the problem appears with only a single 2FA provider enabled.
@Eisfunke do you want to take care of creating an upstream bug and linking it here? Would be awesome :)
The nextcloud issue should be fixed now. As soon as it lands in my Nextcloud version I'll test it with CodiMD and close this (of course anybody else could do it as well).
Good to hear, thanks for your work!
Releases to look for:
Nextcloud 14.0.4 released on 22.11 contains the fix
Nice! It used to be 14.0.5, but has been prioritized, apparently.
I just checked: With Nextcloud 14.0.4 sign-in via OAuth2 works just fine.
Thanks for checking back :-)
I use CodiMD in a Docker container using the current master branch. I configured OAuth2 with my Nextcloud following the directions.
The environment variables set for OAuth2 are:
Now, every time I try to sign in using OAuth, I get forwarded to my Nextcloud just fine. I sign in, grant the request, and Nextcloud forwards me to `https://**my codimd**/auth/oauth2/callback?state=&code=**snip**`. That's when CodiMD crashes with an uncaught exception (which is why I get a 502 Bad Gateway error in the browser). The console output is:
Any ideas what the problem is? Thanks in advance!