default-browser fails to hand back the authentication to the gpclient #405

Closed
stheine opened this issue Aug 5, 2024 · 20 comments
Labels
default-browser enhancement New feature or request

Comments


stheine commented Aug 5, 2024

Describe the bug

I'm calling sudo -E gpclient connect --default-browser <portal>.
this brings up my firefox, and I can log in using my corp credentials.
it ends with a paloalto networks screen reporting Authentication Complete, and firefox raising a dialog asking to open the 'globalprotectcallback'.
but no matter what I select here, the gpclient is stuck in gpclient::connect] Listening authentication data on port.

Expected behavior

pass back the authentication credentials, so that gpclient can continue.

Screenshots

image
image

Logs

$ sudo -E gpclient connect --default-browser <portal>
[2024-08-05T06:22:49Z INFO  gpclient::cli] gpclient started: 2.3.4 (2024-07-08)
[2024-08-05T06:22:49Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-08-05T06:22:49Z INFO  gpauth::cli] gpauth started: 2.3.4 (2024-07-08)
[2024-08-05T06:22:49Z INFO  gpauth::cli] Please continue the authentication process in the default browser
[2024-08-05T06:22:49Z INFO  gpclient::connect] Waiting for the browser authentication to complete...
[2024-08-05T06:22:49Z INFO  gpclient::connect] Listening authentication data on port 38659

Environment:

  • OS: Ubuntu 22.04.04
  • Desktop Environment: KDE
  • Output of ps aux | grep 'gnome-keyring\|kwalletd5' | grep -v grep:
stheine     7538  0.0  0.0 241728  6784 ?        SLl  Jul31   0:02 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
stheine  3205933  0.0  0.0 241576  9216 ?        SNl  07:27   0:00 /usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
  • Is remote SSH? No

Additional context

The authentication and connection using the built-in browser works fine.

Owner

yuezk commented Aug 6, 2024

Hi @stheine Has the CLI ever worked? Have you tried with the GUI version and does it work?

Author

stheine commented Aug 6, 2024

The CLI works perfectly without the --default-browser option.
The GUI version (launch-gui) had also worked when I had tested it several months ago, but its trial license has expired by now, so I cannot retest that (and in the meantime I had used plain openconnect, as my company also offered Pulse VPN, but now they're forcing GlobalProtect, so I'm back to gpclient).

Owner

yuezk commented Aug 6, 2024

I see. Then I suggest you use it without the --default-browser option, it’s more friendly than the external browser. The external browser is useful if your company requires the security key, e.g. the Yubikey.


u3z05en commented Aug 7, 2024

Thought I'd chime in. I have just experienced the same thing here.

To add to the complication, if I don't specify --default-browser and use the built-in, the built-in browser doesn't detect the "duo-desktop" service running on the local machine. Duo-desktop is used to verify the device uuid after login to the portal.

Firefox gets past that step, but doesn't hand it back to gpclient.

Author

stheine commented Aug 8, 2024

of course, not using the --default-browser and using the built-in, is a workaround.
I was just hoping I could make use of my password manager built into my default browser Firefox.

Owner

yuezk commented Aug 8, 2024

> Thought I'd chime in. I have just experienced the same thing here.
>
> To add to the complication, if I don't specify --default-browser and use the built-in, the built-in browser doesn't detect the "duo-desktop" service running on the local machine. Duo-desktop is used to verify the device uuid after login to the portal.
>
> Firefox gets past that step, but doesn't hand it back to gpclient.

@u3z05en Would you please set Chrome/Chromium as the default browser and see if it works? Thanks.

Author

stheine commented Aug 8, 2024

I tested it with Chrome, and in fact, there it's working ok!
is there a way to make gpclient use a specific 'default browser', that's not necessarily the one I have configured in my KDE settings? there I would like to keep Firefox, but for gpclient, it could be a workaround to switch to Chrome, if that's working.


u3z05en commented Aug 8, 2024

@yuezk Sorry I should have mentioned that, but I tested it again to be sure, Chromium does the same thing, it can also detect the 'duo-desktop' socket and then tries to pass it back to the calling app.

Unlike FF, it gives an error "Could not read file globalprotectcallback:[entire-auth-string]"

I tried to netcat that string to the listening gpclient port, but it didn't like that.

I also tried to register a .desktop file for gpclient but couldn't get that working.

btw, I'm on Fedora 40.

yuezk added the enhancement and default-browser labels Aug 12, 2024
Owner

yuezk commented Aug 12, 2024

@stheine I'm trying to add the option to specify the browser.

@u3z05en can you give me a screenshot of the error in Chromium so I can understand the error better? Thanks.


u3z05en commented Aug 14, 2024

Sorry for the delay, here's the error. The actual string is a fair bit longer than what's getting displayed.
image

The gpclient is waiting at [2024-08-14T12:27:02Z INFO gpclient::connect] Listening authentication data on port 34255

Owner

yuezk commented Aug 14, 2024

Hi @u3z05en, I am not sure whether this is related: https://forum.manjaro.org/t/error-kio-client-on-google-chrome/86013

But you could try to install ocs-url to see if it works.

yuezk added a commit that referenced this issue Aug 14, 2024

u3z05en commented Aug 15, 2024

Found the latest package I could find ocs-url-3.1.0-1.fc20.x86_64.rpm which did install.

Unfortunately the outcome is identical for both FF and Chromium.

Owner

yuezk commented Aug 15, 2024

@u3z05en did you run the command with the -E option? If not, please add it. Like sudo -E gpclient connect --default-browser <portal>


u3z05en commented Aug 15, 2024

@yuezk yes, been running it as sudo -E gpclient connect --user <user> --clean --default-browser --disable-ipv6 --as-gateway <gateway>

Owner

yuezk commented Aug 16, 2024

@u3z05en can you upgrade to 2.3.7 and try the following command to see if it works?

gpauth <portal> --gateway --browser default 2>/dev/null | sudo gpclient connect <portal> --as-gateway --cookie-on-stdin


u3z05en commented Aug 16, 2024

@yuezk : Legendary work! I upgraded to 2.3.7 and tried my normal command above and:

  • Chromium: works
  • Firefox: works
    -- removed ocs-url
  • Chromium: works
  • Firefox: works

Here are some of the log lines after the previous hanging point.

[2024-08-16T13:11:41Z INFO  gpauth::cli] Listening authentication data on port 46587
[2024-08-16T13:11:41Z INFO  gpauth::cli] If it hangs, please check the logs at `/tmp/gpcallback.log` for more information
[2024-08-16T13:11:43Z INFO  gpauth::cli] Received the browser authentication data from the socket
[2024-08-16T13:11:43Z INFO  gpauth::cli] Authentication completed

Let me know if you still want that other command run and thanks heaps for the awesome support!

Owner

yuezk commented Aug 16, 2024

@u3z05en I'm glad it works now.

I found that using sudo to launch a GUI application as a normal user is tricky, though I managed to achieve this. So, I enhanced the gpauth command to support the browser authentication, and the gpclient can accept the auth cookies from stdin. So we can use the pipeline to authenticate and then connect.

But honestly, I didn't expect your normal command to work with 2.3.7. I expected the command pipeline to work.
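
A way to check the browser-to-client handoff discussed in this thread, as an added example that is not part of the thread or of gpclient: it asks `xdg-mime` which `.desktop` entry is registered for the `globalprotectcallback` scheme and shows the tail of the `/tmp/gpcallback.log` file named in the 2.3.7 output. It assumes the callback is delivered through the freedesktop `x-scheme-handler/<scheme>` association; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of gpclient/gpauth. Run it as the desktop
# user that owns the browser session, not through sudo.
SCHEME="globalprotectcallback"      # scheme named in the Firefox dialog above
CALLBACK_LOG="/tmp/gpcallback.log"  # path printed by gpauth 2.3.7 in this thread

# Print the .desktop entry registered for a URL scheme (empty if none).
# $2 overrides the query tool so the logic can be exercised offline.
scheme_handler() {
  command -v "${2:-xdg-mime}" >/dev/null 2>&1 || return 127
  "${2:-xdg-mime}" query default "x-scheme-handler/$1" 2>/dev/null
}

# Classify the handoff state: no-xdg-mime | unregistered | registered:<entry>
diagnose() {
  local handler rc=0
  handler="$(scheme_handler "$1" "${2:-xdg-mime}")" || rc=$?
  if [ "$rc" -eq 127 ]; then
    echo "no-xdg-mime"
  elif [ -z "$handler" ]; then
    echo "unregistered"
  else
    echo "registered:$handler"
  fi
}

# Human-readable report plus the tail of the callback log, if readable.
report() {
  local state
  state="$(diagnose "$SCHEME")"
  case "$state" in
    no-xdg-mime)  echo "xdg-mime not found; cannot query scheme handlers" ;;
    unregistered) echo "No handler for ${SCHEME}: the browser has nowhere to send the callback (assumed mechanism)" ;;
    registered:*) echo "${SCHEME}: handled by ${state#registered:}" ;;
  esac
  if [ -r "$CALLBACK_LOG" ]; then
    echo "--- last lines of $CALLBACK_LOG ---"
    tail -n 20 "$CALLBACK_LOG"
  else
    echo "$CALLBACK_LOG not present or not readable"
  fi
}

report
```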


u3z05en commented Aug 16, 2024

Ah I see. You got me curious so I tested it and yes, it works perfectly as well.
I've taken it down for future reference.
Thanks again!

Owner

yuezk commented Aug 16, 2024

I'm closing this issue. @stheine the client also supports specifying the browser to launch via the --browser <browser> parameter.

yuezk closed this as completed Aug 16, 2024
Author

stheine commented Aug 28, 2024

@yuezk thanks for adding the --browser option. that really helps!
