[QA] OIDC Kopano expects localhost instead 127.0.0.1 #8968

Closed
jnweiger opened this issue Aug 30, 2021 · 14 comments
Comments

@jnweiger
Contributor

Seen with testpilotcloud-client 2.9.0-beta3 on Linux Mint, with server 10.8.0 and openidconnect 2.0.0 using kopano idp.

The client does a roundtrip via Firefox; the redirect URL uses 127.0.0.1 instead of localhost. But the client_id matches the static 'ownCloud desktop app' from our identifier-registration.yml

https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/signin/v1/chooseaccount?client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69&code_challenge=WTv6x-IN-mzsKOkkgmLve8Z-nLufTnOi4XTSkDNV-7M&code_challenge_method=S256&flow=oidc&login_hint=aaliyah_abernathy&prompt=select_account+consent&redirect_uri=http%3A%2F%2F127.0.0.1%3A35287&response_type=code&scope=openid+offline_access+email+profile&state=mCjspJiDGFxTm8PpQjfpbMGyxVyzqiUpbG_KVUrsQsk%3D&user=aaliyah_abernathy

The client logfile says:

08-30 14:36:09:364 [ info sync.httplogger ]:    "ad72d963-fd1e-48df-8ee2-8d74d247c768: Request: POST https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register Header: { Content-Type: application/json, User-Agent: Mozilla/5.0 (Linux) mirall/2.9.0beta3 (build 5019) (testpilotcloud, linuxmint-5.4.0-81-generic ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: ad72d963-fd1e-48df-8ee2-8d74d247c768, Original-Request-ID: ad72d963-fd1e-48df-8ee2-8d74d247c768, Content-Length: 224, } Data: [{\n    \"application_type\": \"native\",\n    \"client_name\": \"ownCloud Testpilot Edition 2.9.0beta3 (build 5019)\",\n    \"redirect_uris\": [\n        \"http://127.0.0.1\"\n    ],\n    \"token_endpoint_auth_method\": \"client_secret_basic\"\n}\n]"
08-30 14:36:09:364 [ info sync.networkjob ]:    OCC::SimpleNetworkJob("https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register", "ad72d963-fd1e-48df-8ee2-8d74d247c768", "ad72d963-fd1e-48df-8ee2-8d74d247c768") created for "https://oc-10-8-0-oidc-2-0-0-20210830.jw-qa.owncloud.works/" + "" "RegisterClientJob"
08-30 14:36:09:538 [ info sync.httplogger ]:    "ad72d963-fd1e-48df-8ee2-8d74d247c768: Response: POST 400 https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register Header: { Cache-Control: no-cache, no-store, must-revalidate, Content-Length: 127, Content-Type: application/json; encoding=utf-8, Date: Mon, 30 Aug 2021 12:36:09 GMT, Pragma: no-cache, Referrer-Policy: origin, Server: Caddy, X-Content-Type-Options: nosniff, } Data: [{\n  \"error\": \"invalid_redirect_uri\",\n  \"error_description\": \"native clients must only use localhost redirect_uris with http\"\n}\n]"
08-30 14:36:09:538 [ debug sync.networkjob ]    [ OCC::AbstractNetworkJob::needsRetry ]:        Not Retry auth job OCC::SimpleNetworkJob("https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register", "ad72d963-fd1e-48df-8ee2-8d74d247c768", "ad72d963-fd1e-48df-8ee2-8d74d247c768", "Error transferring https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register - server replied: Bad Request") QUrl("https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register")
08-30 14:36:09:538 [ warning sync.networkjob ]: OCC::SimpleNetworkJob("https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register", "ad72d963-fd1e-48df-8ee2-8d74d247c768", "ad72d963-fd1e-48df-8ee2-8d74d247c768", "Error transferring https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register - server replied: Bad Request") QNetworkReply::ProtocolInvalidOperationError "Server replied \"400 Bad Request\" to \"POST https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register\"" 400
08-30 14:36:09:538 [ warning sync.credentials.oauth ]:  Failed to dynamically register the client, try the default client id "\tError: Missing field client_secret_expires_at\n"
08-30 14:36:09:538 [ debug sync.credentials.oauth ]     [ isUrlValid ]: Checking URL for validity: QUrl("https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/signin/v1/identifier/_/authorize?response_type=code&client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69&redirect_uri=http://127.0.0.1:35287&code_challenge=WTv6x-IN-mzsKOkkgmLve8Z-nLufTnOi4XTSkDNV-7M&code_challenge_method=S256&scope=openid offline_access email profile&prompt=select_account consent&state=mCjspJiDGFxTm8PpQjfpbMGyxVyzqiUpbG_KVUrsQsk%3D&login_hint=aaliyah_abernathy&user=aaliyah_abernathy")
08-30 14:36:09:549 [ debug sync.networkjob ]    [ OCC::AbstractNetworkJob::slotFinished ]:      Network job finished OCC::SimpleNetworkJob("https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register", "ad72d963-fd1e-48df-8ee2-8d74d247c768", "ad72d963-fd1e-48df-8ee2-8d74d247c768", "Error transferring https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register - server replied: Bad Request")
08-30 14:36:17:045 [ warning gui.account.state ]:       checkConnectivity blocking: false
08-30 14:36:17:046 [ debug gui.account.state ]  [ OCC::AccountState::checkConnectivity ]:       "[email protected]" The last ETag check succeeded within the last  122 s ( 63 s). No connection check needed!
@jnweiger
Contributor Author

Another blocking issue with DCR at kopano would be owncloud/openidconnect#142 -- But I believe that in my case I am failing earlier.

@michaelstingl
Contributor

I've only seen DCR working with Keycloak.

@wkloucek

From owncloud/openidconnect#142 (comment):

Thanks for sharing that! In the specs, nothing pointed to 0 as a possible/plausible value and the implementation in the iOS client would have seen that as expiration on the first minute of the year 1970.

the 0 value is part of the spec (see https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationResponse). So treating it as 1970 is certainly an implementation bug.

Could be also the case for this implementation, even if the error message Error: Missing field client_secret_expires_at suggests a different error.

@TheOneRing
Contributor

We handle the case that it is 0, but as the doc mentions it's a required field and thus should be present?
I could also default to 0 but ....

@wkloucek

wkloucek commented Sep 7, 2021

We handle the case that it is 0, but as the doc mentions it's a required field and thus should be present?
I could also default to 0 but ....

If you read it exactly you will notice REQUIRED if client_secret is issued (took me also 5 times reading). But I don't know what to do if it is omitted 🤷‍♂️
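The spec rule discussed above (client_secret_expires_at is REQUIRED only if a client_secret is issued, and 0 means the secret does not expire) as an added example in Go; this is not code from the ownCloud client, the iOS client or lico, the struct and function names are mine, and the registration responses are constructed for the example rather than captured from any IdP. The pointer field is what lets the parser tell an absent field apart from an explicit 0:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// registrationResponse is the subset of an OIDC Dynamic Client Registration
// response this example cares about. client_secret_expires_at is a pointer so
// that an absent field (nil) can be told apart from an explicit 0.
type registrationResponse struct {
	ClientID              string `json:"client_id"`
	ClientSecret          string `json:"client_secret,omitempty"`
	ClientSecretExpiresAt *int64 `json:"client_secret_expires_at,omitempty"`
}

// secretStatus classifies how a registered client secret should be treated.
type secretStatus string

const (
	noSecret     secretStatus = "public client, no secret issued"
	neverExpires secretStatus = "secret never expires"
	expiresAt    secretStatus = "secret expires at a point in time"
)

var errMissingExpiry = errors.New("client_secret issued but client_secret_expires_at missing")

// evaluateSecret applies the spec rule: client_secret_expires_at is REQUIRED
// if client_secret is issued, and the value 0 means the secret does not expire.
// The returned time is only meaningful for the expiresAt status.
func evaluateSecret(body []byte) (secretStatus, time.Time, error) {
	var r registrationResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return "", time.Time{}, err
	}
	if r.ClientSecret == "" {
		// No secret issued: the expiry field is OPTIONAL and irrelevant.
		return noSecret, time.Time{}, nil
	}
	if r.ClientSecretExpiresAt == nil {
		// Secret issued but no expiry: the response violates the spec.
		return "", time.Time{}, errMissingExpiry
	}
	if *r.ClientSecretExpiresAt == 0 {
		// 0 must NOT be read as 1970-01-01T00:00:00Z (already expired).
		return neverExpires, time.Time{}, nil
	}
	return expiresAt, time.Unix(*r.ClientSecretExpiresAt, 0).UTC(), nil
}

// Constructed sample responses for this example (not captured from a real IdP).
var (
	sampleZeroExpiry    = []byte(`{"client_id":"abc","client_secret":"s3cr3t","client_secret_expires_at":0}`)
	sampleMissingExpiry = []byte(`{"client_id":"abc","client_secret":"s3cr3t"}`)
	samplePublicClient  = []byte(`{"client_id":"abc"}`)
	sampleDatedExpiry   = []byte(`{"client_id":"abc","client_secret":"s3cr3t","client_secret_expires_at":1893456000}`)
)

func main() {
	for name, b := range map[string][]byte{
		"zero":    sampleZeroExpiry,
		"missing": sampleMissingExpiry,
		"public":  samplePublicClient,
		"dated":   sampleDatedExpiry,
	} {
		st, when, err := evaluateSecret(b)
		fmt.Printf("%-8s status=%q when=%v err=%v\n", name, st, when, err)
	}
}
```

A client that decodes the field into a plain integer cannot distinguish "missing" from "0", which is how a public client registration and a never-expiring secret end up looking identical; the pointer (or an equivalent "present" flag) keeps the two spec cases apart.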

@TheOneRing
Contributor

Narf had another look at the output....
08-30 14:36:09:538 [ info sync.httplogger ]: "ad72d963-fd1e-48df-8ee2-8d74d247c768: Response: POST 400 https://konnect-oidc-2-0-0-20210830.jw-qa.owncloud.works/konnect/v1/register Header: { Cache-Control: no-cache, no-store, must-revalidate, Content-Length: 127, Content-Type: application/json; encoding=utf-8, Date: Mon, 30 Aug 2021 12:36:09 GMT, Pragma: no-cache, Referrer-Policy: origin, Server: Caddy, X-Content-Type-Options: nosniff, } Data: [{\n \"error\": \"invalid_redirect_uri\",\n \"error_description\": \"native clients must only use localhost redirect_uris with http\"\n}\n]"

so completely unrelated.

@TheOneRing TheOneRing changed the title [QA] OIDC DCR not working with kopano IDP [QA] OIDC Kopano expects localhost instead 127.0.0.1 Sep 7, 2021
@jnweiger
Contributor Author

jnweiger commented Sep 14, 2021

Sorry for mixing in the DCR topic here. Back to the original issue:
@TheOneRing: What can we do about the Kopano-case that was caused by #8593 ?

@TheOneRing
Contributor

@TheOneRing (unrelated to the DCR topic, sorry for mixing that here): What can we do about the Kopano-case that was caused by #8593 ?

That was for oauth, this issue here needs fixing in kopano

@wkloucek

@TheOneRing (unrelated to the DCR topic, sorry for mixing that here): What can we do about the Kopano-case that was caused by #8593 ?

That was for oauth, this issue here needs fixing in kopano

This shouldn't be an issue with version 0.34 (https://github.com/libregraph/lico/blob/22d608b4c8308a94afd53f43d00ec4afe699861e/identity/clients/clients.go#L49-L63).
Prior versions would only accept localhost. @jnweiger which version of the Kopano IDP did you use?
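The two redirect_uri policies contrasted in this thread (localhost only, as the older IDP behaved, versus any loopback address, as described for 0.34) as an added example in Go. This is not lico's or the ownCloud client's code; the function names are mine and the policies are written from the behaviour reported here, not from the linked source. Host matching is exact, so look-alike hosts such as 127.0.0.1.example.com are rejected, and the scheme must be http, since the error in the log only allows http for native clients:

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// redirectPolicy decides whether a native client's redirect_uri is acceptable.
type redirectPolicy func(u *url.URL) bool

// acceptsLocalhostOnly models the behaviour reported in this issue: the only
// http redirect_uri a native client may register is on the host "localhost".
func acceptsLocalhostOnly(u *url.URL) bool {
	return u.Scheme == "http" && strings.EqualFold(u.Hostname(), "localhost")
}

// acceptsLoopback models the relaxed rule: an http redirect_uri whose host is
// "localhost" or a loopback IP (127.0.0.0/8 or ::1) is allowed on any port.
// net.ParseIP returns nil for a DNS name, so "127.0.0.1.example.com" fails.
func acceptsLoopback(u *url.URL) bool {
	if u.Scheme != "http" {
		return false
	}
	host := u.Hostname()
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// checkNativeRedirectURI parses raw and applies policy. It returns the OIDC
// error code a registration endpoint would send back, or "" when accepted.
func checkNativeRedirectURI(raw string, policy redirectPolicy) string {
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return "invalid_redirect_uri"
	}
	if !policy(u) {
		return "invalid_redirect_uri"
	}
	return ""
}

func main() {
	// Constructed inputs; the first two mirror the values seen in this issue.
	cases := []string{
		"http://127.0.0.1:35287",       // what the desktop client sent
		"http://localhost:35287",       // what the older IDP insisted on
		"http://[::1]:8080",            // IPv6 loopback, any port
		"https://127.0.0.1:35287",      // wrong scheme for loopback
		"http://127.0.0.1.example.com", // look-alike host
		"http://example.com/cb",        // not loopback at all
	}
	for _, c := range cases {
		fmt.Printf("%-32s localhost-only=%-5v loopback=%v\n", c,
			checkNativeRedirectURI(c, acceptsLocalhostOnly) == "",
			checkNativeRedirectURI(c, acceptsLoopback) == "")
	}
}
```

The port is deliberately not part of either policy: a native client binds an ephemeral port for the redirect listener (35287 in the log above), so the registered URI and the one used at authorization time differ in port and the check has to tolerate that.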

@michaelstingl
Contributor

This shouldn't be an issue with version 0.34

@GeraldLeikam can you update this system and test again? (or send me credentials)

@wkloucek

@michaelstingl you should also be able to use oCIS installations since we have that version of the Kopano IDP already running and configured ;-)

@michaelstingl
Contributor

@michaelstingl you should also be able to use oCIS installations since we have that version of the Kopano IDP already running and configured ;-)

Good point 👍 (I always use Keycloak with oCIS)

@michaelstingl
Contributor

redirect_uri=http://127.0.0.1:62285 works fine with https://ocis.ocis-traefik.latest.owncloud.works/.well-known/openid-configuration

@TheOneRing
Contributor

Thx for checking!
