[QA] openidconnect fails to refresh oidc token after 10 min #9490

Closed
jnweiger opened this issue Mar 8, 2022 · 7 comments

@jnweiger
Contributor

jnweiger commented Mar 8, 2022

Seen with desktop client 2.10.0 (btr branding, and also unbranded) connected to a 10.9.1 server with openidconnect 2.1.1 rc1 with kopano IDP.

  • connect the client with kopano user 'aliyaha_abernathy'
  • the openid process through web browser, idp, and redirect back to the client works flawlessly.
  • wait 10 minutes.
  • The web browser opens with another IDP authorization dialog. BAD.

Excerpt from the client log:

03-08 00:42:11:146 [ info sync.httplogger ]:    "94fd03b8-be83-410e-bfe4-5ab5ba6be0ce: Request: POST https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register Header: { Content-Type: application/json, Authorization: Bearer [redacted], User-Agent: Mozilla/5.0 (Linux) mirall/2.10.0 (build 6718) (btr, linuxmint-5.4.0-100-generic ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: 94fd03b8-be83-410e-bfe4-5ab5ba6be0ce, Original-Request-ID: 94fd03b8-be83-410e-bfe4-5ab5ba6be0ce, Content-Length: 209, } Data: [{\n    \"application_type\": \"native\",\n    \"client_name\": \"BtR Test Client 2.10.0 (build 6718)\",\n    \"redirect_uris\": [\n        \"http://127.0.0.1\"\n    ],\n    \"token_endpoint_auth_method\": \"client_secret_basic\"\n}\n]"
03-08 00:42:11:146 [ info sync.networkjob ]:    Created OCC::SimpleNetworkJob("https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register", "94fd03b8-be83-410e-bfe4-5ab5ba6be0ce", "94fd03b8-be83-410e-bfe4-5ab5ba6be0ce") for RegisterClientJob(0x55f9ecb65810)
03-08 00:42:11:318 [ info sync.httplogger ]:    "94fd03b8-be83-410e-bfe4-5ab5ba6be0ce: Response: POST 400 https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register Header: { Cache-Control: no-cache, no-store, must-revalidate, Content-Length: 127, Content-Type: application/json; encoding=utf-8, Date: Mon, 07 Mar 2022 23:42:11 GMT, Pragma: no-cache, Referrer-Policy: origin, Server: Caddy, X-Content-Type-Options: nosniff, } Data: [{\n  \"error\": \"invalid_redirect_uri\",\n  \"error_description\": \"native clients must only use localhost redirect_uris with http\"\n}\n]"
03-08 00:42:11:318 [ debug sync.networkjob ]    [ OCC::AbstractNetworkJob::needsRetry ]:        Not Retry auth job OCC::SimpleNetworkJob("https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register", "94fd03b8-be83-410e-bfe4-5ab5ba6be0ce", "94fd03b8-be83-410e-bfe4-5ab5ba6be0ce", "Error transferring https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register - server replied: Bad Request") QUrl("https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register")
03-08 00:42:11:319 [ warning sync.networkjob ]: OCC::SimpleNetworkJob("https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register", "94fd03b8-be83-410e-bfe4-5ab5ba6be0ce", "94fd03b8-be83-410e-bfe4-5ab5ba6be0ce", "Error transferring https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register - server replied: Bad Request") QNetworkReply::ProtocolInvalidOperationError "Server replied \"400 Bad Request\" to \"POST https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register\"" 400
03-08 00:42:11:319 [ warning sync.credentials.oauth ]:  Failed to dynamically register the client, try the default client id "\tError: Missing field client_secret_expires_at\n"
03-08 00:42:11:319 [ debug gui.account.manager ]        [ OCC::AccountManager::saveAccount ]:   Saving account "https://oc1091-oidc-211rc1-20220228.jw-qa.owncloud.works/"
03-08 00:42:11:319 [ info gui.account.manager ]:        Saving  0  unknown certs.
03-08 00:42:11:319 [ info gui.account.manager ]:        Saving cookies. "/home/testy/.config/btr/cookies1.db"
03-08 00:42:11:319 [ debug sync.cookiejar ]     [ OCC::CookieJar::save ]:       "/home/testy/.config/btr/cookies1.db"
03-08 00:42:11:331 [ debug gui.account.manager ]        [ OCC::AccountManager::saveAccount ]:   Saved account settings, status: QSettings::NoError
03-08 00:42:11:331 [ info sync.credentials.manager ]:   del "btr_credentials:oc1091-oidc-211rc1-20220228.jw-qa.owncloud.works:e3f2ce63-7e3b-4526-99cf-28aa2edf06f9:http/oauthtoken"
03-08 00:42:11:331 [ info gui.account.state ]:  Invalid credentials for "https://oc1091-oidc-211rc1-20220228.jw-qa.owncloud.works/"
03-08 00:42:11:331 [ info gui.account.state ]:  refreshing oauth
03-08 00:42:11:331 [ info gui.account.state ]:  refreshing oauth failed
03-08 00:42:11:331 [ info gui.account.state ]:  asking user
  • the redirect_uri with http://127.0.0.1 is reported as invalid.
  • the user can manually authorize. (It seems this time the redirect_uri with http://127.0.0.1 is okay)
  • after another 10 minutes, the same happens again. 100% reproducible.

client and server logs: client+server-logs.zip

@jnweiger
Contributor Author

jnweiger commented Mar 8, 2022

Not sure if this is a client issue, a misconfiguration in the test setup, or a server issue. Please advise.

@TheOneRing
Contributor

03-08 00:42:11:319 [ warning sync.networkjob ]: OCC::SimpleNetworkJob("https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register", "94fd03b8-be83-410e-bfe4-5ab5ba6be0ce", "94fd03b8-be83-410e-bfe4-5ab5ba6be0ce", "Error transferring https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register - server replied: Bad Request") QNetworkReply::ProtocolInvalidOperationError "Server replied \"400 Bad Request\" to \"POST https://konnect-oidc-211rc1-20220228.jw-qa.owncloud.works/konnect/v1/register\"" 400
03-08 00:42:11:319 [ warning sync.credentials.oauth ]:  Failed to dynamically register the client, try the default client id "\tError: Missing field client_secret_expires_at\n"

The server announces dynamic registration and it fails.

@michaelstingl
Contributor

@jnweiger could you compare with the latest Android app? Same problem?

@jnweiger
Contributor Author

jnweiger commented Mar 9, 2022

Reproduced also with the owncloud android app version 2.2.0

  • Connect to the same server as above.
  • Agree to save the password.
  • Wait 10 Minutes.
  • Logged out.

@TheOneRing
Contributor

So let's agree that it is a setup error?

@jnweiger
Contributor Author

jnweiger commented Mar 9, 2022

At least it is not a regression. If it is a setup error, then I had the same faulty setup in the past, and will have the same faulty setup in the future -- unless we find something that can be improved.
#9056

The error "invalid_redirect_uri",\n "error_description": "native clients must only use localhost redirect_uris with http"
comes from a library used by Kopano_konnect.
They seem to have updated some code on their side, but I am stuck with the old 0.33 version of kopano.
Follow up: zokradonh/kopano-docker#490

Other error messages are about client registrations. No idea which one is more important :-(

@TheOneRing
Contributor

Kopano is supposed to understand that "http://127.0.0.1" is localhost, closing.
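
As an added illustration of the redirect_uri check at issue in this thread (not code from Konnect, its library, or the ownCloud client): a Python sketch comparing a literal "hostname must be localhost" check with one that also accepts loopback IP literals, the form RFC 8252 section 7.3 describes for native apps. The `strict_localhost` behaviour is an assumption about how the server arrived at `invalid_redirect_uri`; all function names are hypothetical, and only http loopback redirects are modelled, not private-use URI schemes.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed from the request body shown in the client log above.
REGISTRATION_REQUEST = json.loads("""{
    "application_type": "native",
    "client_name": "BtR Test Client 2.10.0 (build 6718)",
    "redirect_uris": ["http://127.0.0.1"],
    "token_endpoint_auth_method": "client_secret_basic"
}""")


def is_loopback_host(host):
    """True for the name localhost and for loopback IP literals (127.0.0.0/8, ::1)."""
    if not host:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name, e.g. 127.0.0.1.example.com


def loopback_redirect_ok(uri, strict_localhost=False):
    """Check one http redirect_uri of a native client (hypothetical helper)."""
    parts = urlsplit(uri)
    # Userinfo and fragments have no place in a redirect URI.
    if parts.scheme != "http" or parts.username or parts.password or parts.fragment:
        return False
    if strict_localhost:  # assumed literal reading: only the name "localhost"
        return parts.hostname == "localhost"
    return is_loopback_host(parts.hostname)


def check_registration(request, strict_localhost=False):
    """Return None when accepted, else an error body in the shape the log shows."""
    if request.get("application_type") != "native":
        return None  # rules for web clients are not modelled here
    for uri in request.get("redirect_uris", []):
        if not loopback_redirect_ok(uri, strict_localhost):
            return {"error": "invalid_redirect_uri",
                    "error_description": f"not an http loopback redirect: {uri}"}
    return None


if __name__ == "__main__":
    print("strict  :", check_registration(REGISTRATION_REQUEST, strict_localhost=True))
    print("loopback:", check_registration(REGISTRATION_REQUEST))
```

The loopback-aware variant still rejects look-alike hosts and userinfo tricks, so accepting `127.0.0.1` does not widen the check beyond the local machine.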
