SSO login fails: Failed to parse token auth data: missing field username #372

Closed
uumas opened this issue Jun 7, 2024 · 19 comments

Comments

@uumas

uumas commented Jun 7, 2024

Describe the bug
Trying to log in to the VPN using gpclient connect portal.domain.tld. It opens a browser window, I log in, but the browser window just returns to the login screen.

Expected behavior
It should authenticate successfully and connect

Screenshots
(screenshot attached)

Logs

[2024-06-07T11:40:54Z INFO  gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] Load the SAML request as HTML...
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] Loaded uri: about:blank
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] No headers found in response
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] Raise window cancelled
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] Loaded uri: https://c**********m/auth
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-06-07T11:40:54Z INFO  gpauth::auth_window] Raise window in 1 second(s)
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] Loaded uri: https://l**********m/-snip-/saml2?SAMLRequest=l**********%3D&RelayState=_**********0&SigAlg=h**********6&Signature=c**********%3D
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] Loaded uri: https://c**********m/sp/acs
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-06-07T11:41:58Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Loaded uri: https://p**********i/SAML20/SP/ACS
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Found gpcallback from html...
[2024-06-07T11:41:59Z INFO  gpapi::auth] Got CAS auth data from globalprotectcallback
[2024-06-07T11:41:59Z WARN  gpapi::auth] Failed to parse token auth data: missing field `username`
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Failed to read auth data from body: Invalid auth data
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Got invalid auth data, retrying...
[2024-06-07T11:41:59Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Injected loading element successfully
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Loaded uri: globalprotectcallback:cas-as%3D1%**********A
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Load the SAML request as HTML...
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Loaded uri: about:blank
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] No headers found in response
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Loaded uri: https://c**********m/auth
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Trying to read auth data from response headers...
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] No saml-auth-status header found
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-06-07T11:41:59Z INFO  gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint

Environment:

  • OS: Linux (Arch)
  • Is remote SSH? No
@yuezk
Owner

yuezk commented Jun 7, 2024

Can you try it with the --default-browser parameter?

@uumas
Author

uumas commented Jun 7, 2024

If I run it as my normal user, it fails with:

[2024-06-07T14:46:57Z INFO  gpclient::cli] gpclient started: 2.3.0 (2024-05-20)
[2024-06-07T14:46:57Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-06-07T14:46:57Z INFO  gpauth::cli] gpauth started: 2.3.0 (2024-05-20)
[2024-06-07T14:46:57Z INFO  gpauth::cli] Please continue the authentication process in the default browser
[2024-06-07T14:46:57Z INFO  gpclient::connect] Waiting for the browser authentication to complete...
[2024-06-07T14:46:57Z INFO  gpclient::connect] Failed to connect portal with prelogin: Permission denied (os error 13)

Error: Permission denied (os error 13)

If run as root, it seems fine in the terminal but doesn't open a browser:

[2024-06-07T14:51:14Z INFO  gpclient::cli] gpclient started: 2.3.0 (2024-05-20)
[2024-06-07T14:51:14Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-06-07T14:51:14Z INFO  gpauth::cli] gpauth started: 2.3.0 (2024-05-20)
[2024-06-07T14:51:14Z INFO  gpauth::cli] Please continue the authentication process in the default browser
[2024-06-07T14:51:14Z INFO  gpclient::connect] Waiting for the browser authentication to complete...
[2024-06-07T14:51:14Z INFO  gpclient::connect] Listening authentication data on port 36611

@yuezk
Owner

yuezk commented Jun 7, 2024

Try the following command:

sudo -E gpclient connect --default-browser <portal>

@uumas
Author

uumas commented Jun 8, 2024

That fails the same way as running it as root without sudo -E, but I forgot to mention that it also pops up a window saying "The file or folder /tmp/gpauth.html does not exist." I tested creating a dummy file there manually, but it gets deleted when I run gpclient connect.

@yuezk
Owner

yuezk commented Jun 8, 2024

> That fails the same way as running it as root without sudo -E, but I forgot to mention that it also pops up a window saying "The file or folder /tmp/gpauth.html does not exist." I tested creating a dummy file there manually, but it gets deleted when I run gpclient connect.

This is another issue I'm trying to fix in the next update in #366, but it may not be related to your initial problem.

Has it ever worked before?

@uumas
Author

uumas commented Jun 8, 2024

No. This is a new VPN setup I haven't connected to before.

@uumas
Author

uumas commented Jun 10, 2024

I was able to work around #366 by racing it with cat and manually opening it in the browser. Auth worked until the same error as with the integrated browser:

[2024-06-10T10:12:07Z INFO  gpclient::cli] gpclient started: 2.3.0 (2024-05-20)
[2024-06-10T10:12:07Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-06-10T10:12:07Z INFO  gpauth::cli] gpauth started: 2.3.0 (2024-05-20)
[2024-06-10T10:12:07Z INFO  gpauth::cli] Please continue the authentication process in the default browser
[2024-06-10T10:12:07Z INFO  gpclient::connect] Waiting for the browser authentication to complete...
[2024-06-10T10:12:07Z INFO  gpclient::connect] Listening authentication data on port 35729
[2024-06-10T10:13:55Z INFO  gpclient::connect] Received the browser authentication data from the socket
[2024-06-10T10:13:55Z INFO  gpapi::auth] Got CAS auth data from globalprotectcallback
[2024-06-10T10:13:55Z WARN  gpapi::auth] Failed to parse token auth data: missing field `username`
[2024-06-10T10:13:55Z INFO  gpclient::connect] Failed to connect portal with prelogin: Invalid auth data

@uumas
Author

uumas commented Jun 10, 2024

And the callback (URL-decoded) is globalprotectcallback:cas-as=1&[email protected]&token=-snip-

@yuezk
Owner

yuezk commented Jun 10, 2024

The callback looks valid; it should be a bug in the processing logic. I will try to fix it soon.

@yuezk
Owner

yuezk commented Jun 11, 2024

> And the callback (URL-decoded) is globalprotectcallback:cas-as=1&[email protected]&token=-snip-

Hi @uumas, I'm trying to fix this issue, but your callback URL looks good, and the existing parsing logic and unit test case are shown below. Both are straightforward, and the UT passes.

I assume there could be some special chars in the token field. Would you mind sending me the full callback URL to test it? Thanks.

Parsing code:

pub fn from_gpcallback(data: &str) -> anyhow::Result<SamlAuthData, AuthDataParseError> {
    let auth_data = data.trim_start_matches("globalprotectcallback:");
    if auth_data.starts_with("cas-as") {
        info!("Got CAS auth data from globalprotectcallback");
        let auth_data: SamlAuthData = serde_urlencoded::from_str(auth_data).map_err(|e| {
            warn!("Failed to parse token auth data: {}", e);
            AuthDataParseError::Invalid
        })?;

Unit test:

#[test]
fn auth_data_from_gpcallback_cas() {
    let auth_data = "globalprotectcallback:cas-as=1&[email protected]&token=very_long_string";
    let auth_data = SamlAuthData::from_gpcallback(auth_data).unwrap();
    assert_eq!(auth_data.username(), "[email protected]");
    assert_eq!(auth_data.token(), Some("very_long_string"));
}
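
As an added example, not the project's code and not the fix the thread ends with, a std-only Rust re-implementation of the parsing shown above (a hand-rolled form decoder stands in for serde_urlencoded). It form-decodes the cas-as=1&un=...&token=... payload exactly once and reports the same "missing field username" condition whenever no un key survives decoding, which is what a payload that reaches the parser still percent-encoded (like the globalprotectcallback:cas-as%3D1... URI in the first log) looks like; whether that was the cause here is not stated in the thread. Type and function names and the sample addresses are constructed.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub struct CasAuthData {
    pub username: String,
    pub token: Option<String>,
}
#[derive(Debug, PartialEq)]
pub enum ParseError {
    NotCas,                     // payload does not start with "cas-as"
    MissingField(&'static str), // same condition as the "missing field `username`" warning
    BadEncoding,                // malformed percent-escape or invalid UTF-8
}

/// Percent-decode one form component; '+' is read as a space.
fn percent_decode(s: &str) -> Result<String, ParseError> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'%' if i + 2 < bytes.len() => {
                let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).map_err(|_| ParseError::BadEncoding)?;
                out.push(u8::from_str_radix(hex, 16).map_err(|_| ParseError::BadEncoding)?);
                i += 3;
            }
            b'%' => return Err(ParseError::BadEncoding), // truncated escape such as "%4"
            b'+' => { out.push(b' '); i += 1; }
            b => { out.push(b); i += 1; }
        }
    }
    String::from_utf8(out).map_err(|_| ParseError::BadEncoding)
}

/// Hypothetical re-implementation of the project's from_gpcallback: parse
/// `globalprotectcallback:cas-as=1&un=<user>&token=<token>`. Components are decoded
/// once, so a payload still carrying a second layer of percent-encoding collapses
/// into one key and `un` is reported missing instead of being silently guessed.
pub fn from_gpcallback(data: &str) -> Result<CasAuthData, ParseError> {
    let payload = data.trim_start_matches("globalprotectcallback:");
    if !payload.starts_with("cas-as") {
        return Err(ParseError::NotCas);
    }
    let mut fields: HashMap<String, String> = HashMap::new();
    for pair in payload.split('&').filter(|p| !p.is_empty()) {
        let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
        fields.insert(percent_decode(k)?, percent_decode(v)?);
    }
    let username = fields.remove("un").ok_or(ParseError::MissingField("username"))?;
    Ok(CasAuthData { username, token: fields.remove("token") })
}
```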

@uumas
Author

uumas commented Jun 11, 2024

I will get that in a moment, but if it might be special characters, maybe it's a dash (-) in my email.

@uumas
Author

uumas commented Jun 11, 2024

Where can I send the full url (if you still need it)?

@yuezk
Owner

yuezk commented Jun 12, 2024

Hi @uumas I published a snapshot version, which will log the callback URL when it fails to parse it. Can you install the snapshot version from here and capture the logs? You can send the logs to me privately. My email is [email protected]

@uumas
Author

uumas commented Jun 12, 2024

I emailed you

@yuezk
Owner

yuezk commented Jun 13, 2024

Thanks, the logs are helpful, I will try to fix it.

yuezk added three commits that referenced this issue Jun 13, 2024
@yuezk
Owner

yuezk commented Jun 13, 2024

Hi @uumas can you help re-install the snapshot version from https://github.com/yuezk/GlobalProtect-openconnect/releases/tag/snapshot to see if it works for you now? Thanks.

@uumas
Author

uumas commented Jun 14, 2024

It works!

@yuezk
Owner

yuezk commented Jun 14, 2024

Good. I will release a new version soon.

@yuezk
Owner

yuezk commented Jun 17, 2024

Released in 2.3.2. Closing.

@yuezk yuezk closed this as completed Jun 17, 2024