OpenID connect auth (registration?) does not work · Issue #7394 · hcengineering/platform · GitHub
Open · RarogCmex opened this issue Dec 9, 2024 · 3 comments
RarogCmex commented Dec 9, 2024

Description of the issue

I have set up login with openid-connect via environment variables:
OPENID_CLIENT_ID=fe16398962548a0113ba
OPENID_CLIENT_SECRET=secret
OPENID_ISSUER=https://identity.a-star.org.ru/.well-known/openid-configuration
ACCOUNTS_URL=https://a-star.org.ru/_accounts
When I perform login by pressing the 'Continue with openid' button on the /login page, it successfully redirects to casdoor (identity.a-star.org.ru), I sign in, then it redirects to https://a-star.org.ru/_accounts/auth/openid/callback?code=a067ce35231b327acd7b&state=%7B%7D, then it redirects to /login without an actual session.
I recorded video:
https://github.com/user-attachments/assets/b4048389-409b-41ad-8ca2-d705a828c6a4

Your environment

  • v0.6.377, docker version
  • Browser: Chrome, Firefox
  • Linux, MacOS, Windows
  • Auth Provider: Casdoor

Steps to reproduce

  1. Log in by pressing the 'Continue with openid' button on the /login page
  2. It successfully redirects to casdoor (identity.a-star.org.ru)
  3. Sign in via casdoor
  4. It redirects to https://a-star.org.ru/_accounts/auth/openid/callback?code=a067ce35231b327acd7b&state=%7B%7D
  5. It redirects to /login without an actual login session

Logs from docker

account-1       | {"issuer":{"authorization_endpoint":"https://identity.a-star.org.ru/login/oauth/authorize","claim_types_supported":["normal"],"claims_parameter_supported":false,"claims_supported":["iss","ver","sub","aud","iat","exp","id","type","displayName","avatar","permanentAvatar","email","phone","location","affiliation","title","homepage","bio","tag","region","language","score","ranking","isOnline","isAdmin","isForbidden","signupApplication","ldap"],"end_session_endpoint":"https://identity.a-star.org.ru/api/logout","grant_types_supported":["password","authorization_code"],"id_token_signing_alg_values_supported":["RS256","RS512","ES256","ES384","ES512"],"introspection_endpoint":"https://identity.a-star.org.ru/api/login/oauth/introspect","introspection_endpoint_auth_methods_supported":["client_secret_basic"],"issuer":"https://identity.a-star.org.ru","jwks_uri":"https://identity.a-star.org.ru/.well-known/jwks","request_object_signing_alg_values_supported":["HS256","HS384","HS512"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":false,"response_modes_supported":["query","fragment","login","code","link"],"response_types_supported":["code","token","id_token","code token","code id_token","token id_token","code token id_token","none"],"scopes_supported":["openid","email","profile","address","phone","offline_access"],"subject_types_supported":["public"],"token_endpoint":"https://identity.a-star.org.ru/api/login/oauth/access_token","token_endpoint_auth_methods_supported":["client_secret_basic"],"userinfo_endpoint":"https://identity.a-star.org.ru/api/userinfo"},"level":"info","message":"Discovered issuer","timestamp":"2024-12-09T08:32:50.561Z"}
account-1       | {"level":"info","message":"Created OIDC client","timestamp":"2024-12-09T08:32:50.563Z"}
account-1       | {"level":"info","message":"Registered OIDC strategy","timestamp":"2024-12-09T08:32:50.564Z"}
account-1       | {"level":"info","message":"try auth via","provider":"openid","timestamp":"2024-12-09T08:42:33.075Z"}

Complete logs:
logs.txt

Expected behaviour

I should be logged in

Actual behaviour

I am not able to log in

Possible solutions

The suspicious code which should be debugged is placed from here:

measureCtx.info('try auth via', { provider: 'openid' })

to here
https://github.com/hcengineering/platform/blob/52b21efee759593c356c60052c02e53c20f4417f/pods/authProviders/src/openid.ts#L89C1-L90C1

lexiv0re (Collaborator) commented:

It looks like the auth is not successful on the IdP side. I'd suggest to:

  1. Verify the redirect URL is configured properly on the IdP application side
  2. Check the IdP log of events for any clues
  3. Click "Preserve log" in the browser's dev tools before clicking 'Continue with openid' to inspect all the redirects on the IdP side

congppt commented Jan 15, 2025:

> It looks like the auth is not successful on the IdP side. I'd suggest to:
>
>   1. Verify the redirect URL is configured properly on the IdP application side
>   2. Check the IdP log of events for any clues
>   3. Click "Preserve log" in the browser's dev tools before clicking 'Continue with openid' to inspect all the redirects on the IdP side

@lexiv0re I got the same issue and the same suspicion; my IdP is Keycloak, and the user events look fine.
[screenshot attachment]

Something must have gone wrong here; the code block doesn't log on failure:

await passport.authenticate('oidc', {

My suggestion is to use koa-passport props to log authentication status
https://github.com/rkusa/koa-passport/blob/b22458494d5187d407f502102420c8153b4d837e/lib/framework/koa.js#L66
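
As an added example (not code from hcengineering/platform or from koa-passport), here is the kind of custom `passport.authenticate` callback the comment above suggests: Passport invokes it as `(err, user, info, status)`, and the handler records why the OIDC strategy did not produce a user instead of letting the request fall through to a silent redirect. `ctx`, `logger`, `onSuccess` and the in-memory logger are illustrative names and stand-ins so the block runs offline.

```javascript
// Added example, not from hcengineering/platform or koa-passport: a custom
// callback for passport.authenticate that logs the outcome of an OIDC login.
// Passport calls it as (err, user, info, status). `ctx`, `logger` and
// `onSuccess` are illustrative names.

// Minimal in-memory structured logger so the example runs stand-alone; a real
// service would pass its own logger (e.g. the measureCtx seen in the thread).
function makeMemoryLogger() {
  const entries = [];
  const at = (level) => (message, fields) => entries.push({ level, message, ...fields });
  return { entries, info: at('info'), warn: at('warn'), error: at('error') };
}

// Build the callback. `ctx` is the Koa context whose status is set on failure,
// `onSuccess(user)` establishes the session (ctx.login in koa-passport).
function authResultHandler(ctx, logger, onSuccess) {
  return (err, user, info, status) => {
    if (err) {
      // The strategy threw: token endpoint failure, JWT decode error, etc.
      logger.error('oidc auth error', { error: err.name, detail: err.message });
      ctx.status = 500;
      return { outcome: 'error', detail: err.message };
    }
    if (!user) {
      // The strategy finished without a user: failed state check, an IdP
      // error response or a rejected token. `info` carries the reason.
      const reason = info && (info.message || String(info));
      logger.warn('oidc auth failed', { reason, status: status || 401 });
      ctx.status = status || 401;
      return { outcome: 'failed', reason };
    }
    logger.info('oidc auth ok', { sub: user.sub });
    onSuccess(user);
    return { outcome: 'ok' };
  };
}

// Usage inside a Koa route; koa-passport accepts the custom callback as the
// last argument of authenticate and returns middleware to call with (ctx, next):
//   return passport.authenticate('oidc',
//     authResultHandler(ctx, logger, (user) => ctx.login(user)))(ctx, next)

module.exports = { makeMemoryLogger, authResultHandler };
```

With this in place, the case reported later in this thread (an encrypted ID token) surfaces as an `error` entry carrying the `TypeError` message, and an IdP-side rejection surfaces as a `failed` entry with Passport's `info` reason, instead of an unexplained redirect to /login.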

Daandeve commented:

My issue was that my IdP encrypted the JWT token, and Huly does not support that. My IdP is Authentik, and since I disabled encryption it all works!

Huly error message:

failed to decode JWT (TypeError: encrypted JWTs cannot be decoded)

More info:
https://community.auth0.com/t/badrequesterror-failed-to-decode-jwt-typeerror-encrypted-jwts-cannot-be-decoded/97949
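
The error above comes from the RP being handed a JWE (an encrypted token) where it expects a JWS (a signed one). As an added example, not Huly's, Authentik's or Auth0's code, the block below inspects a token's compact serialization before it reaches the OIDC client and turns this misconfiguration into an explicit diagnostic: a JWE has five dot-separated segments and a header containing `enc` (RFC 7516), a JWS has three segments and a header containing `alg` (RFC 7515). It does no signature verification; the OIDC client still validates the token. The sample tokens are constructed with placeholder signature and ciphertext segments, and `inspectToken` is an illustrative name.

```javascript
// Added example (not from Huly, Authentik or Auth0): classify an ID token's
// compact serialization so an encrypted token (JWE) is reported as a
// configuration problem rather than as "encrypted JWTs cannot be decoded".
// No cryptographic verification is performed here; `inspectToken` is an
// illustrative name.

function b64urlDecodeJson(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

function b64urlEncodeJson(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64url');
}

// Returns { kind: 'jws' | 'jwe' | 'invalid', ... } and never throws, so the
// result can be logged at the point where the token is received.
function inspectToken(token) {
  if (typeof token !== 'string') return { kind: 'invalid', reason: 'token is not a string' };
  const parts = token.split('.');
  let header;
  try {
    header = b64urlDecodeJson(parts[0]);
  } catch (e) {
    return { kind: 'invalid', reason: 'header is not base64url-encoded JSON' };
  }
  // JWE compact form: header.encryptedKey.iv.ciphertext.tag, header has `enc`.
  if (parts.length === 5 && typeof header.enc === 'string') {
    return {
      kind: 'jwe',
      alg: header.alg,
      enc: header.enc,
      hint: 'ID token is encrypted; disable ID-token encryption for this client on the IdP, or give the RP a decryption key',
    };
  }
  // JWS compact form: header.payload.signature, header has `alg`.
  if (parts.length === 3 && typeof header.alg === 'string') {
    if (header.alg === 'none') return { kind: 'invalid', reason: 'unsigned token (alg=none) is not accepted' };
    try {
      return { kind: 'jws', alg: header.alg, claims: b64urlDecodeJson(parts[1]) };
    } catch (e) {
      return { kind: 'invalid', reason: 'payload is not base64url-encoded JSON' };
    }
  }
  return { kind: 'invalid', reason: `unexpected structure (${parts.length} segments)` };
}

// Constructed sample tokens (not real credentials). The third JWS segment and
// the last four JWE segments are placeholders, not a real signature or ciphertext.
const SAMPLE_JWS = [
  b64urlEncodeJson({ alg: 'RS256', typ: 'JWT', kid: 'example-key' }),
  b64urlEncodeJson({ iss: 'https://idp.example', sub: 'user-1', aud: 'client-1' }),
  'c2lnbmF0dXJl',
].join('.');

const SAMPLE_JWE = [
  b64urlEncodeJson({ alg: 'RSA-OAEP-256', enc: 'A256GCM', typ: 'JWT' }),
  'ZW5jcnlwdGVkLWtleQ', 'aXY', 'Y2lwaGVydGV4dA', 'dGFn',
].join('.');

module.exports = { inspectToken, b64urlEncodeJson, SAMPLE_JWS, SAMPLE_JWE };
```

`inspectToken(SAMPLE_JWE)` yields `kind: 'jwe'` with the `hint` text, which is the message an operator in Daandeve's situation would have wanted to see in the account service log; `inspectToken(SAMPLE_JWS)` yields `kind: 'jws'` with the decoded (still unverified) claims.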
