Crivaledaz / Mattermost-LDAP

This module provides an external LDAP authentication in Mattermost for the Team Edition (free).
MIT License

Fails with "Token request failed" #43

Closed mhier closed 4 years ago

mhier commented 4 years ago

After authorisation I get a "Token request failed" error page from mattermost. The authorisation itself seems to work, on a second attempt I am already signed in and I just have to click the "Authorize" button - but I will again just get the "Token request failed" error.

In the mattermost log I find:

{"level":"error","ts":1585655304.1903956,"caller":"web/oauth.go:259","msg":"AuthorizeOAuthUser: Token request failed, Post https://<redacted>:445/oauth/token.php: x509: certificate signed by unknown authority"}

In the web server access log for the oauth page I find:

<redacted> - - [31/Mar/2020:13:48:24 +0200] "POST /oauth/authorize.php?response_type=code&client_id=<redacted>&redirect_uri=https%3A%2F%<redacted>%2Fsignup%2Fgitlab%2Fcomplete&state=<redacted>%3D&scope=api HTTP/1.1" 302 5 "https://<redacted>:445/oauth/authorize.php?response_type=code&client_id=<redacted>&redirect_uri=https%3A%2F%<redacted>%2Fsignup%2Fgitlab%2Fcomplete&state=<redacted>%3D&scope=api" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"

which looks odd to me, since it does a 302 redirect to the same page, but there are no further requests coming. (Of course there are more requests before that, to get the login page etc., but they look normal.)

My setup is:

Is a setup in this way unsupported? How else to do it? Or is this a bug? Let me know if I shall provide further information.

b3 commented 4 years ago

I have got the same exact issue here with a slightly different setup:

I use Mattermost 5.13.0 and php-7.3.14-1.

b3 commented 4 years ago

The SSL authority certificate of the (intermediate) issuer of my SSL cert was not in the pool of recognized ones. I fixed it using:

cp TERENA_SSL_CA_3.crt /usr/local/share/ca-certificates/
update-ca-certificates

Now it worked but I get some new troubles:

b3 commented 4 years ago

BTW, I was using Mattermost 5.21.0 not 5.13.0.

mhier commented 4 years ago

I think there is indeed some issue with the certificate. Even though it is accepted by Firefox, and even though I have specifically added the issuer certificate to /usr/local/share/ca-certificates/ (even though the root CA is already present on the system by default), even wget complains about not being able to verify the certificate. My solution now was to use a gitlab installation for authentication which exists anyway and runs on a server with a working certificate.

So sorry for the noise, the problem was with my setup, and not a bug :-)

* I can log in and log out. But then I cannot log in with another LDAP user; the page that comes up when I click on GitLab is the one which asks me to _Authorize_ or _Deny_ the connection. I need to quit the browser to be able to log in with another user.

I think this is a legit point and I have observed the same thing. This should be fixed, there should be some kind of logout button.

* Every time I want to log in I get the _Authorize_/_Deny_ page as if the answer was not saved.

Same for this.

@b3 I recommend you to create another issue for this, because these are separate problems. I will close this ticket, since it was just a problem with my local setup.
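The certificate failure that b3 fixed above and that mhier still saw with wget comes down to the same thing: the server's leaf certificate is issued by an intermediate CA that the client cannot find. The script below is an added example (not code from this thread or from the Mattermost-LDAP project); it builds a constructed root/intermediate/leaf chain with the openssl CLI, which it assumes is installed, and shows the failing case next to the two ways of fixing it: trusting the intermediate locally, as `update-ca-certificates` does, or having the web server send the intermediate as part of its chain.

```shell
#!/bin/sh
# Constructed demo (not from the thread or the Mattermost-LDAP project).
# Builds a throwaway root -> intermediate -> leaf chain with openssl and shows
# why a leaf signed by an intermediate fails to verify when only the root is
# trusted, and the two ways to fix it. Assumes the openssl CLI is installed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1

# Intermediate CA, signed by the root; must carry CA:TRUE to be accepted.
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out int.crt -days 2 -extfile int.ext >/dev/null 2>&1

# Leaf (server) certificate, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=oauth.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out leaf.crt -days 2 >/dev/null 2>&1

# Returns 0 when leaf.crt chains to a certificate in the trust file "$1";
# "$2" is an optional untrusted chain file, like the extra certs a server sends.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
  fi
}

# Only the root is trusted and the intermediate is neither installed nor sent:
# this is the "certificate signed by unknown authority" situation. Returns 0
# because verification is expected to fail here.
fails_without_intermediate() { ! verify_leaf root.crt; }

# Fix 1 (what the thread did): add the intermediate to the local trust store.
verifies_with_intermediate_trusted() {
  cat root.crt int.crt > trust.crt
  verify_leaf trust.crt
}

# Fix 2: keep the trust store as is and have the server send the intermediate.
verifies_when_server_sends_chain() { verify_leaf root.crt int.crt; }
```

Fix 2 is the one to prefer for a public service, since it repairs every client (Mattermost, wget, curl) at once instead of requiring a trust-store change on each host.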

b3 commented 4 years ago

You are right. Done in #44 and #45.

@mhier Your issue has been useful anyway (at least for me).