Crivaledaz / Mattermost-LDAP

This module provides an external LDAP authentication in Mattermost for the Team Edition (free).
MIT License

Mattermost auth failure - Invalid state #79

Open nikolaysu opened 3 years ago

nikolaysu commented 3 years ago

Describe the bug: Authorization does not work in a fresh installation. "Invalid state"

To Reproduce: Steps to reproduce the behavior:

  1. Install mattermost Version: 5.36.1 Build Number: 5.36.1
  2. Install Mattermost-LDAP on the same server as Bare metal (Apache/2.4.46 port 8443 over SSL, PHP 7.0.33-0+deb9u6)
  3. Open mattermost login page, click gitlab, redirected to https://mm.example.com:8443/oauth/. Enter ldap login and password.

Provide commands, Mattermost and PHP logs or configuration file if possible.

172.20.1.6 - client ip, mm.example.com:8065 - mattermost server, mm.example.com:8443 - Mattermost-LDAP web page

Mattermost logs in debug mode

{"level":"debug","ts":1625024999.5828278,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/oauth/gitlab/login","request_id":"wrw3p3dc4inn5p84rtrhh4q5qr","host":"mm.example.com:8065","scheme":"","status_code":"302"}
{"level":"debug","ts":1625025008.811365,"caller":"mlog/log.go:230","msg":"Invalid state","path":"/signup/gitlab/complete","request_id":"wj1xym7qspgj8b8yeftrdwr55e","ip_addr":"172.20.1.16","user_id":"","method":"GET","err_where":"AuthorizeOAuthUser","http_code":400,"err_details":""}
{"level":"debug","ts":1625025008.8446581,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/signup/gitlab/complete","request_id":"wj1xym7qspgj8b8yeftrdwr55e","host":"mm.example.com:8065","scheme":"","status_code":"400"}
{"level":"debug","ts":1625025009.055701,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/error","request_id":"mpucaqfdxfn5tyc7haxm548jee","host":"mm.example.com:8065","scheme":"","status_code":"200"}
{"level":"debug","ts":1625025010.0175362,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/api/v4/config/client","request_id":"pnocb59j9pdni818a83doqke8a","host":"mm.example.com:8065","scheme":"","status_code":"200"}
{"level":"debug","ts":1625025010.0197144,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/api/v4/license/client","request_id":"cdogz56mep8r5fwkabwrqwjazc","host":"mm.example.com:8065","scheme":"","status_code":"200"}
{"level":"debug","ts":1625025010.0702233,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/api/v4/plugins/webapp","request_id":"qr39g15nfprq5k1bt71335esec","host":"mm.example.com:8065","scheme":"","status_code":"200"}

Apache logs

172.20.1.16 - - [30/Jun/2021:06:49:59 +0300] "GET /oauth/authorize.php?response_type=code&client_id=116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81&redirect_uri=http%3A%2F%2Fmm.example.com%3A8065%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6Im13eXFleWVzZG03ZmtnYnR5bXlkdWRmYWdjZ21mdXRvcjhtM3Q4am5yMzRzdXdrZXJzMW4xbjlqeTZhbTNyeGIifQ%3D%3D HTTP/1.1" 302 6150 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:49:59 +0300] "GET /oauth/index.php HTTP/1.1" 200 1029 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:49:59 +0300] "GET /oauth/style.css HTTP/1.1" 200 1711 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:49:59 +0300] "GET /oauth/images/prompt_icon.png HTTP/1.1" 304 209 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:50:08 +0300] "POST /oauth/index.php HTTP/1.1" 302 1210 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:50:08 +0300] "GET /oauth/authorize.php?response_type=code&client_id=116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81&redirect_uri=http%3A%2F%2Fmm.example.com%3A8065%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6Im13eXFleWVzZG03ZmtnYnR5bXlkdWRmYWdjZ21mdXRvcjhtM3Q4am5yMzRzdXdrZXJzMW4xbjlqeTZhbTNyeGIifQ%3D%3D HTTP/1.1" 302 609 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:50:28 +0300] "-" 408 511 "-" "-"

Mattermost config

 "GitLabSettings": {
        "Enable": true,
        "Secret": "4a77dabc75f336c464964996a596c8307ee1cc6df6c10f727ac43d9a294c6e86",
        "Id": "116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81",
        "Scope": "",
        "AuthEndpoint": "https://mm.example.com:8443/oauth/authorize.php",
        "TokenEndpoint": "https://mm.example.com:8443/oauth/token.php",
        "UserApiEndpoint": "https://mm.example.com:8443/oauth/resource.php",
        "DiscoveryEndpoint": "",
        "ButtonText": "",
        "ButtonColor": ""
    },

In oauth_db (postgres)

sudo -u postgres psql -d oauth_db -c "select * from oauth_clients;"
client_id                             |                          client_secret                           |                 redirect_uri                  |    grant_types     | scope | user_id
------------------------------------------------------------------+------------------------------------------------------------------+-----------------------------------------------+--------------------+-------+---------
 116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81 | 4a77dabc75f336c464964996a596c8307ee1cc6df6c10f727ac43d9a294c6e86 | http://mm.example.com:8065/signup/gitlab/complete | authorization_code | api   |

Crivaledaz commented 3 years ago

Hi,

Thank you for using Mattermost-LDAP and for the details you provided on your issue.

I can't find what goes wrong in your setup by reading the logs. There are no error logs. Only the last Apache log is intriguing. I don't know what is going on; if I understand, you get a 408 error (HTTP_REQUEST_TIME_OUT), but I don't know what the request was.

In your Apache logs, there are no logs about the token.php or resource.php pages. It seems that the Mattermost server does not contact the Oauth server, but I don't see a misconfiguration that explains why.

I notice you are using HTTPS for the Oauth server. Maybe you also run the Mattermost server with HTTPS. In this case, the redirect_uri parameter in the oauth_clients table should be in HTTPS too. Furthermore, be sure the Mattermost server trusts the Oauth SSL certificate, otherwise it will not perform authentication against Oauth.

Your error is very strange because Mattermost classifies the "Invalid state" as a debug level. I am afraid you will need to inspect the network exchanges between Oauth and Mattermost, to understand what is going on. For this, you could use Wireshark or Tshark.

For your information, I have successfully run Mattermost 5.36.1 with Mattermost-LDAP using the demo docker-compose.

Keep me informed,

Regards

nikolaysu commented 3 years ago

Thanks for the answer!

Mattermost and oauth are on one server, and I don’t understand what can disturb the network exchange.

I set up SSL on Mattermost. (There shouldn't be any problems with certificates. This is my domain's honest wildcard certificate.) And I got another error - "Bad response from token request"

{"level":"error","ts":1625044594.2157342,"caller":"mlog/log.go:251","msg":"Bad response from token request.","path":"/signup/gitlab/complete","request_id":"tw6jfkyqr3frtdz8u9rrmpw4wo","ip_addr":"172.20.1.16","user_id":"","method":"GET","err_where":"AuthorizeOAuthUser","http_code":500,"err_details":"response_body= {\"error\":\"redirect_uri_mismatch\",\"error_description\":\"The redirect URI is missing or do not match\",\"error_uri\":\"http:\\/\\/tools.ietf.org\\/html\\/rfc6749#section-4.1.3\"}, status_code=400"}

And apache log

172.20.1.16 - - [30/Jun/2021:12:47:10 +0300] "-" 408 5785 "-" "-"
172.20.1.16 - - [30/Jun/2021:12:47:39 +0300] "GET /oauth/authorize.php?response_type=code&client_id=116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81&redirect_uri=https%3A%2F%2Fmm.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6IjE1cWprZzY2YTZqY2ZoaTg1aHc1OHBoeTU0bTRhZGVvZWRpYm9tMTR6Z3M2NnA5aG1heDRoNnpqOHN0emM4a2gifQ%3D%3D HTTP/1.1" 302 876 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:12:47:39 +0300] "GET /oauth/index.php HTTP/1.1" 200 1029 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:12:47:39 +0300] "GET /oauth/style.css HTTP/1.1" 200 1711 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:12:47:39 +0300] "GET /oauth/images/prompt_icon.png HTTP/1.1" 304 209 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:12:47:51 +0300] "POST /oauth/index.php HTTP/1.1" 302 1204 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:12:47:51 +0300] "GET /oauth/authorize.php?response_type=code&client_id=116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81&redirect_uri=https%3A%2F%2Fmm.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6IjE1cWprZzY2YTZqY2ZoaTg1aHc1OHBoeTU0bTRhZGVvZWRpYm9tMTR6Z3M2NnA5aG1heDRoNnpqOHN0emM4a2gifQ%3D%3D HTTP/1.1" 302 605 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.18.101.55 - - [30/Jun/2021:12:47:51 +0300] "POST /oauth/token.php HTTP/1.1" 400 6127 "-" "Mattermost-Bot/1.1"
172.20.1.16 - - [30/Jun/2021:12:48:11 +0300] "-" 408 511 "-" "-"

until I understand where I could go wrong......

Crivaledaz commented 3 years ago

This time the Mattermost error is clearer :

"error":"redirect_uri_mismatch","error_description":"The redirect URI is missing or do not match"

In the Apache logs, you can see the authorize request (from client to /oauth/authorize.php). Among the query parameters, there is the redirect_uri built by Mattermost from the site_url server parameter, and its value is https://mm.example.com/signup/gitlab/complete. However, if you do not change the entry in the oauth_clients table, the Oauth server expects the following value: http://mm.example.com/signup/gitlab/complete. For more information about this, refer to issue #66 (relevant answer).

To summarize, the redirect_uri in the database must be the same as the authorize request parameter. To update the database, use the following command :

UPDATE oauth_clients SET redirect_uri = 'https://mm.example.com/signup/gitlab/complete' WHERE client_id='116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81';

I hope this will solve your problem,

Regards
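Added example (not part of the thread and not Mattermost-LDAP code): a small check that pulls the redirect_uri out of an authorize request in an Apache access-log line and reports which URL components differ from the value registered in oauth_clients. It assumes the comparison is plain string equality, as the summary above puts it; the log line is a constructed sample modelled on the ones quoted in this issue, with placeholder client_id and state.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the Apache access-log lines in this thread;
# client_id and state are placeholders, not real values.
SAMPLE_LOG_LINE = (
    '172.20.1.16 - - [30/Jun/2021:12:47:39 +0300] '
    '"GET /oauth/authorize.php?response_type=code'
    '&client_id=CLIENT_ID_PLACEHOLDER'
    '&redirect_uri=https%3A%2F%2Fmm.example.com%2Fsignup%2Fgitlab%2Fcomplete'
    '&state=STATE_PLACEHOLDER HTTP/1.1" 302 876 "-" "Mozilla/5.0"'
)

# Value stored in oauth_clients.redirect_uri before the UPDATE shown above.
REGISTERED = "http://mm.example.com:8065/signup/gitlab/complete"

# First quoted field of a combined-format log line: METHOD TARGET PROTOCOL.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def requested_redirect_uri(log_line):
    """Return the URL-decoded redirect_uri of an authorize request, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None  # e.g. the '"-" 408' timeout lines
    target = urlsplit(match.group(1))
    if not target.path.endswith("/authorize.php"):
        return None
    values = parse_qs(target.query).get("redirect_uri")
    return values[0] if values else None


def redirect_uri_differences(registered, requested):
    """List the URL components that differ; an empty list means an exact match."""
    if registered == requested:
        return []
    reg, req = urlsplit(registered), urlsplit(requested)
    diffs = []
    for name in ("scheme", "hostname", "port", "path", "query"):
        a, b = getattr(reg, name), getattr(req, name)
        if a != b:
            diffs.append(f"{name}: registered={a!r} requested={b!r}")
    if not diffs:
        # Same parsed components but different strings.
        diffs.append("strings differ only in case, encoding or whitespace")
    return diffs


if __name__ == "__main__":
    uri = requested_redirect_uri(SAMPLE_LOG_LINE)
    print("requested :", uri)
    print("registered:", REGISTERED)
    for line in redirect_uri_differences(REGISTERED, uri):
        print("  mismatch ->", line)
```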

nikolaysu commented 3 years ago

After setting up SSL in Mattermost, I changed the values in the oauth database

oauth_db=# select * from oauth_clients;
                            client_id                             |                          client_secret                           |               redirect_uri                |    grant_types     | scope | user_id
------------------------------------------------------------------+------------------------------------------------------------------+-------------------------------------------+--------------------+-------+---------
 116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81 | 4a77dabc75f336c464964996a596c8307ee1cc6df6c10f727ac43d9a294c6e86 | https://mm.example.com/signup/gitlab/complete | authorization_code | api   |
(1 строка)

I also want to try setting up nginx as a proxy in front of Mattermost and see what requests go to Mattermost from oauth

nikolaysu commented 3 years ago

I set up a proxy for nginx as I wrote earlier. Surprisingly, I have not found any requests from oauth (ip: 172.18.101.55) to Mattermost (nginx). True, perhaps this is normal, I do not fully understand this mechanism.

172.20.1.16 - - [30/Jun/2021:18:38:26 +0300] "GET /login HTTP/2.0" 200 1201 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:27 +0300] "GET /static/main.ecb2bd8cff7ad3980df1.js.map HTTP/2.0" 200 2500104 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:27 +0300] "GET /static/main.e9f8e271c946b9faf8f2.css.map HTTP/2.0" 200 256015 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:27 +0300] "GET /static/628.8f0677f14f85b647fa7b.css.map HTTP/2.0" 200 50304 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:27 +0300] "GET /static/892.051fead3bae5700a1cc3.js.map HTTP/2.0" 200 1630671 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /api/v4/config/client?format=old HTTP/2.0" 200 1191 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /api/v4/license/client?format=old HTTP/2.0" 200 22 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /static/628.28c5bfeb2fc15185b133.js.map HTTP/2.0" 200 1345082 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /api/v4/plugins/webapp HTTP/2.0" 200 1200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /plugins/com.mattermost.plugin-incident-management/api/v0/settings HTTP/2.0" 401 15 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /static/plugins/com.mattermost.plugin-incident-management/main.js.map HTTP/2.0" 200 1461861 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /static/77.deb1b5fd78339c68b2e9.js.map HTTP/2.0" 200 1914 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /static/424.b43d4c62bbe783182341.js.map HTTP/2.0" 200 15969 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:30 +0300] "GET /oauth/gitlab/login HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:39 +0300] "GET /signup/gitlab/complete?code=ef18343d66d5669f921e98b296b7c3b1204a24c7&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6Ijl1eDN3ZWVhODlwd3Nja2N4cnNkemM5azM3eWI5OGJkYmRleXR3Y2Vpa2M5azZqdHk0bWJzOW9hNTU3ZW53YXAifQ%3D%3D HTTP/2.0" 500 1077 "https://mm.example.com:8443/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:39 +0300] "GET /error?message=%D0%9F%D0%BB%D0%BE%D1%85%D0%BE%D0%B9+%D0%BE%D1%82%D0%B2%D0%B5%D1%82+%D0%BE%D1%82+%D0%B7%D0%B0%D0%BF%D1%80%D0%BE%D1%81%D0%B0+%D1%82%D0%BE%D0%BA%D0%B5%D0%BD%D0%B0.&s=MEUCIG58KTwuj_TKB2etgjolI8xinKBvq_oyC58qWYaDvEqLAiEA1DWYrqcbFaWmEZrTdM_KcGGmGq0jkfRBjrQfoy2eHvw= HTTP/2.0" 200 1201 "https://mm.example.com/signup/gitlab/complete?code=ef18343d66d5669f921e98b296b7c3b1204a24c7&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6Ijl1eDN3ZWVhODlwd3Nja2N4cnNkemM5azM3eWI5OGJkYmRleXR3Y2Vpa2M5azZqdHk0bWJzOW9hNTU3ZW53YXAifQ%3D%3D" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:40 +0300] "GET /static/main.ecb2bd8cff7ad3980df1.js.map HTTP/2.0" 200 2500104 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:40 +0300] "GET /static/main.e9f8e271c946b9faf8f2.css.map HTTP/2.0" 200 256015 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:40 +0300] "GET /static/628.8f0677f14f85b647fa7b.css.map HTTP/2.0" 200 50304 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:40 +0300] "GET /static/892.051fead3bae5700a1cc3.js.map HTTP/2.0" 200 1630671 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:41 +0300] "GET /api/v4/config/client?format=old HTTP/2.0" 200 1191 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:41 +0300] "GET /api/v4/license/client?format=old HTTP/2.0" 200 22 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:41 +0300] "GET /api/v4/plugins/webapp HTTP/2.0" 200 1200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:41 +0300] "GET /static/628.28c5bfeb2fc15185b133.js.map HTTP/2.0" 200 1345082 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:41 +0300] "GET /plugins/com.mattermost.plugin-incident-management/api/v0/settings HTTP/2.0" 401 15 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:42 +0300] "GET /static/385.7e11ef31ea9f0aed4749.js.map HTTP/2.0" 200 5921 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:42 +0300] "GET /static/plugins/com.mattermost.plugin-incident-management/main.js.map HTTP/2.0" 200 1461861 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:42 +0300] "GET /static/835.b416dddd19bf5e1bf202.js.map HTTP/2.0" 200 531715 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

minduxntep commented 3 years ago

Same to me, {"level":"error","ts":1625129338.0646713,"caller":"web/oauth.go:273","msg":"AuthorizeOAuthUser: Сбой запроса токена., Post \"http://mattermost.example.com:380/oauth/token.php\": dial tcp: i/o timeout"}

GregpryA commented 1 year ago

Similar story, but few differences. Don't understand the reason. Docker installation, so DB is getting parameters from docker-compose.yaml. Part from it: redirect_uri: "https://mattermost.mysite.com/signup/gitlab/complete"

And indeed, it is getting things correctly:

oauth_db=> select * from oauth_clients;
     client_id      |        client_secret         |                     redirect_uri                     |    grant_types     | scope | user_id
--------------------+------------------------------+------------------------------------------------------+--------------------+-------+---------
 03e54d89fc383bb0cf | 30e9ce48a63cca38340ce58a42a1 | https://mattermost.mysite.com/signup/gitlab/complete | authorization_code | api   |
(1 row)

Site configuration in Mattermost' config.json: "SiteURL": "https://mattermost.mysite.com",

Access log from nginx on oauth:

172.16.3.37 - - [12/Apr/2023:13:56:06 +0000] "GET /oauth/authorize.php?response_type=code&client_id=03e5430ad1868cb0a3e84352995550b39905d202b2f8bc291d1b89fc383bb0cf&redirect_uri=http%3A%2F%2Fmattermost.mysite.com%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJlbWFpbF90b19zc28iLCJlbWFpbCI6ImcuZ3VyZXZpY2hAY2FzaG1lcmUucnUiLCJ0b2tlbiI6Ink0amYxamdjZ2ZkcnlvMzZxeXFzZW9lYmY2c3lhYWhnaG1za3JyZ3gzZ2d6ajVneXVzbmZmazQ3aW1mODlhZGEifQ%3D%3D HTTP/1.1" 400 188 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62" "-"

And same error - "{"error":"redirect_uri_mismatch","error_description":"The redirect URI provided is missing or does not match","error_uri":"http:\/\/tools.ietf.org\/html\/rfc6749#section-3.1.2"}"}

What could be wrong? Replacement of slashes with %2F should not be the culprit, as we see from the above comments. Any ideas?

Interesting note: if I copy this request and do curl from Oauth server - I am getting error: {"error":"invalid_client","error_description":"No client id supplied"}

And indeed, this URL does not include the client ID which was configured on the Mattermost and Oauth end!

But most strange response is from any third server:

[1] 133844
[2] 133845
[3] 133846
[2]- Done client_id=03e5430ad1891d1b89fc383bb0cf

(correct ID), I am pressing enter and...

greg@sv-docker01:~$ {"error":"invalid_client","error_description":"No client id supplied"}
[1]- Done curl https://auth.mysite.com/oauth/authorize.php?response_type=code
[3]+ Done redirect_uri=https%3A%2F%2Fmattermost.mysite.com%2Fsignup%2Fgitlab%2Fcomplete

Totally don't understand.

GregpryA commented 1 year ago

My problem is solved. Seems that some hidden character was included into the Mattermost ID, or some other error occurred when copying it from the docker config to Mattermost.
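Added example (not part of the thread and not Mattermost-LDAP code): a check for the failure described in the last comment, an invisible character carried into the client ID during copy and paste. It reads GitLabSettings.Id from a config.json fragment and lists every character that is not visible ASCII; the config fragment and both IDs are constructed placeholders, and the function names are hypothetical.

```python
import json
import unicodedata

# Constructed config fragment in the shape of the GitLabSettings block quoted
# earlier in this thread. The Id carries a zero-width space (written as a JSON
# escape) and a trailing space; it is a made-up placeholder, not a real id.
SAMPLE_CONFIG = r'''
{"GitLabSettings": {"Enable": true, "Id": "0123\u200babcd ", "Secret": "placeholder"}}
'''

# Constructed: the client_id as stored in the oauth_clients table.
REGISTERED_CLIENT_ID = "0123abcd"


def is_visible_ascii(ch):
    """True for printable ASCII excluding the space character."""
    return "!" <= ch <= "~"


def hidden_characters(value):
    """Return (index, code point, Unicode name) for each suspicious character."""
    findings = []
    for index, ch in enumerate(value):
        if not is_visible_ascii(ch):
            # Control characters have no Unicode name, so supply a default.
            name = unicodedata.name(ch, "UNNAMED CONTROL CHARACTER")
            findings.append((index, f"U+{ord(ch):04X}", name))
    return findings


def audit_client_id(config_text, registered):
    """Compare the configured GitLabSettings.Id with the registered client_id."""
    configured = json.loads(config_text)["GitLabSettings"]["Id"]
    cleaned = "".join(ch for ch in configured if is_visible_ascii(ch))
    return {
        "exact_match": configured == registered,
        "match_after_cleaning": cleaned == registered,
        "configured_length": len(configured),
        "registered_length": len(registered),
        "hidden": hidden_characters(configured),
    }


if __name__ == "__main__":
    report = audit_client_id(SAMPLE_CONFIG, REGISTERED_CLIENT_ID)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A length difference between the configured and registered values is often the first visible sign, since the extra characters do not show up when the two strings are printed side by side.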