H2CK / oidc

OpenID Connect App for Nextcloud
GNU Affero General Public License v3.0

(OAuth2.Error) Server responded with status: 401 #278

Closed not0kin closed 8 months ago

not0kin commented 1 year ago

I'm trying to get the application working with this: Mobilizon. But I get the title error.

Here are the details of the error:

mobilizon     | ** (exit) an exception was raised:
mobilizon     |     ** (OAuth2.Error) Server responded with status: 401
mobilizon     |
mobilizon     | Headers:
mobilizon     |
mobilizon     | cache-control: no-store, no-cache, must-revalidate
mobilizon     | connection: keep-alive
mobilizon     | date: Wed, 20 Sep 2023 09:00:39 GMT
mobilizon     | pragma: no-cache
mobilizon     | server: nginx/1.23.4
mobilizon     | content-length: 14
mobilizon     | content-type: application/json; charset=utf-8
mobilizon     | expires: Thu, 19 Nov 1981 08:52:00 GMT
mobilizon     | set-cookie: oc_sessionPassphrase=Jp7APSqYnmNbYcD7rFqhcTDq4vCf0XEkpROASChadvhbhLSrqi7ulqlmou4HF8IYBfhrPV8S4VxufetyafY%2FSAB24YExdM2F0cDV%2Fb9ZG0aLNNrntCn6pTkpZTfBhALP; path=/; secure; HttpOnly; SameSite=Lax
mobilizon     | content-security-policy: default-src 'self'; script-src 'self' 'nonce-YTNIVzJKSlN3MnFlUG5yQVpLNXE1YjFBZDhMMjdWVmlIVk92VDN0VXlyYz06TTBmbXF2OG1xeVRxZFJXTFU5ODloTlVHUDdDRGpucEpXamZGZWs0RGc0OD0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
mobilizon     | set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
mobilizon     | set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
mobilizon     | set-cookie: ocehwu9dxbiu=e4b202f74bc3127886e0ab257f8b0010; path=/; secure; HttpOnly; SameSite=Lax
mobilizon     | referrer-policy: no-referrer
mobilizon     | x-content-type-options: nosniff
mobilizon     | x-download-options: noopen
mobilizon     | x-frame-options: SAMEORIGIN
mobilizon     | x-permitted-cross-domain-policies: none
mobilizon     | x-robots-tag: noindex, nofollow
mobilizon     | x-xss-protection: 1; mode=block
mobilizon     | access-control-allow-origin: *
mobilizon     | access-control-allow-methods: GET, POST, OPTIONS
mobilizon     | access-control-allow-headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
mobilizon     | access-control-expose-headers: Content-Length,Content-Range
mobilizon     |
mobilizon     | Body:
mobilizon     |
mobilizon     | %{"message" => ""}
mobilizon     |
mobilizon     |         (oauth2 2.1.0) lib/oauth2/client.ex:298: OAuth2.Client.get_token!/4
mobilizon     |         (ueberauth_keycloak_strategy 0.4.0) lib/ueberauth/strategy/keycloak/oauth.ex:80: Ueberauth.Strategy.Keycloak.OAuth.get_token!/2
mobilizon     |         (ueberauth_keycloak_strategy 0.4.0) lib/ueberauth/strategy/keycloak.ex:109: Ueberauth.Strategy.Keycloak.handle_callback!/1
mobilizon     |         (ueberauth 0.10.5) lib/ueberauth/strategy.ex:376: Ueberauth.Strategy.run_handle_callback/2
mobilizon     |         (mobilizon 3.1.3) lib/web/controllers/auth_controller.ex:87: Mobilizon.Web.AuthController.callback/2
mobilizon     |         (mobilizon 3.1.3) lib/web/controllers/auth_controller.ex:1: Mobilizon.Web.AuthController.action/2
mobilizon     |         (mobilizon 3.1.3) lib/web/controllers/auth_controller.ex:1: Mobilizon.Web.AuthController.phoenix_controller_pipeline/2
mobilizon     |         (phoenix 1.7.6) lib/phoenix/router.ex:430: Phoenix.Router.__call__/5

And the config that I used:

config :ueberauth,
  Ueberauth,
  providers: [
    keycloak: {Ueberauth.Strategy.Keycloak, [default_scope: "openid profile email"]}
  ]

config :mobilizon, :auth,
  oauth_consumer_strategies: [
    {:keycloak, "My Nextcloud Account"}
  ]

config :ueberauth, Ueberauth.Strategy.Keycloak.OAuth,
  client_id: "N8xg8NIlfBxj2d4HJThAp0aQosts9fZpj8Ru7myLHWSXHkbAiIUzmd0YTxkqXuKs",
  client_secret: "py5fLGYYL2LvItgYPzTtLWB4CyOiZiW5h35kegsiHCjyzSRxXOQmsO0ppUjB2p4U",
  site: "https://mobilizon-instance.tld",
  authorize_url: "https://mobilizon-instance.tld/apps/oidc/authorize",
  token_url: "https://mobilizon-instance.tld/apps/oidc/token",
  userinfo_url: "https://mobilizon-instance.tld/apps/oidc/userinfo",
  token_method: :post

Is there something that I missed or misconfigured? Or is Mobilizon incompatible with this application? I'm not well versed in web services. I hope I didn't bite off more than I can chew.

H2CK commented 1 year ago

In general your configuration looks good.

Could you provide logs from your Nextcloud instance to see what's going on there? How did you configure the callback url in Nextcloud for this client?

not0kin commented 1 year ago

Here are the Nextcloud logs:

2023-09-20T15:38:39.674744435Z docker_proxy_container_IP - - [20/Sep/2023:15:38:39 +0000] "GET /apps/oidc/authorize?client_id=N8xg8NIlfBxj2d4HJThAp0aQosts9fZpj8Ru7myLHWSXHkbAiIUzmd0YTxkqXuKs&redirect_uri=https%3A%2F%2Fmobilizon-instance.tld%2Fauth%2Fkeycloak%2Fcallback&response_type=code&scope=openid+profile+email&state=lMw8eMu7AJVEjJd-y6jTbtal HTTP/1.1" 303 0 "https://mobilizon-instance.tld/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0" "my_IP"
2023-09-20T15:38:40.922228595Z docker_proxy_container_IP - N8xg8NIlfBxj2d4HJThAp0aQosts9fZpj8Ru7myLHWSXHkbAiIUzmd0YTxkqXuKs [20/Sep/2023:15:38:40 +0000] "POST /apps/oidc/token HTTP/1.1" 401 24 "-" "-" "docker_gateway_IP"

For the callback URL, I followed the instructions in the link above and used: "https://mobilizon-instance.tld/auth/keycloak/callback".

H2CK commented 1 year ago

Those are not the logs of the Nextcloud server. But anyway. For further analysis it would be good to have the logs from Nextcloud itself.

Based on your information it seems you run into one of the limitations as stated here: https://github.com/H2CK/oidc#limitations

Client authentication to fetch token currently only supports the sending of the client credentials in the body. Basic Auth is currently not supported.

I assume that your configuration option token_method: :post should configure the client to send the credentials in the body instead of using Basic Auth. That should be fine for the oidc app. But it seems that this configuration option does not work and the OpenID Connect client in Mobilizon still uses Basic Auth. Is this configuration really correct? Shouldn't it be token_method: post? Is there a colon too much?
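To make the limitation H2CK points to concrete, here is an added example (not code from the oidc app, from Mobilizon or from the Elixir oauth2 library) showing the two ways an OAuth2/OIDC client can present its client_id and client_secret at the token endpoint, client_secret_basic (HTTP Basic header) and client_secret_post (form fields in the body, RFC 6749 section 2.3.1), next to a minimal token endpoint that either reads credentials only from the body, as the README limitation describes, or accepts both as the RFC requires. The client id, secret, code and redirect URI are constructed placeholders; how Mobilizon's token_method option maps onto these two methods is not something this example settles.

```python
"""Added example: client_secret_basic vs client_secret_post at the token endpoint,
and a body-only token endpoint that answers 401 to Basic Auth."""
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed placeholder credentials; not the values from the issue.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"


def build_token_request(client_id, client_secret, code, redirect_uri, auth_method):
    """Return (headers, body) for an authorization_code token request.

    "client_secret_basic" puts the credentials in an HTTP Basic Authorization
    header; "client_secret_post" puts them in the form-encoded body.
    """
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        raw = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif auth_method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown auth_method {auth_method!r}")
    return headers, urlencode(params)


def credentials_from_body(form):
    """Body-only lookup: what a server with the quoted limitation sees."""
    return form.get("client_id"), form.get("client_secret")


def credentials_from_header_or_body(headers, form):
    """RFC 6749 behaviour: try HTTP Basic first, then fall back to the body."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None, None
        client_id, _, secret = decoded.partition(":")
        return client_id, secret
    return credentials_from_body(form)


def token_endpoint(headers, body, registered_clients, accept_basic):
    """Minimal token endpoint returning (status, payload).

    accept_basic=False reproduces the body-only limitation; True is the
    RFC-conformant behaviour. The secret comparison is constant-time and the
    same error is returned for unknown client and wrong secret.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if accept_basic:
        client_id, secret = credentials_from_header_or_body(headers, form)
    else:
        client_id, secret = credentials_from_body(form)
    expected = registered_clients.get(client_id or "")
    if expected is None or secret is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code" or not form.get("code"):
        return 400, {"error": "invalid_request"}
    return 200, {"access_token": "constructed-opaque-token", "token_type": "Bearer"}


def outcomes(accept_basic):
    """HTTP status each client authentication method gets from token_endpoint."""
    registered = {CLIENT_ID: CLIENT_SECRET}
    result = {}
    for method in ("client_secret_basic", "client_secret_post"):
        headers, body = build_token_request(
            CLIENT_ID, CLIENT_SECRET, "constructed-code", "https://client.example/callback", method
        )
        status, _ = token_endpoint(headers, body, registered, accept_basic)
        result[method] = status
    return result


if __name__ == "__main__":
    print("body-only server:", outcomes(accept_basic=False))
    print("RFC-conformant server:", outcomes(accept_basic=True))
```

Running it prints a 401 for client_secret_basic against the body-only server and 200 for both methods against the conformant one, which is the shape of failure a client defaulting to Basic Auth would see at this app's token endpoint. A server implementing the limitation should still return the same invalid_client error for a missing body credential as for a wrong one, so an unauthenticated caller learns nothing about which client ids exist.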

not0kin commented 1 year ago

I messed up and set the wrong logs; here are those I got from "nextcloud.log":

{"reqId":"m7FyL6V12LM4SzQnj9V6","level":1,"time":"2023-09-24T12:17:26+00:00","remoteAddr":"docker_network_gateway_IP","user":"--","app":"no app in context","method":"POST","url":"/apps/oidc/token","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 800, ip: docker_network_gateway_IP]","userAgent":"--","version":"27.0.0.8","data":[]}
{"reqId":"m7FyL6V12LM4SzQnj9V6","level":2,"time":"2023-09-24T12:17:27+00:00","remoteAddr":"docker_network_gateway_IP","user":"--","app":"core","method":"POST","url":"/apps/oidc/token","message":"Login failed: 'N8xg8NIlfBxj2d4HJThAp0aQosts9fZpj8Ru7myLHWSXHkbAiIUzmd0YTxkqXuKs' (Remote IP: 'docker_network_gateway_IP')","userAgent":"--","version":"27.0.0.8","data":{"app":"core"}}
{"reqId":"m7FyL6V12LM4SzQnj9V6","level":1,"time":"2023-09-24T12:17:27+00:00","remoteAddr":"docker_network_gateway_IP","user":"--","app":"core","method":"POST","url":"/apps/oidc/token","message":"Bruteforce attempt from \"docker_network_gateway_IP\" detected for action \"login\".","userAgent":"--","version":"27.0.0.8","data":{"app":"core"}}

Is this configuration really correct? Shouldn't it be token_method: post? Is there a colon too much?

If I try and remove a colon, the service no longer starts.

H2CK commented 1 year ago

The logs show only a brute force throttling based on the IP address when trying to fetch the token. It does not even reach the oidc app. Everything in the logs is handled by Nextcloud core.
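As an added example that is not part of the issue or of the oidc app, the following script reads nextcloud.log (one JSON object per line, the format shown above) and pulls out the brute-force protection events on the token endpoint, so that the throttling H2CK describes can be recognised from the log rather than from the client's 401. The sample lines are constructed after the entries in the thread, with placeholder addresses, request ids and client id; the message substrings matched are the ones visible in those entries.

```python
"""Added example: summarise Nextcloud brute-force protection events around
/apps/oidc/token from nextcloud.log (JSON lines)."""
import json
from collections import Counter

# Constructed sample patterned on the thread's entries (placeholder values).
SAMPLE_LOG = """\
{"reqId":"r1","level":1,"time":"2023-09-24T12:17:26+00:00","remoteAddr":"172.18.0.1","user":"--","app":"no app in context","method":"POST","url":"/apps/oidc/token","message":"IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 800, ip: 172.18.0.1]","userAgent":"--","version":"27.0.0.8","data":[]}
{"reqId":"r1","level":2,"time":"2023-09-24T12:17:27+00:00","remoteAddr":"172.18.0.1","user":"--","app":"core","method":"POST","url":"/apps/oidc/token","message":"Login failed: 'example-client-id' (Remote IP: '172.18.0.1')","userAgent":"--","version":"27.0.0.8","data":{"app":"core"}}
{"reqId":"r1","level":1,"time":"2023-09-24T12:17:27+00:00","remoteAddr":"172.18.0.1","user":"--","app":"core","method":"POST","url":"/apps/oidc/token","message":"Bruteforce attempt from \\"172.18.0.1\\" detected for action \\"login\\".","userAgent":"--","version":"27.0.0.8","data":{"app":"core"}}
{"reqId":"r2","level":1,"time":"2023-09-24T12:20:00+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"oidc","method":"GET","url":"/apps/oidc/userinfo","message":"userinfo served","userAgent":"--","version":"27.0.0.8","data":[]}
this line is not JSON and is skipped
"""

# Substrings taken from the messages shown in the thread, most specific first.
EVENT_PATTERNS = [
    ("throttled", "throttled because it reached the attempts limit"),
    ("bruteforce_detected", "Bruteforce attempt from"),
    ("login_failed", "Login failed:"),
]


def parse_entries(text):
    """Return (line_no, entry) for each line that parses as JSON; skip the rest."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            entries.append((n, json.loads(line)))
        except json.JSONDecodeError:
            continue  # truncated or foreign lines are ignored, not fatal
    return entries


def classify(entry):
    """Map an entry to one of the EVENT_PATTERNS names, or "other"."""
    msg = entry.get("message", "")
    for name, needle in EVENT_PATTERNS:
        if needle in msg:
            return name
    return "other"


def throttle_delay(entry):
    """Extract the 'delay: N' value (as logged) from a throttling message, else None."""
    msg = entry.get("message", "")
    marker = "delay: "
    i = msg.find(marker)
    if i < 0:
        return None
    j = i + len(marker)
    digits = ""
    while j < len(msg) and msg[j].isdigit():
        digits += msg[j]
        j += 1
    return int(digits) if digits else None


def token_endpoint_report(text):
    """Count brute-force events on /apps/oidc/token per kind and per remoteAddr,
    collect the request ids involved and the largest throttle delay seen."""
    report = {"throttled": False, "events": Counter(), "by_ip": Counter(),
              "req_ids": set(), "max_delay": 0}
    for _, entry in parse_entries(text):
        if entry.get("url") != "/apps/oidc/token":
            continue
        kind = classify(entry)
        if kind == "other":
            continue
        report["events"][kind] += 1
        report["by_ip"][entry.get("remoteAddr", "?")] += 1
        report["req_ids"].add(entry.get("reqId"))
        if kind == "throttled":
            report["throttled"] = True
            report["max_delay"] = max(report["max_delay"], throttle_delay(entry) or 0)
    return report


if __name__ == "__main__":
    print(token_endpoint_report(SAMPLE_LOG))
```

The by_ip counter is the useful part for the situation in this thread: every one of the token requests is attributed to the same remoteAddr, the Docker network gateway, so all requests arriving through that proxy share a single throttling counter in Nextcloud core, and once it trips the request is delayed and rejected before the oidc app is ever reached.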