search

YunoHost / issues

General issue tracker for the YunoHost project
72 stars 8 forks source link

[SSOwat] Does not work with public apps at the root of a domain #1270

Closed djibux closed 10 months ago

djibux commented 5 years ago

Hello,

When installing public apps (I tried with Nextcloud and a public Wordpress) at the root of a domain, SSO doesn't work.

Test case:

Result: Nextcloud login form is displayed (ynhpanel.js return a 404), Wordpress login form is displayed (with the following message: ERROR: No user found in server variables.). Expected result: automatic login using SSO credentials.

Note that removing unprotected_uris: / from /etc/yunohost/apps/_appname_/settings.yml fixes the SSO but makes the app private (any call is redirected to the portal if not logged in).

I'm not sure how to help further with the debugging, but I am happy to do so if you give me pointers.

Thanks.

PS: I reported the issue in nextcloud_ynh before figuring out it also happens with Wordpress.

djibux commented 4 years ago

Hello, Today I noticed the following errors in the domain -error.log

2020/01/02 21:15:47 [error] 1275#1275: *54033 open() "/usr/share/nginx/htmlindex.php/ynhtheme/custom_overlay.css" failed (2: No such file or directory), client: x.x.x.x, server: example.com, request: "GET /ynhtheme/custom_overlay.css HTTP/2.0", host: "example.com"
2020/01/02 21:16:16 [error] 1275#1275: *54033 open() "/usr/share/nginx/htmlindex.php/ynh_portal.js" failed (2: No such file or directory), client: x.x.x.x, server: example.com, request: "GET /ynh_portal.js HTTP/2.0", host: "example.com"

The path should be /usr/share/ssowat/portal/assets/ instead of /usr/share/nginx/html but I'm not sure where the error comes from.

alexAubin commented 4 years ago

This should now be fixed in yunohost 4.0.7

djibux commented 4 years ago

I have version 4.0.7 and I still experience the issue. I didn't test with a fresh install.

alexAubin commented 4 years ago

Eeeeh wokay can you confirm that the diagnosis does not report any nginx conf file as manually modified ?

djibux commented 4 years ago

I confirm. The only diagnosis line mentioning ngnix mentions that the service is up and running.

zamentur commented 4 years ago

Could you do that:

cat /etc/nginx/conf.d/YOUR_DOMAIN.conf
ls /etc/nginx/conf.d/YOUR_DOMAIN.d
ls /etc/nginx/conf.d/

And return us the result, thanks

djibux commented 4 years ago

Hello, I just installed a VM for the purpose of testing.

I used the following domain names:

admin@example:/etc/nginx/conf.d$ ls -lR *
-rw-r--r-- 1 root root  125 Sep  7 16:59 acme-challenge.conf.inc
-rw-r--r-- 1 root root 2676 Sep  7 17:08 example.com.conf
-rw-r--r-- 1 root root   19 Sep  7 16:59 global.conf
-rw-r--r-- 1 root root 2695 Sep  7 17:35 nc.other.com.conf
-rw-r--r-- 1 root root 2638 Sep  7 17:29 other.com.conf
-rw-r--r-- 1 root root 1639 Sep  7 16:59 security.conf.inc
-rw-r--r-- 1 root root  109 Sep  7 16:59 ssowat.conf
-rw-r--r-- 1 root root 2695 Sep  7 17:35 wp.other.com.conf
-rw-r--r-- 1 root root  864 Sep  7 16:59 yunohost_admin.conf
-rw-r--r-- 1 root root  704 Sep  7 16:59 yunohost_admin.conf.inc
-rw-r--r-- 1 root root  526 Sep  7 16:59 yunohost_api.conf.inc
-rw-r--r-- 1 root root  652 Sep  7 16:59 yunohost_panel.conf.inc
-rw-r--r-- 1 root root  282 Sep  7 16:59 yunohost_sso.conf.inc

default.d:
total 4
-rw-r--r-- 1 root root 65 Sep  7 16:59 redirect_to_admin.conf

example.com.d:
total 4
-rw-r--r-- 1 root root 41 Sep  7 17:08 yunohost_local.conf

nc.other.com.d:
total 8
-rw-r--r-- 1 root root 4648 Sep  7 17:39 nextcloud.conf

other.com.d:
total 4
-rw-r--r-- 1 root root 1126 Sep  7 17:31 wordpress.conf

wp.other.com.d:
total 4
-rw-r--r-- 1 root root 1132 Sep  7 17:36 wordpress__2.conf

Here are the config files : conf.zip

alexAubin commented 4 years ago

I just installed a VM for the purpose of testing.

SSO works with a private Wordpress site. SSO doesn't work on a public Wordpress site (I need to login manually). The Yonohost icon is displayed on the bottom right. SSO doesn't work with Nextcloud. The YunoHost icon is not displayed on the bottom right.

Can you elaborate what you mean by "SSO doesn't work" ? Are you meaning that even if you explicitly and manually go to domain.tld/yunohost/sso, the SSO portal is not displayed and instead a weird 404 (or similar) is shown ?

(Edit: after re-reading ~carefully the issue, I believe it's more about "SSO doesn't work in cross-domain context or if SSO if on its own subdomain, rather than about apps installed at the root or in a subpath...)

djibux commented 4 years ago

Hello,

By "SSO doesn't work" I mean that I see a login form (Nextcloud or Wordpress) and I need to input my login and password.

I tried accessing the url you suggested. Both nc.other.com/yunohost/sso and wp.other.com/yunohost/sso return a 404.

You are right, I am reporting cross domain examples. I can try within the same domain tomorrow, but my initial report on Nextcloud mentions that the issue happens using a single domain and subdomain.

alexAubin commented 4 years ago

Wokay so I can reproduce the issue.

Setup :

Test1 :

Test2 :

Test3 :

That's pretty confusing, I would expect that if it doesn't work on the root, if wouldnt work on a subdomain either (because my naive explanation would be this is related to cookies etc)

djibux commented 4 years ago

To me this feels more like some kind of url rewrite issue, where calls to the sso (or to the YunoHost overlay displayed on the bottom right) are not properly interpreted… but I have tried playing with nginx config without success.

alexAubin commented 3 years ago

Forgot about this issue but recently had another no-SSO for nextcloud on my own server in 4.1.x ... (not exactly the scenario described here though)

SiM commented 3 years ago

Hi, Same issue here on one some YNH instances... but not on all, maybe a lead? :)

Case 1 (not working):

I am logged in to YNH through ynh.domain.tld/yunohost/sso, but I still need to log in on each apps

Case 2 (working):

I am logged in to YNH through domain.tld/yunohost/sso, and no need to log in on each apps, I'm already logged in

alexAubin commented 3 years ago

Investigating a similar issue today with Nextcloud :

After hours of investigation, I see in SSOwat that the proper Basic Auth header is sent, but this seems to have no effect on Nextcloud ... Not sure what I'm missing

grubshka commented 3 years ago

As far as I understand, this is because cross-origin security mechanisms ?

So I guess we should make SSOwat cookie domain configurable, so that even if Yunohost is installed on my.domain.tld, we could configure it for creating cookies on domain.tld

djibux commented 3 years ago

Hello, Thanks for looking into the issue.

I am not an expert but I doubt that it is a cookie-related issue.

As I mentioned in my original post:

Note that removing unprotected_uris: / from /etc/yunohost/apps/appname/settings.yml fixes the SSO but makes the app private (any call is redirected to the portal if not logged in).

Maybe the comment wasn't really clear but in other words, removing / from the protected_uris makes the SSO work. The main downside being the the app is no longer public (in the case of a Wordpress app, you can't view the blog as a visitor; in the case of a Nexcloud app, you can't access files shared with a public link).

rthouvenin commented 2 years ago

I think @grubshka is right. I have an Yunohost install where nextcloud is on a subdomain of the main domain, and SSO works as expected. But on another install (the same as Grubshka's) where nextcloud is on a sibling domain of the main one, then logging in the portal does not log me in Nextcloud.

alexAubin commented 1 year ago

(Probably going to be implicitly "fixed" by the ssowat/portal-api refactoring because we're gonna have one portal per main domain instead of the weird cross-domain authentication mechanism)

alexAubin commented 10 months ago

Closing, cf previous comment