alerta / alerta

Alerta monitoring system
https://alerta.io
Apache License 2.0

Inconsistent OpenID authentication behaviour #1980

Open SamuZad opened 2 months ago

SamuZad commented 2 months ago

Issue Summary: We have set up OpenID authentication with an Okta app and set AUTH_REQUIRED to True.

About 50% of the time, the authentication seems to fail with the following error message in the popup window:

ERROR: Failed to retrieve client config from Alerta API endpoint / api/config.
This could be due to the API not being available, or to a missing or invalid config.json file. Please confirm a config.json file exists, contains an "endpoint" setting and is in the same directory as the application index.html

However, upon clicking OK, the popup closes itself and the authentication succeeds.

We have tried setting UWSGI_PROCESSES to 1, thinking it would be something with workers, to no avail. Turning on the audit logs also wasn't particularly helpful, though we could have missed something, of course.

Expected behavior: We expect the authentication flow to be more consistent.

Additional context: Config:

AUDIT_LOG = True
AUDIT_LOG_JSON = False
AUDIT_LOG_REDACT = False
AUDIT_TRAIL = ['admin', 'write', 'auth']
AUTH_PROVIDER = 'openid'
AUTH_REQUIRED = True
BASE_URL = "/api"
DEBUG = True
OIDC_AUTH_URL = 'https://mycompany.okta.com/oauth2/v1/authorize'
USE_PROXYFIX = True
OAUTH2_CLIENT_ID='CLIENTID'
OAUTH2_CLIENT_SECRET='CLIENT_SECRET'
OIDC_ISSUER_URL='https://mycompany.okta.com'
SECRET_KEY='SECRET_KEY'

config.js: {"endpoint": "https://alerta.mycompany.com/api"}

Tukkan commented 2 weeks ago

We found this issue yesterday in our project as well.

The problem is with the hardcoded Keycloak redirectUri in auth.ts of the Alerta web UI.

Basically, what the application needs after a successful login is the authorization code, which is scraped by the vue-authenticate library's parseQueryString function, and it doesn't matter where we are redirected, as only the authorization code matters.

The problem is that the popup is being redirected for a moment to another instance of Alerta (with the authorization code as a GET parameter), which wants to bootstrap itself. So it makes a request for config.json and an API call to /config (this is what Alerta does on bootstrap).

The main instance of Alerta, from which we are opening the popup, closes the popup as soon as it has successfully obtained the authorization code from the popup URL, but the second one (the bootstrapping second instance of Alerta) might not have finished the request to /config, so the browser cancels the request, which results in the browser alert here.

The reason the problem sometimes occurs and sometimes doesn't is that the vue-authenticate library is using polling with a 250 ms interval here to obtain the authorization code from the popup URL, so sometimes the /config API call is successful and sometimes not.

It can be fixed in multiple ways:
1) Changing the alert to console.error
2) Changing the redirect URI here to something else (and adding it in the Keycloak admin panel), but that would require removal of this if statement as well.
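The race described above, as an added example that is not Alerta's or vue-authenticate's code: a query-string parser in the style the opener polls the popup URL with, plus a guard (my addition, not one of the two fixes proposed in the thread) that lets the redirected popup recognise itself so a failed `/config` bootstrap in that window is logged rather than shown as an alert. All function names and the `win` object shape are assumptions.

```javascript
// Parse "code=abc&state=xyz" (with or without a leading "?") into an object.
// Mirrors what a parseQueryString helper does; this is a reimplementation.
function parseQueryString(qs) {
  const out = {};
  const s = qs.startsWith('?') ? qs.slice(1) : qs;
  if (!s) return out;
  for (const part of s.split('&')) {
    const i = part.indexOf('=');
    const k = i < 0 ? part : part.slice(0, i);
    const v = i < 0 ? '' : part.slice(i + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// What the opener does on each poll: read the popup's current URL and look
// for an OAuth authorization code in the query string or the fragment.
function authCodeFromUrl(href) {
  const u = new URL(href);
  const fromQuery = parseQueryString(u.search);
  const fromHash = parseQueryString(u.hash.replace(/^#/, ''));
  return fromQuery.code || fromHash.code || null;
}

// Once the provider redirects back to the app with ?code=..., the popup is a
// second instance of the app. It is the auth callback when it was opened by
// another window (win.opener is set) and its URL carries a code; its only job
// then is to expose the URL to the opener, which will close it shortly.
function isAuthCallbackPopup(win) {
  if (!win.opener) return false;
  return authCodeFromUrl(win.location.href) !== null;
}

// Decide how to report a failed bootstrap fetch of /config. In the callback
// popup the failure is expected (the opener is closing the window), so it is
// downgraded to console.error; in the main window it stays an alert.
function configFailureAction(win) {
  return isAuthCallbackPopup(win) ? 'console.error' : 'alert';
}
```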