davido / gerrit-oauth-provider

OAuth2 authentication provider for Gerrit Code Review. Please upload changes for review to: https://gerrit-review.googlesource.com/#/admin/projects/plugins/oauth
Apache License 2.0

InternalServerError on request to https://graph.microsoft.com/v1.0/me #144

Open luizduma opened 4 years ago

luizduma commented 4 years ago

I'm using OAuth with Office 365 and facing an InternalServerError on a request to https://graph.microsoft.com/v1.0/me

[2020-06-24T00:01:14.862-0300] [HTTP-116] ERROR com.google.gerrit.pgm.http.jetty.HiddenErrorHandler : Error in GET /oauth?code=
**_(.. removed part of response .. )_**
RWEI%3d&session_state=a18e90cf-66f4-4133-8d2d-d31ed492e437
java.io.IOException: Status 500 ({
  "error": {
    "code": "InternalServerError",
    "message": "The MIME type 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2' requires a '/' character between type and subtype, such as 'text/plain'.",
    "innerError": {
      "date": "2020-06-24T03:01:14",
      "request-id": "c9656d84-84e9-489b-a925-c9fd6a888fb3"
    }
  }
}) for request https://graph.microsoft.com/v1.0/me
        at com.googlesource.gerrit.plugins.oauth.Office365OAuthService.getUserInfo(Office365OAuthService.java:88)

The problem happens with a build based on commit 41e558599a965f09a90923dab4c898103e790f17 and with the release v3.0.0.0, released on 18 Jun 2019.

I fixed the problem by applying a patch on top of commit 41e558599a965f09a90923dab4c898103e790f17:

--- a/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365OAuthService.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365OAuthService.java
@@ -80,6 +80,7 @@ class Office365OAuthService implements OAuthServiceProvider {
     OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL);
     OAuth2AccessToken t = new OAuth2AccessToken(token.getToken(), token.getRaw());
     service.signRequest(t, request);
+    request.addHeader("Accept", "*/*");

     JsonElement userJson = null;
     try (Response response = service.execute(request)) {
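
Review bot: the added `request.addHeader("Accept", "*/*");` after `service.signRequest(t, request);` has no comment saying why it is needed, and `*/*` is wider than what the code below consumes. The response is parsed into `JsonElement userJson`, so `request.addHeader("Accept", "application/json");` would state the expected type. A one-line comment that the default Accept value ('text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2') is rejected by graph.microsoft.com with a 500 would keep the line from being removed in a later cleanup.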

But this problem seems to have been fixed in the past, because I saw a different version of this file at

http://www.java2s.com/example/java-src/pkg/com/googlesource/gerrit/plugins/oauth/office365oauthservice-e2266.html

davido commented 4 years ago

Apparently it got broken during the Scribe Java library upgrade in: [1].

Can you upload your patch to gerrit-review? To stable-2.16 branch, here: https://gerrit-review.googlesource.com/admin/repos/plugins/oauth? Otherwise I could fix it myself as well.

[1] https://gerrit-review.googlesource.com/c/plugins/oauth/+/253929/2/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365OAuthService.java#80

luizduma commented 4 years ago

I can upload the fix, but I don't know if there are more items missed after the merge. I saw other differences in the file and maybe there are more files affected.

luizduma commented 4 years ago

The HTTP request problem was fixed, but the sign-in is not working yet. I don't know if it is the same problem reported in https://github.com/davido/gerrit-oauth-provider/issues/132

We are migrating our corporate email from Gmail to Office 365 and we have the following error in gerrit/error_log:

[2020-06-25T22:46:59.867-0300] [HTTP GET /oauth?code=OAQABAAIAAAAGV_bv21oQQ4ROqh0_1-tAhtxJB01X4CBSVr3H4TrDji7upRNits9GLytCxlYBd8qgM0D78M_g-zF73p8EGwKNRQ (N/A from MY_IP_ADDR)] WARN  com.google.gerrit.server.account.AccountManager : Email MYUSER@MYDOMAIN is already assigned to account 1000035; cannot create external ID office365-oauth:c4df1afb-344b-4cc6-8d15-05422b721fb1 with the same email for account 1000300.
[2020-06-25T22:46:59.868-0300] [HTTP GET /oauth?code=OAQABAAIAAAAGV_bv21oQQ4ROqh0_1-tAhtxJB01X4CBSVr3H4TrDji7upRNits9GLytCxlYBd8qgM0D78M_g-zF73p8EGwKNRQ (N/A from MY_IP_ADDR)] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@2bc20416"
com.google.gerrit.server.account.AccountException: Email 'MYUSER@MYDOMAIN' in use by another account
        at com.google.gerrit.server.account.AccountManager.checkEmailNotUsed(AccountManager.java:375)
        at com.google.gerrit.server.account.AccountManager.create(AccountManager.java:279)

My original account ID is 1000035 but it seems the plugin is trying to create another account (100030) during the login

In the All-Users repository I have 3 files/entries with externalId configuration:

[externalId "username:MYUSER"]
        accountId = 1000035

[externalId "google-oauth:MY_GOOGLE_ID"]
        accountId = 1000035
        email = MYUSER@MYDOMAIN

[externalId "mailto:MYUSER@MYDOMAIN"]
        accountId = 1000035
        email = MYUSER@MYDOMAIN

Do you have any suggestions? If you need, I can do tests in my environment and also change the source and build a plugin version for the tests.
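
An added example (not part of the thread and not Gerrit's or the plugin's code) that models the decision visible in the error_log above: the incoming identity is looked up by its external ID key `scheme:subject`, and an unknown key leads to account creation, which is refused when the email already belongs to another account. The function names and the simplified lookup are assumptions; the sample entries are the placeholder values from the post.

```python
import re

# Constructed sample: the three externalId entries quoted in the post (placeholders kept).
SAMPLE = '''
[externalId "username:MYUSER"]
        accountId = 1000035

[externalId "google-oauth:MY_GOOGLE_ID"]
        accountId = 1000035
        email = MYUSER@MYDOMAIN

[externalId "mailto:MYUSER@MYDOMAIN"]
        accountId = 1000035
        email = MYUSER@MYDOMAIN
'''
SECTION = re.compile(r'^\[externalId "([^"]+)"\]$')
KEYVAL = re.compile(r'^(\w+)\s*=\s*(.*)$')

def parse_external_ids(text):
    """Parse git-config style externalId entries into {key: {field: value}}."""
    ids, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        section = SECTION.match(line)
        if section:
            current = ids.setdefault(section.group(1), {})
            continue
        pair = KEYVAL.match(line)
        if pair and current is not None:
            current[pair.group(1)] = pair.group(2).strip()
    return ids

def predict_login(ids, scheme, subject, email):
    """Simplified model (assumption): return (outcome, account_id) for an OAuth identity."""
    key = f"{scheme}:{subject}"
    if key in ids:                      # known external ID: log in to its account
        return ("login", int(ids[key]["accountId"]))
    owners = sorted({int(e["accountId"]) for e in ids.values() if e.get("email") == email})
    if owners:                          # unknown key, email already owned: creation refused
        return ("email-in-use", owners[0])
    return ("new-account", None)        # unknown key, unused email: a fresh account

if __name__ == "__main__":
    ids = parse_external_ids(SAMPLE)
    o365 = ("office365-oauth", "c4df1afb-344b-4cc6-8d15-05422b721fb1", "MYUSER@MYDOMAIN")
    print(predict_login(ids, *o365))
    # Hypothetical linked state: the Office 365 identity attached to the existing account.
    ids["office365-oauth:" + o365[1]] = {"accountId": "1000035", "email": o365[2]}
    print(predict_login(ids, *o365))
```

Silently attaching an unknown provider identity to an existing account on an email match alone would hand that account to whoever controls the address at the new provider, so the link has to be made from inside the existing account.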

davido commented 4 years ago

What Gerrit version are you using? There were a number of fixes recently in this code area. Also, how should Gerrit understand that you are linking those accounts?

The usual workflow for account linking is:

luizduma commented 4 years ago

We are using Gerrit 3.2.2. I saw the section "Multiple Identities" at

https://gerrit-review.googlesource.com/Documentation/config-sso.html#:~:text=To%20link%20another%20identity%20to,the%20'Link%20Another%20Identity'%20button

I can't see the option 'Link Another Identity' in my user Settings, and I will check if it is necessary to do the "manual merge" of my identities.