jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License
172 stars 27 forks

oauth2.client.secret doesn't work when read from a file, but works when secret is passed plain-text #337

Closed saidfarah closed 1 day ago

saidfarah commented 1 day ago

Current Behavior

Doesn't work (secret referenced as a file): when connected, it prints "Access Denied"

oauth2:
  issuer: "https://accounts.google.com"
  provider: "google"
  client:
    id: "XXX.apps.googleusercontent.com"
    secret: "file:///etc/openvpn-auth-oauth2/oauth2.client.secret"

File permissions for oauth2.client.secret:

-rw-r--r-- root openvpn-auth-oauth2 oauth2.client.secret

Works (secret passed as plain text): when connected, it prints "Access Granted"

oauth2:
  issuer: "https://accounts.google.com"
  provider: "google"
  client:
    id: "XXX.apps.googleusercontent.com"
    secret: "XXXXX-XXXXX-XXXXX"

Expected Behavior

The secret file should be read, and when connected through OpenVPN Connect, it should grant access.

For reference, I'm also reading the secret file for openvpn.password like this:

openvpn:
  password: "file:///etc/openvpn-auth-oauth2/openvpn.password"

This file is in the same directory, with the same user and group ownership and the same file permissions:

-rw-r--r-- 1 root openvpn-auth-oauth2 oauth2.client.secret
-rw-r--r-- 1 root openvpn-auth-oauth2 openvpn.password

Steps To Reproduce

No response

Environment

openvpn-auth-oauth2 logs

Oct 31 12:35:15 openvpn openvpn-auth-oauth2[397166]: time=2024-10-31T12:35:15.731Z level=INFO msg="initialize authorization via oauth2" ip=XXX:64101 cid=0 kid=1 common_name=XXX
Oct 31 12:35:15 openvpn openvpn-auth-oauth2[397166]: time=2024-10-31T12:35:15.985Z level=INFO msg="deny OpenVPN client cid 0, kid 1" ip=XXX:64101 cid=0 kid=1 common_name=XXX
Oct 31 12:35:15 openvpn openvpn-auth-oauth2[397166]: time=2024-10-31T12:35:15.985Z level=DEBUG msg="client-deny 0 1 \"client rejected\""
Oct 31 12:35:15 openvpn openvpn-auth-oauth2[397166]: time=2024-10-31T12:35:15.986Z level=WARN msg="Unauthorized: failed to exchange token: oauth2: \"invalid_client\" \"Unauthorized\"" ip=XXX:64101 cid=0 kid=1 common_name=XXX error_id=a5bffe3cb5888d007cd18f0a5759d879fd01e7e7cd9a2d0b592d2c5cab3d1d37
Oct 31 12:35:21 openvpn openvpn-auth-oauth2[397166]: time=2024-10-31T12:35:21.860Z level=DEBUG msg=">CLIENT:DISCONNECT,0\r\n>CLIENT:ENV,END\r\n"
Oct 31 12:35:21 openvpn openvpn-auth-oauth2[397166]: time=2024-10-31T12:35:21.860Z level=INFO msg="client disconnected" ip=: cid=0 common_name="" reason=DISCONNECT session_id="" session_state=""
Oct 31 12:35:21 openvpn openvpn-auth-oauth2[397166]: time=2024-10-31T12:35:21.860Z level=WARN msg="error from token store: value does not exist" ip=: cid=0 common_name="" reason=DISCONNECT session_id="" session_state=""

openvpn server logs

Oct 31 12:35:15 openvpn ovpn-server[397174]: XXX:64101 [XXX] Peer Connection Initiated with [AF_INET]XXX:64101
Oct 31 12:35:15 openvpn ovpn-server[397174]: XXX:64101 PUSH: Received control message: 'PUSH_REQUEST'
Oct 31 12:35:15 openvpn ovpn-server[397174]: MANAGEMENT: CMD 'client-deny 0 1 "client rejected"'
Oct 31 12:35:15 openvpn ovpn-server[397174]: MULTI: connection rejected: client rejected, CLI:[NULL]
Oct 31 12:35:16 openvpn ovpn-server[397174]: XXX:64101 Delayed exit in 5 seconds
Oct 31 12:35:16 openvpn ovpn-server[397174]: XXX:64101 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Oct 31 12:35:16 openvpn ovpn-server[397174]: XXX:64101 SENT CONTROL [XXX]: 'AUTH_FAILED' (status=1)
Oct 31 12:35:21 openvpn ovpn-server[397174]: XXX:64101 SIGTERM[soft,delayed-exit] received, client-instance exiting

Anything else?

No response

jkroepke commented 1 day ago

Please double-check that the file does not have a final newline.

saidfarah commented 1 day ago

Works now.

Used this to confirm the newline:

tail -c1 oauth2.client.secret | od -An -t x1

which returned 0a, confirming the newline, and removed it using:

truncate -s -1 oauth2.client.secret

Thanks.
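The check and fix in the thread, generalized as an added example that is not part of the issue or of openvpn-auth-oauth2. It assumes GNU coreutils (truncate, stat -c, od) and uses a placeholder secret value in a constructed temp file. Two caveats a practitioner wants that the bare truncate -s -1 does not cover: it removes the last byte unconditionally, so running it on a file that is already clean corrupts the secret, and on a CRLF-terminated file (as a Windows editor would write it) it strips the LF but leaves the CR, which still breaks the client_secret. The functions below only remove trailing CR/LF bytes, and edit in place so the file keeps its owner and mode. The mode check is added because the file in the report is 0644, i.e. world-readable; 0640 root:openvpn-auth-oauth2 is sufficient for the service account shown.

```shell
#!/bin/sh
# Added example, not part of the original issue or of openvpn-auth-oauth2.
# Detects a trailing line terminator (LF or CRLF) on a secret file and strips
# only those bytes. `truncate -s -1` removes the last byte unconditionally, so
# it corrupts an already-clean file and leaves the CR behind on CRLF files.

# Hex value of the last byte of $1 ("" for an empty file).
last_byte_hex() {
    tail -c1 "$1" | od -An -t x1 | tr -d ' \n'
}

# Returns 0 if $1 ends in LF (0a) or CR (0d), 1 otherwise.
has_trailing_newline() {
    case "$(last_byte_hex "$1")" in
        0a|0d) return 0 ;;
        *)     return 1 ;;
    esac
}

# Drops trailing CR/LF bytes from $1 one at a time, in place, so the file's
# ownership and mode are preserved (truncate is GNU coreutils, as in the issue).
strip_trailing_newlines() {
    while has_trailing_newline "$1"; do
        truncate -s -1 "$1"
    done
}

# Byte count of $1, for a before/after comparison.
byte_count() {
    wc -c < "$1" | tr -d ' '
}

# Returns 0 if the permission bits of $1 grant read to "other". The file in
# the issue is 0644; 0640 root:openvpn-auth-oauth2 is enough for the service
# account shown there. stat -c is GNU coreutils.
world_readable() {
    case "$(stat -c '%a' "$1")" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo on a constructed file; the secret value is a placeholder, not a real one.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/oauth2.client.secret"
printf 'XXXXX-XXXXX-XXXXX\r\n' > "$demo_file"   # CRLF-terminated, 19 bytes
chmod 0644 "$demo_file"

echo "before: $(byte_count "$demo_file") bytes, last byte 0x$(last_byte_hex "$demo_file")"
has_trailing_newline "$demo_file" && strip_trailing_newlines "$demo_file"
echo "after:  $(byte_count "$demo_file") bytes, last byte 0x$(last_byte_hex "$demo_file")"
world_readable "$demo_file" && echo "warning: $demo_file is world-readable; consider chmod 0640"
chmod 0640 "$demo_file"
world_readable "$demo_file" || echo "ok: $demo_file is no longer world-readable"
rm -rf "$demo_dir"
```

To apply this to the real file, source the functions as root and run has_trailing_newline and strip_trailing_newlines against /etc/openvpn-auth-oauth2/oauth2.client.secret, then restart openvpn-auth-oauth2 so it re-reads the secret. The same applies to openvpn.password, which the report loads the same way.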