jsxc / xmpp-cloud-auth

Authentication hub for Nextcloud+JSXC→Prosody, ejabberd, saslauthd, Postfix
https://www.jsxc.org
MIT License

Prosody authentication problem: Password always wrong #19

Closed MarcelWaldvogel closed 7 years ago

MarcelWaldvogel commented 7 years ago

@rev138 commented in #13:

It seems auth script is not starting. Testing with -A works.

rev138 commented 7 years ago

It looks like the issue I was having is that logins via Nextcloud are not causing it to launch the auth script, but using an XMPP client does. I must have the NC app misconfigured.

However, when I use my XMPP client (Pidgin), I get this error about the token length. What token is it referring to? The API secret? That is 23 chars.

```
2017-06-09 20:46:37,305 DEBUG: "POST /apps/ojsxc/ajax/externalApi.php HTTP/1.1" 500 None
2017-06-09 20:46:37,309 INFO: FAILURE: Neither token nor cloud approves user user@example.com
2017-06-09 20:55:21,525 INFO: Start external auth script 0.2.1+ for prosody with endpoint: https://example.com/apps/ojsxc/ajax/externalApi.php
2017-06-09 20:55:21,525 DEBUG: Log level: DEBUG
2017-06-09 20:55:21,526 DEBUG: from_prosody got auth:user:example.com:****
2017-06-09 20:55:21,526 DEBUG: Receive operation auth
2017-06-09 20:55:21,526 DEBUG: Token is too short: 11 != 23 (maybe not a token?)
2017-06-09 20:55:21,537 INFO: Starting new HTTPS connection (1): example.com
2017-06-09 20:55:22,024 DEBUG: "POST /apps/ojsxc/ajax/externalApi.php HTTP/1.1" 200 None
2017-06-09 20:55:22,028 INFO: FAILURE: Neither token nor cloud approves user user@example.com
```

Thanks!

MarcelWaldvogel commented 7 years ago

Does JSXC work against an internal Prosody user? If not, then the BoSH proxy/CORS configuration is probably broken.

MarcelWaldvogel commented 7 years ago

The token DEBUG statements are related to the "time-limited token" support.

There are two ways of authentication:

  1. The external authentication script asks the Nextcloud JSXC server whether this user exists (the one we are mostly talking about here)
  2. But before that, the script checks locally (=less overhead) whether the password potentially could be a legal cryptographic token that NC/JSXC has given the client, which would prove the user exists without asking back.

Unless you have activated the "time-limited token" option in the NC/JSXC admin panel, these warnings are always there, because the XMPP clients will submit a password, not a token.

MarcelWaldvogel commented 7 years ago

Sorry for the long delay, debugging Prosody external authentication is challenging.

Can you try d452aa8? It seems that mod_auth_external.lua sends \r\n, even though its own examples only expect \n.
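An added illustration of the line-ending issue described in the comment above (not code from xmpp-cloud-auth or Prosody): a request parser that strips only `\n` leaves the `\r` glued to the last field, so a correct password never matches. The request layout follows the `auth:user:example.com:****` line in the log earlier in this thread; the user store, the password and all function names are constructed for the example.

```python
import hmac

# Number of colon-separated fields each operation carries.
EXPECTED_FIELDS = {"auth": 4, "isuser": 3, "setpass": 4}

def parse_naive(line):
    """Strip only '\n', as a script written for '\n'-terminated input would."""
    return line.rstrip("\n").split(":", 3)

def parse_request(line):
    """Strip '\r\n' or '\n', then split into at most 4 fields so that
    colons inside the password are preserved."""
    fields = line.rstrip("\r\n").split(":", 3)
    if EXPECTED_FIELDS.get(fields[0]) != len(fields):
        raise ValueError("malformed request: %r" % fields[0])
    return fields

# Constructed credential store standing in for the cloud lookup.
USERS = {("user", "example.com"): "s3cret:with:colons"}

def handle(line, parser=parse_request):
    """Return '1' (accept) or '0' (reject) for one request line."""
    try:
        fields = parser(line)
    except ValueError:
        return "0"
    op, user, domain = fields[0], fields[1], fields[2]
    stored = USERS.get((user, domain))
    if op == "isuser":
        return "1" if stored is not None else "0"
    if op == "auth" and stored is not None:
        # Constant-time comparison of the submitted and stored password.
        ok = hmac.compare_digest(stored.encode(), fields[3].encode())
        return "1" if ok else "0"
    return "0"  # unknown user, or an operation this sketch does not implement

if __name__ == "__main__":
    crlf = "auth:user:example.com:s3cret:with:colons\r\n"
    print("naive parser :", handle(crlf, parser=parse_naive))
    print("CRLF-tolerant:", handle(crlf))
```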

MarcelWaldvogel commented 7 years ago

@rev138 Can you also have a look at the new installation instructions?

MarcelWaldvogel commented 7 years ago

In 0ca3a47b1dd2db2a8c7e368f7da2d32194b37213, there is experimental support for talking to external_cloud.py over a socket instead of over the presumably unreliable lpty interface from Prosody mod_auth_external.lua.

Preliminary documentation is in the main README and the one in systemd/. Feel free to ask if the documentation is not sufficient yet. (It assumes a basic setup as described in the wiki.)

Please let me know how it works.

MarcelWaldvogel commented 7 years ago

Closing due to inactivity; please reopen if the problem persists