jsxc / xmpp-cloud-auth

:key: Authentication hub for Nextcloud+JSXC→Prosody, ejabberd, saslauthd, Postfix
https://www.jsxc.org
MIT License

Troubleshooting time limited tokens? #40

Closed poVoq closed 6 years ago

poVoq commented 6 years ago

I am trying to set up time limited tokens with my ejabberd 17-11 installation, but even though everything works great without it activated in my Nextcloud 12.0.4 installation, I can't seem to figure out why it doesn't with it.

I followed the installation.md and the configured "cache-db=/var/cache/xcauth/user-cache.db" file gets created fine.

But when I check the "time limited token" box in Nextcloud and log out and in, the JSXC doesn't show up any more.

In the console I get the following messages:

```
State changed to INITIATING
Try to relogin
I am not able to relogin
State changed to TRYTOINTERCEPT
State changed to INTERCEPTED
State changed to ESTABLISHING
New connection
CONNECTING: null
AUTHFAIL: null
```

and a bit later:

```
State changed to INITIATING
Try to relogin
I am currently busy and will try again later. Please be patient.
```

But that's it...

Help much appreciated.

MarcelWaldvogel commented 6 years ago

What do you see in ejabberd and xmpp-cloud-auth logs?

MarcelWaldvogel commented 6 years ago

Using xclib/tests/generateTimeLimitedToken you can create a token according to your wishes and then try and authenticate with that token (as a password) from a "normal" XMPP client as well.

poVoq commented 6 years ago

Ok will try on the weekend, no access to the server right now. Thanks for the help.

poVoq commented 6 years ago

Hmm, so the xcauth.log doesn't say anything about it, except one(!) time (out of maybe 30 tries) where it randomly worked and it said "token is valid", but I can't reproduce it working since and there really isn't anything different I did then. Maybe some timeout value or something that would be affected by the response-time of the servers involved?

The ejabberd.log is also not very helpful. Without time limited tokens in NC enabled:

```
2018-01-06 12:37:44.229 [info] <0.1692.0>@ejabberd_c2s:handle_auth_success:433 (http_bind|ejabberd_bosh) Accepted c2s PLAIN authentication for myuser@users.mydomain.com by external backend from ::FFFF:127.0.0.1
```

With time limited tokens in NC enabled:

```
2018-01-06 12:39:31.283 [info] <0.1724.0>@ejabberd_c2s:handle_auth_failure:443 (http_bind|ejabberd_bosh) Failed c2s PLAIN authentication for myuser@users.mydomain.com from ::FFFF:127.0.0.1:Invalid username or password
```

I also can't quite understand how to do the generateTimeLimitedToken test, it says: `Usage: generateTimeLimitedToken USER DOMAIN SECRET TTL STARTTIME` which is not so self explanatory :cry: could you give me a practical example, please?

Edit: if that helps: I am reverse-proxying the BOSH with nginx.

poVoq commented 6 years ago

Ok this gets stranger and stranger... now after waiting a bit it suddenly worked again once (after logout-login not any more though), but then all other non JSXC XMPP clients I have stopped connecting to ejabberd. Only after restarting ejabberd I was able to get my desktop client etc to log in again.

MarcelWaldvogel commented 6 years ago

Any more information or reason to keep this open?

Closing for now.