kanboard / plugin-oauth2

Generic OAuth2 authentication plugin
MIT License

Can't link OAuth2 account / login with OAuth2 account #23

Closed posledov closed 4 years ago

posledov commented 4 years ago

Actual behaviour

Auth request: https://id.example.net/auth/realms/example.net/protocol/openid-connect/auth?response_type=code&client_id=some_client_id&redirect_uri=https%3A%2F%2Fkanboard.example.net%2Foauth%2Fcallback&scope=&state=190b....ae36

The param scope is empty

As a result, there are lines like these in Keycloak's logs:

2020-06-04 11:29:01,564 ERROR [org.keycloak.services] (default task-85) KC-SERVICES0093: Invalid parameter value for: scope
2020-06-04 11:29:01,566 WARN  [org.keycloak.events] (default task-85) type=LOGIN_ERROR, realmId=example.net, clientId=kanboard.example.net, userId=null, ipAddress=192.168.99.30, error=invalid_request, response_type=code, redirect_uri=https://kanboard.example.net/oauth/callback, response_mode=query

Expected behaviour

Auth request: https://id.example.net/auth/realms/example.net/protocol/openid-connect/auth?response_type=code&client_id=some_client_id&redirect_uri=https%3A%2F%2Fkanboard.example.net%2Foauth%2Fcallback&**scope=openid**&state=190b....ae36

The param scope should be equal to openid

Steps to reproduce

Just try to log in with / link an OAuth2 account using Keycloak as the OAuth2 provider

Configuration

Ryonez commented 4 years ago

Can also confirm this issue, the plugin needs to ask for valid scopes. Keycloak has switched to using explicit scopes as of version 10.0.0. Null/incorrect scopes will always fail now.

Ryonez commented 4 years ago

The scopes required btw are openid, profile, email.

Ryonez commented 4 years ago

Pinging @fguillot.

Not sure if you've seen this, but kanboard has been inaccessible for me for a little while. I'm not asking for a fix right now, but knowing you've seen and are looking at this would be good.

fguillot commented 4 years ago

You should be able to add the scopes in Settings > Integration.

Ryonez commented 4 years ago

What setting in the database would that be, and what format do I use? I can't access the site to fix this because I can't log in. I can edit the database though.

fguillot commented 4 years ago

I just realized the plugin has been updated in a while. Upgrade this plugin to version 1.0.2. Someone already patched the code to support scopes: https://github.com/kanboard/plugin-oauth2/commit/b6713cf0dc8f24c4bca150db8b0c65d738bc6c56

Ryonez commented 4 years ago

Alright, grabbed that. Thanks to the commit, I was able to see what it was looking for and manually added the field and data needed.

I can now log in again, thank you very much for the support!
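
A pre-flight check for the authorization request discussed in this issue, as an added example that is not part of the thread or the plugin's code: it parses the request URL and reports an empty, absent or incomplete scope parameter before the request reaches the identity provider. The function name, the constructed state value and the default required-scope list (taken from the comment naming openid, profile, email) are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Scopes named in the thread as required by Keycloak (assumed default here).
REQUIRED_SCOPES = ("openid", "profile", "email")

# Constructed sample requests modelled on the issue; the state value is a placeholder.
BASE = ("https://id.example.net/auth/realms/example.net/protocol/openid-connect/auth"
        "?response_type=code&client_id=some_client_id"
        "&redirect_uri=https%3A%2F%2Fkanboard.example.net%2Foauth%2Fcallback"
        "&state=CONSTRUCTED_STATE")
FAILING = BASE + "&scope="            # what the plugin sent
EXPECTED = BASE + "&scope=openid"     # what the reporter expected
FULL = BASE + "&scope=openid+profile+email"


def check_auth_request(url, required=REQUIRED_SCOPES):
    """Return a list of problems found in an OAuth2 authorization request URL."""
    parts = urlsplit(url)
    # keep_blank_values=True keeps "scope=" as an empty string instead of dropping it.
    params = parse_qs(parts.query, keep_blank_values=True)
    problems = []
    if parts.scheme != "https":
        problems.append("authorization endpoint is not https")
    for name in ("response_type", "client_id", "redirect_uri", "state"):
        if not params.get(name, [""])[0]:
            problems.append(f"missing or empty parameter: {name}")
    for name, values in params.items():
        if len(values) > 1:
            problems.append(f"parameter repeated: {name}")
    if "scope" not in params:
        problems.append("scope parameter absent")
        return problems
    # scope is a space-delimited list (RFC 6749 section 3.3); "+" decodes to a space.
    requested = params["scope"][0].split()
    if not requested:
        problems.append("scope parameter is empty")
    else:
        missing = [s for s in required if s not in requested]
        if missing:
            problems.append("scope lacks: " + " ".join(missing))
    return problems


if __name__ == "__main__":
    for label, url in (("failing", FAILING), ("expected", EXPECTED), ("full", FULL)):
        print(label, check_auth_request(url) or "ok")
```

Passing required=("openid",) checks against the single scope the original report expected rather than the three named later in the thread.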