kontron / redmine_oauth

Redmine authentication through OAuth.
GNU General Public License v2.0

Blank screen after attempting Okta login #5

Closed ohmydds closed 1 year ago

ohmydds commented 1 year ago

Hello!

I followed the instructions to install the plugin then handed the Okta configuration off to our Okta team for that end.

After clicking "Continue with Okta" and then logging in to Okta, I am redirected to a blank white screen.

Here are some relevant bits from redmine production.log:

I, [2022-12-22T06:55:44.467905 #2532257]
  Started GET "/oauth?utf8=%E2%9C%93&login-oauth=" for 10.x.x.x at 2022-12-22 06:55:44 -0500

I, [2022-12-22T06:55:44.468679 #2532257]
  Processing by RedmineOauthController#oauth as HTML

I, [2022-12-22T06:55:44.468732 #2532257]
  Parameters: {"utf8"=>"✓", "login-oauth"=>""}

I, [2022-12-22T06:55:44.474262 #2532257]
  Redirected to https://<domain>.com/oauth2/default/v1/authorize?client_id=<client>&redirect_uri=https%3A%2F%2F<URL>%2Foauth2callback&response_type=code&scope=openid+profile+email&state=<state>

I, [2022-12-22T06:55:44.474409 #2532257]
  Completed 302 Found in 6ms (ActiveRecord: 1.2ms | Allocations: 1290)

I, [2022-12-22T06:56:23.374917 #2532257] INFO -- :
  Started GET "/oauth2callback?code=<code> state=<state>"
  for 10.x.x.x at 2022-12-22 06:56:23 -0500

I, [2022-12-22T06:56:23.375668 #2532257]  INFO -- :
  Processing by RedmineOauthController#oauth_callback as HTML

I, [2022-12-22T06:56:23.375714 #2532257]  INFO -- :
  Parameters: {"code"=>"<code>", "state"=>"<state>"}

W, [2022-12-22T06:56:23.764724 #2532257]  WARN -- :
  Failed login for '' from 10.x.x.x at 2022-12-22 11:56:23 UTC

I, [2022-12-22T06:56:23.767666 #2532257]  INFO -- :
  Completed 406 Not Acceptable in 392ms (ActiveRecord: 3.7ms | Allocations: 8218)

F, [2022-12-22T06:56:23.768161 #2532257] FATAL -- :
  ActionController::MissingExactTemplate (RedmineOauthController#oauth_callback is missing a template for request formats: text/html):

Apache error.log says:

App 2532240 stderr:
  OAuth2::AccessToken.from_hash: `hash` contained more than one 'token' key (["access_token", "id_token"]); using "access_token".

Refreshing the blank page shows this in the log file:

I, [2022-12-22T06:56:41.822596 #2532257]  INFO -- :
  Started GET "/oauth2callback?code=<code>&state=<state>"
  for 10.x.x.x at 2022-12-22 06:56:41 -0500

I, [2022-12-22T06:56:41.823545 #2532257]  INFO -- :
  Processing by RedmineOauthController#oauth_callback as HTML

I, [2022-12-22T06:56:41.823605 #2532257]  INFO -- :
  Parameters: {"code"=>"<code>", "state"=>"<state>"}

E, [2022-12-22T06:56:41.919623 #2532257] ERROR -- :
  invalid_grant: The authorization code is invalid or has expired.
  {"error":"invalid_grant","error_description":"The authorization code is invalid or has expired."}

I, [2022-12-22T06:56:41.919892 #2532257]  INFO -- :
  Redirected to https://<domain>.com/login

Any attempts to log in after the initial attempt are redirected to the blank screen with the url:

https://<domain>.com/oauth2callback?code=<code>&state=<state>

Redmine is installed on a Ubuntu EC2 instance behind an ALB load balancer. (AWS)

Sticky sessions are enabled so the same instance should be used for the requests and redirects.

Thanks!

picman commented 1 year ago
  1. Could you try the devel branch now? Instead of the white screen, you should see the login page with an error. Also the log message 'Failed login for' should contain the login name.
  2. It seems to me that your user is not registered in Redmine and self registration is forbidden?
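To make the failure modes in this thread concrete, here is an added example that is not the redmine_oauth plugin's own code and is not part of the original discussion. It is a framework-free model of the callback decision logic: the state parameter is checked against the browser session before the code is ever sent to the identity provider, the code is exchanged exactly once (so a refresh of the callback URL fails with invalid_grant, as in the second log excerpt above), and an identity that does not map to a local account with self registration disabled produces an explicit failed-login result that names the login attempted, instead of a response with no template. The names FakeIdp, LocalUsers and handle_callback are hypothetical, the identity provider is simulated in memory, and the e-mail addresses are constructed sample data.

```ruby
require 'securerandom'

# Simulated authorization server standing in for Okta (constructed for this
# example). Issues single-use authorization codes bound to a user's e-mail.
class FakeIdp
  def initialize
    @codes = {}
  end

  def issue_code(email)
    code = SecureRandom.hex(8)
    @codes[code] = email
    code
  end

  # Redeem a code. Deleting it on first use is why a replayed callback
  # (a browser refresh of /oauth2callback) comes back as invalid_grant.
  def exchange(code)
    email = @codes.delete(code)
    return { 'error' => 'invalid_grant' } if email.nil?
    { 'access_token' => SecureRandom.hex(8),
      'id_token' => SecureRandom.hex(8),
      'email' => email }
  end
end

# Local user directory standing in for the Redmine user table.
class LocalUsers
  def initialize(emails, self_registration: false)
    @emails = emails.map { |e| e.strip.downcase }
    @self_registration = self_registration
  end

  def self_registration?
    @self_registration
  end

  # Case-insensitive lookup; returns the normalised address or nil.
  def find_by_email(email)
    e = email.strip.downcase
    @emails.include?(e) ? e : nil
  end
end

# Callback decision logic. Every branch returns a Hash with an outcome and a
# redirect target, so the caller always has something to render.
def handle_callback(session, params, idp, users, client_ip: '10.0.0.1')
  # 1. The state value stored before the redirect must match the callback.
  #    It is consumed here so it cannot be reused, and a mismatch is
  #    rejected without contacting the identity provider at all.
  expected = session.delete(:oauth_state)
  if expected.nil? || params['state'] != expected
    return { status: :error, reason: 'state_mismatch', redirect: '/login' }
  end

  # 2. Exchange the authorization code exactly once.
  tokens = idp.exchange(params['code'])
  if tokens['error']
    return { status: :error, reason: tokens['error'], redirect: '/login' }
  end

  # 3. Map the identity to a local account. With no matching account and
  #    self registration disabled, fail the login and log which login
  #    was attempted (an e-mail typo in the local account lands here).
  login = tokens['email']
  user = users.find_by_email(login)
  if user.nil? && !users.self_registration?
    return { status: :failed_login, login: login, redirect: '/login',
             log: "Failed login for '#{login}' from #{client_ip}" }
  end

  { status: :success, user: user || login.downcase, redirect: '/my/page' }
end
```

The session key, the redirect targets and the log format are assumptions chosen for the example; the point is that a state mismatch, a consumed code and an unregistered user each yield a distinct, logged outcome that can be rendered on the login page.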

ohmydds commented 1 year ago

> 1. Could you try the devel branch now? Instead of the white screen, you should see the login page with an error. Also the log message 'Failed login for' should contain the login name.

Sure - I'll give it a shot here shortly

> 2. It seems to me that your user is not registered in Redmine and self registration is forbidden?

That's definitely possible and something I hadn't considered.

We currently use LDAP for authentication and are working towards transitioning to Okta. Looks like I need to figure out how to tie the Okta user in with the LDAP user.

ohmydds commented 1 year ago

The devel branch gave me better results using Safari.

I had the same issues as above when using Firefox - but maybe Firefox cached the pages. (I tried using Firefox in private mode and Cmd+Shift+r to reload the page but it still didn't help)

The logs gave me more info as well:

I, [2022-12-22T09:23:01.120637 #2637050]  INFO -- :
  Redirected to https://sso.<domain>.com/oauth2/default/v1/authorize?client_id=<client>&redirect_uri=https%3A%2F%2F<domain>.com%2Foauth2callback&response_type=code&scope=openid+profile+email&state=<state>

I, [2022-12-22T09:23:42.535374 #2637050]  INFO -- : 
  Started GET "/oauth2callback?code=<code>&state=<state>" for 10.xx.xx.xx at 2022-12-22 09:23:42 -0500

I, [2022-12-22T09:23:42.536161 #2637050]  INFO -- :
  Processing by RedmineOauthController#oauth_callback as HTML

I, [2022-12-22T09:23:42.536234 #2637050]  INFO -- : 
  Parameters: {"code"=>"<code>", "state"=>"<code>"}

W, [2022-12-22T09:23:42.900645 #2637050]  WARN -- :
  Failed login for '<username>@<domain>.com' from 10.xx.xx.xx at 2022-12-22 14:23:42 UTC

E, [2022-12-22T09:23:42.900847 #2637050] ERROR -- :
  Invalid user or password

I, [2022-12-22T09:23:42.901008 #2637050]  INFO -- :
  Redirected to https://<domain>.com/login

So now if I figure out how to get the LDAP user = Okta user, I think we're good.

Thank you very much for the prompt response :)

ohmydds commented 1 year ago

Email address was entered incorrectly in redmine (typo).

All is well now 🥳

Thanks again!