kontron / redmine_oauth

Redmine authentication through OAuth.
GNU General Public License v2.0

Keep getting: "No verified email provider, check your setting on OAuth provider site." #57

Closed anderscollstrup closed 2 weeks ago

anderscollstrup commented 3 weeks ago

Hi,

I'm trying to configure redmine_oauth with my Apereo CAS using OIDC. I'm on Redmine 5.1.3 running Debian 12.

My settings in redmine: (secret removed from screendump) image

My service file on CAS:

    {
      "@class" : "org.apereo.cas.services.OidcRegisteredService",
      "evaluationOrder" : 1000101,
      "clientId": "redmine",
      "clientSecret": "REMOVED",
      "serviceId" : "^(https|http)://redmine\.ruc\.dk.*",
      "name" : "RUC SSO",
      "bypassApprovalPrompt" : true,
      "id" : 106,
      "attributeReleasePolicy" : {
        "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
        "allowedAttributes": {
          "@class": "java.util.TreeMap",
          "uid": "preferred_username",
          "mail" : [ "java.util.ArrayList", [ "email", "email_verified" ] ]
        }
      }
    }

oidc Info about my server: https://signon.ruc.dk/oidc/.well-known/openid-configuration

In my CAS logs I see:

2024-10-31 14:14:41,428 INFO [PROTOCOL_MESSAGE] - <

OAuth/OpenID Connect User Profile Request

Client ID: redmine Access Token: AT-908-****FVBYtc1XCU1IT-IO

2024-10-31 14:14:41,432 INFO [PROTOCOL_MESSAGE] - <

OpenID Connect User Profile Response

Client ID: redmine Service: RUC SSO Content Type: application/json;charset=UTF-8

{"sub":"anco","service":"https://redmine.ruc.dk/oauth2callback","auth_time":XXXXXXXXXX,"attributes":{"email_verified":"anco@ruc.dk","preferred_username":"anco","email":"anco@ruc.dk"},"id":"anco","client_id":"redmine"}

So both email and email_verified are returned. So why does it keep saying:

image

?

The redmine production logs think I'm anonymous

    I, [2024-10-31T14:36:05.531049 #11843] INFO -- : [116cf54e-9fb1-4ec7-b173-6a1d2f76beb7] Completed 200 OK in 121ms (Views: 89.4ms | ActiveRecord: 17.4ms | Allocations: 94910)
    I, [2024-10-31T14:40:15.969514 #11843] INFO -- : [4b99ac34-17ad-4cd3-9937-5a165976ac94] Started GET "/" for 130.226.196.14 at 2024-10-31 14:40:15 +0100
    I, [2024-10-31T14:40:15.970517 #11843] INFO -- : [4b99ac34-17ad-4cd3-9937-5a165976ac94] Processing by WelcomeController#index as HTML
    I, [2024-10-31T14:40:15.973641 #11843] INFO -- : [4b99ac34-17ad-4cd3-9937-5a165976ac94] Current user: anonymous
    I, [2024-10-31T14:40:15.974092 #11843] INFO -- : [4b99ac34-17ad-4cd3-9937-5a165976ac94] Redirected to https://redmine.ruc.dk/login?back_url=https%3A%2F%2Fredmine.ruc.dk%2F
    I, [2024-10-31T14:40:15.974145 #11843] INFO -- : [4b99ac34-17ad-4cd3-9937-5a165976ac94] Filter chain halted as :check_if_login_required rendered or redirected
    I, [2024-10-31T14:40:15.974231 #11843] INFO -- : [4b99ac34-17ad-4cd3-9937-5a165976ac94] Completed 302 Found in 4ms (ActiveRecord: 0.7ms | Allocations: 710)
    I, [2024-10-31T14:40:50.656669 #11843] INFO -- : [718d9b33-f834-4d48-a104-a0a66ce3f554] Started GET "/oauth?utf8=%E2%9C%93&back_url=%2F&login-oauth=" for 10.29.17.42 at 2024-10-31 14:40:50 +0100
    I, [2024-10-31T14:40:50.657694 #11843] INFO -- : [718d9b33-f834-4d48-a104-a0a66ce3f554] Processing by RedmineOauthController#oauth as HTML
    I, [2024-10-31T14:40:50.657749 #11843] INFO -- : [718d9b33-f834-4d48-a104-a0a66ce3f554] Parameters: {"utf8"=>"✓", "back_url"=>"/", "login-oauth"=>""}
    I, [2024-10-31T14:40:50.661035 #11843] INFO -- : [718d9b33-f834-4d48-a104-a0a66ce3f554] Current user: anonymous
    I, [2024-10-31T14:40:50.663344 #11843] INFO -- : [718d9b33-f834-4d48-a104-a0a66ce3f554] Redirected to https://signon.ruc.dk/oidc/oidcAuthorize?client_id=redmine&redirect_uri=https%3A%2F%2Fredmine.ruc.dk%2Foauth2callback&response_type=code&scope=openid+profile+email&state=8xf4YfwMcysRYk33rYmo8lBb09TNmV3nzLu64isRi1M%3D
    I, [2024-10-31T14:40:50.663475 #11843] INFO -- : [718d9b33-f834-4d48-a104-a0a66ce3f554] Completed 302 Found in 6ms (ActiveRecord: 1.1ms | Allocations: 1830)
    I, [2024-10-31T14:40:50.949625 #11843] INFO -- : [f37b927d-e0d6-4c6f-91b5-f0c7ffc4aaaa] Started GET "/oauth2callback?code=OC-957-00awjslG3ADt6VQpV6nPIt7dEmMdKUwH&state=8xf4YfwMcysRYk33rYmo8lBb09TNmV3nzLu64isRi1M%3D" for 10.29.17.42 at 2024-10-31 14:40:50 +0100
    I, [2024-10-31T14:40:50.950455 #11843] INFO -- : [f37b927d-e0d6-4c6f-91b5-f0c7ffc4aaaa] Processing by RedmineOauthController#oauth_callback as HTML
    I, [2024-10-31T14:40:50.950512 #11843] INFO -- : [f37b927d-e0d6-4c6f-91b5-f0c7ffc4aaaa] Parameters: {"code"=>"OC-957-00awjslG3ADt6VQpV6nPIt7dEmMdKUwH", "state"=>"8xf4YfwMcysRYk33rYmo8lBb09TNmV3nzLu64isRi1M="}
    I, [2024-10-31T14:40:50.953563 #11843] INFO -- : [f37b927d-e0d6-4c6f-91b5-f0c7ffc4aaaa] Current user: anonymous
    E, [2024-10-31T14:40:51.069335 #11843] ERROR -- : [f37b927d-e0d6-4c6f-91b5-f0c7ffc4aaaa] No verified email provided, check your settings on OAuth provider site.
    I, [2024-10-31T14:40:51.069684 #11843] INFO -- : [f37b927d-e0d6-4c6f-91b5-f0c7ffc4aaaa] Redirected to https://redmine.ruc.dk/login
    I, [2024-10-31T14:40:51.069839 #11843] INFO -- : [f37b927d-e0d6-4c6f-91b5-f0c7ffc4aaaa] Completed 302 Found in 119ms (ActiveRecord: 0.6ms | Allocations: 4633)
    I, [2024-10-31T14:40:51.086388 #11843] INFO -- : [22795d35-9ba8-455e-8f81-c47f4d249147] Started GET "/login" for 10.29.17.42 at 2024-10-31 14:40:51 +0100
    I, [2024-10-31T14:40:51.087114 #11843] INFO -- : [22795d35-9ba8-455e-8f81-c47f4d249147] Processing by AccountController#login as HTML
    I, [2024-10-31T14:40:51.090166 #11843] INFO -- : [22795d35-9ba8-455e-8f81-c47f4d249147] Current user: anonymous
    I, [2024-10-31T14:40:51.097650 #11843] INFO -- : [22795d35-9ba8-455e-8f81-c47f4d249147] Rendered account/login.html.erb within layouts/base (Duration: 5.2ms | Allocations: 2642)
    I, [2024-10-31T14:40:51.104400 #11843] INFO -- : [22795d35-9ba8-455e-8f81-c47f4d249147] Rendered layout layouts/base.html.erb (Duration: 12.0ms | Allocations: 5915)
    I, [2024-10-31T14:40:51.104643 #11843] INFO -- : [22795d35-9ba8-455e-8f81-c47f4d249147] Completed 200 OK in 17ms (Views: 12.3ms | ActiveRecord: 1.7ms | Allocations: 7587)
    I, [2024-10-31T14:45:15.176848 #11843] INFO -- : [95fb5723-8c7f-44e2-98cf-5a3286fc4889] Started GET "/" for 130.226.196.14 at 2024-10-31 14:45:15 +0100

Which claims does redmine_oauth require, and how should they be returned?

Best regards Anders

anderscollstrup commented 3 weeks ago

According to my log on CAS I now return the following:

{"sub":"anco","service":"https://redmine.ruc.dk/oauth2callback","auth_time":XXXXXXXXXX,"attributes":{"email_verified":true,"preferred_username":"anco","email":"anco@ruc.dk"},"id":"anco","client_id":"redmine"}

But I keep getting the error: "No verified email provided, check your settings on OAuth provider site."

So what am I missing?
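
Added example, not part of the thread and not redmine_oauth's code: OpenID Connect Core defines `email` (a string) and `email_verified` (a JSON boolean) as members of the UserInfo object itself, and this Ruby check audits the two responses posted above against that shape. Whether the plugin reads the claims this way is not confirmed on this page; `audit_userinfo`, `verified_email` and the sample constants are hypothetical names.

```ruby
require 'json'

# Claim shape per OpenID Connect Core: "email" is a string and "email_verified"
# a JSON boolean, both members of the UserInfo object itself.
def audit_userinfo(body)
  info = JSON.parse(body)
  findings = []
  nested = info['attributes'].is_a?(Hash) ? info['attributes'] : {}

  %w[email email_verified].each do |claim|
    next if info.key?(claim)
    where = nested.key?(claim) ? 'only under "attributes"' : 'absent'
    findings << "#{claim}: #{where}, not a top-level claim"
  end

  # Type check on whichever copy exists, top-level first.
  verified = info.fetch('email_verified') { nested['email_verified'] }
  unless [true, false].include?(verified) || verified.nil?
    findings << "email_verified: #{verified.class} #{verified.inspect}, expected JSON boolean"
  end
  findings
end

# Strict acceptance: top-level claims only, and the literal boolean true.
# A truthiness test (`if info['email_verified']`) would also accept any string.
def verified_email(body)
  info = JSON.parse(body)
  email = info['email']
  return nil unless email.is_a?(String) && !email.empty?
  info['email_verified'] == true ? email : nil
end

# Constructed samples: the two responses from this thread (auth_time replaced by
# a placeholder number, "service" omitted) plus a flat response in the spec's shape.
FIRST  = '{"sub":"anco","auth_time":0,"attributes":{"email_verified":"anco@ruc.dk","preferred_username":"anco","email":"anco@ruc.dk"},"id":"anco","client_id":"redmine"}'
SECOND = '{"sub":"anco","auth_time":0,"attributes":{"email_verified":true,"preferred_username":"anco","email":"anco@ruc.dk"},"id":"anco","client_id":"redmine"}'
FLAT   = '{"sub":"anco","preferred_username":"anco","email":"anco@ruc.dk","email_verified":true}'

if __FILE__ == $PROGRAM_NAME
  { 'first' => FIRST, 'second' => SECOND, 'flat' => FLAT }.each do |name, body|
    puts "#{name}: verified_email=#{verified_email(body).inspect}"
    audit_userinfo(body).each { |f| puts "  - #{f}" }
  end
end
```
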

picman commented 2 weeks ago

Maybe add an info message directly into the code to find out what is wrong. E.g.: _plugin/redmine_oauth/app/controllers/redmine_oauthcontroller.rb

128    email = user_info[Setting.plugin_redmine_oauth[:custom_email_field]]
++     Rails.logger.info ">>> #{Setting.plugin_redmine_oauth[:custom_email_field]}"
++     Rails.logger.info ">>> #{email}"
++     Rails.logger.info ">>> #{user_info}"
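
Review bot: the third added line, `Rails.logger.info ">>> #{user_info}"`, writes the complete user_info hash to log/production.log at info level, so every login made while these lines are in place records that user's claims in the log. Suggest logging only what the diagnosis needs, for example the keys of user_info and the class of the email value, or using Rails.logger.debug, and removing the lines once the cause is found.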

And then check log/production.log file for the output.

anderscollstrup commented 2 weeks ago

Sorry, but I ended up reverting to the old plugin "request environment authentication" and then made the authentication in Apache. We don't have a test environment for Redmine, so I needed to get it working.

So I cannot participate in any bug hunting. Sorry

/Anders