Closed smcpeck closed 1 year ago
@smcpeck What SSO method do you use to log in?
Good morning, @amyblais.
The SSO is actually Keycloak, but some URL rewrite rules are being used at the traefik reverse proxy to make it operate as though it were GitLab. So from Mattermost's POV, it is configured as GitLab.
Traefik rules:
- "traefik.http.middlewares.gitlabUser.redirectregex.regex=^https://SERVER/auth/realms/(.*)/api/v4/user"
- "traefik.http.middlewares.gitlabUser.redirectregex.replacement=https://SERVER/auth/realms/$${1}/protocol/openid-connect/userinfo"
- "traefik.http.middlewares.gitlabAuth.redirectregex.regex=^https://SERVER/auth/realms/(.*)/oauth/authorize"
- "traefik.http.middlewares.gitlabAuth.redirectregex.replacement=https://SERVER/auth/realms/$${1}/protocol/openid-connect/auth"
- "traefik.http.middlewares.gitlabToken.redirectregex.regex=^https://SERVER/auth/realms/(.*)/oauth/token"
- "traefik.http.middlewares.gitlabToken.redirectregex.replacement=https://SERVER/auth/realms/$${1}/protocol/openid-connect/token"
To reiterate: This works fine when using the web interface and has been working with mobile < 2.0 for well over a year.
@larkox @Willyfrog Should I create a ticket for this?
yes, thank you!
@smcpeck Just to confirm: it also fails in the old app (no changes in the mobile code), right? So at least part of the problem must be in how the server handles the SSO, right?
@larkox Only after upgrading the server to 7.7. When on 7.5, things were operating smoothly.
@amyblais If someone can point me to a process for providing server logs and/or Android logs, I'm happy to try doing so.
> If someone can point me to a process for providing server logs and/or Android logs, I'm happy to try doing so.
cc @larkox @Willyfrog
I've done a little poking at things here...
When watching my MM logs, the only difference between web and mobile is that mobile hits the URL: https://MATTERMOST_SERVER/oauth/gitlab/mobile_login
Even so, the webpage (on mobile), shows that authentication succeeded but it seems the token doesn't get consumed or is deemed invalid once things swap back to mobile.
If it were a problem with scopes or anything else, I would expect logging in from the MM web interface to fail too.
I understand that my setup is a little unconventional, but... the reality remains:

| Client | SSO Login |
|---|---|
| Web | 🟢 Success |
| Android | 🔴 Failure |

Web and mobile must be doing things a little bit differently... 🤔
Re: logs. You need to be connected to at least one server. You can connect to our community server to do that (community.mattermost.com).
The steps I recommend are:
On Android there shouldn't be any issue, but on iOS you should share with the iOS Mail app (other mail apps may not attach the files correctly).
Hi @smcpeck, could you please contact your system administrator and help us with the following details?
1) What scopes are allowed in the Keycloak OAuth flow? We request with `openid`, `profile`, `email`.
2) The server logs corresponding to the time when there's a failed mobile login?
Edit: 3) Does anybody else with a different mobile platform experience this issue?
I am trying to pinpoint the culprit code; so far I, along with others, haven't been able to reproduce this.
@plant99 The solution was in your first question!
I did not have an `openid` scope being passed through. Once I added that, everything went through just fine. Thank you so much!
So, if I can be so bold as to suggest an action item out of this... maybe the mobile app can catch when a needed scope is not provided and display a proper error message versus hanging.
Also -- no big deal on my side, but if I were in your shoes I would be curious why the web client doesn't seem to know/care that the `openid` scope was missing. 🤷♂️
We can close this out as far as I'm concerned.
Thanks @smcpeck for your suggestions! I agree, they'd be nice improvements and would be helpful to sys-admins. We'll look into implementing them.
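The check suggested in this thread (notice that a requested scope was not granted and report it, rather than hanging), as an added example that is not Mattermost's code. It assumes the identity provider reports granted scopes in the token response's `scope` field; `MissingScopes` is a hypothetical helper name and the sample response is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// tokenResponse holds the RFC 6749 section 5.1 fields this check reads.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	Scope       string `json:"scope"`
}

// MissingScopes returns, in request order, the requested scopes that the
// token response did not grant. An omitted "scope" field means the grant
// equals the request (RFC 6749 section 5.1), so nothing is missing.
func MissingScopes(requested []string, body []byte) ([]string, error) {
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, fmt.Errorf("token response is not valid JSON: %w", err)
	}
	if tr.AccessToken == "" {
		return nil, fmt.Errorf("token response has no access_token")
	}
	if tr.Scope == "" {
		return nil, nil
	}
	granted := make(map[string]bool)
	for _, s := range strings.Fields(tr.Scope) { // scopes are space-delimited
		granted[s] = true
	}
	var missing []string
	for _, s := range requested {
		if !granted[s] {
			missing = append(missing, s)
		}
	}
	return missing, nil
}

func main() {
	// Constructed token response: everything granted except openid.
	body := []byte(`{"access_token":"constructed","scope":"profile email"}`)
	missing, err := MissingScopes([]string{"openid", "profile", "email"}, body)
	fmt.Println("missing scopes:", missing, "error:", err)
}
```

A client that runs this right after the token exchange can show "scope openid was not granted" to the user or administrator instead of continuing with an incomplete grant.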
Summary
Application hangs and displays "not responding" dialog after logging in with SSO.
Environment Information
Device Name: Pixel 6a
OS Version:
Mattermost App Version: 2.0.0
Mattermost Server Version: 7.7
Steps to reproduce
How can we reproduce the issue (what version are you using?)
Expected behavior
How can we reproduce the issue (what version are you using?)
Observed behavior (that appears unintentional)
Course of events that led to this...
I've cleared storage. Uninstalled and reinstalled. No luck. Web interface continues to work without issue.
I have no logs. I've selected "send feedback" at least twice from the Android "not responding" dialog, so hopefully the team has access to a stacktrace/error message.
Possible fixes
N/A