mattermost / mattermost-mobile

Next generation iOS and Android apps for Mattermost in React Native
https://about.mattermost.com/
Apache License 2.0

Android app hangs after SSO login #6993

Closed smcpeck closed 1 year ago

smcpeck commented 1 year ago

Summary

Application hangs and displays "not responding" dialog after logging in with SSO.

Environment Information

Device Name: Pixel 6a

OS Version:

Mattermost App Version: 2.0.0

Mattermost Server Version: 7.7

Steps to reproduce

How can we reproduce the issue (what version are you using?)

Expected behavior

How can we reproduce the issue (what version are you using?)

Observed behavior (that appears unintentional)

Course of events that led to this...

  1. Old app and server 7.5 were working fine with same SSO config.
  2. Upgraded server to 7.7.
  3. Old app stopped working.
  4. Switched to app 2.0.0.
  5. Observed above behavior.

I've cleared storage. Uninstalled and reinstalled. No luck. Web interface continues to work without issue.

I have no logs. I've selected "send feedback" at least twice from the Android "not responding" dialog, so hopefully the team has access to a stacktrace/error message.

Possible fixes

N/A

amyblais commented 1 year ago

@smcpeck What SSO method do you use to log in?

smcpeck commented 1 year ago

Good morning, @amyblais.

The SSO is actually Keycloak, but some URL rewrite rules are being used at the traefik reverse proxy to make it operate as though it were GitLab. So from Mattermost's POV, it is configured as GitLab.

Traefik rules:

- "traefik.http.middlewares.gitlabUser.redirectregex.regex=^https://SERVER/auth/realms/(.*)/api/v4/user"
- "traefik.http.middlewares.gitlabUser.redirectregex.replacement=https://SERVER/auth/realms/$${1}/protocol/openid-connect/userinfo"
- "traefik.http.middlewares.gitlabAuth.redirectregex.regex=^https://SERVER/auth/realms/(.*)/oauth/authorize"
- "traefik.http.middlewares.gitlabAuth.redirectregex.replacement=https://SERVER/auth/realms/$${1}/protocol/openid-connect/auth"
- "traefik.http.middlewares.gitlabToken.redirectregex.regex=^https://SERVER/auth/realms/(.*)/oauth/token"
- "traefik.http.middlewares.gitlabToken.redirectregex.replacement=https://SERVER/auth/realms/$${1}/protocol/openid-connect/token"

To reiterate: This works fine when using the web interface and has been working with mobile < 2.0 for well over a year.

amyblais commented 1 year ago

@larkox @Willyfrog Should I create a ticket for this?

Willyfrog commented 1 year ago

yes, thank you!

larkox commented 1 year ago

@smcpeck Just to confirm: it also fails in the old app (no changes in the mobile code), right? So at least part of the problem must be in how the server handles the SSO, right?

smcpeck commented 1 year ago

@larkox Only after upgrading the server to 7.7. When on 7.5, things were operating smoothly.

amyblais commented 1 year ago

Opened https://mattermost.atlassian.net/browse/MM-49784

smcpeck commented 1 year ago

@amyblais If someone can point me to a process for providing server logs and/or Android logs, I'm happy to try doing so.

amyblais commented 1 year ago

> If someone can point me to a process for providing server logs and/or Android logs, I'm happy to try doing so.

cc @larkox @Willyfrog

smcpeck commented 1 year ago

I've done a little poking at things here...

When watching my MM logs, the only difference between web and mobile is that mobile hits the URL: https://MATTERMOST_SERVER/oauth/gitlab/mobile_login

Even so, the webpage (on mobile), shows that authentication succeeded but it seems the token doesn't get consumed or is deemed invalid once things swap back to mobile.

If it were a problem with scopes or anything else, I would expect logging in from the MM web interface to fail too.

I understand that my setup is a little unconventional, but... the reality remains:

| Client | SSO Login |
| --- | --- |
| Web | 🟢 Success |
| Android | 🔴 Failure |

Web and mobile must be doing things a little bit differently... 🤔

larkox commented 1 year ago

Re: logs: You need to be connected to at least one server. You can connect to our community server to do that (community.mattermost.com).

The steps I recommend are:

On Android there shouldn't be any issue, but on iOS you should share with the iOS Mail app (other mail apps may not attach the files correctly).

plant99 commented 1 year ago

Hi @smcpeck, could you please contact your system administrator and help us with the following details?

1) What scopes are allowed in the Keycloak OAuth flow? We request with openid, profile, email.
2) The server logs corresponding to the time when there's a failed mobile login?

Edit: 3) Does anybody else with a different mobile platform experience this issue?

I am trying to pinpoint the culprit code; so far I, along with others, haven't been able to reproduce this.

smcpeck commented 1 year ago

@plant99 The solution was in your first question!

I did not have an openid scope being passed through. Once I added that, everything went through just fine. Thank you so much!

So, if I can be so bold as to suggest an action item out of this... maybe the mobile app can catch when a needed scope is not provided and display a proper error message versus hanging.

Also -- no big deal on my side, but if I were in your shoes I would be curious why the web client doesn't seem to know/care that the openid scope was missing. 🤷‍♂️

We can close this out as far as I'm concerned.

plant99 commented 1 year ago

Thanks @smcpeck for your suggestions! I agree, they'd be nice improvements and would be helpful to sys-admins. We'll look into implementing them.
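
The check suggested in the thread (report a missing scope instead of hanging), sketched as an added example that is not part of the original discussion and is not Mattermost code. The required scope list comes from the comment above ("openid, profile, email"); the function names, realm, client_id and sample URLs and tokens are constructed assumptions.

```javascript
// Scopes the thread says Mattermost requests from the identity provider.
const REQUIRED_SCOPES = ['openid', 'profile', 'email'];

// Split a space-delimited OAuth scope string into a set.
function parseScopes(value) {
  return new Set(String(value || '').split(/\s+/).filter(Boolean));
}

// Scopes carried by an authorization request URL (as seen in proxy or IdP logs).
function requestedScopes(authorizeUrl) {
  return parseScopes(new URL(authorizeUrl).searchParams.get('scope'));
}

// Hypothetical diagnostic: compare the request and the token response against
// the required scopes and return readable problems instead of failing silently.
function diagnoseSsoScopes(authorizeUrl, tokenResponse, required = REQUIRED_SCOPES) {
  const problems = [];
  const requested = requestedScopes(authorizeUrl);
  // RFC 6749 section 5.1: "scope" may be omitted from the token response when
  // it is identical to what was requested, so fall back to the request.
  const granted = tokenResponse.scope === undefined
    ? requested
    : parseScopes(tokenResponse.scope);

  for (const scope of required) {
    if (!requested.has(scope)) {
      problems.push(`scope "${scope}" missing from authorization request`);
    } else if (!granted.has(scope)) {
      problems.push(`scope "${scope}" requested but not granted by the IdP`);
    }
  }
  // An OpenID Connect token response must carry an id_token when "openid" was granted.
  if (granted.has('openid') && !tokenResponse.id_token) {
    problems.push('"openid" granted but token response has no id_token');
  }
  return problems;
}

// Constructed sample data (not taken from the reporter's logs).
const BROKEN_URL = 'https://SERVER/auth/realms/demo/protocol/openid-connect/auth' +
  '?response_type=code&client_id=mattermost&scope=profile%20email';
const FIXED_URL = BROKEN_URL.replace('scope=profile', 'scope=openid%20profile');
const BROKEN_TOKEN = { access_token: 'constructed', token_type: 'Bearer', scope: 'profile email' };
const FIXED_TOKEN = { ...BROKEN_TOKEN, scope: 'openid profile email', id_token: 'constructed' };

console.log(diagnoseSsoScopes(BROKEN_URL, BROKEN_TOKEN)); // one problem: openid not requested
console.log(diagnoseSsoScopes(FIXED_URL, FIXED_TOKEN));   // no problems
```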