openid-certification / oidctest

THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net

Connection refused in every calling of /token endpoint #215

Closed nullwiz closed 4 years ago

nullwiz commented 4 years ago

Hi guys.

Our team is very grateful for finding this tool. However, we are facing an issue every time the /token endpoint is called. We find that after completing the authorization, we get a connection refused from CherryPy.

Also, the endpoint is called before even completing the "Allow Access" part of the authorization.

Here are the full logs thrown:

```
****

Something went wrong! If you know or suspect you know why, then try to fix it. If you have no idea, then please tell us at certification@oidf.org and we will help you figure it out.

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.25.8-py3.6.egg/urllib3/connection.py", line 157, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.25.8-py3.6.egg/urllib3/util/connection.py", line 84, in create_connection
    raise err
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.25.8-py3.6.egg/urllib3/util/connection.py", line 74, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.25.8-py3.6.egg/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.25.8-py3.6.egg/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.25.8-py3.6.egg/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.25.8-py3.6.egg/urllib3/connection.py", line 300, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.25.8-py3.6.egg/urllib3/connection.py", line 169, in _new_conn
    self, "Failed to establish a new connection: %s" % e
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f24cc5cbba8>: Failed to establish a new connection: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/requests-2.22.0-py3.6.egg/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.25.8-py3.6.egg/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.25.8-py3.6.egg/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=7000): Max retries exceeded with url: /token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f24cc5cbba8>: Failed to establish a new connection: [Errno 111] Connection refused',))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/otest-0.8.0-py3.6.egg/otest/aus/tool.py", line 96, in run_flow
    resp = _oper()
  File "/usr/local/lib/python3.6/dist-packages/otest-0.8.0-py3.6.egg/otest/operation.py", line 105, in __call__
    res = self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/oidctest-0.9.1-py3.6.egg/oidctest/op/oper.py", line 259, in run
    res = self._run()
  File "/usr/local/lib/python3.6/dist-packages/oidctest-0.9.1-py3.6.egg/oidctest/op/oper.py", line 289, in _run
    request_args=self.req_args, **self.op_args)
  File "/usr/local/lib/python3.6/dist-packages/otest-0.8.0-py3.6.egg/otest/operation.py", line 171, in catch_exception_and_error
    res = func(**kwargs)
  File "/usr/local/lib/python3.6/dist-packages/oic-1.1.2-py3.6.egg/oic/oic/__init__.py", line 681, in do_access_token_request
    **kwargs
  File "/usr/local/lib/python3.6/dist-packages/oic-1.1.2-py3.6.egg/oic/oauth2/__init__.py", line 874, in do_access_token_request
    **kwargs
  File "/usr/local/lib/python3.6/dist-packages/oic-1.1.2-py3.6.egg/oic/oauth2/__init__.py", line 752, in request_and_return
    resp = self.http_request(url, method, data=body, **http_args)
  File "/usr/local/lib/python3.6/dist-packages/oic-1.1.2-py3.6.egg/oic/oauth2/base.py", line 93, in http_request
    r = requests.request(method, url, **_kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests-2.22.0-py3.6.egg/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests-2.22.0-py3.6.egg/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests-2.22.0-py3.6.egg/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/requests-2.22.0-py3.6.egg/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='127.0.0.1', port=7000): Max retries exceeded with url: /token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f24cc5cbba8>: Failed to establish a new connection: [Errno 111] Connection refused',))
```

It is not clear for us what might be causing the issue, but we do get partial logs here.

nullwiz commented 4 years ago

After some time and lots of debugging, I found that openssl won't answer to localhost on the specified server, and I'm unable to see the certificate if I do the following: `openssl s_client -connect 127.0.0.1:7000`

However, this shouldn't be a problem since (both on the Docker and the online solution) insecure is set to False. It is not clear what "insecure" does: in the code I can see it should do `verify=False` as a parameter for the requests library, but this does not happen -- the connection is closed anyway. If I set a tunnel with ngrok, the connection is not closed when going to the /token endpoint.

Ngrok tunnel does have a valid certificate, so I don't know what is going on, but I can assume this is an SSL issue.

What does the "insecure" flag do? What I would expect is that it would allow self-signed certificates, but this is not happening.
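The thread mixes up two failure modes: a TCP-level "connection refused" (nothing reachable on host:port, which is what the traceback above shows) and a TLS certificate problem (the only thing a `verify=False` / "insecure" setting can affect). The probe below is an added example written for this issue, not code from oidctest or the reporter; the function names are hypothetical, and it uses the standard library instead of `requests` so it runs anywhere. It first opens a plain TCP connection, and only if that succeeds does it attempt the TLS handshake, so the two causes are reported separately.

```python
import socket
import ssl


def diagnose_endpoint(host: str, port: int, insecure: bool = False,
                      timeout: float = 3.0) -> str:
    """Hypothetical helper (not part of oidctest). Returns one of
    'connection_refused', 'unreachable', 'tls_verify_failed',
    'tls_handshake_failed' or 'ok'."""
    # Step 1: raw TCP connect. "Connection refused" happens here, before any
    # TLS is negotiated, so no certificate setting can change the outcome.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "connection_refused"
    except OSError:  # timeouts, unreachable networks, DNS failures
        return "unreachable"

    # Step 2: TLS handshake on top of the open socket. This is the layer the
    # "insecure" flag is meant to relax (equivalent of requests' verify=False).
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError:
        return "tls_verify_failed"   # self-signed / untrusted chain: insecure=True helps here
    except ssl.SSLError:
        return "tls_handshake_failed"
    finally:
        raw.close()


def free_port() -> int:
    """Constructed input: pick a loopback port with nothing listening on it,
    which reproduces the refused case from the reporter's logs offline."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = free_port()
    # Both calls report connection_refused: the insecure flag never comes into play.
    print(port, diagnose_endpoint("127.0.0.1", port, insecure=False))
    print(port, diagnose_endpoint("127.0.0.1", port, insecure=True))
```

Run it against the real suite host and port (7000 in the logs above): `connection_refused` points at networking (the Docker-to-host reachability problem later found in this thread), while `tls_verify_failed` is the only result the insecure setting would fix.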

nullwiz commented 4 years ago

Finally fixed this issue. For anyone wondering, the main reason the suite was failing was a known Docker bug in macOS.

Particularly, in networking -- the container was unable to reach the host. And even when the workaround from the Docker docs was implemented (to reach the host I had to use `hosts.docker.internal`) the suite would fail with Invalid issuer (the same error I got through ngrok).

This was fixed by just running the suite in a Linux box, and running the container with `--net=host`.

If your service is running on the host machine, keep this in mind.

zandbelt commented 4 years ago

OK, thanks for reporting back and sorry for the late reaction.