search

owncloud / appliance

Integration with Univention for the ownCloud server appliance.
1 stars 0 forks source link

Bug: Client: Connection is stuck at browser login #81

Closed voroyam closed 4 years ago

voroyam commented 4 years ago

When you try to add a new account to the sync client, you get until the browser login, but then nothing happens.

If you logged in you just get the files view.

If you aren't logged in you can login but the window in the client stays.

image

@HanaGemela

HanaGemela commented 4 years ago

For me on macOS 10.15.3, client 2.6.3 (build 13765), server 10.4.1 this seems working fine. Is it appliance bug?

voroyam commented 4 years ago

voroyam commented 4 years ago

For me on macOS 10.15.3, client 2.6.3 (build 13765), server 10.4.1 this seems working fine. Is it appliance bug?

maybe

voroyam commented 4 years ago

Test Server:

95.217.135.31

ucsd.owncloud.works

Login: Administrator

Password: ownCloud_1234

https://ucsd.owncloud.works/.well-known/openid-configuration

michaelstingl commented 4 years ago

ownCloud is at https://ucsd.owncloud.works/owncloud ?

Why not https://ucsd.owncloud.works/owncloud/.well-known/openid-configuration

DeepDiver1975 commented 4 years ago

https://ucsd.owncloud.works/.well-known/openid-configuration

this is the wellknown url as provided by ucs itself. Due to convenience for out clients we have to deliver this url as https://ucsd.owncloud.works/owncloud/.well-known/openid-configuration This needs adaptation in the appliance docker image - I'll take care.

The expectation is to use the standard client id/secrets for UCS as well - right?

michaelstingl commented 4 years ago

https://ucsd.owncloud.works/owncloud/.well-known/openid-configuration This needs adaptation in the appliance docker image - I'll take care.

I'll coordinate with all client development teams.

The expectation is to use the standard client id/secrets for UCS as well - right?

Yes, that's what I understood.

felix-schwarz commented 4 years ago

@DeepDiver1975 @michaelstingl Ok, so just so we're on the same page: instead of checking just for /.well-known/openid-configuration (absolute path, at root of server), the code should also check .well-known/openid-connection (relative to the instance root URL, which would be https://ucsd.owncloud.works/owncloud/ here)?

What should a client do if both /.well-known/openid-configuration and .well-known/openid-configuration return a valid set of information? Should it prioritize one over the other?

michaelstingl commented 4 years ago

@felix-schwarz According to @DeepDiver1975 , if owncloud is the location, only https://ucsd.owncloud.works/owncloud/.well-known/openid-configuration is valid. Also no fallback to server root is needed.

DeepDiver1975 commented 4 years ago

Generally speaking: If owncloud is setup in a sub-folder the root can be setup completely different. With respect to regular wellknow not - but for openid-connect :shrug: - so let's better play this save for well-known(openidconnect: only in the owncloud folder (root or sub-folder)

michaelstingl commented 4 years ago

so let's better play this save for well-known(openidconnect: only in the owncloud folder (root or sub-folder)

@voroyam @DeepDiver1975 Is this proposed change already applied at https://ucsd.owncloud.works/owncloud/ ? Ready to proceed with testing?

voroyam commented 4 years ago

not that I know of

felix-schwarz commented 4 years ago

Ok, just made the change for the ios-sdk (https://github.com/owncloud/ios-sdk/pull/61/commits/fc43fe071f726f078a890ef8d320df3ec04f7e0d) so it'll be in the next release version of the app.

During testing I noticed that this breaks OIDC detection for https://oidc-workshop.owncloud-demo.com/oc10/ where the OIDC info is in /.well-known/ rather than /oc10/.well-known/. But I assume that's just a dev version of the server running there, with code that's not up-to-date.

voroyam commented 4 years ago

Tested today. Client still stuck.

michaelstingl commented 4 years ago

Setup still not done as discussed in https://github.com/owncloud/appliance/issues/81#issuecomment-645981038 :

% curl -I https://ucsd.owncloud.works/owncloud/.well-known/openid-configuration     
HTTP/1.1 302 Found
Date: Tue, 28 Jul 2020 18:09:33 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
Location: https://ucsd.owncloud.works/owncloud/login
Content-Type: text/html; charset=UTF-8
Set-Cookie: ockrcrz25psi=59hqlhjneoq0knp2sgg4j3gft6; path=/owncloud; secure; HttpOnly
Set-Cookie: oc_sessionPassphrase=m9O3pVUl%2Fv9M%2FPC6ZdMFl31jDV8zSbpn7K3I9uvo%2FNI8xBQ%2B8SmZEFJtEphSWgq3dTDhFdMIt3Id5aL0jxzPZZNi7gbaO2HXRg%2B%2Fw5o44Fxn4rkL3OyAsXJTQ%2BfhbxZC; path=/owncloud; secure; HttpOnly
Via: 1.1 ucsd.owncloud.works
voroyam commented 4 years ago

https://github.com/owncloud-docker/appliance/pull/36

voroyam commented 4 years ago

@edamrose I have been getting these lately. Could you provide feedback?

Executing interface restore_data_after_setup for owncloud
No interface defined
Configuring owncloud=10.4.1
oidc provider installed
0
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2020 Univention GmbH, Germany

**************************************************************************
* Running join scripts failed!                                           *
**************************************************************************
* Message:  The given joinscript '/usr/lib/univention-install/50owncloud.inst' does not exists
**************************************************************************
Executing interface configure for owncloud
Copying App Center's configure to container's /tmp/owncloud-configure
edamrose commented 4 years ago

Thats the configure script trying to add the openid connect settings to UCS. It is missing a check to not do that while the app is not completely installed. I will add a fix in a commit later today or tomorrow.

voroyam commented 4 years ago

Now I am getting

Error in OpenIdConnect:invalid client_secret: <nil>

voroyam commented 4 years ago

@edamrose If I am getting:

OPENID_CLIENT_SECRET=Dn4wjdLCvKOPq3c4cGsu
OPENID_LOGIN_ENABLED=true
OPENID_SEARCH_MODE=email
OPENID_CLIENT_ID=owncloud
OPENID_PROVIDER_URL=https://ucs-sso.ucs.intranet/
OPENID_LOGIN_BUTTON_NAME=Single Sign-On Login
OWNCLOUD_OPERATION_MODE=
OPENID_AUTO_REDIRECT_TO_IDP=true
OPENID_SEARCH_CLAIM=email

when I do printing in the ownCloud container - the env variables are set, right?

If yes, why then I get:

Error in OpenIdConnect:invalid client_secret: <nil>

When I try to login?

Error message in log:

{
  "reqId": "ohvSBhRC42nuf9XMvmbL",
  "level": 3,
  "time": "2020-07-28T12:16:15+00:00",
  "remoteAddr": "172.17.42.1",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "/owncloud/apps/openidconnect/redirect?code=sDYbONHezh8X5J9pxqJDohCyyf91Ko04&scope=openid%20profile%20email&session_state=417d7ba01d9fb1a04c6123d114945ff0b12c1024c14ce19860cc37b05e5bd0db.69p7PB5Xpc-f41NyZWjUXlawSSakLABkxXpae4g02ao%3D&state=ec027d162d86ea3ded87475a870e9c26",
  "message": "Exception: {\"Exception\":\"Jumbojett\\\\OpenIDConnectClientException\",\"Message\":\"invalid client_secret: <nil>\",\"Code\":0,\"Trace\":\"#0 \\/var\\/www\\/owncloud\\/apps\\/openidconnect\\/lib\\/Client.php(154): Jumbojett\\\\OpenIDConnectClient->authenticate()\\n#1 \\/var\\/www\\/owncloud\\/apps\\/openidconnect\\/lib\\/Controller\\/LoginFlowController.php(124): OCA\\\\OpenIdConnect\\\\Client->authenticate()\\n#2 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/Http\\/Dispatcher.php(153): OCA\\\\OpenIdConnect\\\\Controller\\\\LoginFlowController->login(*** sensitive parameters replaced ***)\\n#3 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/Http\\/Dispatcher.php(85): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OCA\\\\OpenIdConnect\\\\Controller\\\\LoginFlowController), 'login')\\n#4 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/App.php(100): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OCA\\\\OpenIdConnect\\\\Controller\\\\LoginFlowController), 'login')\\n#5 \\/var\\/www\\/owncloud\\/lib\\/private\\/AppFramework\\/Routing\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main('OCA\\\\\\\\OpenIdConne...', 'login', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer), Array)\\n#6 \\/var\\/www\\/owncloud\\/lib\\/private\\/Route\\/Router.php(342): OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke(Array)\\n#7 \\/var\\/www\\/owncloud\\/lib\\/base.php(916): OC\\\\Route\\\\Router->match('\\/apps\\/openidcon...')\\n#8 \\/var\\/www\\/owncloud\\/index.php(54): OC::handleRequest()\\n#9 {main}\",\"File\":\"\\/var\\/www\\/owncloud\\/apps\\/openidconnect\\/vendor\\/jumbojett\\/openid-connect-php\\/src\\/OpenIDConnectClient.php\",\"Line\":288}"
}
voroyam commented 4 years ago

Logfile from the open ID container:

time="2020-07-28T11:33:54Z" level=info msg="serve started"
time="2020-07-28T11:33:54Z" level=debug msg="fetching SAML2 provider meta data: https://ucs-sso.ucs.intranet/simplesamlphp/saml2/idp/metadata.php" id=univention type=saml2
time="2020-07-28T11:33:54Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8777"
time="2020-07-28T11:33:54Z" level=info msg="ready to handle requests"
time="2020-07-28T11:33:54Z" level=info msg="authority is now ready" id=univention type=saml2
time="2020-07-28T11:33:54Z" level=debug msg="SAML2 provider meta data loaded and initialized" id=univention issuer="https://ucs-sso.ucs.intranet/simplesamlphp/saml2/idp/metadata.php" signing_certs=1 type=saml2
time="2020-07-28T12:01:35Z" level=debug msg="failed to decode client session" error="decryption failed"
time="2020-07-28T12:03:56Z" level=debug msg="failed to decode client session" error="decryption failed"
time="2020-07-28T12:03:56Z" level=debug msg="saml2 attributeStatement" FriendlyName= Name=uid NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Values="[Administrator]"
time="2020-07-28T12:03:56Z" level=debug msg="saml2 authnStatement" SessionIndex=_bf72fd56c43677b378fff6397492b4f19d2c06900f SessionNotOnOrAfter="2020-07-29 00:03:54 +0000 UTC"
time="2020-07-28T12:03:56Z" level=debug msg="failed to decode client session" error="decryption failed"
time="2020-07-28T12:03:56Z" level=debug msg="identifier client lookup" client_id=owncloud known=true redirect_uri="https://oc.ucs.intranet/owncloud/apps/openidconnect/redirect" trusted=true
time="2020-07-28T12:09:11Z" level=debug msg="identifier client lookup" client_id=owncloud known=true redirect_uri="https://oc.ucs.intranet/owncloud/apps/openidconnect/redirect" trusted=true
time="2020-07-28T12:11:05Z" level=debug msg="identifier client lookup" client_id=owncloud known=true redirect_uri="https://oc.ucs.intranet/owncloud/apps/openidconnect/redirect" trusted=true
time="2020-07-28T12:14:42Z" level=debug msg="saml2 attributeStatement" FriendlyName= Name=uid NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Values="[dmitry]"
time="2020-07-28T12:14:42Z" level=debug msg="saml2 authnStatement" SessionIndex=_3619f0a3cf17ecf5dcc22f4c34e07a880bdc9e4faa SessionNotOnOrAfter="2020-07-29 00:14:39 +0000 UTC"
time="2020-07-28T12:14:42Z" level=debug msg="identifier client lookup" client_id=owncloud known=true redirect_uri="https://oc.ucs.intranet/owncloud/apps/openidconnect/redirect" trusted=true
time="2020-07-28T12:16:12Z" level=debug msg="identifier saml2 acs without state" error="state not found"
time="2020-07-28T12:16:15Z" level=debug msg="identifier client lookup" client_id=owncloud known=true redirect_uri="https://oc.ucs.intranet/owncloud/apps/openidconnect/redirect" trusted=true
voroyam commented 4 years ago 
time="2020-07-28T12:25:46Z" level=debug msg="identifier saml2 slo request for other session index"
time="2020-07-28T12:25:56Z" level=debug msg="identifier saml2 slo request for other session index"
time="2020-07-28T12:26:35Z" level=debug msg="saml2 attributeStatement" FriendlyName= Name=uid NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Values="[dmitry]"
time="2020-07-28T12:26:35Z" level=debug msg="saml2 authnStatement" SessionIndex=_ea5a5ef99f9fc311e20db5859a63559248a2b20561 SessionNotOnOrAfter="2020-07-29 00:26:29 +0000 UTC"
time="2020-07-28T12:26:35Z" level=debug msg="identifier client lookup" client_id=owncloud known=true redirect_uri="https://oc.ucs.intranet/owncloud/apps/openidconnect/redirect" trusted=true
voroyam commented 4 years ago

@michaelstingl

New error 👍 curl -I https://ucsd.owncloud.works/owncloud/.well-known/openid-configuration HTTP/1.1 503 Service Unavailable Date: Wed, 29 Jul 2020 10:09:46 GMT Server: Apache X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Robots-Tag: none X-Frame-Options: SAMEORIGIN X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none Content-Type: text/html; charset=iso-8859-1 Via: 1.1 ucsd.owncloud.works Connection: close

michaelstingl commented 4 years ago

New error 👍

Sadly, nothing I can help with

voroyam commented 4 years ago

Okay, not it works like, I am getting something. I am getting redirected to the SSO login page of Univention, and then I am still getting nothing.

voroyam commented 4 years ago

@michaelstingl can you confirm my test?

Just try to add https://ucsd.owncloud.works/owncloud/

and then login with

test

123123123

voroyam commented 4 years ago

I don't quite understand why I get a server not available from the curl but I get something from the ownCloud client.

michaelstingl commented 4 years ago

I can confirm it's working with the 2.7.0-beta1 desktop client.

Probably it falls back to https://ucsd.owncloud.works/.well-known/openid-configuration .

% curl -I https://ucsd.owncloud.works/.well-known/openid-configuration 
HTTP/1.1 200 OK
Date: Wed, 29 Jul 2020 11:10:01 GMT
Server: Apache/2.4.25 (Univention)
Content-Type: application/json; encoding=utf-8
Vary: Origin
Content-Length: 1804
Via: 1.1 ucsd.owncloud.works

I can't guarantee this will work in the future and in all clients. See @DeepDiver1975 's comment in https://github.com/owncloud/appliance/issues/81#issuecomment-646476483 :

so let's better play this save for well-known(openidconnect: only in the owncloud folder (root or sub-folder)

If ownCloud is served in owncloud/folder, working .well-known/openid-configuration is expected to be there too…

voroyam commented 4 years ago

Working like you can connect a sync client to the account and sync files?

Or just the curl command?

DeepDiver1975 commented 4 years ago 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
</body></html>
* Closing connection 0

owncloud is in maintenance mode

voroyam commented 4 years ago

{"installed":true,"maintenance":false,"needsDbUpgrade":false,"version":"10.4.1.3","versionstring":"10.4.1","edition":"Enterprise","productname":"ownCloud"} https://ucsd.owncloud.works/owncloud/status.php no it's not...

voroyam commented 4 years ago

Issue is fixed with https://github.com/owncloud/appliance/issues/90#issuecomment-669783413