owncloud / ocis-konnectd

:atom_symbol: Serve Konnectd for oCIS
https://owncloud.github.io/extensions/ocis_konnectd/
Apache License 2.0

Getting error when running phoenix with ocis and konnectd #35

Closed dpakach closed 4 years ago

dpakach commented 4 years ago

Getting a CORS error when trying to run phoenix with ocis and konnectd from a different host.

Steps to reproduce

1. Run an LDAP server docker container to provide the users backend for ocis. The script from https://github.com/owncloud/administration/blob/master/ldap-testing/start.sh works.
2. Create a new config file for phoenix with the following content:

   ```json
   {
     "server": "http://172.17.0.1:9140",
     "theme": "owncloud",
     "version": "0.1.0",
     "openIdConnect": {
       "metadata_url": "https://172.17.0.1:9130/.well-known/openid-configuration",
       "authority": "https://172.17.0.1:9130",
       "client_id": "phoenix",
       "response_type": "code",
       "scope": "openid profile email"
     },
     "apps": [
       "files",
       "draw-io",
       "pdf-viewer",
       "markdown-editor",
       "media-viewer"
     ]
   }
   ```

3. Start the reva and ocis services with the following script:

   ```sh
   # reva services
   ocis-reva/bin/ocis-reva gateway & \
   ocis-reva/bin/ocis-reva users & \
   ocis-reva/bin/ocis-reva auth-basic & \
   ocis-reva/bin/ocis-reva auth-bearer & \
   ocis-reva/bin/ocis-reva sharing & \
   ocis-reva/bin/ocis-reva storage-root & \
   ocis-reva/bin/ocis-reva storage-home & \
   ocis-reva/bin/ocis-reva storage-home-data & \
   ocis-reva/bin/ocis-reva storage-oc & \
   ocis-reva/bin/ocis-reva storage-oc-data & \
   ocis-reva/bin/ocis-reva frontend & \

   # phoenix and devldap
   PHOENIX_WEB_CONFIG=config.json ocis/bin/ocis phoenix & ocis/bin/ocis devldap & \
   ```

4. Start ocis-konnectd with settings matching the ldap server:

   ```sh
   LDAP_BASEDN="ou=TestUsers,dc=owncloud,dc=com" LDAP_BINDDN="cn=admin,dc=owncloud,dc=com" LDAP_URI=ldap://localhost:389 ocis-konnectd/bin/ocis-konnectd server --iss https://172.17.0.1:9130
   ```

5. Add the following content to the `identifier-registration.yml` file for konnectd:

   ```yml
   - id: phoenix
     name: OCIS
     application_type: web
     insecure: yes
     redirect_uris:
       - http://localhost:9100/oidc-callback.html
       - http://localhost:9100
       - http://172.17.0.1:9100/oidc-callback.html
       - http://172.17.0.1:9100
     origins:
       - http://localhost:9100
       - http://172.17.0.1:9100
   ```

6. Start chrome with the --ignore-certificate-errors flag.
7. Visit 172.17.0.1:9100 in chrome to run phoenix and try to log in.
8. Authenticate with kopano using a user that exists on the ldap server we set up.

Expected result

The authentication works fine and we are redirected to phoenix.

Actual result

We get this error on phoenix: [Screenshot from 2020-02-25 12-09-04]

On the JS console we get this error:

```
Access to XMLHttpRequest at 'http://172.17.0.1:9140/ocs/v1.php/cloud/capabilities?format=json' from origin 'http://172.17.0.1:9100' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
core.bundle.js:110 Seems that your token is invalid. Error: Error: CORS request rejected: http://172.17.0.1:9140/ocs/v1.php/cloud/capabilities?format=json
    at l (core.bundle.js:68)
    at XMLHttpRequest.i.onreadystatechange (core.bundle.js:68)
core.bundle.js:68 GET http://172.17.0.1:9140/ocs/v1.php/cloud/capabilities?format=json net::ERR_FAILED
```

Actual request details

```
Request URL: http://172.17.0.1:9140/ocs/v1.php/cloud/capabilities?format=json
Request Method: GET
Remote Address: 172.17.0.1:9140
Status Code: 401
Version: HTTP/1.1
Referrer Policy: no-referrer-when-downgrade
```

Request headers

```
Host: 172.17.0.1:9140
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
OCS-APIREQUEST: true
authorization: Bearer eyJhbGciOiJQUzI1NiIsImtpZCI6IiIsInR5cCI6IkpXVCJ9.….nNEISW3iwBaz7ggK0YAxqW5NKugj2SbpY7W6qXiADgi02J5Rg7WCc6Qeqa_aLazoagE4uSN_uDfltGskskUdX_NtJzE5oBISH8iYXFBQBU-Ul4V3gpgxt7Eq0EBIiQ7bruVyzegQtp50y6xieY5KE1CWsrVlyroznED_JWW7RDyfbFCr389QHIbDboY-cIafsR0vPqo26amkftPclSVZR6wNp0kp-NonxdeQRvfWyK6B_7-siuSEJidIYaVMWzOvji3dOp5YSh5P8DwrLGg_yDhT0Ijha57gpeD8qOzkmsw__4NDLYCDxoysIv1aNmAQbBhl1xVmq6X4D-Nf-o5g1Q
content-type: application/x-www-form-urlencoded
Origin: http://172.17.0.1:9100
Connection: keep-alive
Referer: http://172.17.0.1:9100/
```

butonic commented 4 years ago

Can you try with Firefox? Copy the requests since logging in as a HAR and upload them somewhere?

butonic commented 4 years ago

AFAICT this is a configuration issue with ocis-reva. Can you double check the defaults for the oidc flags:

```
   --oidc-issuer value        OIDC issuer (default: "https://localhost:9130") [$REVA_OIDC_ISSUER]
   --oidc-insecure            OIDC allow insecure communication (default: true) [$REVA_OIDC_INSECURE]
   --oidc-id-claim value      OIDC id claim (default: "sub") [$REVA_OIDC_ID_CLAIM]
```

What version of ocis-reva are you using? Are any REVA_* environment variables configured? What does the ocis-reva auth-bearer log have to say about the invalid credentials?

dpakach commented 4 years ago

The problem was with reva not getting the REVA_OIDC_ISSUER value. By default it used localhost:9130, but in our case we need to override that to 172.17.0.1:9130.
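To illustrate why the fix above works, here is an added example in Go. It is not code from ocis-reva or konnectd; it applies the OpenID Connect rule that the `iss` claim of a token must exactly match the issuer identifier the verifier was configured with, which is the check an issuer mismatch like this one fails before any key lookup or signature verification can happen. The token, the `demo-user` subject, the audience value and the error text are constructed for the example; the two issuer strings are the ones from the thread (the `--oidc-issuer` default and the `--iss` value konnectd was started with).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims holds the only payload fields this check looks at.
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud,omitempty"`
}

// Header is the JOSE header; the token in the thread starts with
// {"alg":"PS256","kid":"","typ":"JWT"}.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	Typ string `json:"typ"`
}

// ParseUnverified splits a compact JWT and decodes header and payload
// WITHOUT checking the signature. That is enough to see which issuer a
// token names; it is never enough to trust the token.
func ParseUnverified(token string) (Header, Claims, error) {
	var h Header
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return h, c, errors.New("not a three-part compact JWT")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return h, c, fmt.Errorf("header: %w", err)
	}
	if err := json.Unmarshal(hb, &h); err != nil {
		return h, c, fmt.Errorf("header: %w", err)
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return h, c, fmt.Errorf("payload: %w", err)
	}
	if err := json.Unmarshal(pb, &c); err != nil {
		return h, c, fmt.Errorf("payload: %w", err)
	}
	return h, c, nil
}

// IssuerMatches is the comparison OpenID Connect requires of a verifier:
// the iss claim must equal the configured issuer identifier exactly.
// "https://localhost:9130" and "https://172.17.0.1:9130" are different
// issuers even when they are the same process, and so is a trailing slash.
func IssuerMatches(configured, claimed string) bool {
	return configured != "" && configured == claimed
}

// CheckBearer mimics the first gate of a bearer-auth service: decode the
// token and compare its issuer with the configured one, rejecting on a
// mismatch before any key fetch or signature check would take place.
// The error text is constructed for this example, not reva's log line.
func CheckBearer(configuredIssuer, token string) error {
	_, claims, err := ParseUnverified(token)
	if err != nil {
		return err
	}
	if !IssuerMatches(configuredIssuer, claims.Issuer) {
		return fmt.Errorf("issuer mismatch: token iss=%q, configured issuer=%q",
			claims.Issuer, configuredIssuer)
	}
	return nil
}

// MakeToken builds a constructed demo token: a real header and payload
// with a dummy signature, since only the issuer comparison is shown here.
func MakeToken(iss, sub string) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	h := enc(Header{Alg: "PS256", Kid: "", Typ: "JWT"})
	p := enc(Claims{Issuer: iss, Subject: sub, Audience: "phoenix"})
	return h + "." + p + ".dummy-signature"
}

func main() {
	// konnectd was started with --iss https://172.17.0.1:9130, so every
	// token it mints names that issuer (constructed token, constructed user).
	tok := MakeToken("https://172.17.0.1:9130", "demo-user")
	for _, configured := range []string{
		"https://localhost:9130",  // ocis-reva default for --oidc-issuer
		"https://172.17.0.1:9130", // REVA_OIDC_ISSUER set to match konnectd
	} {
		if err := CheckBearer(configured, tok); err != nil {
			fmt.Println("401:", err)
		} else {
			fmt.Println("ok: issuer", configured)
		}
	}
}
```

A rejection at this gate is also why the browser reported a CORS failure rather than an authentication failure: the 401 response carried no `Access-Control-Allow-Origin` header, so the first thing to read in the network tab is the status code, as the request details in the report show.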