PKCE error with cookie.samesite

tbs575 commented 2 years ago

https://github.com/owncloud/openidconnect/issues/218#issue-1166047800 as using docker owncloud, so add one more config file

<?php
$CONFIG = [
  'http.cookie.samesite' => 'None',
  'openid-connect' => [
     'provider-url' => 'https://xxxxxxxxxxxx/auth/realms/icep',
     'client-id' => 'owncloud',
     'client-secret' => 'xxxxxxxxxxxxxx',
     'loginButtonName' => 'Login via xxxxxxxxx',
     'frontchannel_logout_session_required' => true,
     'insecure' => true,
     'auto-provision' => [
      // explicit enable the auto provisioning mode
      'enabled' => true,
      // documentation about standard claims: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
      // only relevant in userid mode,  defines the claim which holds the email of the user
      'email-claim' => 'email',
      // defines a list of groups to which the newly created user will be added automatically
      'groups' => ['guests', 'employees'],
    ]
  ]
];

but still PKCE error

DeepDiver1975 commented 2 years ago

after changing the cookie settings it is absolutly necesssary to ensure that the existing sessions are gone:

kill all browsers
kill all sessions server side

DeepDiver1975 commented 2 years ago

(no need to open a new issue - we could continue in the previous one)

tbs575 commented 2 years ago

@DeepDiver1975 thanks your reply, as you suggestion. and Now, can not login, still error

from ownlcoud log, I saw invalidtoken

{"reqId":"KYpmtIBp6eUFI5VjYG5A","level":0,"time":"2022-03-11T07:57:56+00:00","remoteAddr":"172.22.0.2","user":"--","app":"OC\\Authentication\\Token\\DefaultTokenProvider::invalidateToken","method":"GET","url":"\/apps\/openidconnect\/redirect?state=1c08b3513cd2cd2932b3ece50b7fa83b&session_state=d7da3c7c-7663-4fa0-9f44-a1a463d141c8&code=07b200ea-f1e7-46f3-bb5d-fdfe8f6cbbf1.d7da3c7c-7663-4fa0-9f44-a1a463d141c8.2acc1fd5-cd2d-4f4e-b132-f056e953e971","message":"invalidating token 80db0294dadb5d7c2d81069046e6d1f97247e4a3712d5ae053d43c2bdc88192f15200a2d3bbe62bc93c64f4301e258cf69b645b5edba56930f2e3424947f9689"}
{"reqId":"KYpmtIBp6eUFI5VjYG5A","level":0,"time":"2022-03-11T07:57:56+00:00","remoteAddr":"172.22.0.2","user":"--","app":"OpenID","method":"GET","url":"\/apps\/openidconnect\/redirect?state=1c08b3513cd2cd2932b3ece50b7fa83b&session_state=d7da3c7c-7663-4fa0-9f44-a1a463d141c8&code=07b200ea-f1e7-46f3-bb5d-fdfe8f6cbbf1.d7da3c7c-7663-4fa0-9f44-a1a463d141c8.2acc1fd5-cd2d-4f4e-b132-f056e953e971","message":"Entering LoginFlowController::login"}
{"reqId":"KYpmtIBp6eUFI5VjYG5A","level":0,"time":"2022-03-11T07:57:56+00:00","remoteAddr":"172.22.0.2","user":"--","app":"OpenID","method":"GET","url":"\/apps\/openidconnect\/redirect?state=1c08b3513cd2cd2932b3ece50b7fa83b&session_state=d7da3c7c-7663-4fa0-9f44-a1a463d141c8&code=07b200ea-f1e7-46f3-bb5d-fdfe8f6cbbf1.d7da3c7c-7663-4fa0-9f44-a1a463d141c8.2acc1fd5-cd2d-4f4e-b132-f056e953e971","message":"Before openid->authenticate"}
{"reqId":"KYpmtIBp6eUFI5VjYG5A","level":3,"time":"2022-03-11T07:57:56+00:00","remoteAddr":"172.22.0.2","user":"--","app":"OpenID","method":"GET","url":"\/apps\/openidconnect\/redirect?state=1c08b3513cd2cd2932b3ece50b7fa83b&session_state=d7da3c7c-7663-4fa0-9f44-a1a463d141c8&code=07b200ea-f1e7-46f3-bb5d-fdfe8f6cbbf1.d7da3c7c-7663-4fa0-9f44-a1a463d141c8.2acc1fd5-cd2d-4f4e-b132-f056e953e971","message":"Exception: {\"Exception\":\"JuliusPC\\\\OpenIDConnectClientException\",\"Message\":\"PKCE code verifier not specified\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Client.php(206): JuliusPC\\\\OpenIDConnectClient->authenticate()\\n#1 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Controller\\\/LoginFlowController.php(125): OCA\\\\OpenIdConnect\\\\Client->authenticate()\\n#2 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(170): OCA\\\\OpenIdConnect\\\\Controller\\\\LoginFlowController->login(*** sensitive parameters replaced ***)\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(89): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController()\\n#4 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(100): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch()\\n#5 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main()\\n#6 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/Route\\\/Router.php(344): OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke()\\n#7 \\\/var\\\/www\\\/owncloud\\\/lib\\\/base.php(927): OC\\\\Route\\\\Router->match()\\n#8 \\\/var\\\/www\\\/owncloud\\\/index.php(54): OC::handleRequest()\\n#9 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/vendor\\\/juliuspc\\\/openid-connect-php\\\/src\\\/OpenIDConnectClient.php\",\"Line\":339}"}

tbs575 commented 2 years ago

@DeepDiver1975 more information: following your suggestion, I do two test with 'http.cookie.samesite' => 'None' and no 'http.cookie.samesite var

one: using openid https protocol with http.cookie.samesite, can not login, all error is PKCE code not specified

using openid https protocol without http.cookie.samesite, can not login, this first time, met PKCE code not specified and the second time, can login, like case https://github.com/owncloud/openidconnect/issues/218#issue-1166047800

two: using openid http protocol with http.cookie.samesite, can not login, still same error with PKCE code not specified using openid https protocol without http.cookie.samesite, all be OK

owncloud / openidconnect

PKCE error with cookie.samesite #219