owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

Regression ? upgrade to 2.2.0 via market makes it unable to login with OpenID #283

Open nodens opened 1 year ago

nodens commented 1 year ago

Hi,

We tried upgrading openidconnect on a test instance from 2.1.1 to 2.2.0.

Owncloud version: 10.11.0.6 (community). PHP version: 7.4

We have a minimalist configuration, with keycloak as idp, set in DB.

Values set: provider-url, client-id, client-secret, loginButtonName

After upgrading from market and logging out, trying to log back in gives "Access Forbidden": [Screenshot from 2023-02-01 15-49-18]

The log doesn't show anything wrong, and according to keycloak, access was granted properly.

Downgrading to 2.1.1 makes it functional again.

Am I missing something here? Any suggestion?

Thanks!

DeepDiver1975 commented 1 year ago

"raise" log level to debug - value 0 in config.php - then you should see more entries in the log.

nodens commented 1 year ago

Thanks!

I'm afraid it was already at 0 in owncloud/config/config.php though. I see exactly the same log entries as with 2.1.1 but it stops earlier.

With 2.2.0, after authenticating on the IDP, after the "message": "LoginFlowController::login : Token info" log entry, I get a message with the user info which seems to be correct, and then nothing. (app: OpenID). The "access forbidden" message shows up in the browser, but nothing in the logs.

With 2.1.1, after this message, I get log entries from the OC\\Authentication\\Token\\DefaultTokenProvider::generateToken app saying generating token, then app: OpenID continues with messages such as access token payload, RefreshTokenResponse, and so on.

I can provide the actual logs if you're interested, but I'd need a pgp key to encrypt it or at least a private channel. ;)

nodens commented 7 months ago

Adding a bit more info, since it's annoying to downgrade every time I upgrade owncloud now that openid is bundled: as far as I can tell, the return is correct, but I always get a 403 (sometimes a 503) with 2.2.0. I'll try to git bisect to get more insight, but since there is no log (and no crash on owncloud side) it's a bit hard to debug.

nodens commented 7 months ago

So the result of the git bisect is that the problem occurs since either

[783202d68db66a2a0e97000a3de275f811d70b55] feat: account info auto-update (#222)

[2a569b3cc07eb663d1ebf5e74d65c73b04fafa43] feat: Added support for HTTP Proxy (#237)

But those don't give the exact behaviour described in this issue: it gives a 500 instead when I log on our IDP (keycloak). The actual issue starts at [94fcbc37d6a697521a2ffa462f758cda1e2ce154]

Hope this helps!