search

plankanban / planka

The realtime kanban board for workgroups built with React and Redux.
https://planka.app
GNU Affero General Public License v3.0
8.06k stars 754 forks source link

OIDC with FortiAuthenticator #690

Open nicedevil007 opened 7 months ago

nicedevil007 commented 7 months ago

Hey guys, I'm trying to get OIDC working with our FortiAuthenticator. Unfortunately I can't get anything up and running.

My planka systemd service stops with the following message:

Apr 08 12:00:56 planka npm[2627]: > start
Apr 08 12:00:56 planka npm[2627]: > nodemon
Apr 08 12:00:56 planka npm[2639]: [nodemon] 3.0.1
Apr 08 12:00:56 planka npm[2639]: [nodemon] to restart at any time, enter `rs`
Apr 08 12:00:56 planka npm[2639]: [nodemon] watching path(s): *.*
Apr 08 12:00:56 planka npm[2639]: [nodemon] watching extensions: js,mjs,cjs,json
Apr 08 12:00:56 planka npm[2639]: [nodemon] starting `node app.js`
Apr 08 12:00:57 planka npm[2652]: 2024-04-08 12:00:57 [E] A hook (`oidc`) failed to load!
Apr 08 12:00:57 planka npm[2652]: 2024-04-08 12:00:57 [E] Failed to lift app: expected 200 OK, got: 301 Moved Permanently
Apr 08 12:00:57 planka npm[2639]: [nodemon] clean exit - waiting for changes before restart

Here is my config:

## Required

BASE_URL=https://planka.mydomain.org
DATABASE_URL=postgresql://planka:<SECRET>@localhost/planka
SECRET_KEY=<SECRET>

## Optional

TRUST_PROXY=1
#TOKEN_EXPIRES_IN=14 # In days

# related: https://github.com/knex/knex/issues/2354
# As knex does not pass query parameters from the connection string we
# have to use environment variables in order to pass the desired values, e.g.
# PGSSLMODE=<value>

# Configure knex to accept SSL certificates
# KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false

#DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
#DEFAULT_ADMIN_PASSWORD=demo
#DEFAULT_ADMIN_NAME=Demo Demo
#DEFAULT_ADMIN_USERNAME=demo

# Email Notifications (https://nodemailer.com/smtp/)
SMTP_HOST=my.mydomain.org
SMTP_PORT=465
SMTP_SECURE=true
#SMTP_USER=
#SMTP_PASSWORD=
SMTP_FROM="Planka" <noreply@email.server>

OIDC_ISSUER=https://auth.mydomain.org/api/v1/oauth
OIDC_CLIENT_ID=<SECRET>
OIDC_CLIENT_SECRET=<SECRET>
OIDC_SCOPES=openid email profile
# OIDC_ADMIN_ROLES=admin
#OIDC_EMAIL_ATTRIBUTE=email
#OIDC_NAME_ATTRIBUTE=name
#OIDC_USERNAME_ATTRIBUTE=preferred_username
#OIDC_ROLES_ATTRIBUTE=groups
# OIDC_IGNORE_USERNAME=true
# OIDC_IGNORE_ROLES=true
# OIDC_ENFORCED=true

## Do not edit this

TZ=UTC

So here a quick overview of the network that is all this in:

Network A: planka is hosted on seperate Ubuntu VM (it is installed with manual install method) Network B: Nginx Proxy Manager that forwards traffic going to https://planka.email.server to the Network A VM with Planka running on it Network C: FortiAuthenticator

Ofc: All firewall rules to reach the one or other Network are up and running and nothing is blocked so far (at least this is what my logs tell me ;D)

If I disable all OIDC env variables it is working with local logins.

meltyshev commented 7 months ago

Hi! It looks like openid-client can't discover the issuer by the provided URL:

const issuer = await openidClient.Issuer.discover(sails.config.custom.oidcIssuer);

Please try to navigate to the address of your issuer https://auth.mydomain.org/api/v1/oauth in a browser and see where you will be redirected to and specify the final address. It's also possible that you need to put a slash at the end of https://auth.mydomain.org/api/v1/oauth/ (but it's just a guess why redirection is done).

nicedevil007 commented 7 months ago

Ok I tested this with / and without. Not working at all.

This is what I have available as URL on my FortiAuthenticator.

{
    "issuer": "https://auth.mydomain.org/api/v1/oauth",
    "authorization_endpoint": "https://auth.mydomain.org/api/v1/oauth/authorize/",
    "token_endpoint": "https://auth.mydomain.org/api/v1/oauth/token/",
    "userinfo_endpoint": "https://auth.mydomain.org/api/v1/oauth/userinfo/",
    "jwks_uri": "https://auth.mydomain.org/api/v1/oauth/.well-known/keys/",
    "response_types_supported": [
        "code",
        "token",
        "id_token",
        "id_token token",
        "code token",
        "code id_token",
        "code id_token token"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "token_endpoint_auth_methods_supported": [
        "client_secret_post",
        "client_secret_basic"
    ]
}

So what should I take from these ones?

meltyshev commented 7 months ago

The response looks correct. It's very hard to say why this might be happening. We'll try to test with FortiAuthenticator sometime or maybe someone has already encountered this and can tell us how to solve it.

nicedevil007 commented 5 months ago

Ok got a bit further but without succesfull login. I just changed the OIDC_ISSUER URL to this here:

OIDC_ISSUER=https://auth.mydomain.org/api/v1/oauth/.well-known/openid-configuration

Now our fortiauthenticator tells me (after succesfull login to the FAC) image

Is it even possible to not use the auto config method but use the method where we have to add all URI's by ourselfes?

nicedevil007 commented 4 months ago

Got a bit further, now Planka tells me that an unknown error appeared, where can I find those logs to get a bit more information about the error?

image

nicedevil007 commented 4 months ago

Found this in the docker logs:

2024-06-24 19:03:45 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
2024-06-24 19:03:45 [W] Invalid code or nonce! (IP: *******)
2024-06-24 19:04:08 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
2024-06-24 19:04:08 [W] Invalid code or nonce! (IP: *******)
nicedevil007 commented 4 months ago

Found this in the docker logs:

2024-06-24 19:03:45 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
2024-06-24 19:03:45 [W] Invalid code or nonce! (IP: *******)
2024-06-24 19:04:08 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
2024-06-24 19:04:08 [W] Invalid code or nonce! (IP: *******)

If I do what is telling me the error message (removing /.well-known/openid-configuration/ from the expected URI) it leads to this error in the docker logs:

2024-06-24 20:10:30 [E] A hook (`oidc`) failed to load!
2024-06-24 20:10:30 [E] Failed to lift app: expected 200 OK, got: 301 Moved Permanently

Now I would assume this is an error because planka is behind a reverseproxy?

nicedevil007 commented 2 months ago

Is there anything new here?