processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

oauth token cannot take effect #4148

Closed happy-berry closed 8 months ago

happy-berry commented 8 months ago


## env

- ejabberd version: the news
- os: Linux (ubuntu)

This is my conf:
```yaml
oauth_expire: 2592000
oauth_access: all

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
            - acl: admin
      - oauth:
        - scope: "ejabberd:admin"
        - access:
          - allow:
              - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"

acl:
  admin:
    user: admin@ejabberd.qaq.cn
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128

  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      /api: mod_http_api
      /oauth: ejabberd_oauth
      /admin: ejabberd_web_admin
      /.well-known/acme-challenge: ejabberd_acme
```

My configuration is already the same as on the official website. Why do I get this error: `{ "status": "error", "code": 32, "message": "AccessRules: Account does not have the right to perform the operation." }`

prefiks commented 8 months ago

So per that config, only tokens generated for admin@ejabberd.qaq.cn and with scope "ejabberd:admin" will allow you to execute that command. Does your token match those two conditions?

happy-berry commented 8 months ago

Yes, I'm sure. I can generate a token, but when I put it in the header, it returns that error.

prefiks commented 8 months ago

Could you run `ejabberdctl oauth_list_tokens` and see if your token is listed there and what fields it has?

happy-berry commented 8 months ago

Like this:

```
Cgsr5372JoTV51lmfitNMbO7FRjV70ti admin@ejabberddev.qaq.cn [<<"ejabberd:admin">>] 989 seconds
P8LIKrBUGfKnxEZCct5jBbhuKJwuWIn1 admin@ejabberddev.qaq.cn [<<"ejabberd:admin">>] 315345455 seconds
hLtaDVPKPaCbfjOEWszIaenyHwfbjzo1 admin@ejabberddev.qaq.cn [<<"ejabberd:admin">>] 31521957 seconds
93osYtPWpIoKyNEXPpL4iJtvNEE012aU admin@ejabberddev.qaq.cn [<<"ejabberd:admin">>] 997 seconds
```

happy-berry commented 8 months ago

I think all the admin-level tokens I generated should be usable, but I found that none of the ones I generated can be used.

prefiks commented 8 months ago

I see admin@ejabberddev.qaq.cn and not admin@ejabberd.qaq.cn, which is what you have in the admin rule. Is that from a different server? If not, that may be the issue here.

happy-berry commented 8 months ago

Now I have rolled back my new config, and I get the same result as before. This is my whole update:

```yaml
hosts:
  - ejabberddev.xyplay.cn

  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      /oauth: ejabberd_oauth
      /api: mod_http_api
      /admin: ejabberd_web_admin
      /.well-known/acme-challenge: ejabberd_acme

acl:
  admin:
    user: admin@ejabberddev.xyplay.cn
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            - acl: loopback
            - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      ip: 127.0.0.1/8
    what:
      - status
      - connected_users_number

oauth_access: all
oauth_expire: 3600
```

prefiks commented 8 months ago

Can you also switch the loglevel to debug with `ejabberdctl set_loglevel debug`, try to execute the command, and see what is logged about that attempt? (Don't forget to switch the loglevel back to its initial value.)

prefiks commented 8 months ago

Also, if you are changing the config, do you issue `ejabberdctl reload_config` after doing it?

happy-berry commented 8 months ago

No, but I run `ejabberdctl restart`. This is my log:

```
2024-01-15 23:38:00.088711+08:00 [debug] <0.1505.0>@ejabberd_http:process_header/2:291 (#Port<0.59>) http query: 'POST' <<"/api/get_room_occupants">>
2024-01-15 23:38:00.089066+08:00 [debug] <0.1505.0>@ejabberd_http:process/1:363 [<<"api">>,<<"get_room_occupants">>] matches [<<"api">>]
2024-01-15 23:38:00.089604+08:00 [info] <0.1505.0>@mod_http_api:log/3:511 API call get_room_occupants [{<<"name">>,<<"room1">>}, {<<"service">>,<<"ejabberddev.xyplay.cn">>}] from ::ffff:192.168.0.57:50592
2024-01-15 23:38:00.095003+08:00 [debug] <0.1505.0>@ejabberd_access_permissions:can_access/2:96 Command 'get_room_occupants' execution denied (CallerInfo=#{tag => <<>>, ip => {0,0,0,0,0, 65535,49320, 57}, usr => {<<"admin">>, <<"ejabberddev.xyplay.cn">>, <<>>}, caller_module => mod_http_api, oauth_scope => [<<"ejabberd:admin">>], caller_server => <<"ejabberddev.xyplay.cn">>})
```

prefiks commented 8 months ago

OK, now you have this:

```yaml
  "admin access":
    who:
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            - acl: loopback
            - acl: admin
```

and you will not match the `- acl: loopback` part, since you aren't connecting from 127.0.0.0. Try removing this part and try again.

happy-berry commented 8 months ago

Thank you, I have resolved this error, but I would like to know why this configuration restricts me to accessing only from my localhost.

prefiks commented 8 months ago

This is determined by the fragment marked here:

```yaml
  "admin access":
    who:
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            - acl: loopback # <---- This part
            - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
```

This, together with `acl: admin`, says that only a person authenticated as admin and issuing the request from loopback can execute the rules from `what:`. If you remove `- acl: loopback`, leaving only `acl: admin`, you get to a state where any admin could execute commands from all hosts.
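To make the AND semantics above concrete, here is an added Python model (my own code, not ejabberd's) of how the `who:` block of an `api_permissions` entry is evaluated for an OAuth caller. It uses the ACL names, JID, scope and source IP from this thread's config and debug log; the function names and dict layout are my own simplification, and I assume, as ejabberd's documentation states, that all ACLs under a single `allow:` must match.

```python
import ipaddress

# acl: section, constructed to mirror the config posted above
ACLS = {
    "admin": {"user": ["admin@ejabberddev.xyplay.cn"]},
    "loopback": {"ip": ["127.0.0.0/8", "::1/128"]},
}

def acl_matches(acl_name, caller):
    """Return True if the named ACL matches the caller's JID and source IP."""
    acl = ACLS[acl_name]
    if "user" in acl and caller["jid"] not in acl["user"]:
        return False
    if "ip" in acl:
        ip = ipaddress.ip_address(caller["ip"])
        # The log shows ::ffff:192.168.0.57, an IPv4-mapped IPv6 address; unmap it
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not any(ip in ipaddress.ip_network(net) for net in acl["ip"]):
            return False
    return True

def who_allows(who, caller):
    """Evaluate who: oauth: {scope, access: allow: [acl, ...]}.
    The scope must be present on the token, and EVERY acl listed under the
    one allow: entry must match (logical AND), which is the point of this thread."""
    oauth = who["oauth"]
    if oauth["scope"] not in caller["scopes"]:
        return False
    return all(acl_matches(a["acl"], caller) for a in oauth["access"]["allow"])

# CallerInfo from the debug log: the right admin JID and scope, but from the LAN
CALLER = {"jid": "admin@ejabberddev.xyplay.cn",
          "ip": "::ffff:192.168.0.57", "scopes": ["ejabberd:admin"]}

# The "admin access" block as posted, and the same block with loopback removed
WHO_WITH_LOOPBACK = {"oauth": {"scope": "ejabberd:admin",
                               "access": {"allow": [{"acl": "loopback"}, {"acl": "admin"}]}}}
WHO_ADMIN_ONLY = {"oauth": {"scope": "ejabberd:admin",
                            "access": {"allow": [{"acl": "admin"}]}}}

def denied_as_in_thread():
    """Reproduces the 'execution denied' outcome from the log."""
    return not who_allows(WHO_WITH_LOOPBACK, CALLER)

def allowed_after_fix():
    """Same caller once '- acl: loopback' is dropped from the allow list."""
    return who_allows(WHO_ADMIN_ONLY, CALLER)
```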

happy-berry commented 8 months ago

So loopback == localhost?

prefiks commented 8 months ago

You have loopback defined in the `acl:` section:

```yaml
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128
```

so it's the IPv4 or IPv6 address for localhost.

happy-berry commented 8 months ago

Oh, I understand. I always thought this was an independent configuration similar to a whitelist, but I didn't expect it to be a global IP configuration for loopback. Thanks very much.