seek4science / seek

For finding, sharing and exchanging Data, Models, Simulations and Processes in Science.
http://www.seek4science.org
BSD 3-Clause "New" or "Revised" License

LS-Login/ELIXIR AAI login does not work for apps deployed under a sub-URI #1031

Closed fbacall closed 6 months ago

fbacall commented 2 years ago

It seems omniauth does not recognize the callback path.

https://github.com/seek4science/seek/blob/8c6c1fccef6394df8b7360fd3357886ac9f094f5/lib/seek/config.rb#L315

Changing this line to exclude the relative URL root seems to fix things. Need to confirm, and see if we can test for this.

erlefloch commented 1 year ago

Hi @stuzart and @fbacall, we just saw this issue. We were having this exact case with LS Login with our subURI-deployed instances (https://urgi.versailles.inrae.fr/fairdom/ and https://beta-urgi.versailles.inrae.fr/fairdom/). We could test this patch on our beta instance? However, it is currently an instance of version 1.12.0. And should we test this patch directly, or first upgrade to 1.13.0 or 1.13.1? Cyril & Erwan

fbacall commented 1 year ago

Hi, this issue arose from discussions with Raphael from your group.

I believe after changing the path to callback_path: "/#{callback_path}", we ran into #1030, and then after updating that there was a general error that we were not able to resolve:

I, [2022-06-30T16:13:06.189761 #3774]  INFO -- : (elixir_aai) Request phase initiated.
I, [2022-06-30T16:13:12.495828 #3774]  INFO -- : (elixir_aai) Callback phase initiated.
E, [2022-06-30T16:13:12.707025 #3774] ERROR -- : (elixir_aai) Authentication failure! invalid_credentials: Rack::OAuth2::Client::Error, invalid_client
I, [2022-06-30T16:13:12.904564 #3774]  INFO -- : method=GET path=/fairdom/auth/failure format=html controller=SessionsController action=omniauth_failure status=200 duration=89.77 view=62.16 db=22.89 time=8561942.76 user_agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0

erlefloch commented 1 year ago

OK, thanks Finn! Ping @cpommier @raf64flo

cpommier commented 1 year ago

Thanks for the feedback! Are you planning to work on it, possibly with lifescienceAAI team?

fbacall commented 1 year ago

It's on my list, but my list is pretty long :(

I'd like to tackle it along with #984 if possible.

Any help in figuring out a configuration (https://github.com/seek4science/seek/blob/dd5edd56165bcdb205e06be23c02f27076c157fa/lib/seek/config.rb#L314-L342) that works for the LS-Login endpoint would be really useful. I did register a client in the LS-Login test environment with the intention of trying to figure it out myself, but I've been swamped with other priorities since then.

erlefloch commented 1 year ago

@fbacall we would be happy to help you find a configuration with our test instance (https://beta-urgi.versailles.inrae.fr/fairdom).

fbacall commented 8 months ago

Tested custom OIDC provider which uses the same omniauth strategy as the LS-Login authentication on https://testing-suburi.fairdomseek.org/seek/ and there were no issues. Need to confirm if this is still a problem after 1.15 is released.