sipcapture / homer

HOMER - 100% Open-Source SIP, VoIP, RTC Packet Capture & Monitoring
https://sipcapture.org
GNU Affero General Public License v3.0
1.61k stars, 240 forks

Oauth2 configuration failed to authenticate. #579

Closed anannaya closed 1 year ago

anannaya commented 1 year ago

I am getting the below error when I enable oauth2 on homer:

```
{"level":"debug","msg":"Doing AuthSericeRequest for provider: oidc","time":"2023-02-23T05:56:28Z"}
{"level":"debug","msg":"Options for token exchange in AuthSericeRequest : [{code_verifier randommin43characterstringisneededasusertoken}]","time":"2023-02-23T05:56:28Z"}
{"level":"error","msg":"AuthSericeRequest OAuth2Config Exchange is invalid:oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error_description\":\"Authorization code is invalid or expired.\",\"error\":\"invalid_grant\"}","time":"2023-02-23T05:56:28Z"}
```

Below is my configuration:

```json
"oauth2": {
    "enable": true,
    "client_id": "XXXXXX",
    "client_secret": "XXXXXXX",
    "project_id": "Homer OAuth",
    "auth_uri": "https://cloudsso.WWWWW.com/as/authorization.oauth2",
    "token_uri": "https://cloudsso.WWWWW.com/as/token.oauth2",
    "redirect_uri": "https://homer.WAAAAAA.lab.net//api/v3/oauth2/auth",
    "profile_uri": "https://cloudsso.WWWWW.com/idp/userinfo.openid",
    "provider_name": "oidc"
}
```

Can you please help me: what could be wrong here, and how to debug the issue?

github-actions[bot] commented 1 year ago

Please star this repository to motivate the developers and to get higher priority! :star:

kYroL01 commented 1 year ago

Seems the answer is here

{"level":"error","msg":"AuthSericeRequest OAuth2Config Exchange is invalid:oauth2: cannot fetch token: 400 Bad Request

Are you using a valid token?

anannaya commented 1 year ago

@kYroL01 We do not generate the token manually, do we? We have been actively using oauth-proxy for 3 years and we don't have any issue. I feel there is some configuration we need to tune; could you please help me with that?

anannaya commented 1 year ago

@adubovikov I think I am hitting the same issue: https://github.com/sipcapture/homer-app/issues/458

anannaya commented 1 year ago

I have tried with the below configuration as well, same error:

```json
"oauth2": {
        "enable": true,
        "client_id": "rtms-qa-xxxxx-oauth-client",
        "client_secret": "xxxxxxx",
        "project_id": "Homer OAuth",
        "auth_uri": "https://cloudsso.xxx.com/as/authorization.oauth2",
        "token_uri": "https://cloudsso.xxxx.com/as/token.oauth2",
        "redirect_uri": "https://homer.qa-us1.xxxxxx.net/api/v3/oauth2/auth",
        "profile_uri": "https://cloudsso.xxxxx.com/idp/userinfo.openid",
        "grant_type": "authorization_code",
        "response_type": "code",
        "auth_style": 1,
        "user_token": "RandomURLSafeStringWithAMinimumLengthOf43Characters",
        "gravatar": true,
        "gravatar_url": "https://en.gravatar.com/userimage/232853033/sdsdsd.png",
        "provider_name": "oidc"
      },
```

anannaya commented 1 year ago

Looks like the server is crashing:

```
{"level":"debug","msg":"Doing URL for provider:oidc","time":"2023-03-13T05:56:46Z"}
{"level":"debug","msg":"RedirecToSericeAuth Redirecting URL :https://cloudsso.xxxx.com/as/authorization.oauth2?client_id=rtms-qa-xxxxxx-oauth-client\u0026code_challenge=wmxxSJg7R-3WASqWN5BshfYKexxxxH3Nmf2pYPwC32acIUP_g\u0026code_challenge_method=S256\u0026redirect_uri=https%3A%2F%2Fhomer.qa-us1.xxxx.net%2Fapi%2Fv3%2Foauth2%2Fauth%2Foidc\u0026response_type=code\u0026scope=email+openid+profile\u0026state=jkwh027yasj","time":"2023-03-13T05:56:46Z"}
Successful ping: homer-aurora.qa-us1.rtmslab.net, Type: config, Node: localnode{"level":"debug","msg":"79 \u003cnil\u003e","time":"2023-03-13T05:57:12Z"}
Successful ping: homer-aurora.qa-us1.rtmslab.net, Type: data, Node: LocalNode{"level":"debug","msg":"77 \u003cnil\u003e","time":"2023-03-13T05:57:12Z"}
{"level":"debug","msg":"Doing AuthSericeRequest for provider: oidc","time":"2023-03-13T05:57:25Z"}
{"level":"debug","msg":"Options for token exchange in AuthSericeRequest : [{grant_type authorization_code} {code dz1Vsowv1SB-xxxxxxxxx} {redirect_uri https://homer.xxxxx-us1.xxxxxxx.net/api/v3/oauth2/auth/oidc} {client_secret xxxxxxxx} {client_id rtms-qa-xxxxxx-oauth-client} {code_verifier RandomURLSafeStringWithAMinimumLengthOf43Characters}]","time":"2023-03-13T05:57:25Z"}
echo: http: panic serving 127.0.0.6:39449: runtime error: invalid memory address or nil pointer dereference
goroutine 905 [running]:
net/http.(*conn).serve.func1()
    /usr/local/go/src/net/http/server.go:1850 +0xbf
panic({0xc4a440, 0x15067e0})
    /usr/local/go/src/runtime/panic.go:890 +0x262
github.com/sipcapture/homer-app/controller/v1.(*UserController).AuthSericeRequest(0xc000614960?, {0xeac688, 0xc0003d2140})
    /homer-app/controller/v1/user.go:510 +0x1037
github.com/labstack/echo/v4.(*Echo).add.func1({0xeac688, 0xc0003d2140})
    /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/echo.go:544 +0x51
github.com/labstack/echo/v4/middleware.GzipWithConfig.func1.1({0xeac688, 0xc0003d2140})
    /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/middleware/compress.go:67 +0x52f
github.com/labstack/echo/v4/middleware.StaticWithConfig.func1.1({0xeac688, 0xc0003d2140})
    /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/middleware/static.go:195 +0x32d
main.GrafanaHeader.func1({0xeac688, 0xc0003d2140})
    /homer-app/main.go:1890 +0x187
github.com/labstack/echo/v4/middleware.CORSWithConfig.func1.1({0xeac688, 0xc0003d2140})
    /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/middleware/cors.go:118 +0x36f
github.com/labstack/echo/v4.(*Echo).ServeHTTP.func1({0xeac688, 0xc0003d2140})
    /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/echo.go:648 +0x132
github.com/labstack/echo/v4/middleware.RewriteWithConfig.func1.1({0xeac688, 0xc0003d2140})
    /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/middleware/rewrite.go:72 +0xa8
github.com/labstack/echo/v4.(*Echo).ServeHTTP(0xc00056e000, {0xe9de48?, 0xc0006dc1c0}, 0xc00022ac00)
    /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/echo.go:654 +0x3d1
net/http.serverHandler.ServeHTTP({0xc0005f8780?}, {0xe9de48, 0xc0006dc1c0}, 0xc00022ac00)
    /usr/local/go/src/net/http/server.go:2947 +0x30c
net/http.(*conn).serve(0xc000620280, {0xe9e540, 0xc00059a7b0})
    /usr/local/go/src/net/http/server.go:1991 +0x607
created by net/http.(*Server).Serve
    /usr/local/go/src/net/http/server.go:3102 +0x4db
```

adubovikov commented 1 year ago

Can you please install homer-app-1.4.47 and recheck it again?

anannaya commented 1 year ago

@adubovikov We are using the latest tag for homer apps. Is there any container repository I can pull the tagged images from? sipcapture/webapp. Also, I don't see 1.4.47 released.

anannaya commented 1 year ago

I tried with the latest tag as well, still the same error. The only difference I see with oauth2-proxy (https://github.com/oauth2-proxy/oauth2-proxy) is that homer webapp uses PKCE. I am not sure technically it should work.
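
Added example, not part of the original comments and not homer-app code: the logs earlier in this thread show `code_challenge_method=S256` on the redirect and the configured `user_token` sent as `code_verifier`. This Go sketch checks a verifier against the RFC 7636 rules and derives its S256 challenge; the function names are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// ValidVerifier enforces RFC 7636 section 4.1: 43-128 characters drawn
// from the unreserved set [A-Za-z0-9-._~].
func ValidVerifier(v string) error {
	if len(v) < 43 || len(v) > 128 {
		return fmt.Errorf("code_verifier length %d outside 43..128", len(v))
	}
	for _, c := range v {
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9':
		case c == '-', c == '.', c == '_', c == '~':
		default:
			return fmt.Errorf("code_verifier contains illegal character %q", c)
		}
	}
	return nil
}

// S256Challenge derives the code_challenge sent on the authorization
// redirect: BASE64URL without padding of SHA256(code_verifier).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewVerifier returns a fresh verifier built from 32 random bytes (43 chars).
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func main() {
	// The value logged as code_verifier in this thread (a config placeholder).
	logged := "RandomURLSafeStringWithAMinimumLengthOf43Characters"
	fmt.Println(ValidVerifier(logged), S256Challenge(logged))
	fresh, _ := NewVerifier()
	fmt.Println(len(fresh), S256Challenge(fresh))
}
```

RFC 7636 has the client create a new verifier for each authorization request, which is what `NewVerifier` produces; a fixed configured value is identical on every login.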

adubovikov commented 1 year ago

Please pull one more time. It should be fixed right now.

anannaya commented 1 year ago

@adubovikov Great, now the error is gone. Seeing a new one:

```
{"level":"debug","msg":"Token access has been disabled: api_settings.enable_token_access","time":"2023-03-13T15:40:31Z"}
{"level":"debug","msg":"Claims","time":"2023-03-13T15:40:31Z"}
{"level":"error","msg":"post couldn't get profile error code: 401","time":"2023-03-13T15:40:31Z"}
```

adubovikov commented 1 year ago

@anannaya Can you show your profile_url param?

anannaya commented 1 year ago

@adubovikov https://github.com/sipcapture/homer/issues/579#issuecomment-1465457037

adubovikov commented 1 year ago

@anannaya
It should be `profile_url`, not uri:

```json
"profile_url": "https://cloudsso.xxxxx.com/idp/userinfo.openid",
```

adubovikov commented 1 year ago

https://github.com/sipcapture/homer-app/blob/master/etc/webapp_config.json#L159

https://github.com/sipcapture/homer-app/blob/master/main.go#L438-L440
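
Added example, not part of the original comments and not homer-app code: the `profile_uri` typo above only surfaced in the logs as a 401 on the profile request. This Go check reports unrecognised and missing keys in an `oauth2` settings object; the key list is taken from this thread, while the required set, the function name and the sample hosts are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Key names as shown in this thread, with profile_url per the maintainer's fix.
const knownKeys = "enable client_id client_secret project_id auth_uri token_uri " +
	"redirect_uri profile_url grant_type response_type auth_style user_token " +
	"gravatar gravatar_url provider_name"

// Assumption for this example: keys the login flow cannot work without.
const requiredKeys = "client_id auth_uri token_uri redirect_uri profile_url"

// Constructed sample with placeholder hosts; it repeats the profile_uri typo.
const sampleConfig = `{
  "client_id": "example-client",
  "auth_uri": "https://sso.example.invalid/as/authorization.oauth2",
  "token_uri": "https://sso.example.invalid/as/token.oauth2",
  "redirect_uri": "https://homer.example.invalid/api/v3/oauth2/auth",
  "profile_uri": "https://sso.example.invalid/idp/userinfo.openid"
}`

// AuditOAuth2 lists unrecognised keys and required keys that are absent or empty.
func AuditOAuth2(raw []byte) (unknown, missing []string, err error) {
	var cfg map[string]json.RawMessage
	if err = json.Unmarshal(raw, &cfg); err != nil {
		return nil, nil, err
	}
	known := map[string]bool{}
	for _, k := range strings.Fields(knownKeys) {
		known[k] = true
	}
	for k := range cfg {
		if !known[k] {
			unknown = append(unknown, k)
		}
	}
	sort.Strings(unknown)
	for _, k := range strings.Fields(requiredKeys) {
		if v, ok := cfg[k]; !ok || string(v) == `""` {
			missing = append(missing, k)
		}
	}
	return unknown, missing, nil
}

func main() { fmt.Println(AuditOAuth2([]byte(sampleConfig))) }
```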

anannaya commented 1 year ago

@adubovikov Awesome, SSO is working. Thanks a lot for the support. Is there any way I can make the SSO user part of the "admin" group?

adubovikov commented 1 year ago

For now SSO auth gives you only the user group. But any commitments are welcome.

anannaya commented 1 year ago

@adubovikov Let me see if I can raise a PR for authorization based on OIDC groups.