wekan / wekan

The Open Source kanban (built with Meteor). Keep variable/table/field names camelCase. For translations, only add Pull Request changes to wekan/i18n/en.i18n.json , other translations are done at https://app.transifex.com/wekan/wekan only.
https://wekan.github.io
MIT License

Errors occur when using spring-authentication-server as OIDC provider #5150

Open Esther125 opened 9 months ago

Esther125 commented 9 months ago

I used GitLab as my OIDC provider before, but now I have switched to a self-hosted spring-authentication-server. I already connected the OIDC button to my authentication server, but after I log in a 404 error occurs. (Which means I can jump to the server login page and I can log in with my account and password, but I can't be redirected back to my app after the login. I am not sure whether the problem is in the redirect session or there are other problems.)

spring-authentication-server code I referred to: https://github.com/spring-projects/spring-authorization-server (I run the default application version)

settings in my applications.yml:

server:
  port: 9000

logging:
  level:
    org.springframework.security: trace

spring:
  security:
    user:
      name: user1
      password: password
      roles: ADMIN
    oauth2:
      authorizationserver:
        client:
          messaging-client:
            registration:
              client-id: "messaging-client"
              client-secret: "secret"
              client-authentication-methods:
                - "client_secret_basic"
              authorization-grant-types:
                - "authorization_code"
                - "refresh_token"
                - "client_credentials"
              redirect-uris:
                - "http://localhost:3000/_oauth/oidc"
              post-logout-redirect-uris:
                - "http://localhost:3000/logged-out"
              scopes:
                - "openid"
                - "profile"
                - "message.read"
                - "message.write"
            require-authorization-consent: true

OAUTH settings in my Wekan app:

      # Enable the OAuth2 connection
      - OAUTH2_ENABLED=true
      - OAUTH2_LOGIN_STYLE=popup
      - OAUTH2_CLIENT_ID=messaging-client
      - OAUTH2_SECRET=secret
      - OAUTH2_SERVER_URL=http://localhost:9000
      - OAUTH2_AUTH_ENDPOINT=/oauth/authorize
      - OAUTH2_USERINFO_ENDPOINT=/oauth/userinfo
      - OAUTH2_TOKEN_ENDPOINT=/oauth/token
      - OAUTH2_REQUEST_PERMISSIONS=openid profile
      - OAUTH2_ID_MAP=sub
      - OAUTH2_USERNAME_MAP=nickname
      - OAUTH2_FULLNAME_MAP=name

The log in server:

2023-10-05T02:22:55.403+08:00 TRACE 5389 --- [nio-9000-exec-4] w.c.HttpSessionSecurityContextRepository : Retrieved SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user1, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_ADMIN]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=xxx, SessionId=6CB7676B3A897786A1C75989C8FF69DA], Granted Authorities=[ROLE_ADMIN]]] from SPRING_SECURITY_CONTEXT
2023-10-05T02:22:55.403+08:00 TRACE 5389 --- [nio-9000-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter  : Did not set SecurityContextHolder since already authenticated UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user1, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_ADMIN]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=xxx, SessionId=6CB7676B3A897786A1C75989C8FF69DA], Granted Authorities=[ROLE_ADMIN]]
2023-10-05T02:22:55.403+08:00 DEBUG 5389 --- [nio-9000-exec-4] o.s.security.web.FilterChainProxy        : Secured GET /error?loginStyle=popup&client_id=messaging-client&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F_oauth%2Foidc&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiItc0ZMRWJYaDVoQVFtVXM0YU80S3B1Zi1kdEc4NWpFMjZBTE9GbWROcy1mIiwiaXNDb3Jkb3ZhIjpmYWxzZX0%3D&scope=openid%20profile&display=popup&continue

I really appreciate any help and suggestions!
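An added check, not code from the Wekan project or from the issue: Wekan appends each OAUTH2_*_ENDPOINT value to OAUTH2_SERVER_URL, so those paths have to match what the authorization server actually serves. Spring Authorization Server publishes its endpoints at /.well-known/openid-configuration, and with default AuthorizationServerSettings they are /oauth2/authorize, /oauth2/token and /userinfo rather than the /oauth/... paths in the compose file above; a request to a path the server does not serve is dispatched to /error, which is what the `Secured GET /error?...` line in the server log shows. The script below derives the Wekan settings from a discovery document and lists every configured value that disagrees. The discovery document in it is constructed to the Spring defaults (an assumption: the server in the issue runs unmodified); `fetch_discovery` pulls the live one instead.

```python
"""Derive Wekan OAUTH2_* endpoint settings from an OIDC discovery document
and compare them with the values currently configured.

Added example, not Wekan or Spring Authorization Server code. The discovery
document below is CONSTRUCTED to match the default endpoint paths of Spring
Authorization Server (assumption: default AuthorizationServerSettings).
For a live server use fetch_discovery("http://localhost:9000").
"""
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed sample of GET http://localhost:9000/.well-known/openid-configuration
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "http://localhost:9000",
  "authorization_endpoint": "http://localhost:9000/oauth2/authorize",
  "token_endpoint": "http://localhost:9000/oauth2/token",
  "userinfo_endpoint": "http://localhost:9000/userinfo",
  "jwks_uri": "http://localhost:9000/oauth2/jwks",
  "response_types_supported": ["code"],
  "scopes_supported": ["openid", "profile", "message.read", "message.write"]
}
""")

# Endpoint settings as posted in the issue (docker-compose environment entries).
CONFIGURED = {
    "OAUTH2_SERVER_URL": "http://localhost:9000",
    "OAUTH2_AUTH_ENDPOINT": "/oauth/authorize",
    "OAUTH2_TOKEN_ENDPOINT": "/oauth/token",
    "OAUTH2_USERINFO_ENDPOINT": "/oauth/userinfo",
}

# Wekan env var -> discovery document key it must agree with.
ENDPOINT_KEYS = {
    "OAUTH2_AUTH_ENDPOINT": "authorization_endpoint",
    "OAUTH2_TOKEN_ENDPOINT": "token_endpoint",
    "OAUTH2_USERINFO_ENDPOINT": "userinfo_endpoint",
}


def fetch_discovery(server_url, timeout=5):
    """Fetch the live discovery document (network; not used by the sample run)."""
    url = server_url.rstrip("/") + "/.well-known/openid-configuration"
    with urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wekan_settings_from_discovery(doc):
    """Return OAUTH2_SERVER_URL plus the endpoint paths Wekan should use.

    Wekan builds each URL as OAUTH2_SERVER_URL + *_ENDPOINT, so every endpoint
    must live under the issuer. An endpoint on another scheme, host or port is
    rejected rather than silently truncated to a path.
    """
    issuer = doc["issuer"].rstrip("/")
    base = urlsplit(issuer)
    settings = {"OAUTH2_SERVER_URL": issuer}
    for var, key in ENDPOINT_KEYS.items():
        parts = urlsplit(doc[key])
        if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
            raise ValueError(f"{key} {doc[key]!r} is not under issuer {issuer!r}")
        path = parts.path
        if base.path and path.startswith(base.path):
            path = path[len(base.path):]  # issuer served under a context path
        settings[var] = path or "/"
    return settings


def mismatches(configured, derived):
    """List (variable, configured, expected) for every setting that differs."""
    return [(var, configured.get(var), expected)
            for var, expected in derived.items()
            if configured.get(var) != expected]


if __name__ == "__main__":
    derived = wekan_settings_from_discovery(SAMPLE_DISCOVERY)
    for var, got, want in mismatches(CONFIGURED, derived):
        print(f"{var}: configured {got!r}, discovery says {want!r}")
```

Run against the constructed document, it reports all three endpoint variables as mismatched; run against the live discovery document of your own server, it tells you exactly which OAUTH2_* lines to change, and it refuses to derive a path for an endpoint hosted somewhere other than the issuer, since Wekan could not reach that endpoint through OAUTH2_SERVER_URL anyway.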

xet7 commented 9 months ago

@Esther125

Change username and email mapping to:

- OAUTH2_USERNAME_MAP=email
- OAUTH2_EMAIL_MAP=email

Also add this, to see whether there is more logging:

- DEBUG=true

For docker, see logs with:

docker logs wekan-app

For OAUTH2_REQUEST_PERMISSIONS, maybe it needs the full URL to the permission, like here:

https://github.com/wekan/wekan/wiki/Google-login

Or look at the bottom of /var/log/syslog

For source, see logs at console where you started with start-wekan.sh or start-wekan.bat

xet7 commented 9 months ago

@Esther125

              post-logout-redirect-uris:
                - "http://localhost:3000/logged-out"

There is not yet logout endpoint, see #5061

@RowhamD

What do you think about this?

Esther125 commented 9 months ago

@xet7 Hello, thanks for your advice. I have already made the changes below, but the error still exists:

I checked my source logs and it seems that there weren't any error logs there, and the Spring server log is the same as in my previous post. Do you have any idea how to fix this? Thanks a lot.