[Single Sign On OpenID provider] OneDev server responds with ERROR to OAuth2 OpenID authorization code redirected URL (OD-2146)
y opened 1 year ago

onedev server version

11.3.3

OAuth2 openid authorization code redirect url is

http://172.17.0.1:6610/~sso/callback/xxxx.xxxx.xxxx.localhost?code=xxxxxxxxxxxxxxxxx&state=OIDC-xxxxxxxxxxxxxxxxxxx&nonce=xxxxxxxxxxxxxxxxxxxxxxx

error response page

[screenshot: image.png]

server error log

2024-11-02 08:30:44,323 ERROR [qtp1792963022-5610] i.o.s.w.p.s.error.GeneralErrorPage Error processing wicket request
org.apache.wicket.WicketRuntimeException: Can't instantiate page using constructor 'public io.onedev.server.web.page.admin.ssosetting.SsoProcessPage(org.apache.wicket.request.mapper.parameter.PageParameters)' and argument 'code=[xxxxxxxxxxxxxxxxxxxxxxxx], state=[OIDC-xxxxxxxxxxxxxxxxxxxx], nonce=[xxxxxxxxxxxxxxxxxxxxx], stage=[callback], connector=[xxxx.xxxx.xxxx.localhost]'. An exception has been thrown during construction!
        at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:194)
        at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:99)
        at org.apache.wicket.DefaultMapperContext.newPageInstance(DefaultMapperContext.java:106)
        at org.apache.wicket.core.request.handler.PageProvider.resolvePageInstance(PageProvider.java:271)
        at org.apache.wicket.core.request.handler.PageProvider.getPageInstance(PageProvider.java:169)
        at org.apache.wicket.core.request.handler.RenderPageRequestHandler.getPage(RenderPageRequestHandler.java:168)
        at io.onedev.server.web.WebApplication$8.shouldPreserveClientUrl(WebApplication.java:289)
        at org.apache.wicket.request.handler.render.WebPageRenderer.shouldPreserveClientUrl(WebPageRenderer.java:297)
        at org.apache.wicket.request.handler.render.WebPageRenderer.shouldRenderPageAndWriteResponse(WebPageRenderer.java:329)
        at org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:193)
        at org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:175)
        at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:891)
        at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64)
        at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:260)
        at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:217)
        at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:288)
        at org.apache.wicket.protocol.ws.AbstractUpgradeFilter.processRequestCycle(AbstractUpgradeFilter.java:70)
        at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203)
        at org.apache.wicket.protocol.http.WicketServlet.doGet(WicketServlet.java:137)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.onedev.server.web.DefaultWicketServlet.lambda$service$0(DefaultWicketServlet.java:48)
        at io.onedev.server.persistence.DefaultSessionManager.lambda$run$0(DefaultSessionManager.java:108)
        at io.onedev.server.persistence.DefaultSessionManager.call(DefaultSessionManager.java:90)
        at io.onedev.server.persistence.DefaultSessionManager.run(DefaultSessionManager.java:107)
        at io.onedev.server.web.DefaultWicketServlet.service(DefaultWicketServlet.java:42)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
        at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1656)
        at com.google.inject.servlet.DefaultFilterPipeline.dispatch(DefaultFilterPipeline.java:47)
        at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
        at io.onedev.server.git.GoGetFilter.doFilter(GoGetFilter.java:87)
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
        at io.onedev.server.git.GitLfsFilter.doFilter(GitLfsFilter.java:454)
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
        at io.onedev.server.git.GitFilter.doFilter(GitFilter.java:363)
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:154)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:154)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
        at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
        at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:154)
        at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:458)
        at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:373)
        at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
        at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
        at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:370)
        at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:154)
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
        at io.onedev.server.security.CorsFilter.doFilter(CorsFilter.java:47)
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
        at io.onedev.server.jetty.DisableTraceFilter.doFilter(DisableTraceFilter.java:28)
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:772)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
        at org.eclipse.jetty.server.Server.handle(Server.java:516)
        at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
        at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
        at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
        at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.reflect.InvocationTargetException: null
        at jdk.internal.reflect.GeneratedConstructorAccessor192.newInstance(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
        at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:171)
        ... 97 common frames omitted
Caused by: java.lang.RuntimeException: com.nimbusds.oauth2.sdk.ParseException: Missing or empty HTTP message body
        at io.onedev.server.plugin.sso.openid.OpenIdConnector.processLoginResponse(OpenIdConnector.java:168)
        at io.onedev.server.web.page.admin.ssosetting.SsoProcessPage.<init>(SsoProcessPage.java:74)
        ... 101 common frames omitted
Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing or empty HTTP message body
        at com.nimbusds.oauth2.sdk.http.HTTPMessage.ensureBody(HTTPMessage.java:246)
        at com.nimbusds.oauth2.sdk.http.HTTPMessage.getBodyAsJSONObject(HTTPMessage.java:289)
        at com.nimbusds.oauth2.sdk.http.HTTPResponse.getBodyAsJSONObject(HTTPResponse.java:61)
        at com.nimbusds.oauth2.sdk.http.HTTPResponse.getContentAsJSONObject(HTTPResponse.java:395)
        at com.nimbusds.openid.connect.sdk.OIDCTokenResponse.parse(OIDCTokenResponse.java:195)
        at com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser.parse(OIDCTokenResponseParser.java:78)
        at io.onedev.server.plugin.sso.openid.OpenIdConnector.parseOIDCTokenResponse(OpenIdConnector.java:173)
        at io.onedev.server.plugin.sso.openid.OpenIdConnector.processLoginResponse(OpenIdConnector.java:160)
        ... 102 common frames omitted

  • y commented 1 year ago

    I'm confused. Why does onedev server need "HTTP message body" on "/~sso/callback"?

  • Robin Shen commented 1 year ago

    It expects to read the OIDC token from the HTTP response body in the backend, which is standard OpenID behavior. I tested with other OpenID providers such as GitHub/Okta, and it works.

  • y commented 1 year ago

    Many thanks. Let me examine my OAuth2 server token API. And by the way, it would be great if OneDev's program printed the target API URL when the response is not as expected.

  • y changed state to 'Closed' 1 year ago
    Previous Value: Open
    Current Value: Closed
  • y commented 1 year ago

    Confirmed. It's our oauth2 server's problem.
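
A check for the failure discussed in this thread, as an added example (not OneDev or Nimbus SDK code): it inspects a token endpoint response against RFC 6749 section 5.1 and OpenID Connect Core 3.1.3.3 and names the endpoint in every diagnostic without echoing token values. The function name `check_token_response`, the endpoint URL and the sample responses are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

def check_token_response(token_endpoint, status, headers, body):
    """Return a list of problems with a token endpoint response (empty list = OK).

    Messages name the endpoint (query string dropped) but never echo token values.
    """
    parts = urlsplit(token_endpoint)
    where = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if not body or not body.strip():
        # The condition behind "Missing or empty HTTP message body" in the log above.
        return [f"{where}: HTTP {status} with empty body"]
    problems = []
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        problems.append(f"{where}: Content-Type is {ctype!r}, expected application/json")
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + [f"{where}: body is not valid JSON"]
    if not isinstance(doc, dict):
        return problems + [f"{where}: JSON body is not an object"]
    if status != 200:
        # Error responses carry an "error" code (RFC 6749 section 5.2).
        err = doc.get("error", "unspecified")
        return problems + [f"{where}: HTTP {status}, error={err!r}"]
    for field in ("access_token", "token_type", "id_token"):
        if not doc.get(field):
            problems.append(f"{where}: missing required field {field!r}")
    token_type = str(doc.get("token_type") or "")
    if token_type and token_type.lower() != "bearer":
        problems.append(f"{where}: token_type is {token_type!r}, expected Bearer")
    return problems

# Constructed sample responses (not captured from any real provider).
ENDPOINT = "https://idp.example.test/oauth2/token?debug=1"
JSON_HDR = {"Content-Type": "application/json;charset=UTF-8"}
GOOD = json.dumps({"access_token": "a", "token_type": "Bearer", "id_token": "h.p.s"})
NO_ID = json.dumps({"access_token": "a", "token_type": "Bearer"})

if __name__ == "__main__":
    samples = [("empty", (200, {}, "")), ("good", (200, JSON_HDR, GOOD)),
               ("no id_token", (200, JSON_HDR, NO_ID))]
    for name, args in samples:
        print(name, check_token_response(ENDPOINT, *args) or "OK")
```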

Type: Question
Priority: Major