Authentik OpenID Failing (OD-607)
Josh Chapman opened 4 years ago

I cannot find generic instructions for connecting OIDC, but as far as I can tell, I have this set up correctly - however, clicking on the OpenID button on login is giving an error of

Server returned HTTP response code: 403 for URL: https://auth.unseenspite.com/application/o/git/.well-known/openid-configuration

Visiting this URL, however, does in fact return valid information (it is public facing). I am trying to debug to figure out where the issue is actually occurring. I am able to validate that the data from the configuration page does in fact return and that (so far) I have no error logs on the authentication server.

Logs from OneDev show:

java.io.IOException: Server returned HTTP response code: 403 for URL: https://auth.unseenspite.com/application/o/git/.well-known/openid-configuration
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1897)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1495)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
	at java.net.URL.openStream(URL.java:1093)
	at com.fasterxml.jackson.core.TokenStreamFactory._optimizedStreamFromURL(TokenStreamFactory.java:211)
	at com.fasterxml.jackson.core.JsonFactory.createParser(JsonFactory.java:1057)
	at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:3091)
	at io.onedev.server.plugin.sso.openid.OpenIdConnector.discoverProviderMetadata(OpenIdConnector.java:316)
	at io.onedev.server.plugin.sso.openid.OpenIdConnector.initiateLogin(OpenIdConnector.java:298)
	at io.onedev.server.web.page.admin.sso.SsoProcessPage.<init>(SsoProcessPage.java:66)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:171)
	at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:99)
	at org.apache.wicket.DefaultMapperContext.newPageInstance(DefaultMapperContext.java:106)
	at org.apache.wicket.core.request.handler.PageProvider.resolvePageInstance(PageProvider.java:271)
	at org.apache.wicket.core.request.handler.PageProvider.getPageInstance(PageProvider.java:169)
	at org.apache.wicket.core.request.handler.RenderPageRequestHandler.getPage(RenderPageRequestHandler.java:168)
	at io.onedev.server.web.WebApplication$8.shouldPreserveClientUrl(WebApplication.java:311)
	at org.apache.wicket.request.handler.render.WebPageRenderer.shouldPreserveClientUrl(WebPageRenderer.java:297)
	at org.apache.wicket.request.handler.render.WebPageRenderer.shouldRenderPageAndWriteResponse(WebPageRenderer.java:329)
	at org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:193)
	at org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:175)
	at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:955)
	at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64)
	at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:288)
	at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:245)
	at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:316)
	at org.apache.wicket.protocol.ws.AbstractUpgradeFilter.processRequestCycle(AbstractUpgradeFilter.java:70)
	at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203)
	at org.apache.wicket.protocol.http.WicketServlet.doGet(WicketServlet.java:137)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at io.onedev.server.web.DefaultWicketServlet.service(DefaultWicketServlet.java:43)
	at io.onedev.server.web.DefaultWicketServlet$$EnhancerByGuice$$4c7ce51.CGLIB$service$0(<generated>)
	at io.onedev.server.web.DefaultWicketServlet$$EnhancerByGuice$$4c7ce51$$FastClassByGuice$$e35a994d.invoke(<generated>)
	at com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228)
	at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:76)
	at io.onedev.server.persistence.SessionInterceptor$1.call(SessionInterceptor.java:23)
	at io.onedev.server.persistence.DefaultSessionManager.call(DefaultSessionManager.java:79)
	at io.onedev.server.persistence.SessionInterceptor.invoke(SessionInterceptor.java:18)
	at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:78)
	at com.google.inject.internal.InterceptorStackCallback.intercept(InterceptorStackCallback.java:54)
	at io.onedev.server.web.DefaultWicketServlet$$EnhancerByGuice$$4c7ce51.service(<generated>)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
	at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
	at com.google.inject.servlet.DefaultFilterPipeline.dispatch(DefaultFilterPipeline.java:47)
	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at io.onedev.server.git.GoGetFilter.doFilter(GoGetFilter.java:87)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at io.onedev.server.git.GitLfsFilter.doFilter(GitLfsFilter.java:440)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at io.onedev.server.git.GitFilter.doFilter(GitFilter.java:330)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:450)
	at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at io.onedev.server.util.jetty.DisableTraceFilter.doFilter(DisableTraceFilter.java:28)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:763)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:516)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:386)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at java.lang.Thread.run(Thread.java:748)

Current setup for OneDev: OneDevSetup.png

Current setup for Auth Server: Auth1.png

  • Robin Shen commented 4 years ago

    I am accessing this URL and it gives me the error below:

    2022-03-03_08-13-40.png

    PS: There are many tutorials here including an example OIDC set up for Okta:

    https://code.onedev.io/projects/162/blob/main/pages/tutorials.md

  • Josh Chapman commented 4 years ago

    Thanks Robin,

    Could I ask which URL you're getting that error from? I just hit the pasted URL from a completely disconnected device, one that has never logged in to this site at all, and got this:

    Screenshot_20220302-172344.png

    I was actually following that guide when I ran into this issue, so I'm just trying to figure out what may be blocking.

  • Josh Chapman commented 4 years ago

    In the meantime, I'm going to dig through CloudFlare to see if there's something there to assist as well.

  • Robin Shen commented 4 years ago

    I am accessing this url:

    https://auth.unseenspite.com/application/o/git/.well-known/openid-configuration

    Accessing it either from a browser (with cache cleared, starting clean) or with curl gives me the same result.

  • Josh Chapman commented 4 years ago

    Scratch everything I just asked. It's a combination of none of the services actually being secure (behind a reverse proxy but only for base 80/443) and CloudFlare being overzealous in its defense. I will fix it and it will likely work just fine. Please feel free to close the ticket.

    Edit: Removed screenshot since CloudFlare data was included.
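    The symptom in this thread, a 403 that only the OneDev server sees while a browser and curl get a 200 from the same URL, is the signature of an edge rule (here Cloudflare) keyed on the client rather than on the URL. The script below is an added example, not OneDev's or Authentik's code: it fetches the discovery document with a Java-style User-Agent so the request resembles what OneDev's HttpURLConnection sends (the exact `Java/1.8.0_292` string is an assumption), then validates the returned metadata the way a relying party should before trusting it, including the OIDC Discovery rule that the `issuer` value must equal the URL the document was fetched from minus the well-known path. The hostnames and the sample document are constructed.

```python
"""Diagnose and validate an OIDC discovery fetch (added example; not OneDev's code)."""
import json
import urllib.error
import urllib.request

WELL_KNOWN = "/.well-known/openid-configuration"

# Metadata fields a relying party using the authorization-code flow needs
# (OpenID Connect Discovery 1.0, section 3).
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Constructed sample in the shape Authentik publishes for an application named "git".
# The hostname is a placeholder, not a real capture.
SAMPLE_DOC = {
    "issuer": "https://auth.example.test/application/o/git/",
    "authorization_endpoint": "https://auth.example.test/application/o/authorize/",
    "token_endpoint": "https://auth.example.test/application/o/token/",
    "jwks_uri": "https://auth.example.test/application/o/git/jwks/",
    "response_types_supported": ["code", "id_token", "id_token token", "code token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def discovery_url(issuer: str) -> str:
    """Well-known URL derived from the issuer, as a relying party would build it."""
    return issuer.rstrip("/") + WELL_KNOWN


def validate_discovery_document(doc: dict, fetched_from: str) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field: {field}")
    issuer = doc.get("issuer")
    if issuer is not None:
        # Discovery 4.3: the issuer in the document MUST match the URL it was
        # fetched from (minus the well-known suffix). A mismatch means a proxy
        # rewrite, a wrong provider URL, or a mix-up between providers.
        expected = fetched_from
        if expected.endswith(WELL_KNOWN):
            expected = expected[: -len(WELL_KNOWN)]
        if issuer.rstrip("/") != expected.rstrip("/"):
            problems.append(f"issuer mismatch: document says {issuer!r}, fetched from {expected!r}")
        if not issuer.startswith("https://"):
            problems.append("issuer is not https")
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(endpoint)
        if value and not value.startswith("https://"):
            problems.append(f"{endpoint} is not https: {value}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the 'code' response type")
    return problems


def fetch_discovery(url: str, user_agent: str = "Java/1.8.0_292"):
    """Fetch the document with a Java-like User-Agent (assumed value) so the request
    resembles the one OneDev itself makes. Returns (http_status_or_None, body).
    A 403 here but a 200 from a browser points at a WAF/bot rule, not at the IdP."""
    req = urllib.request.Request(
        url, headers={"User-Agent": user_agent, "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except urllib.error.URLError as e:
        return None, str(e.reason)


if __name__ == "__main__":
    url = discovery_url(SAMPLE_DOC["issuer"])
    status, body = fetch_discovery(url)
    if status == 200:
        print(validate_discovery_document(json.loads(body), url) or "discovery document OK")
    else:
        print(f"HTTP {status} from {url}: {body[:200]}")
        print("Compare with: curl -A 'Mozilla/5.0' -sS -o /dev/null -w '%{http_code}' " + url)
```

    Run it from the OneDev host, not from a workstation: the 403 in this thread was specific to the server's egress path and client signature, which is why a browser elsewhere never reproduced it. If the Java-agent request is blocked and the browser-agent request is not, the fix is an allow rule at the edge for the well-known path (and for `jwks_uri` and `token_endpoint`, which the server also fetches), not a change in OneDev.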

  • Robin Shen changed state to 'Closed' 4 years ago (previous value: Open; current value: Closed)
  • Robin Shen commented 4 years ago

    Closing now. Feel free to reopen if you have any problems configuring OneDev to work with Authentik.

  • Josh Chapman commented 4 years ago

    Unfortunately, I am back with more issues. I got the two servers talking successfully, but immediately get an error of:

    OIDC response error (code: invalid_grant, description: The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client, http status code: 400)

    Unfortunately, neither server seems to be logging any errors at all regarding this one, so I'm a bit stuck on how to begin digging into what the actual issue is. Any advice on where to start debugging would be greatly appreciated.

  • Josh Chapman commented 4 years ago

    And yet again, this one was completely on a bad build. I ripped this back down and rebuilt it from scratch and everything works great. Apparently, somehow (still haven't figured out how I did it), the time on the OneDev server wasn't synced properly, so the token times didn't match. Very odd, but a rebuild is all that was needed.
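    The thread attributes the `invalid_grant` to an unsynchronised clock on the OneDev host, and notes that neither side logged anything useful. Time claims are where skew bites in OIDC: the relying party compares the token's `iat`, `exp` and `nbf` against its own clock, so a clock that is behind the issuer sees tokens "issued in the future" and a clock that is ahead sees them already expired. The block below is an added example, not OneDev's or Authentik's code. To stay self-contained it mints and verifies an HS256 token with a constructed shared secret; a real Authentik ID token is RS256 and is verified against the provider's `jwks_uri`, but the claim checks and the leeway handling are the same. Issuer, client ID, secret and timestamps are all constructed placeholders.

```python
"""Time-claim validation with clock-skew leeway (added example; not OneDev's code)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders; a real deployment gets these from the provider config.
ISSUER = "https://auth.example.test/application/o/git/"
CLIENT_ID = "onedev-example-client"
SECRET = b"constructed-shared-secret-for-demo-only"
ISSUE_TIME = 1646300000          # fixed epoch so results are reproducible
TOKEN_LIFETIME = 300             # five-minute ID token, an assumed lifetime


class TokenError(Exception):
    """Raised for any verification failure; the message says which check failed."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT. Stands in for the IdP's RS256 signer in this demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, expected_iss: str, expected_aud: str,
                 now: float = None, leeway: int = 0) -> dict:
    """Check signature, then iss/aud, then time claims with `leeway` seconds of tolerance.
    `now` is the verifier's clock; pass a skewed value to reproduce the failure mode."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    for name in ("exp", "iat"):
        if name not in claims:
            raise TokenError(f"missing {name}")
    if now > claims["exp"] + leeway:
        raise TokenError(f"expired: exp={claims['exp']} now={now:.0f}")
    if claims["iat"] > now + leeway:
        raise TokenError(f"issued in the future: iat={claims['iat']} now={now:.0f} (clock skew?)")
    if "nbf" in claims and claims["nbf"] > now + leeway:
        raise TokenError(f"not yet valid: nbf={claims['nbf']} now={now:.0f}")
    return claims


SAMPLE_TOKEN = make_token(
    {"iss": ISSUER, "aud": CLIENT_ID, "sub": "constructed-user",
     "iat": ISSUE_TIME, "exp": ISSUE_TIME + TOKEN_LIFETIME},
    SECRET,
)


def check_with_skew(token: str, secret: bytes, skew_seconds: int, leeway: int = 0) -> str:
    """Verify as a relying party whose clock is off by skew_seconds from the issuer
    (the issuer is assumed to hold true time). Returns 'ok' or the failure reason."""
    try:
        verify_token(token, secret, ISSUER, CLIENT_ID, now=ISSUE_TIME + skew_seconds, leeway=leeway)
        return "ok"
    except TokenError as e:
        return str(e)


if __name__ == "__main__":
    for skew, leeway in ((0, 0), (-120, 0), (-120, 180), (600, 0)):
        print(f"verifier clock {skew:+d}s, leeway {leeway}s: {check_with_skew(SAMPLE_TOKEN, SECRET, skew, leeway)}")
```

    A verifier whose clock is two minutes behind the issuer rejects a freshly minted token as issued in the future; the same token passes once a small leeway is allowed. Leeway is a bounded tolerance (tens of seconds, not minutes), not a substitute for time sync: on the host itself, `timedatectl` or `chronyc tracking` shows whether NTP is synchronised, and that is the first thing to check when an OIDC exchange fails without either side logging a cause.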

  • Robin Shen commented 4 years ago

    Glad to see it is working now.

Type: Question
Priority: Normal
Assignee:
Issue Votes (0)
Watchers (4)
Reference: OD-607