[bug] OAuth consumer mode broken #646

New issue

Closed

opened 2023-10-04 15:33:36 +00:00 by tcmal · 2 comments

tcmal commented

2023-10-04 15:33:36 +00:00

Contributor

Your setup

From source

Extra details

Debian 10, Elixir 1.15.4

Version

stable (ebfb617b26)

PostgreSQL version

13.11

What were you trying to do?

Set up Akkoma to authenticate users using Keycloak, as we have in the past using pleroma.

What did you expect to happen?

Users can log in using keycloak.

What actually happened?

When trying to log in, the user is redirected to keycloak, then back to the callback url (/oauth/keycloak/callback), which is a blank page with code 500.

Logs

```
Oct 04 15:12:26 office mix[2754546]: 15:12:26.259 request_id=F4rwOwcIvWdCJ-UAAvPC [error] Internal server error: %Jason.DecodeError{position: 0,token: nil, data: "AHmXX9Zl4swKHbApXOYNBVx-"}
Oct 04 15:12:26 office mix[2754546]: 15:12:26.287 [error] Ranch listener Pleroma.Web.Endpoint.HTTP, connection process #PID<0.5090.0>, stream 10had its request process #PID<0.5308.0> exit with reason{{    %Protocol.UndefinedError{        protocol: Phoenix.HTML.Safe,        value: %{errors: %{detail: "Internal server error"}},        description: ""        },    [        {Phoenix.HTML.Safe, :impl_for!, 1, [file: ~c"lib/phoenix_html/safe.ex", line: 1]},        {Phoenix.HTML.Safe, :to_iodata, 1, [file: ~c"lib/phoenix_html/safe.ex", line: 15]},        {Phoenix.Controller, :render_and_send, 4, [file: ~c"lib/phoenix/controller.ex", line: 772]},        {Phoenix.Endpoint.RenderErrors, :instrument_render_and_send, 5, [file: ~c"lib/phoenix/endpoint/render_errors.ex", line: 78]},        {Phoenix.Endpoint.RenderErrors, :__catch__, 5, [file: ~c"lib/phoenix/endpoint/render_errors.ex", line: 64]},        {Phoenix.Endpoint.Cowboy2Handler, :init, 4, [file: ~c"lib/phoenix/endpoint/cowboy2_handler.ex", line: 54]},        {:cowboy_handler, :execute, 2, [file: ~c"/opt/pleroma/deps/cowboy/src/cowboy_handler.erl", line: 37]},        {:cowboy_stream_h, :execute, 3, [file: ~c"/opt/pleroma/deps/cowboy/src/cowboy_stream_h.erl", line: 306]}   ]},{Pleroma.Web.Endpoint, :call, [                       %Plug.Conn{adapter: {Plug.Cowboy.Conn, :...}, assigns: %{}, body_params: %Plug.Conn.Unfetched{aspect: :body_params}, cookies: %Plug.Conn.Unfetched{aspect: :cookies}, halted: false, host: "fed.tardisproject.uk", method: "GET", owner: #PID<0.5308.0>, params: %Plug.Conn.Unfetched{aspect: :params}, path_info: ["oauth", "keycloak", "callback"], path_params: %{}, port: 80, private: %{}, query_params: %Plug.Conn.Unfetched{aspect: :query_params}, query_string: "state=AHmXX9Zl4swKHbApXOYNBVx-&session_state=043f85c7-62dc-406d-822f-6ab1a1d498b2&code=8d69cf0a-97df-4b98-9769-b5fcad918b5a.043f85c7-62dc-406d-822f-6ab1a1d498b2.648b06ae-9312-45e7-a741-3717f84b0b42", remote_ip: {192, 168, 0, 14}, req_cookies: %Plug.Conn.Unfetched{aspect: :cookies}, req_headers: [REDACTED], request_path: "/oauth/keycloak/callback", resp_body: nil, resp_cookies: %{}, resp_headers: [{"cache-control", "max-age=0, private, must-revalidate"}], scheme: :http, script_name: [], secret_key_base: nil, state: :unset, status: nil},                       []]}} and stacktrace []
```

Severity

I cannot use it as easily as I'd like

Have you searched for this issue?

I have double-checked and have not found this issue mentioned anywhere.

### Your setup From source ### Extra details Debian 10, Elixir 1.15.4 ### Version stable (ebfb617b2607970e58be934b8336dfc47be7414a) ### PostgreSQL version 13.11 ### What were you trying to do? Set up Akkoma to authenticate users using Keycloak, as we have in the past using pleroma. ### What did you expect to happen? Users can log in using keycloak. ### What actually happened? When trying to log in, the user is redirected to keycloak, then back to the callback url (`/oauth/keycloak/callback`), which is a blank page with code 500. ### Logs ````shell ``` Oct 04 15:12:26 office mix[2754546]: 15:12:26.259 request_id=F4rwOwcIvWdCJ-UAAvPC [error] Internal server error: %Jason.DecodeError{position: 0,token: nil, data: "AHmXX9Zl4swKHbApXOYNBVx-"} Oct 04 15:12:26 office mix[2754546]: 15:12:26.287 [error] Ranch listener Pleroma.Web.Endpoint.HTTP, connection process #PID<0.5090.0>, stream 10had its request process #PID<0.5308.0> exit with reason{{ %Protocol.UndefinedError{ protocol: Phoenix.HTML.Safe, value: %{errors: %{detail: "Internal server error"}}, description: "" }, [ {Phoenix.HTML.Safe, :impl_for!, 1, [file: ~c"lib/phoenix_html/safe.ex", line: 1]}, {Phoenix.HTML.Safe, :to_iodata, 1, [file: ~c"lib/phoenix_html/safe.ex", line: 15]}, {Phoenix.Controller, :render_and_send, 4, [file: ~c"lib/phoenix/controller.ex", line: 772]}, {Phoenix.Endpoint.RenderErrors, :instrument_render_and_send, 5, [file: ~c"lib/phoenix/endpoint/render_errors.ex", line: 78]}, {Phoenix.Endpoint.RenderErrors, :__catch__, 5, [file: ~c"lib/phoenix/endpoint/render_errors.ex", line: 64]}, {Phoenix.Endpoint.Cowboy2Handler, :init, 4, [file: ~c"lib/phoenix/endpoint/cowboy2_handler.ex", line: 54]}, {:cowboy_handler, :execute, 2, [file: ~c"/opt/pleroma/deps/cowboy/src/cowboy_handler.erl", line: 37]}, {:cowboy_stream_h, :execute, 3, [file: ~c"/opt/pleroma/deps/cowboy/src/cowboy_stream_h.erl", line: 306]} ]},{Pleroma.Web.Endpoint, :call, [ %Plug.Conn{adapter: {Plug.Cowboy.Conn, :...}, assigns: %{}, body_params: %Plug.Conn.Unfetched{aspect: :body_params}, cookies: %Plug.Conn.Unfetched{aspect: :cookies}, halted: false, host: "fed.tardisproject.uk", method: "GET", owner: #PID<0.5308.0>, params: %Plug.Conn.Unfetched{aspect: :params}, path_info: ["oauth", "keycloak", "callback"], path_params: %{}, port: 80, private: %{}, query_params: %Plug.Conn.Unfetched{aspect: :query_params}, query_string: "state=AHmXX9Zl4swKHbApXOYNBVx-&session_state=043f85c7-62dc-406d-822f-6ab1a1d498b2&code=8d69cf0a-97df-4b98-9769-b5fcad918b5a.043f85c7-62dc-406d-822f-6ab1a1d498b2.648b06ae-9312-45e7-a741-3717f84b0b42", remote_ip: {192, 168, 0, 14}, req_cookies: %Plug.Conn.Unfetched{aspect: :cookies}, req_headers: [REDACTED], request_path: "/oauth/keycloak/callback", resp_body: nil, resp_cookies: %{}, resp_headers: [{"cache-control", "max-age=0, private, must-revalidate"}], scheme: :http, script_name: [], secret_key_base: nil, state: :unset, status: nil}, []]}} and stacktrace [] ``` ```` ### Severity I cannot use it as easily as I'd like ### Have you searched for this issue? - [x] I have double-checked and have not found this issue mentioned anywhere.

👍 2

tcmal added the

bug

label 2023-10-04 15:33:36 +00:00

tcmal commented

2023-10-04 15:36:21 +00:00

Author

Contributor

For whatever reason, state is expected to be a JSON blob. I can't find this decoding happening in ueberauth-keycloak or oauth2, and I'm not sure why it would be.

Also mentioned here, but not reported:

For whatever reason, `state` is expected to be a JSON blob. I can't find this decoding happening in `ueberauth-keycloak` or `oauth2`, and I'm not sure why it would be. Also mentioned here, but not reported: * https://meta.akkoma.dev/t/issues-getting-keycloak-to-run/40/6 * https://meta.akkoma.dev/t/500-error-with-keycloak-oauth-consumer/569 * https://meta.akkoma.dev/t/login-to-akkoma-with-oauth2-doesnt-work/390/8

tcmal commented

2023-12-17 15:51:11 +00:00

Author

Contributor

Picking this up again: Looks like pleroma is on version ~> 0.4.0 of ueberauth, while akkoma is on ~>0.10.0.

Between these versions, CSRF attack protection was added, and presumably the OAuth consumer mode code hasn't been updated for this.

Have tested with a few other providers and all seem broken.

Picking this up again: Looks like pleroma is on version `~> 0.4.0` of ueberauth, while akkoma is on `~>0.10.0`. Between these versions, [CSRF attack protection was added](https://github.com/ueberauth/ueberauth/pull/136), and presumably the OAuth consumer mode code hasn't been updated for this. Have tested with a few other providers and all seem broken.

tcmal changed title from ~~[bug] OAuth consumer mode broken when using Keycloak~~ to [bug] OAuth consumer mode broken

2023-12-17 15:51:18 +00:00

tcmal referenced this issue from a pull request that will close it,

2023-12-17 19:39:36 +00:00

Fix OAuth consumer mode #668