authorizationCode flow is broken on swagger UI
How to replicate:
- create an oauth client (with full scopes and grants)
- go to https://glpi/api.php/v2/doc
- Start Authorize (green button on top left)
- Fill the "oauth (OAuth2, authorizationCode)" form with the client_id and secret from the oauth client
- Submit -> white page
Relevant log
[2024-10-04 07:56:39] glpiphplog.INFO: Matched route "{route}". {"route":"glpi_api","route_parameters":{"_route":"glpi_api","_controller":"Glpi\\Controller\\ApiController","request_parameters":"/authorize"},"request_uri":"http://localhost:8000/api.php/authorize?client_id=ed26ec4a1fca0277a13fef593a8cc76f0de4b850d2c841447f95365c3a00c555&redirect_uri=%2Fapi.php%2Fswagger-oauth-redirect&response_type=code&scope=email%20user%20api%20inventory%20status&state=RnJpIE9jdCAwNCAyMDI0IDA5OjU2OjM5IEdNVCswMjAwIChoZXVyZSBk4oCZw6l0w6kgZOKAmUV1cm9wZSBjZW50cmFsZSk%3D","method":"GET"}
[2024-10-04 07:56:39] glpiphplog.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\NotFoundHttpException: "No route found for "GET http://localhost:8000/favicon.ico" (from "http://localhost:8000/api.php/authorize?response_type=code&client_id=ed26ec4a1fca0277a13fef593a8cc76f0de4b850d2c841447f95365c3a00c555&redirect_uri=%2Fapi.php%2Fswagger-oauth-redirect&scope=email%20user%20api%20inventory%20status&state=RnJpIE9jdCAwNCAyMDI0IDA5OjU2OjM5IEdNVCswMjAwIChoZXVyZSBk4oCZw6l0w6kgZOKAmUV1cm9wZSBjZW50cmFsZSk%3D")" at RouterListener.php line 127 {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\NotFoundHttpException(code: 0): No route found for \"GET http://localhost:8000/favicon.ico\" (from \"http://localhost:8000/api.php/authorize?response_type=code&client_id=ed26ec4a1fca0277a13fef593a8cc76f0de4b850d2c841447f95365c3a00c555&redirect_uri=%2Fapi.php%2Fswagger-oauth-redirect&scope=email%20user%20api%20inventory%20status&state=RnJpIE9jdCAwNCAyMDI0IDA5OjU2OjM5IEdNVCswMjAwIChoZXVyZSBk4oCZw6l0w6kgZOKAmUV1cm9wZSBjZW50cmFsZSk%3D\") at /var/www/html/glpi/10.1.git/vendor/symfony/http-kernel/EventListener/RouterListener.php:127)
[previous exception] [object] (Symfony\\Component\\Routing\\Exception\\ResourceNotFoundException(code: 0): No routes found for \"/favicon.ico/\". at /var/www/html/glpi/10.1.git/vendor/symfony/routing/Matcher/Dumper/CompiledUrlMatcherTrait.php:70)"}
[2024-10-04 07:56:39] glpiphplog.CRITICAL: *** Uncaught Exception Symfony\Component\HttpKernel\Exception\NotFoundHttpException: No route found for "GET http://localhost:8000/favicon.ico" (from "http://localhost:8000/api.php/authorize?response_type=code&client_id=ed26ec4a1fca0277a13fef593a8cc76f0de4b850d2c841447f95365c3a00c555&redirect_uri=%2Fapi.php%2Fswagger-oauth-redirect&scope=email%20user%20api%20inventory%20status&state=RnJpIE9jdCAwNCAyMDI0IDA5OjU2OjM5IEdNVCswMjAwIChoZXVyZSBk4oCZw6l0w6kgZOKAmUV1cm9wZSBjZW50cmFsZSk%3D") in /var/www/html/glpi/10.1.git/vendor/symfony/http-kernel/EventListener/RouterListener.php at line 127
Backtrace:
.../event-dispatcher/Debug/WrappedListener.php:116 Symfony\Component\HttpKernel\EventListener\RouterListener->onKernelRequest()
...ymfony/event-dispatcher/EventDispatcher.php:220 Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke()
...symfony/event-dispatcher/EventDispatcher.php:56 Symfony\Component\EventDispatcher\EventDispatcher->callListeners()
...spatcher/Debug/TraceableEventDispatcher.php:139 Symfony\Component\EventDispatcher\EventDispatcher->dispatch()
vendor/symfony/http-kernel/HttpKernel.php:157 Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch()
vendor/symfony/http-kernel/HttpKernel.php:76 Symfony\Component\HttpKernel\HttpKernel->handleRaw()
vendor/symfony/http-kernel/Kernel.php:197 Symfony\Component\HttpKernel\HttpKernel->handle()
public/index.php:56 Symfony\Component\HttpKernel\Kernel->handle()
To note:
- if we check a "scope" in the form (in addition to the client_id and secret), we get the 500 error of the issue
- if we do not check any "scope", we get a "Too many redirect" error
The two calls in the loop (Apache access log):
127.0.0.1 - - [04/Oct/2024:12:20:07 +0200] "GET /api.php/authorize?response_type=code&client_id=xxxxxxxxxxxxxx&redirect_uri=%2Fapi.php%2Fswagger-oauth-redirect&state=zzzzzzzzzzz%3D HTTP/1.1" 302 1106 "https://glpimain.local/api.php/v2/doc" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
127.0.0.1 - - [04/Oct/2024:12:20:07 +0200] "GET /?redirect=https%3A%2F%2Fglpimain.local%2Fapi.php%2Fv2%2Fauthorize%3Fscope%3D%26client_id%3Dxxxxxxxxxxxxxx%26response_type%3Dcode%26redirect_uri%3D%252Fapi.php%252Fswagger-oauth-redirect HTTP/1.1" 302 1003 "https://glpimain.local/api.php/v2/doc" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
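The redirect loop in the two access-log lines above, decoded as an added example (Python, written for this thread; it is not part of the original report or of GLPI's code). It parses the two Apache lines, unwraps the `?redirect=` parameter that the login-page hit carries, and diffs the OAuth parameters between the outer `/api.php/authorize` request and the inner authorize URL the login page bounces back to. Assumptions: both `/api.php/authorize` and `/api.php/v2/authorize` are treated as the same authorization endpoint (the log alternates between them), the `xxxxxxxxxxxxxx` / `zzzzzzzzzzz=` placeholders are kept as posted, and the user agent is shortened.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the two Apache access-log lines quoted in the report,
# client_id/state placeholders kept as the reporter posted them, user agent shortened.
ACCESS_LOG = """\
127.0.0.1 - - [04/Oct/2024:12:20:07 +0200] "GET /api.php/authorize?response_type=code&client_id=xxxxxxxxxxxxxx&redirect_uri=%2Fapi.php%2Fswagger-oauth-redirect&state=zzzzzzzzzzz%3D HTTP/1.1" 302 1106 "https://glpimain.local/api.php/v2/doc" "Mozilla/5.0"
127.0.0.1 - - [04/Oct/2024:12:20:07 +0200] "GET /?redirect=https%3A%2F%2Fglpimain.local%2Fapi.php%2Fv2%2Fauthorize%3Fscope%3D%26client_id%3Dxxxxxxxxxxxxxx%26response_type%3Dcode%26redirect_uri%3D%252Fapi.php%252Fswagger-oauth-redirect HTTP/1.1" 302 1003 "https://glpimain.local/api.php/v2/doc" "Mozilla/5.0"
"""

# Combined-log-format prefix: only method, request target and status code are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_access_log(text):
    """Return one dict per parsable log line: method, request target, status code."""
    hops = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hops.append({"method": m["method"], "target": m["target"], "status": int(m["status"])})
    return hops


def split_url(url):
    """Path plus a flat {param: value} dict; blank values are kept so 'scope=' stays visible."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.path, params


def unwrap_login_redirect(target):
    """A hit on the login page ('/') with ?redirect= carries the URL the login page will
    send the browser back to. Return that inner URL (percent-decoded once) or None."""
    path, params = split_url(target)
    if path == "/" and "redirect" in params:
        return params["redirect"]
    return None


def is_authorize_endpoint(path):
    # Assumption: /api.php/authorize and /api.php/v2/authorize are both the OAuth
    # authorization endpoint; the log shows the loop switching between the two.
    return path.endswith("/authorize")


def find_authorize_loop(hops):
    """Return ((path, params), (path, params)) for a 302 from the authorize endpoint that is
    followed by a 302 from the login page whose redirect target is the authorize endpoint
    again, i.e. the pair of requests that alternate in the 'too many redirects' loop.
    Return None if no such pair is present."""
    for prev, cur in zip(hops, hops[1:]):
        prev_path, prev_params = split_url(prev["target"])
        if prev["status"] != 302 or not is_authorize_endpoint(prev_path):
            continue
        inner = unwrap_login_redirect(cur["target"])
        if inner is None or cur["status"] != 302:
            continue
        inner_path, inner_params = split_url(inner)
        if is_authorize_endpoint(inner_path):
            return (prev_path, prev_params), (inner_path, inner_params)
    return None


def diff_params(outer, inner):
    """Which OAuth parameters were dropped, added or changed on the way round the loop."""
    keys = sorted(set(outer) | set(inner))
    return {k: (outer.get(k), inner.get(k)) for k in keys if outer.get(k) != inner.get(k)}


def redirect_uri_is_absolute(uri):
    """RFC 6749 section 3.1.2 requires the redirection endpoint to be an absolute URI."""
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc)


if __name__ == "__main__":
    loop = find_authorize_loop(parse_access_log(ACCESS_LOG))
    if loop:
        (outer_path, outer), (inner_path, inner) = loop
        print(f"loop: {outer_path} -> / -> {inner_path}")
        for name, (before, after) in diff_params(outer, inner).items():
            print(f"  {name}: {before!r} -> {after!r}")
        print("redirect_uri absolute:", redirect_uri_is_absolute(outer["redirect_uri"]))
```

On the sample, the decoded inner URL drops `state`, adds an empty `scope=`, and targets `/api.php/v2/authorize` while the outer request hit `/api.php/authorize`; `redirect_uri` survives the round trip as the relative path `/api.php/swagger-oauth-redirect`, which the last check flags because RFC 6749 requires an absolute redirection URI. Those differences are what to look at when bisecting where the loop originates.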
if we do not check any "scope", we get a "Too many redirect" error
@flegastelois Strangely, with the fixes in #18008, I can trigger the "infinite redirection" no matter how many scopes are selected 🤔
@Pierstoval Yes, I confirm: I no longer get the 500 error with the corrections of the PR, but on the other hand I get the infinite loop (with or without checking the scopes).