openid-connect-generic
Some problems with Gitlab connection
I tried to connect with gitlab, the login was successful, but there are some problems:
- After logging in successfully, it will be automatically logged out from time to time.
- When the user's email in Gitlab is not set to public, the login will be wrong.
- When used with the plugin "WP Statistics", it will be logged out immediately after login (normal when logging in with local users). The dashboard interface seen is as follows:
Click anywhere to return to the login page
Some error logs:
What should I do?
config:
Have the same problem. The session is invalidated after one minute (cron-job?) or immediately when any next admin-page is accessed - so when redirection is turned off, it will only log out when you go to admin.
Looking into the error "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client", I found that the error is given by "doorkeeper" used by Gitlab.
[FILTERED] Gitlab logs show multiple refresh tokens:
Started GET "/oauth/authorize?response_type=code&scope=read_user+openid+profile+email&client_id=[FILTERED]&state=[FILTERED]&redirect_uri=[FILTERED]%2Fopenid-connect-authorize"
Processing by Oauth::AuthorizationsController#new as HTML
Parameters: {"response_type"=>"code", "scope"=>"read_user openid profile email", "client_id"=>"[FILTERED]", "state"=>"[FILTERED]", "redirect_uri"=>"[FILTERED]/openid-connect-authorize"}
Redirected to [FILTERED]/openid-connect-authorize?code=[FILTERED]&state=[FILTERED]
Started POST "/oauth/token"
Processing by Doorkeeper::TokensController#create as */*
Parameters: {"code"=>"[FILTERED]", "client_id"=>"[FILTERED]", "client_secret"=>"[FILTERED]", "redirect_uri"=>"[FILTERED]/openid-connect-authorize", "grant_type"=>"authorization_code", "scope"=>"read_user openid profile email"}
Completed 200 OK in 44ms
Started POST "/oauth/userinfo"
Processing by Doorkeeper::OpenidConnect::UserinfoController#show as */*
Started POST "/oauth/token"
Processing by Doorkeeper::TokensController#create as */*
Parameters: {"refresh_token"=>"[FILTERED]", "client_id"=>"[FILTERED]", "client_secret"=>"[FILTERED]", "grant_type"=>"refresh_token"}
Completed 200 OK in 44ms
Started POST "/oauth/token"
Processing by Doorkeeper::TokensController#create as */*
Parameters: {"refresh_token"=>"[FILTERED]", "client_id"=>"[FILTERED]", "client_secret"=>"[FILTERED]", "grant_type"=>"refresh_token"}
Completed 200 OK in 46ms
Started POST "/oauth/token"
Processing by Doorkeeper::TokensController#create as */*
Parameters: {"refresh_token"=>"[FILTERED]", "client_id"=>"[FILTERED]", "client_secret"=>"[FILTERED]", "grant_type"=>"refresh_token"}
Completed 200 OK in 35ms
Started POST "/oauth/token"
Processing by Doorkeeper::TokensController#create as */*
Parameters: {"refresh_token"=>"[FILTERED]", "client_id"=>"[FILTERED]", "client_secret"=>"[FILTERED]", "grant_type"=>"refresh_token"}
Started POST "/oauth/token"
Processing by Doorkeeper::TokensController#create as */*
Parameters: {"refresh_token"=>"[FILTERED]", "client_id"=>"[FILTERED]", "client_secret"=>"[FILTERED]", "grant_type"=>"refresh_token"}
Completed 401 Unauthorized in 241ms
Completed 200 OK in 401ms
Started POST "/oauth/token"
Processing by Doorkeeper::TokensController#create as */*
Parameters: {"refresh_token"=>"[FILTERED]", "client_id"=>"[FILTERED]", "client_secret"=>"[FILTERED]", "grant_type"=>"refresh_token"}
Completed 401 Unauthorized in 2ms
Why multiple refresh-tokens? Could it mean that the code-injection for checking the "are you logged in" creates problems? So how big is the chance for "issued to another client"?
Then I found https://gitlab.com/gitlab-org/gitlab-foss/commit/02709334d4013073dffe5b6c2fd6ff7377b87ba9 - see the last remark:
Since upgrading to a version of gitlab that has this, I now see this when I try to auth:
Response: {"error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
Logically I tried to disable `reuse_access_token` and then do `gitlab-ctl reconfigure`, but it did not help.
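A constructed model (added here; not code from the plugin, GitLab or Doorkeeper) of why the interleaved refresh-token grants in the log above end in `invalid_grant` when the provider rotates refresh tokens, and of the client-side fix: several admin requests that all see an expired access token must share one refresh instead of each presenting the same, now revoked, refresh token. The `TokenServer`/`simulate` names, the 60-second access-token lifetime and the single-use rotation rule are assumptions for the illustration.

```ruby
require 'securerandom'

# Constructed model of a token endpoint that rotates refresh tokens:
# every refresh revokes the presented token and issues a new pair, so a
# second grant that presents the same token gets 401 invalid_grant
# (assumed here to be Doorkeeper's behaviour when reuse is disabled).
class TokenServer
  def initialize
    @used = {} # refresh_token => true once it has been presented
  end

  def issue_pair(now)
    { access_token: SecureRandom.hex(8),
      refresh_token: SecureRandom.hex(8),
      expires_at: now + 60 } # assumed 60 s access-token lifetime
  end

  # POST /oauth/token with grant_type=refresh_token
  def refresh(refresh_token, now)
    return { status: 401, error: 'invalid_grant' } if @used[refresh_token]
    @used[refresh_token] = true
    issue_pair(now).merge(status: 200)
  end
end

# Simulates N admin page requests that all arrive with an expired access
# token. With coordinated=false each request refreshes with the session it
# read on arrival (a snapshot), so only the first refresh wins and the others
# are rejected, which the plugin then treats as "logged out". With
# coordinated=true each request re-reads the shared session right before
# calling the endpoint and skips the refresh if a sibling already rotated
# the tokens (single-flight refresh; in practice a lock on the session store).
def simulate(requests, now: 1000, coordinated: false)
  server = TokenServer.new
  session = server.issue_pair(now - 120)           # expired 60 s ago
  snapshots = Array.new(requests) { session.dup }  # what each request saw
  snapshots.map do |seen|
    current = coordinated ? session : seen
    next 200 if current[:expires_at] > now          # already refreshed by a sibling
    resp = server.refresh(current[:refresh_token], now)
    session.merge!(resp) if resp[:status] == 200    # publish the rotated pair
    resp[:status]
  end
end
```

Running `simulate(3)` reproduces the 200/401/401 pattern from the GitLab log; `simulate(3, coordinated: true)` yields three 200s because only one refresh is sent.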
Anyone ever found a solution? I'm using gitlab to login, everything works fine but as soon as I try to do something in my mainwp dashboard I get the doorkeeper `invalid_grant` error and the action can't continue.
@Kiina this wasn't on my radar. I have a testing environment set up to connect to OIDC providers. I'll see if I can set up a connection to GitLab and perform some testing, after I read through this issue.
With normal login or other providers (tested google now) it works without issues, but gitlab seems to have some. The most consistent way I found to trigger this issue is with a mainwp dashboard using the "sync dashboards with child sites". It will fail on gitlab as a provider but not with google or normal login.
Did anyone ever test with turning off the refresh token option in the plugin settings? Some IDPs don't support refresh tokens, and I believe by turning that feature off in the plugin it should prevent users from being logged out once authenticated.
Without refresh token: ERROR (invalid-state): Invalid state.
With refresh token I just get back at the login-page. This is the log from the plugin, which seems right:
@VincentSC an invalid state error wouldn't have anything to do with the refresh token setting. Did it take longer than 3 minutes for you to complete your login as the generated state is only valid for 3 minutes, or based on the value set in the plugin settings.
Yes, you're right. I checked multiple times now and the error message did not pop up anymore.
Now the funny thing. I checked `/wp-admin` and at one point I was logged in! More good news: I managed to reproduce and can now log in with some manual steps.
These are my mappings, slightly different from what the original poster has:
Steps to make it work:
- go to `<domain>/wp-login.php?action=logout`. Without the forced logout it won't work!!
- press the OpenID login button
- go to `<domain>/wp-admin` manually
- enjoy
I tested with the refresh-token on and off. Works with both.
So seemingly something goes wrong in the plugin itself, as the session is validated as correct and then the login-page is shown. I have the latest WordPress version, version 3.8.4 of the OpenID Connect Generic plugin.
Noticed the same thing with the login page with google as a provider, think it started with the last update. Switched to gitlab without refresh tokens and it seems to work up to now, but the redirect issue is still there.
@Kiina is the redirect issue you are seeing present in the 3.8.3 version of the plugin? The 3.8.4 update fixed an issue that remained in the 3.8.3 version, but then an additional error has come up in the latest release, and I believe it is specific to the auto-login. I will dig into this with some more testing today.
Well in 3.8.3 I don't get redirected to the page I wanted to visit but the main page (even if the Redirect Back to Origin Page option is on), but in 3.8.4 I get redirected to the login page again. But I used the button login, not the auto login option. I think 3.8.2 was working correctly with the redirects.
Latest update seems to fix the redirect issues. Thanks!
@Kiina excellent, glad to hear it's working.