OAuth2 unable to login after version 8.6
Describe the bug
A previously working OAuth2 configuration breaks after updating from 8.5 to 8.6.
This could be related to the authlib 1.2 -> 1.3 update that happened in the same release window.
To Reproduce
- Set up an OAuth2 configuration
- Log in to pgadmin
Expected behavior
Access pgadmin
Error message
Server logs:
10.3.1.133 - - [12/Jun/2024:19:52:39 +0000] "POST /authenticate/login HTTP/1.1" 302 807 "https://pgadmin.<REDACTED>/login?next=/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0"
2024-06-12 19:52:42,590: ERROR pgadmin: invalid_client: Invalid client authentication credentials.
Traceback (most recent call last):
File "/venv/lib/python3.11/site-packages/flask/app.py", line 880, in full_dispatch_request
rv = self.dispatch_request()
^^^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/flask/app.py", line 865, in dispatch_request
return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) # type: ignore[no-any-return]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 56, in oauth_authorize
status, msg = auth_obj.login()
^^^^^^^^^^^^^^^^
File "/pgadmin4/pgadmin/authenticate/__init__.py", line 299, in login
status, msg = self.source.login(self.form)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 136, in login
profile = self.get_user_profile()
^^^^^^^^^^^^^^^^^^^^^^^
File "/pgadmin4/pgadmin/authenticate/oauth2.py", line 211, in get_user_profile
self.oauth2_current_client].authorize_access_token()
^^^^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/authlib/integrations/flask_client/apps.py", line 101, in authorize_access_token
token = self.fetch_access_token(**params, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/authlib/integrations/base_client/sync_app.py", line 342, in fetch_access_token
token = client.fetch_token(token_endpoint, **params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 211, in fetch_token
return self._fetch_token(
^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 368, in _fetch_token
return self.parse_response_token(resp)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/venv/lib/python3.11/site-packages/authlib/oauth2/client.py", line 344, in parse_response_token
raise self.oauth_error_class(
authlib.integrations.base_client.errors.OAuthError: invalid_client: Invalid client authentication credentials.
10.3.1.133 - - [12/Jun/2024:19:52:42 +0000] "GET /oauth2/authorize?code=<REDACTED>&locale=en&state=<REDACTED>&userState=Authenticated HTTP/1.1" 500 121 "https://auth.<REDACTED>/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0"
Screenshots
Browser:
Desktop (please complete the following information):
- OS: linux
- Version:
- Mode: server
- Browser (if running in server mode): firefox
- Package type: container
Additional context
OAuth provider is a self-hosted containerized FusionAuth instance.
FusionAuth and pgadmin are hosted inside the same kubernetes cluster.
Helm chart values:
config_local.py: |-
  import os
  MASTER_PASSWORD_REQUIRED = False
  AUTHENTICATION_SOURCES = ['oauth2', 'internal']
  OAUTH2_AUTO_CREATE_USER = True
  OAUTH2_CONFIG = [
      {
          'OAUTH2_NAME': 'fusionauth',
          'OAUTH2_DISPLAY_NAME': 'FusionAuth',
          'OAUTH2_CLIENT_ID': os.environ['OAUTH2_CLIENT_ID'],
          'OAUTH2_CLIENT_SECRET': os.environ['OAUTH2_CLIENT_SECRET'],
          'OAUTH2_TOKEN_URL': os.environ['OAUTH2_TOKEN_URL'],
          'OAUTH2_AUTHORIZATION_URL': os.environ['OAUTH2_AUTHORIZATION_URL'],
          'OAUTH2_SERVER_METADATA_URL': os.environ['OAUTH2_SERVER_METADATA_URL'],
          'OAUTH2_API_BASE_URL': os.environ['OAUTH2_API_BASE_URL'],
          'OAUTH2_USERINFO_ENDPOINT': os.environ['OAUTH2_USERINFO_ENDPOINT'],
          'OAUTH2_SCOPE': 'openid profile email',
          'OAUTH2_ICON': 'fa-react',
          'OAUTH2_BUTTON_COLOR': '#0000ff'
      }
  ]
Environment variables:
OAUTH2_API_BASE_URL: https://auth.<REDACTED>/oauth2
OAUTH2_AUTHORIZATION_URL: https://auth.<REDACTED>/oauth2/authorize
OAUTH2_CLIENT_ID: <REDACTED>
OAUTH2_SERVER_METADATA_URL: https://auth.<REDACTED>/<REDACTED>/.well-known/openid-configuration
OAUTH2_TOKEN_URL: https://auth.<REDACTED>/oauth2/token
OAUTH2_USERINFO_ENDPOINT: https://auth.<REDACTED>/oauth2/userinfo
OAUTH2_CLIENT_SECRET: <REDACTED>
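The traceback above fails inside authorize_access_token, i.e. at the authorization-code exchange with the token endpoint, and the provider answers with the RFC 6749 error code invalid_client. That code means the provider could not authenticate the client itself (client_id and secret, and the way they were sent), not that the user's code or session was bad. The script below is an added diagnostic example, not pgadmin or Authlib code: it reads a constructed copy of the provider's discovery metadata (the document behind OAUTH2_SERVER_METADATA_URL) to see which client authentication methods the provider advertises, builds the token request offline in the two standard confidential-client forms (client_secret_basic and client_secret_post), and maps a token-endpoint error body to the place to look. All URLs, identifiers and the metadata contents are placeholders; the function names are this example's own.

```python
"""Offline check of how a confidential OAuth2 client authenticates to the
token endpoint, and what an `invalid_client` error at that step means.

Added example; not pgadmin or Authlib code. Nothing here talks to a network.
"""
import base64
import json
from urllib.parse import quote, urlencode

# Constructed discovery document, modelled on the shape of a real
# /.well-known/openid-configuration response. All values are placeholders.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://auth.example.invalid",
    "token_endpoint": "https://auth.example.invalid/oauth2/token",
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "client_secret_post",
    ],
})

# Constructed token-endpoint error body in the RFC 6749 section 5.2 shape
# that yields the "invalid_client: Invalid client authentication
# credentials." message seen in the traceback above.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": "Invalid client authentication credentials.",
})


def supported_auth_methods(metadata_json):
    """Return the client auth methods the provider advertises.

    RFC 8414 / OpenID Discovery: when the field is absent, the default is
    client_secret_basic only.
    """
    meta = json.loads(metadata_json)
    return list(meta.get("token_endpoint_auth_methods_supported",
                         ["client_secret_basic"]))


def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Build (headers, body) for an authorization_code exchange.

    client_secret_basic: credentials go in an HTTP Basic Authorization header
    (RFC 6749 section 2.3.1: id and secret are form-urlencoded before base64).
    client_secret_post: credentials go in the form body.
    The secret is never placed in the URL query string in either form.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client auth method: {method}")
    return headers, urlencode(params)


def check_method_against_metadata(method, metadata_json):
    """True when the provider says it accepts this client auth method."""
    return method in supported_auth_methods(metadata_json)


def classify_token_error(body_json):
    """Map an RFC 6749 section 5.2 error code to the component to inspect."""
    err = json.loads(body_json).get("error")
    hints = {
        "invalid_client": "client authentication failed: check client_id, "
                          "secret, and whether the auth method used is one "
                          "the provider accepts",
        "invalid_grant": "authorization code rejected: expired, reused, or "
                         "redirect_uri mismatch",
        "unauthorized_client": "client is not allowed to use this grant type",
    }
    return err, hints.get(err, "see the provider's documentation")


if __name__ == "__main__":
    # Placeholder credentials and callback; not real values.
    for m in ("client_secret_basic", "client_secret_post"):
        hdrs, body = build_token_request(
            m, "pgadmin", "s3cret", "CODE",
            "https://pgadmin.example.invalid/oauth2/authorize")
        print(m, "advertised by provider:",
              check_method_against_metadata(m, SAMPLE_METADATA))
        print("  headers:", hdrs)
        print("  body:   ", body)
    print(classify_token_error(SAMPLE_ERROR_BODY))
```

When a client library upgrade changes which of these two forms it sends by default, the same client_id and secret that worked before can start producing invalid_client with no change to the provider, so comparing the method the client actually uses against token_endpoint_auth_methods_supported is the first check to make before rotating any secret.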
I am not able to reproduce the issue. The error clearly indicates that the credentials are invalid: 'invalid_client: Invalid client authentication credentials.' Can you please log in to your OAuth2 provider in one tab and then try logging in to pgadmin with OAuth2?
Worth noting that when we downgrade to the "8.5" image tag, with the same settings/credentials, it works fine again.
@jusblock00, @hoopty, which OAuth2 provider are you using?
We haven't changed anything in OAuth2 behaviour; we just upgraded the Authlib library. We will raise this issue with the upstream.
We are using FusionAuth (https://fusionauth.io/docs/lifecycle/authenticate-users/oauth/)