planka icon indicating copy to clipboard operation
planka copied to clipboard
verified publisher icon plankanban

OIDC with FortiAuthenticator

Open nicedevil007 opened this issue 1 year ago • 8 comments

Hey guys, I'm trying to get OIDC working with our FortiAuthenticator. Unfortunately I can't get anything up and running.

My planka systemd service stops with the following message:

Apr 08 12:00:56 planka npm[2627]: > start
Apr 08 12:00:56 planka npm[2627]: > nodemon
Apr 08 12:00:56 planka npm[2639]: [nodemon] 3.0.1
Apr 08 12:00:56 planka npm[2639]: [nodemon] to restart at any time, enter `rs`
Apr 08 12:00:56 planka npm[2639]: [nodemon] watching path(s): *.*
Apr 08 12:00:56 planka npm[2639]: [nodemon] watching extensions: js,mjs,cjs,json
Apr 08 12:00:56 planka npm[2639]: [nodemon] starting `node app.js`
Apr 08 12:00:57 planka npm[2652]: 2024-04-08 12:00:57 [E] A hook (`oidc`) failed to load!
Apr 08 12:00:57 planka npm[2652]: 2024-04-08 12:00:57 [E] Failed to lift app: expected 200 OK, got: 301 Moved Permanently
Apr 08 12:00:57 planka npm[2639]: [nodemon] clean exit - waiting for changes before restart

Here is my config:

## Required

BASE_URL=https://planka.mydomain.org
DATABASE_URL=postgresql://planka:<SECRET>@localhost/planka
SECRET_KEY=<SECRET>

## Optional

TRUST_PROXY=1
#TOKEN_EXPIRES_IN=14 # In days

# related: https://github.com/knex/knex/issues/2354
# As knex does not pass query parameters from the connection string we
# have to use environment variables in order to pass the desired values, e.g.
# PGSSLMODE=<value>

# Configure knex to accept SSL certificates
# KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false

#[email protected] # Do not remove if you want to prevent this user from being edited/deleted
#DEFAULT_ADMIN_PASSWORD=demo
#DEFAULT_ADMIN_NAME=Demo Demo
#DEFAULT_ADMIN_USERNAME=demo

# Email Notifications (https://nodemailer.com/smtp/)
SMTP_HOST=my.mydomain.org
SMTP_PORT=465
SMTP_SECURE=true
#SMTP_USER=
#SMTP_PASSWORD=
SMTP_FROM="Planka" <[email protected]>

OIDC_ISSUER=https://auth.mydomain.org/api/v1/oauth
OIDC_CLIENT_ID=<SECRET>
OIDC_CLIENT_SECRET=<SECRET>
OIDC_SCOPES=openid email profile
# OIDC_ADMIN_ROLES=admin
#OIDC_EMAIL_ATTRIBUTE=email
#OIDC_NAME_ATTRIBUTE=name
#OIDC_USERNAME_ATTRIBUTE=preferred_username
#OIDC_ROLES_ATTRIBUTE=groups
# OIDC_IGNORE_USERNAME=true
# OIDC_IGNORE_ROLES=true
# OIDC_ENFORCED=true

## Do not edit this

TZ=UTC

So here a quick overview of the network that is all this in:

Network A: planka is hosted on seperate Ubuntu VM (it is installed with manual install method) Network B: Nginx Proxy Manager that forwards traffic going to https://planka.email.server to the Network A VM with Planka running on it Network C: FortiAuthenticator

Ofc: All firewall rules to reach the one or other Network are up and running and nothing is blocked so far (at least this is what my logs tell me ;D)

If I disable all OIDC env variables it is working with local logins.

nicedevil007 avatar Apr 08 '24 12:04 nicedevil007

Hi! It looks like openid-client can't discover the issuer by the provided URL:

const issuer = await openidClient.Issuer.discover(sails.config.custom.oidcIssuer);

Please try to navigate to the address of your issuer https://auth.mydomain.org/api/v1/oauth in a browser and see where you will be redirected to and specify the final address. It's also possible that you need to put a slash at the end of https://auth.mydomain.org/api/v1/oauth/ (but it's just a guess why redirection is done).

meltyshev avatar Apr 08 '24 19:04 meltyshev

Ok I tested this with / and without. Not working at all.

This is what I have available as URL on my FortiAuthenticator.

{
    "issuer": "https://auth.mydomain.org/api/v1/oauth",
    "authorization_endpoint": "https://auth.mydomain.org/api/v1/oauth/authorize/",
    "token_endpoint": "https://auth.mydomain.org/api/v1/oauth/token/",
    "userinfo_endpoint": "https://auth.mydomain.org/api/v1/oauth/userinfo/",
    "jwks_uri": "https://auth.mydomain.org/api/v1/oauth/.well-known/keys/",
    "response_types_supported": [
        "code",
        "token",
        "id_token",
        "id_token token",
        "code token",
        "code id_token",
        "code id_token token"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "token_endpoint_auth_methods_supported": [
        "client_secret_post",
        "client_secret_basic"
    ]
}

So what should I take from these ones?

nicedevil007 avatar Apr 09 '24 11:04 nicedevil007

The response looks correct. It's very hard to say why this might be happening. We'll try to test with FortiAuthenticator sometime or maybe someone has already encountered this and can tell us how to solve it.

meltyshev avatar Apr 10 '24 11:04 meltyshev

Ok got a bit further but without succesfull login. I just changed the OIDC_ISSUER URL to this here:

OIDC_ISSUER=https://auth.mydomain.org/api/v1/oauth/.well-known/openid-configuration

Now our fortiauthenticator tells me (after succesfull login to the FAC) image

Is it even possible to not use the auto config method but use the method where we have to add all URI's by ourselfes?

nicedevil007 avatar Jun 10 '24 12:06 nicedevil007

Got a bit further, now Planka tells me that an unknown error appeared, where can I find those logs to get a bit more information about the error?

image

nicedevil007 avatar Jun 24 '24 19:06 nicedevil007

Found this in the docker logs:

2024-06-24 19:03:45 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
2024-06-24 19:03:45 [W] Invalid code or nonce! (IP: *******)
2024-06-24 19:04:08 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
2024-06-24 19:04:08 [W] Invalid code or nonce! (IP: *******)

nicedevil007 avatar Jun 24 '24 19:06 nicedevil007

Found this in the docker logs:

2024-06-24 19:03:45 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
2024-06-24 19:03:45 [W] Invalid code or nonce! (IP: *******)
2024-06-24 19:04:08 [W] Error while exchanging OIDC code: RPError: iss mismatch, expected https://auth.*******.org/api/v1/oauth, got: https://auth.*******.org/api/v1/oauth/.well-known/openid-configuration/
2024-06-24 19:04:08 [W] Invalid code or nonce! (IP: *******)

If I do what is telling me the error message (removing /.well-known/openid-configuration/ from the expected URI) it leads to this error in the docker logs:

2024-06-24 20:10:30 [E] A hook (`oidc`) failed to load!
2024-06-24 20:10:30 [E] Failed to lift app: expected 200 OK, got: 301 Moved Permanently

Now I would assume this is an error because planka is behind a reverseproxy?

nicedevil007 avatar Jun 24 '24 20:06 nicedevil007