OpenID SSO never gets activated - stays "pending"
Hi,
In the latest Fab-manager 6.4.9 I tried to add our SSO from Synology NAS, but I don't know how to activate that thing.
I added a new strategy here:
I properly prepared a new SSO application at Synology first, creating identifier and secret. I am only unsure about the redirect URI.
After adding all values and saving, the status always stays pending. I don't see any button or way to activate it. I expected to see some SSO button on the front page as soon as I add the new auth strategy.
The docker logs and logs in /opt/fabmanager/log don't give errors about something special.
I already messed in the database to check what happens if I change the status manually, but no difference:
docker exec -it fabmanager-postgres-1 psql -U postgres
\c fablab_production
\dt
select * from auth_providers;
update auth_providers set status = 'active' where status = 'pending';
The JSON from the SSO endpoint is:
{
"authorization_endpoint" : "https://REDACTED_URL/webman/sso/SSOOauth.cgi",
"claims_supported" : [ "aud", "email", "exp", "groups", "iat", "iss", "sub", "username" ],
"code_challenge_methods_supported" : [ "S256", "plain" ],
"grant_types_supported" : [ "authorization_code", "implicit" ],
"id_token_signing_alg_values_supported" : [ "RS256" ],
"issuer" : "https://REDACTED_URL/webman/sso",
"jwks_uri" : "https://REDACTED_URL/webman/sso/openid-jwks.json",
"response_types_supported" : [ "code", "code id_token", "id_token", "id_token token" ],
"scopes_supported" : [ "email", "groups", "openid" ],
"subject_types_supported" : [ "public" ],
"token_endpoint" : "https://REDACTED_URL/webman/sso/SSOAccessToken.cgi",
"token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
"userinfo_endpoint" : "https://REDACTED_URL/webman/sso/SSOUserInfo.cgi"
}
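As an added example (not part of the thread and not Fab-manager or Synology code), this Ruby check audits a discovery document like the one posted above before it is wired into a client: HTTPS endpoints on the issuer's host, the `openid` scope, the `code` response type, and RS256 are required, while the advertised implicit grant and `plain` PKCE method are reported as options the client should not select. The host `nas.example.test` is a placeholder for the redacted URL, and `audit_discovery` is a hypothetical helper name.

```ruby
require 'json'
require 'uri'

# Constructed sample: the discovery document from the post, with the redacted
# host replaced by the placeholder nas.example.test.
DISCOVERY = <<~JSON
  {
    "authorization_endpoint": "https://nas.example.test/webman/sso/SSOOauth.cgi",
    "code_challenge_methods_supported": ["S256", "plain"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "issuer": "https://nas.example.test/webman/sso",
    "jwks_uri": "https://nas.example.test/webman/sso/openid-jwks.json",
    "response_types_supported": ["code", "code id_token", "id_token", "id_token token"],
    "scopes_supported": ["email", "groups", "openid"],
    "token_endpoint": "https://nas.example.test/webman/sso/SSOAccessToken.cgi",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "userinfo_endpoint": "https://nas.example.test/webman/sso/SSOUserInfo.cgi"
  }
JSON

ENDPOINTS = %w[authorization_endpoint token_endpoint userinfo_endpoint jwks_uri].freeze

# Hypothetical helper: returns { errors: [...], warnings: [...] } for a parsed document.
def audit_discovery(doc)
  errors = []
  warnings = []
  issuer = URI.parse(doc.fetch('issuer', ''))
  errors << 'issuer must be an https URL' unless issuer.is_a?(URI::HTTPS)
  ENDPOINTS.each do |key|
    url = URI.parse(doc.fetch(key, ''))
    errors << "#{key} is missing or not https" unless url.is_a?(URI::HTTPS)
    # An endpoint on another host than the issuer deserves a manual look.
    warnings << "#{key} host differs from issuer" if url.host && url.host != issuer.host
  end
  errors << 'scope "openid" not offered' unless Array(doc['scopes_supported']).include?('openid')
  errors << 'response_type "code" not offered' unless Array(doc['response_types_supported']).include?('code')
  errors << 'RS256 ID token signing not offered' unless Array(doc['id_token_signing_alg_values_supported']).include?('RS256')
  # The provider offering weaker options is not a failure, but the client
  # configuration should not select them.
  warnings << 'implicit grant offered: configure the client for authorization_code' if Array(doc['grant_types_supported']).include?('implicit')
  warnings << 'PKCE "plain" offered: use S256' if Array(doc['code_challenge_methods_supported']).include?('plain')
  { errors: errors, warnings: warnings }
end

REPORT = audit_discovery(JSON.parse(DISCOVERY))
puts REPORT
```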
Hello @vmario89
To activate your new authentication provider, execute the following command within your fabmanager Docker container:
rails fablab:auth:switch_provider[NAME OF PROVIDER]
After running this command, a container restart is required for the changes to take effect.
Note: Any modifications to the provider parameters necessitate a container restart.
Hi, thank you very much for your feedback. Indeed I was nearly successful in logging in with SSO now, but there is still something missing. I was able to configure everything to pass through from the login button to SSO and back to Fab-manager again. But after entering the correct login data, the frontend does nothing.
The log file app-stdout.log says the following:
D, [2025-08-24T19:12:57.513910 #7] DEBUG -- : [47534c8e-d825-423c-bfc3-2b50c3699ae2] User Create (0.8ms) INSERT INTO "users" ("email", "encrypted_password", "reset_password_token", "reset_password_sent_at", "remember_created_at", "sign_in_count", "current_sign_in_at", "last_sign_in_at", "confirmation_token", "confirmed_at", "confirmation_sent_at", "unconfirmed_email", "failed_attempts", "unlock_token", "locked_at", "created_at", "updated_at", "is_allow_contact", "group_id", "username", "slug", "is_active", "provider", "uid", "auth_token", "merged_at", "is_allow_newsletter", "current_sign_in_ip", "last_sign_in_ip", "mapped_from_sso", "validated_at", "supporting_documents_reminder_sent_at") VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24, $25, $26, $27, $28, $29, $30, $31, $32) RETURNING "id" [["email", "[email protected]"], ["encrypted_password", "$2a$10$REDACTED"], ["reset_password_token", nil], ["reset_password_sent_at", nil], ["remember_created_at", nil], ["sign_in_count", 0], ["current_sign_in_at", nil], ["last_sign_in_at", nil], ["confirmation_token", nil], ["confirmed_at", "2025-08-24 19:12:57.506350"], ["confirmation_sent_at", nil], ["unconfirmed_email", nil], ["failed_attempts", 0], ["unlock_token", nil], ["locked_at", nil], ["created_at", "2025-08-24 19:12:57.506580"], ["updated_at", "2025-08-24 19:12:57.506580"], ["is_allow_contact", true], ["group_id", nil], ["username", "REDACTED"], ["slug", nil], ["is_active", true], ["provider", "openidconnect-login-REDACTED"], ["uid", "[email protected]"], ["auth_token", nil], ["merged_at", nil], ["is_allow_newsletter", nil], ["current_sign_in_ip", nil], ["last_sign_in_ip", nil], ["mapped_from_sso", "user.email,user.username"], ["validated_at", nil], ["supporting_documents_reminder_sent_at", nil]]
It contains an SQL create statement, but it seems to always be rolled back. The created entry does not appear in the database. But the log does not contain any error.
sudo docker exec -it fabmanager-postgres-1 psql -U postgres -d fablab_production -c 'select username, email, uid, mapped_from_sso, provider from users;'