vouch-proxy
vouch-proxy with Gitea working on v0.17.4 but stops working on v0.18.0+
Describe the problem
Getting 400 Bad Request after successful login to Gitea. Using exactly the same nginx, Gitea and vouch config, all working with vouch v0.17.4 (or earlier), but with vouch v0.18.0 (or later) I get 400 Bad Request. I have tried testing: true and all the redirects worked as expected, though I am still getting 400 Bad Request. It appears that the change between vouch v0.17.4 and v0.18.0 caused Gitea to respond to the OAuth request with
2020-12-23T23:22:32.753Z ERROR /auth Error while retreiving user info after successful login at the OAuth provider: oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"unauthorized_client","error_description":"client is not authorized"}
Expected behavior
No 400 Bad Request on vouch v0.18.0 (or later), just like with vouch v0.17.4 (or earlier).
Desktop (please complete the following information):
- OS: Windows 10
- Browser: Firefox
- Version: 84.0.1
@layanto thanks for the report. Can you please use the latest version of VP and post a full log to a gist as per the README?
I am also seeing this. I will try to get the requested logs. For the record, I am using the latest tag from docker hub for both gitea/gitea and voucher/vouch. Also, if I create a brand new oauth app, and update the vouch config to use that oauth client id/secret it works for a little while. I have the provider configured as "github" in the vouch config, as per a previous issue on gitea/vouch.
I was also using gitea and vouch latest docker image. As workaround, I now use 0.17.4 tag for vouch docker image.
Trying to figure out how to use the ./do.sh with vouch docker image.
@layanto any chance you could supply that log for the most recent version? I'm happy to help work the issue.
wrt to ./do.sh for 0.17.4 you should be able to adjust the IMAGE variable.
https://github.com/vouch/vouch-proxy/blob/master/do.sh#L12
Will try tonight. I am presently only using the vouch docker image. To use the do.sh, do I need to git checkout this repo and then run the do.sh? Maybe easier just to take the log as is and then change my oauth key in gitea?
Couldn't figure out how to use the do.sh so I ended up manually sanitizing the debug log. Gists below: vouch 0.17.4 (working): https://gist.github.com/layanto/13d921fe303bf094cf606d11ce2f268f vouch 0.19.1 (not working): https://gist.github.com/layanto/7598de4cb54fbb0bd578ae9d5de908ec
I changed my domain to domain.com, gitea URL to gitea.domain.com, vouch URL to vouch.domain.com, application URL protected by vouch to protected.domain.com, username to username, email to [email protected] and various secrets, client_id, token, etc to vvv, www, xxx, etc. Hopefully I haven't messed up the debug log too badly.
Would be a great feature if, via a config option, vouch could generate a sanitized debug.log as a file in /data. This way the log file can be accessed on docker's host machine. Vouch already knows all the sensitive information (already in config or environment variables) so it should be able to sanitize them without additional info from the user (such as via do.sh, which I couldn't figure out how to use).
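A sketch of the sanitizer that comment asks for, written as an added example for this thread and not taken from vouch-proxy itself: it is fed the secret values the proxy already holds (client_secret, the user's email, the real domain) and swaps each one in a log line for a placeholder naming the config key. The NewSanitizer, Line and main names, the minimum-length cut-off and the sample log lines are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Sanitizer rewrites a log line so that every known secret value is
// replaced by "<config-key>".
type Sanitizer struct {
	r *strings.Replacer
}

// NewSanitizer takes config key -> secret value. Values shorter than minLen
// are skipped, because replacing a one-letter "secret" would mangle the whole
// log. Longer values are ordered first so that an email address is redacted
// as one token instead of having only its domain part swapped; strings.Replacer
// prefers the earlier argument when several patterns match at one position.
func NewSanitizer(secrets map[string]string, minLen int) *Sanitizer {
	type kv struct{ key, val string }
	var pairs []kv
	for k, v := range secrets {
		if len(v) >= minLen {
			pairs = append(pairs, kv{k, v})
		}
	}
	sort.Slice(pairs, func(i, j int) bool {
		if len(pairs[i].val) != len(pairs[j].val) {
			return len(pairs[i].val) > len(pairs[j].val)
		}
		return pairs[i].key < pairs[j].key
	})
	args := make([]string, 0, 2*len(pairs))
	for _, p := range pairs {
		args = append(args, p.val, "<"+p.key+">")
	}
	return &Sanitizer{r: strings.NewReplacer(args...)}
}

// Line returns the sanitized form of one log line. Replacement text is never
// re-scanned, so a placeholder cannot itself trigger another replacement.
func (s *Sanitizer) Line(line string) string {
	return s.r.Replace(line)
}

func main() {
	// Constructed values standing in for what the proxy reads from its config.
	s := NewSanitizer(map[string]string{
		"client_secret": "s3cr3tvalue",
		"email":         "user@domain.com",
		"domain":        "domain.com",
	}, 4)
	// Constructed log lines, not output from vouch-proxy.
	lines := []string{
		"token request for user@domain.com to https://gitea.domain.com/login/oauth/access_token",
		"client_secret=s3cr3tvalue sent to provider",
	}
	for _, l := range lines {
		fmt.Println(s.Line(l))
	}
}
```

The placeholder carries the key name rather than a bare "xxx" so a reader of the gist can still tell which field appeared where, which is what makes a sanitized log useful for diagnosing redirect and token problems.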
@eldondev @layanto could you please try adjusting your oauth config with..
code_challenge_method: (blank)
and then
code_challenge_method: plain
I suspect that gitea does not support PKCE which was added to v0.18.0 via #307
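What the code_challenge_method setting actually controls, as an added example that is not vouch-proxy code (later replies show the github provider still fails with it blank, so the suspicion above is not confirmed on this page; the example only shows the mechanism being switched on and off). ChallengeFor follows RFC 7636: S256 sends base64url(sha256(verifier)) without padding, plain sends the verifier itself, and an empty method sends no challenge at all. The function names, the state value and the client id are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// ChallengeFor derives the code_challenge a client puts in the authorize
// request from its code_verifier (RFC 7636 section 4.2). An empty method
// means PKCE is off and no challenge is sent.
func ChallengeFor(verifier, method string) (string, error) {
	switch method {
	case "S256":
		sum := sha256.Sum256([]byte(verifier))
		return base64.RawURLEncoding.EncodeToString(sum[:]), nil
	case "plain":
		return verifier, nil
	case "":
		return "", nil
	default:
		return "", fmt.Errorf("unsupported code_challenge_method %q", method)
	}
}

// NewVerifier returns a fresh random verifier: 32 random bytes encoded as
// base64url without padding, i.e. 43 characters (RFC 7636 allows 43..128).
func NewVerifier() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// AuthorizeQuery builds the query string appended to auth_url. With an empty
// method the two code_challenge parameters are left out entirely, which is
// what "code_challenge_method: (blank)" amounts to.
func AuthorizeQuery(clientID, redirectURI, state, verifier, method string) (string, error) {
	challenge, err := ChallengeFor(verifier, method)
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	if method != "" {
		q.Set("code_challenge", challenge)
		q.Set("code_challenge_method", method)
	}
	return q.Encode(), nil
}

// ProviderVerify is the check the provider makes at the token endpoint: it
// recomputes the challenge from the code_verifier that arrives with the
// authorization code and compares it with the challenge stored at authorize
// time. A mismatch, or a method the provider does not implement, means the
// token request is refused.
func ProviderVerify(storedChallenge, storedMethod, verifier string) bool {
	got, err := ChallengeFor(verifier, storedMethod)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	v, err := NewVerifier()
	if err != nil {
		panic(err)
	}
	for _, m := range []string{"S256", "plain", ""} {
		q, _ := AuthorizeQuery("xxx", "https://vouch.domain.com/auth", "constructed-state", v, m)
		c, _ := ChallengeFor(v, m)
		fmt.Printf("method=%q verify=%v query=%s\n", m, ProviderVerify(c, m, v), q)
	}
}
```

The test below uses the verifier/challenge pair from RFC 7636 Appendix B, so a provider that implements S256 correctly must accept exactly that pairing and reject any other verifier.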
Still not working - exactly the same error. I tried both (blank) and plain for code_challenge_method under oauth config.
@layanto looks like gitea supports OIDC, what happens if you try oauth.provider: oidc (with and without code_challenge).
https://docs.gitea.io/en-us/oauth2-provider/
using oidc as oauth provider, Gitea works with v0.17.4 and latest. I didn't need to add the code_challenge_method. With github as oauth provider, Gitea only works with v0.17.4 or earlier and doesn't work with v0.18.0 or later.
@eldondev Can you check if you observe the same behaviour as above?
Hi, with gitea 1.13.1 vouch latest and provider oidc everything is working again.
@mvivaldi @layanto thanks for testing that out.
In your opinion should we consider this a docu-fix as "always use oauth.provider: oidc for Gitea"? OIDC does not currently support the group features that are in the github provider. Are those important?
My suspicion is that if this line were commented out it might work for Gitea as provider: github
https://github.com/vouch/vouch-proxy/blob/master/pkg/cfg/oauth.go#L205
Would either of you be in a position to test that?
I am using vouch docker from dockerhub. Not sure how to test commenting out a line in vouch's go code. I am not sure if Gitea is using or supporting the group features.
@layanto understood...
If you cared to build the container locally ./do.sh dbuild would do it.
Just followed up here. The switch to OIDC also seems to work for me. One alternative might be to see if gitea would support that code challenge method (if that is indeed the issue).
@bnfinet Hey, I dug into the gitea source/docs a little bit, it looks like they expect PKCE support to work. Also, they mention S256 in the source of the oauth provider, so, while frankly I don't expect them to be critical for my use case, I'd be willing to give diving into this issue a shot, if I could provide some sort of debug output or something that would help.
Thanks @eldondev ...
If you could provide conf and logs as described in the README and then take that line out and do it again that would be a solid start towards trying to diagnose the issue.
Hi, I seem to have the same problem and thought the problem originated from Gitea itself. I therefore opened an issue on their repository. After reading this thread I think I might be wrong with my assumption.
I will try the OIDC route and keep you updated.
I got Vouch Proxy + Gitea working again by changing my Vouch Proxy config to:
oauth:
  provider: oidc
  client_id: {id}
  client_secret: {secret}
  auth_url: https://auth.domain.com/login/oauth/authorize
  token_url: https://auth.domain.com/login/oauth/access_token
  user_info_url: https://auth.domain.com/login/oauth/userinfo
  scopes:
    - openid
    - email
    - profile
  callback_url: https://vouch.domain.com/auth
Changing only the provider and the user_info_url.
@mindfuucker thanks for the info, glad to have another confirmation that it's working with provider: oidc
The only reason this is still open and flagged as a bug is due to the usage of groups with vouch.teamWhitelist when configured with provider: github
If anyone wants that feature to work (or to just get the provider: github to work with Gitea) I hope they'll take the time to provide a good bug report in the manner described in the README.
oauth:
  provider: oidc
  client_id: {id}
  client_secret: {secret}
  auth_url: https://auth.domain.com/login/oauth/authorize
  token_url: https://auth.domain.com/login/oauth/access_token
  user_info_url: https://auth.domain.com/login/oauth/userinfo
  scopes:
    - openid
    - email
    - profile
  callback_url: https://vouch.domain.com/auth
This, unlike provider: github, works for me too, and I suggest updating config.yml_example_gitea to oidc for now.