Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC: 403 error on callback #9430

Open
Ezehkiel opened this issue Jan 7, 2025 · 2 comments
Open

OIDC: 403 error on callback #9430

Ezehkiel opened this issue Jan 7, 2025 · 2 comments
Assignees
@AMoreaux

Comments

@Ezehkiel
Copy link

Ezehkiel commented Jan 7, 2025
edited
Loading

Bug Description

When trying to use an external SSO with OIDC I got a 403 error on the callback URL. I tried with a custom SSO and with Google OIDC -> same behaviours :(

I added logs in the code and I was able to get the error :

Error: did not find expected authorization request details in session, req.session["64b2967b-5c9b-4cc5-860f-d4e16733084d"] is undefined
server-1                |     at /app/node_modules/openid-client/lib/passport_strategy.js:132:13
server-1                |     at OIDCAuthStrategy.authenticate (/app/node_modules/openid-client/lib/passport_strategy.js:191:5)
server-1                |     at OIDCAuthStrategy.authenticate (/app/packages/twenty-server/dist/src/engine/core-modules/auth/strategies/oidc.auth.strategy.js:26:22)
server-1                |     at attempt (/app/node_modules/passport/lib/middleware/authenticate.js:378:16)
server-1                |     at authenticate (/app/node_modules/passport/lib/middleware/authenticate.js:379:7)
server-1                |     at /app/node_modules/@nestjs/passport/dist/auth.guard.js:97:3
server-1                |     at new Promise (<anonymous>)
server-1                |     at /app/node_modules/@nestjs/passport/dist/auth.guard.js:89:83
server-1                |     at OIDCAuthGuard.<anonymous> (/app/node_modules/@nestjs/passport/dist/auth.guard.js:50:36)
server-1                |     at Generator.next (<anonymous>)

I'm not sure but my investigation point that the line that produce the error is

twenty/packages/twenty-server/src/engine/core-modules/auth/guards/oidc-auth.guard.ts

Line 63 in edf0a18

return (await super.canActivate(context)) as boolean;

I tried this on version v0.35.0 with a fresh install with docker. Here are my config files:

TAG=v0.35.0

#PGUSER_SUPERUSER=postgres
PGPASSWORD_SUPERUSER=-0Q2yWrpWQs16E3lKuE5gEgpf2JbgT0l

#PG_DATABASE_HOST=db
#REDIS_URL=redis://redis:6379

SERVER_URL=https://crm.test.ch

# Use openssl rand -base64 32 for each secret
APP_SECRET=jow5n7BsjOhYA97hM+ElyT7UZjaOY9oadWaH2QIndkU=
SIGN_IN_PREFILLED=true
AUTH_SSO_ENABLED=true
ENTERPRISE_KEY=foo
LOG_LEVELS=verbose
LOGGER_IS_BUFFER_ENABLED=false

STORAGE_TYPE=s3
STORAGE_S3_REGION=us-east-1
STORAGE_S3_NAME=twenty
STORAGE_S3_ENDPOINT=https://s3.test.ch
STORAGE_S3_ACCESS_KEY_ID=twenty_user
STORAGE_S3_SECRET_ACCESS_KEY=secret-key

name: twenty

services:
 change-vol-ownership:
   image: ubuntu
   user: root
   volumes:
     - server-local-data:/tmp/server-local-data
     - docker-data:/tmp/docker-data
   command: >
     bash -c "
     chown -R 1000:1000 /tmp/server-local-data
     && chown -R 1000:1000 /tmp/docker-data"

 server:
   image: twentycrm/twenty:${TAG}
   volumes:
     - server-local-data:/app/packages/twenty-server/${STORAGE_LOCAL_PATH:-.local-storage}
     - docker-data:/app/docker-data
   ports:
     - "80:3000"
   environment:
     PORT: 3000
     PG_DATABASE_URL: postgres://${PGUSER_SUPERUSER:-postgres}:${PGPASSWORD_SUPERUSER}@${PG_DATABASE_HOST:-db:5432}/default
     SERVER_URL: ${SERVER_URL}
     REDIS_URL: ${REDIS_URL:-redis://redis:6379}

     SIGN_IN_PREFILLED: ${SIGN_IN_PREFILLED}
     STORAGE_TYPE: ${STORAGE_TYPE}
     STORAGE_S3_REGION: ${STORAGE_S3_REGION}
     STORAGE_S3_NAME: ${STORAGE_S3_NAME}
     STORAGE_S3_ENDPOINT: ${STORAGE_S3_ENDPOINT}
     STORAGE_S3_ACCESS_KEY_ID: ${STORAGE_S3_ACCESS_KEY_ID}
     STORAGE_S3_SECRET_ACCESS_KEY: ${STORAGE_S3_SECRET_ACCESS_KEY}
     AUTH_SSO_ENABLED: ${AUTH_SSO_ENABLED}
     ENTERPRISE_KEY: ${ENTERPRISE_KEY}
     APP_SECRET: ${APP_SECRET}

     SENTRY_DSN: ${SENTRY_DSN}
     LOG_LEVELS: ${LOG_LEVELS}
     LOGGER_IS_BUFFER_ENABLED: ${LOGGER_IS_BUFFER_ENABLED}
     DEBUG_MODE: "true"
   sysctls:
     net.ipv6.conf.all.disable_ipv6: 1
   depends_on:
     change-vol-ownership:
       condition: service_completed_successfully
     db:
       condition: service_healthy
   healthcheck:
     test: curl --fail http://localhost:3000/healthz
     interval: 5s
     timeout: 5s
     retries: 10
   restart: always

 worker:
   image: twentycrm/twenty:${TAG}
   command: ["yarn", "worker:prod"]
   environment:
     PG_DATABASE_URL: postgres://${PGUSER_SUPERUSER:-postgres}:${PGPASSWORD_SUPERUSER}@${PG_DATABASE_HOST:-db:5432}/default
     SERVER_URL: ${SERVER_URL}
     REDIS_URL: ${REDIS_URL:-redis://redis:6379}
     DISABLE_DB_MIGRATIONS: "true" # it already runs on the server

     STORAGE_TYPE: ${STORAGE_TYPE}
     STORAGE_S3_REGION: ${STORAGE_S3_REGION}
     STORAGE_S3_NAME: ${STORAGE_S3_NAME}
     STORAGE_S3_ENDPOINT: ${STORAGE_S3_ENDPOINT}
     STORAGE_S3_ACCESS_KEY_ID: ${STORAGE_S3_ENDPOINT}
     STORAGE_S3_SECRET_ACCESS_KEY: ${STORAGE_S3_SECRET_ACCESS_KEY}
     AUTH_SSO_ENABLED: ${AUTH_SSO_ENABLED}
     ENTERPRISE_KEY: ${ENTERPRISE_KEY}
     APP_SECRET: ${APP_SECRET}

     SENTRY_DSN: ${SENTRY_DSN}
     LOG_LEVELS: ${LOG_LEVELS}
     LOGGER_IS_BUFFER_ENABLED: ${LOGGER_IS_BUFFER_ENABLED}
     DEBUG_MODE: "true"
   sysctls:
     net.ipv6.conf.all.disable_ipv6: 1
   depends_on:
     db:
       condition: service_healthy
     server:
       condition: service_healthy
   restart: always

 db:
   image: twentycrm/twenty-postgres-spilo:${TAG}
   volumes:
     - db-data:/home/postgres/pgdata
   environment:
     PGUSER_SUPERUSER: ${PGUSER_SUPERUSER:-postgres}
     PGPASSWORD_SUPERUSER: ${PGPASSWORD_SUPERUSER:-postgres}
     ALLOW_NOSSL: "true"
     SPILO_PROVIDER: "local"
   healthcheck:
     test: pg_isready -U ${PGUSER_SUPERUSER:-postgres} -h localhost -d postgres
     interval: 5s
     timeout: 5s
     retries: 10
   restart: always

 redis:
   image: redis
   restart: always

volumes:
 docker-data:
 db-data:
 server-local-data:

Expected behavior

The expected behavior is that the user can connect himself to the application.
@AMoreaux
Copy link
Contributor

AMoreaux commented Jan 7, 2025

Hi @Ezehkiel

I see that your config doesn't enable Redis. Is it expected?

Could you try with redis enable:

REDIS_URL=redis://redis:6379

@AMoreaux AMoreaux self-assigned this Jan 7, 2025
@Ezehkiel
Copy link
Author

Ezehkiel commented Jan 8, 2025

Hi @AMoreaux,

This is expected, because in the docker compose there is the default value which is the same. If I display the variable inside the container, the endpoint is correct, cf :

Image

But I also tried uncommenting it in the .env file, unfortunately, no change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AMoreaux AMoreaux

Labels
None yet
Projects
Product development ✅
Status: 🆕 New
Milestone
No milestone
Development

No branches or pull requests
2 participants
@AMoreaux @Ezehkiel