Oauth2 invalid_credentials

Infos:

• Used Zammad version: Version 3.6.x
• Used Zammad installation source: package
• Operating system: Debian 10
• Browser + version: Safari Version 14.0.3 (16610.4.3.1.4)

Expected behavior:

I link my account via “Profiles → Linked Accounts”.

Actual behavior:

When I try to link my account I get the following error message
422: The change you wanted was rejected.
Message from oauth2: invalid_credentials

Steps to reproduce the behavior:

1. In Security → Third-Party Applications → Login via Generic OAuth2 I entered the data from Mailcow.
2. Go to my profile and try to connect my account there.

Additional:

I have already entered OAuth2 at Nextcloud, there it runs without problems. (of course a separate entry at Mailcow)

Log:

I, [2021-03-09T00:06:07.288616 #16987-47451524202240] INFO -- : Started POST "/auth/oauth2" for 93.212.28.116 at 2021-03-09 00:06:07 +0100

I, [2021-03-09T00:06:07.292764 #16987-47451524202240] INFO -- : (oauth2) Request phase initiated.

I, [2021-03-09T00:06:08.599148 #16987-47451524201800] INFO -- : Started GET "/auth/oauth2/callback?code=[FILTERED]&state=a88c6173ed972d90b5eec9f7a4e2775f7779ec15457827bb" for 93.212.28.116 at 2021-03-09 00:06:08 +0100

I, [2021-03-09T00:06:08.601837 #16987-47451524201800] INFO -- : (oauth2) Callback phase initiated.

E, [2021-03-09T00:06:08.640925 #16987-47451524201800] ERROR -- : (oauth2) Authentication failure! invalid_credentials: OAuth2::Error, redirect_uri_mismatch: The redirect URI is missing or do not match

{"error":"redirect_uri_mismatch","error_description":"The redirect URI is missing or do not match","error_uri":"http:\/\/tools.ietf.org\/html\/rfc6749#section-4.1.3"}

I, [2021-03-09T00:06:08.674490 #16987-47451524202020] INFO -- : Started GET "/auth/failure?message=invalid_credentials&origin=https%3A%2F%2FZAMMAD%2F&strategy=oauth2" for 93.212.28.116 at 2021-03-09 00:06:08 +0100

I, [2021-03-09T00:06:08.678661 #16987-47451524202020] INFO -- : Processing by SessionsController#failure_omniauth as HTML

I, [2021-03-09T00:06:08.678712 #16987-47451524202020] INFO -- : Parameters: {"message"=>"invalid_credentials", "origin"=>"https://ZAMMAD/", "strategy"=>"oauth2"}

E, [2021-03-09T00:06:08.681917 #16987-47451524202020] ERROR -- : Message from oauth2: invalid_credentials (Exceptions::UnprocessableEntity)

/opt/zammad/app/controllers/sessions_controller.rb:109:in `failure_omniauth'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/abstract_controller/base.rb:194:in `process_action'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_controller/metal/rendering.rb:30:in `process_action'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/abstract_controller/callbacks.rb:42:in `block in process_action'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/callbacks.rb:109:in `block in run_callbacks'

/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:18:in `block (4 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/notifications.rb:180:in `subscribed'

/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:17:in `block (3 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/notifications.rb:180:in `subscribed'

/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:16:in `block (2 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/callbacks.rb:118:in `instance_exec'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/callbacks.rb:118:in `block in run_callbacks'

/opt/zammad/app/controllers/application_controller/handles_transitions.rb:14:in `handle_transaction'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/callbacks.rb:118:in `block in run_callbacks'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/callbacks.rb:136:in `run_callbacks'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/abstract_controller/callbacks.rb:41:in `process_action'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_controller/metal/rescue.rb:22:in `process_action'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/notifications.rb:168:in `block in instrument'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/notifications/instrumenter.rb:23:in `instrument'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/notifications.rb:168:in `instrument'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_controller/metal/instrumentation.rb:32:in `process_action'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_controller/metal/params_wrapper.rb:256:in `process_action'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.4.5/lib/active_record/railties/controller_runtime.rb:24:in `process_action'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/abstract_controller/base.rb:134:in `process'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionview-5.2.4.5/lib/action_view/rendering.rb:32:in `process'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_controller/metal.rb:191:in `dispatch'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_controller/metal.rb:252:in `dispatch'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/routing/route_set.rb:52:in `dispatch'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/routing/route_set.rb:34:in `serve'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/journey/router.rb:52:in `block in serve'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/journey/router.rb:35:in `each'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/journey/router.rb:35:in `serve'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/routing/route_set.rb:840:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:420:in `call_app!'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in `other_phase'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:190:in `call!'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/builder.rb:45:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/conditional_get.rb:27:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/head.rb:12:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/http/content_security_policy.rb:18:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/middleware/cookies.rb:670:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/callbacks.rb:98:in `run_callbacks'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/middleware/callbacks.rb:26:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.5/lib/rails/rack/logger.rb:38:in `call_app'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.5/lib/rails/rack/logger.rb:26:in `block in call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/tagged_logging.rb:71:in `block in tagged'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/tagged_logging.rb:28:in `tagged'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/tagged_logging.rb:71:in `tagged'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.5/lib/rails/rack/logger.rb:26:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/middleware/request_id.rb:27:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.5/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/middleware/executor.rb:14:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.5/lib/action_dispatch/middleware/static.rb:127:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.5/lib/rails/engine.rb:524:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-3.12.6/lib/puma/configuration.rb:227:in `call'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-3.12.6/lib/puma/server.rb:706:in `handle_request'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-3.12.6/lib/puma/server.rb:476:in `process_client'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-3.12.6/lib/puma/server.rb:334:in `block in run'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-3.12.6/lib/puma/thread_pool.rb:135:in `block in spawn_thread'

/opt/zammad/vendor/bundle/ruby/2.6.0/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'

Generic oAuth2 authentication is considered broken and even has been removed with Zammad 4.0.
Sorry.

Very sad, this is now the only service that doesn’t allow shared login of anything I host.

SAML or LDAP may be an alternative that’s central / shared as well.

Unfortunately, neither system exists consistently with the other web services.

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.