OpenId Connect - SSO Authentication - AUTH IS NULL, SERVICE NOT LINKED TO ACCOUNT

Hi

While trying to set up OpenId Connect in my Zammad installation, I think I encountered a bug on the error page. The text is not formatted and the template glitches out.

I am getting AUTH IS NULL, SERVICE NOT LINKED TO ACCOUNT and undefined method [] for nil:NilClass (NoMethodError).

Am I doing something wrong in my configuration? Many thanks in advance!

Infos:

  • Used Zammad version: 4.1.0-6
  • Installation method (source, package, …): Docker compose
  • Operating system: Ubuntu 21.04
  • Database + version: Postgres 4.1.0-6
  • Elasticsearch version: 4.1.0-6
  • Browser + version: Brave Version 1.27.109 Chromium: 92.0.4515.115

Stacktrace:

I, [2021-08-03T07:18:54.755567 #1-47292219813420]  INFO -- : Started GET "/auth/sso/callback?code=[FILTERED]&scope=openid&state=sit95BJ6PADamslplDbP7CkzBMs&session_state=aqZp8K9bkkT-JZq0wjZJVPyauo7rKtd4NXPWWmThHXY.3377962944B7B6454654278A39F011E1" for REDACTED_IP at 2021-08-03 07:18:54 +0000
I, [2021-08-03T07:18:54.759852 #1-47292219813420]  INFO -- : Processing by SessionsController#create_omniauth as HTML
I, [2021-08-03T07:18:54.760047 #1-47292219813420]  INFO -- :   Parameters: {"code"=>"[FILTERED]", "scope"=>"openid", "state"=>"sit95BJ6PADamslplDbP7CkzBMs", "session_state"=>"aqZp8K9bkkT-JZq0wjZJVPyauo7rKtd4NXPWWmThHXY.3377962944B7B6454654278A39F011E1", "provider"=>"sso"}
I, [2021-08-03T07:18:54.760482 #1-47292219813420]  INFO -- : AUTH IS NULL, SERVICE NOT LINKED TO ACCOUNT
I, [2021-08-03T07:18:54.760733 #1-47292219813420]  INFO -- : Redirected to https://REDACTED_DOMAIN/
E, [2021-08-03T07:18:54.760943 #1-47292219813420] ERROR -- : undefined method `[]' for nil:NilClass (NoMethodError)
/opt/zammad/app/models/authorization.rb:13:in `find_from_hash'
/opt/zammad/app/controllers/sessions_controller.rb:85:in `create_omniauth'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:194:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/rendering.rb:30:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:42:in `block in process_action'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:109:in `block in run_callbacks'
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:18:in `block (4 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:180:in `subscribed'
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:17:in `block (3 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:180:in `subscribed'
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:16:in `block (2 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in `instance_exec'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in `block in run_callbacks'
/opt/zammad/app/controllers/application_controller/handles_transitions.rb:14:in `handle_transaction'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in `block in run_callbacks'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:136:in `run_callbacks'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:41:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/rescue.rb:22:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in `block in instrument'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in `instrument'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:32:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/params_wrapper.rb:256:in `process_action'
/usr/local/bundle/gems/activerecord-5.2.4.6/lib/active_record/railties/controller_runtime.rb:24:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:134:in `process'
/usr/local/bundle/gems/actionview-5.2.4.6/lib/action_view/rendering.rb:32:in `process'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:191:in `dispatch'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:252:in `dispatch'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:52:in `dispatch'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:34:in `serve'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:52:in `block in serve'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in `each'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in `serve'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:840:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:420:in `call_app!'
/usr/local/bundle/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in `other_phase'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:190:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/builder.rb:45:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/conditional_get.rb:27:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/head.rb:12:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/http/content_security_policy.rb:18:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/cookies.rb:670:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:98:in `run_callbacks'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
/usr/local/bundle/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:38:in `call_app'
/usr/local/bundle/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in `block in call'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in `block in tagged'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:28:in `tagged'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in `tagged'
/usr/local/bundle/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/request_id.rb:27:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call'
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/executor.rb:14:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call'
/usr/local/bundle/gems/railties-5.2.4.6/lib/rails/engine.rb:524:in `call'
/usr/local/bundle/gems/puma-4.3.8/lib/puma/configuration.rb:228:in `call'
/usr/local/bundle/gems/puma-4.3.8/lib/puma/server.rb:718:in `handle_request'
/usr/local/bundle/gems/puma-4.3.8/lib/puma/server.rb:472:in `process_client'
/usr/local/bundle/gems/puma-4.3.8/lib/puma/server.rb:328:in `block in run'
/usr/local/bundle/gems/puma-4.3.8/lib/puma/thread_pool.rb:134:in `block in spawn_thread'
/usr/local/bundle/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
E, [2021-08-03T07:18:54.762718 #1-47292219813420] ERROR -- : Error ID KUxqTPlW: undefined method `[]' for nil:NilClass
I, [2021-08-03T07:18:54.763189 #1-47292219813420]  INFO -- : Completed 500 Internal Server Error in 3ms (ActiveRecord: .0ms)
F, [2021-08-03T07:18:54.763673 #1-47292219813420] FATAL -- :   
F, [2021-08-03T07:18:54.763700 #1-47292219813420] FATAL -- : AbstractController::DoubleRenderError (Render and/or redirect were called multiple times in this action. Please note that you may only call render OR redirect, and at most once per action. Also note that neither redirect nor render terminate execution of the action, so if you want to exit an action after redirecting, you need to do something like "redirect_to(...) and return".):
F, [2021-08-03T07:18:54.763716 #1-47292219813420] FATAL -- :   
F, [2021-08-03T07:18:54.763740 #1-47292219813420] FATAL -- : app/controllers/application_controller/handles_errors.rb:74:in `block (2 levels) in respond_to_exception'
[de25c39f-b8ed-4698-909e-180214edb863] app/controllers/application_controller/handles_errors.rb:66:in `respond_to_exception'
[de25c39f-b8ed-4698-909e-180214edb863] app/controllers/application_controller/handles_errors.rb:32:in `internal_server_error'
I, [2021-08-03T07:19:05.094599 #1-47292219814240]  INFO -- : Completed 200 OK in 25026ms (Views: 0.4ms | ActiveRecord: 2.4ms)

Expected behavior:

  • Shows error page with traceback and possibly SSO integration works resulting in a session being created.

Actual behavior:

Steps to reproduce the behavior:

  1. Run latest docker-compose.yml
  2. Create Apache container with Dockerfile:
FROM ubuntu:20.04

ARG DEBIAN_FRONTEND=noninteractive

RUN apt-get update && apt-get upgrade -y
RUN apt-get install -y apache2 --no-install-recommends

RUN apt-get install -y krb5-user libapache2-mod-auth-openidc

RUN a2enmod auth_openidc rewrite proxy proxy_http proxy_balancer proxy_wstunnel headers

COPY apache2.conf /etc/apache2/sites-available/000-default.conf
RUN rm /etc/apache2/sites-available/default-ssl.conf

ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2
ENV APACHE_RUN_DIR /etc/apache2

EXPOSE 80

ENTRYPOINT ["/usr/sbin/apache2"]
CMD ["-D", "FOREGROUND"]
  3. Create apache.conf with configuration:
# security - prevent information disclosure about server version
ServerTokens Prod

<VirtualHost *:80>
    ServerName REDACTED_DOMAIN

    ErrorLog /dev/stdout
    CustomLog /dev/stdout combined
    LogLevel debug

    OIDCProviderMetadataURL https://REDACTED_DOMAIN/.well-known/openid-configuration
    OIDCClientID REDACTED_ID
    OIDCClientSecret REDACTED_SECRET
    OIDCSSLValidateServer 0
    OIDCRedirectURI https://REDACTED_DOMAIN/auth/sso/callback
    OIDCCryptoPassphrase REDACTED_SECRET

    <Location /auth/sso>
        AuthType openid-connect
        Require valid-user

        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1,NS]
        RequestHeader set X-Forwarded-User "%{RU}e" env=RU
    </Location>

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass        /ws ws://REDACTED_IP:8080/
    ProxyPass        /   http://REDACTED_IP:8080/
    ProxyPassReverse /   http://REDACTED_IP:8080/

    RewriteEngine on
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set Host REDACTED_DOMAIN
    RewriteRule /(.*) http://REDACTED_IP:8080/$1 [P,l]
</VirtualHost>
  4. Enable SSO in Zammad

This is the thinking mistake you’re making.
You’re using docker-compose, which comes with a pre-shipped nginx container that you’re using.

The compose uses our default config for nginx - for security reasons and to protect against undesired SSO activations, we have a line disabling it within the web server:

So you either go around that container or use a package installation as an example.

Hi

Thank you for your answer. I have changed the nginx section in the docker-compose.yml with the following:

  zammad-nginx:
    build: ./containers/nginx
    command: ["zammad-nginx"]
    expose:
      - "8080"
    depends_on:
      - zammad-railsserver
    #image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-railsserver
      - zammad-websocket
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad
    environment:
      - RAILS_TRUSTED_PROXIES=['127.0.0.1', '::1']
      - NGINX_SERVER_SCHEME=https

This is the Dockerfile I am using for the nginx:

FROM zammad/zammad-docker-compose:zammad-4.1.0-6

COPY zammad.conf /contrib/nginx/zammad.conf

The zammad.conf I am copying is the default config but with the following line removed like you suggested:

proxy_set_header X-Forwarded-User "";

The only difference I’m seeing with my other applications is that the OIDC mod in apache2 is not sending a code_challenge (PKCE). In my IdP, I see that PKCE is NOT required so it should not be a problem I think.

On the error page I get:

OpenID Connect Provider error: Error in handling response type.

I am using the ‘code’ response type. This is also set to code in my IdP.

I am still getting the following error in the railsserver container:

I, [2021-08-13T06:59:29.266128 #1-46975302594080]  INFO -- : Started GET "/auth/sso/callback?code=[FILTERED]&scope=openid&state=cccavNLVM3FVGJRJ9ulBFP6ndb4&session_state=mOas8Eg2tBg479to6GuXhaUyVXBbtCG7DQuJ1k79prw.3BF5C757FBA91C0158FDACB500B921E8" for REDACTED_IP at 2021-08-13 06:59:29 +0000,
I, [2021-08-13T06:59:29.271833 #1-46975302594080]  INFO -- : Processing by SessionsController#create_omniauth as HTML,
I, [2021-08-13T06:59:29.272072 #1-46975302594080]  INFO -- :   Parameters: {"code"=>"[FILTERED]", "scope"=>"openid", "state"=>"cccavNLVM3FVGJRJ9ulBFP6ndb4", "session_state"=>"mOas8Eg2tBg479to6GuXhaUyVXBbtCG7DQuJ1k79prw.3BF5C757FBA91C0158FDACB500B921E8", "provider"=>"sso"},
I, [2021-08-13T06:59:29.272540 #1-46975302594080]  INFO -- : AUTH IS NULL, SERVICE NOT LINKED TO ACCOUNT,
I, [2021-08-13T06:59:29.272815 #1-46975302594080]  INFO -- : Redirected to https://REDACTED_DOMAIN/,
E, [2021-08-13T06:59:29.273058 #1-46975302594080] ERROR -- : undefined method `[]' for nil:NilClass (NoMethodError),
/opt/zammad/app/models/authorization.rb:13:in `find_from_hash',
/opt/zammad/app/controllers/sessions_controller.rb:85:in `create_omniauth',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:194:in `process_action',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/rendering.rb:30:in `process_action',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:42:in `block in process_action',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:109:in `block in run_callbacks',
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:18:in `block (4 levels) in <module:HasSecureContentSecurityPolicyForDownloads>',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:180:in `subscribed',
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:17:in `block (3 levels) in <module:HasSecureContentSecurityPolicyForDownloads>',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:180:in `subscribed',
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:16:in `block (2 levels) in <module:HasSecureContentSecurityPolicyForDownloads>',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in `instance_exec',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in `block in run_callbacks',
/opt/zammad/app/controllers/application_controller/handles_transitions.rb:14:in `handle_transaction',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in `block in run_callbacks',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:136:in `run_callbacks',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:41:in `process_action',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/rescue.rb:22:in `process_action',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in `block in instrument',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications/instrumenter.rb:23:in `instrument',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in `instrument',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:32:in `process_action',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal/params_wrapper.rb:256:in `process_action',
/usr/local/bundle/gems/activerecord-5.2.4.6/lib/active_record/railties/controller_runtime.rb:24:in `process_action',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:134:in `process',
/usr/local/bundle/gems/actionview-5.2.4.6/lib/action_view/rendering.rb:32:in `process',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:191:in `dispatch',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:252:in `dispatch',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:52:in `dispatch',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:34:in `serve',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:52:in `block in serve',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in `each',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in `serve',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:840:in `call',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:420:in `call_app!',
/usr/local/bundle/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in `other_phase',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:190:in `call!',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call',
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/builder.rb:45:in `call',
/usr/local/bundle/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call',
/usr/local/bundle/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call',
/usr/local/bundle/gems/rack-2.2.3/lib/rack/conditional_get.rb:27:in `call',
/usr/local/bundle/gems/rack-2.2.3/lib/rack/head.rb:12:in `call',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/http/content_security_policy.rb:18:in `call',
/usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context',
/usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/cookies.rb:670:in `call',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:98:in `run_callbacks',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:26:in `call',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call',
/usr/local/bundle/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:38:in `call_app',
/usr/local/bundle/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in `block in call',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in `block in tagged',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:28:in `tagged',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in `tagged',
/usr/local/bundle/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in `call',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/remote_ip.rb:81:in `call',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/request_id.rb:27:in `call',
/usr/local/bundle/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call',
/usr/local/bundle/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call',
/usr/local/bundle/gems/activesupport-5.2.4.6/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call',
/usr/local/bundle/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/executor.rb:14:in `call',
/usr/local/bundle/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call',
/usr/local/bundle/gems/railties-5.2.4.6/lib/rails/engine.rb:524:in `call',
/usr/local/bundle/gems/puma-4.3.8/lib/puma/configuration.rb:228:in `call',
/usr/local/bundle/gems/puma-4.3.8/lib/puma/server.rb:718:in `handle_request',
/usr/local/bundle/gems/puma-4.3.8/lib/puma/server.rb:472:in `process_client',
/usr/local/bundle/gems/puma-4.3.8/lib/puma/server.rb:328:in `block in run',
/usr/local/bundle/gems/puma-4.3.8/lib/puma/thread_pool.rb:134:in `block in spawn_thread',
/usr/local/bundle/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context',
E, [2021-08-13T06:59:29.274170 #1-46975302594080] ERROR -- : Error ID GBP2i_8X: undefined method `[]' for nil:NilClass,
I, [2021-08-13T06:59:29.277053 #1-46975302594080]  INFO -- : Completed 500 Internal Server Error in 5ms (ActiveRecord: 0.0ms),
F, [2021-08-13T06:59:29.277624 #1-46975302594080] FATAL -- :   ,
F, [2021-08-13T06:59:29.277732 #1-46975302594080] FATAL -- : AbstractController::DoubleRenderError (Render and/or redirect were called multiple times in this action. Please note that you may only call render OR redirect, and at most once per action. Also note that neither redirect nor render terminate execution of the action, so if you want to exit an action after redirecting, you need to do something like "redirect_to(...) and return".):,
F, [2021-08-13T06:59:29.277845 #1-46975302594080] FATAL -- :   ,
F, [2021-08-13T06:59:29.277941 #1-46975302594080] FATAL -- : app/controllers/application_controller/handles_errors.rb:74:in `block (2 levels) in respond_to_exception',
[89207123-cb9a-4c5d-b2cf-9d64cb5b1ec1] app/controllers/application_controller/handles_errors.rb:66:in `respond_to_exception',
[89207123-cb9a-4c5d-b2cf-9d64cb5b1ec1] app/controllers/application_controller/handles_errors.rb:32:in `internal_server_error'

Hi

I resolved the above error. It seems that my client secrets were not the same in both configurations. When I removed special characters like *, @ and ^ from the secret, I am no longer getting the error mentioned above.

The new error I am getting is:

Missing SSO ENV REMOTE_USER or X-Forwarded-User header

So I think the problem is somewhere in the configuration of apache2?

<Location /auth/sso>
   AuthType openid-connect
   Require valid-user

   RewriteEngine On
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1,NS]
   RequestHeader set X-Forwarded-User "%{RU}e" env=RU
</Location>

In the logs of apache2, I am seeing that the ‘Require valid-user’ is ‘granted’:

[Fri Aug 13 07:26:01.334013 2021] [authz_core:debug] [pid 6:tid 140480813778688] mod_authz_core.c(817): [client REDACTED_IP:59506] AH01626: authorization result of Require valid-user : granted, referer: https://REDACTED_DOMAIN/,
[Fri Aug 13 07:26:01.358906 2021] [proxy:debug] [pid 6:tid 140480813778688] proxy_util.c(2340): AH00943: http: has released connection for (REDACTED_IP),
[Fri Aug 13 07:26:01.334066 2021] [authz_core:debug] [pid 6:tid 140480813778688] mod_authz_core.c(817): [client REDACTED_IP:59506] AH01626: authorization result of <RequireAny>: granted, referer: https://REDACTED_DOMAIN/,
[Fri Aug 13 07:26:01.338061 2021] [proxy:debug] [pid 6:tid 140480813778688] mod_proxy.c(1253): [client REDACTED_IP:59506] AH01143: Running scheme http handler (attempt 0), referer: https://REDACTED_DOMAIN/,
[Fri Aug 13 07:26:01.338090 2021] [proxy:debug] [pid 6:tid 140480813778688] proxy_util.c(2325): AH00942: HTTP: has acquired connection for (REDACTED_IP),
[Fri Aug 13 07:26:01.338099 2021] [proxy:debug] [pid 6:tid 140480813778688] proxy_util.c(2379): [client REDACTED_IP:59506] AH00944: connecting http://REDACTED_IP:8080/auth/sso to REDACTED_IP:8080, referer: https://REDACTED_DOMAIN/,
[Fri Aug 13 07:26:01.338107 2021] [proxy:debug] [pid 6:tid 140480813778688] proxy_util.c(2588): [client REDACTED_IP:59506] AH00947: connected /auth/sso to REDACTED_IP:8080, referer: https://REDACTED_DOMAIN/,
[Fri Aug 13 07:26:01.383487 2021] [proxy:debug] [pid 7:tid 140480629126912] proxy_util.c(2340): AH00943: WS: has released connection for (REDACTED_IP),
REDACTED_IP - REDACTED_EMAIL@REDACTED_DOMAIN_IDP [13/Aug/2021:07:26:01 +0000] "GET /auth/sso HTTP/1.1" 401 1374 "https://REDACTED_DOMAIN/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36",
REDACTED_IP - - [13/Aug/2021:07:25:59 +0000] "GET /ws HTTP/1.1" 200 255 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36"

Many thanks in advance.

If you’re still using the nginx container (so two proxies), it’s more likely that it’s still fishing away the required ENVs. Personally, if I were you, I’d rule out the nginx container or at least bypass it.

You can use one of our apache contrib vhost files to learn how it works for apache - you’ll need to adapt the localhost stuff and ports probably.

If you still receive Missing SSO ENV […] error ensure your apache did get the changes.
The rewrite engine part from our documentation has been verified to work - no matter if kerberos or not it should do the trick. Possibly the openid-connect auth may use different headers. While I doubt it I can’t tell for sure because that’s out of my horizon.
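
A hardened variant of the Apache vhost posted in this thread, as an added example that is not part of any post or of Zammad's contrib files. Once the nginx line that blanks X-Forwarded-User is removed, the front proxy is the only hop that can discard a client-supplied value, so the header is unset before it is set from REMOTE_USER. Host names, secrets and the backend address are placeholders.

```apache
# Added example. Placeholders: sso.example.invalid, idp.example.invalid,
# the CHANGE_ME_* values and the backend address 127.0.0.1:8080.
<VirtualHost *:80>
    ServerName sso.example.invalid

    # Discard any X-Forwarded-User sent by the client. "early" processes this
    # before the per-location configuration below, so the only value that can
    # reach the backend is the one derived from REMOTE_USER.
    RequestHeader unset X-Forwarded-User early

    OIDCProviderMetadataURL https://idp.example.invalid/.well-known/openid-configuration
    OIDCClientID CHANGE_ME_CLIENT_ID
    OIDCClientSecret CHANGE_ME_CLIENT_SECRET
    OIDCCryptoPassphrase CHANGE_ME_PASSPHRASE
    OIDCRedirectURI https://sso.example.invalid/auth/sso/callback
    # Verify the IdP's TLS certificate (the config in the thread sets this to 0).
    OIDCSSLValidateServer On

    <Location /auth/sso>
        AuthType openid-connect
        Require valid-user

        # Same header logic as in the thread: copy REMOTE_USER into RU,
        # then emit the header only when RU is set.
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1,NS]
        RequestHeader set X-Forwarded-User "%{RU}e" env=RU
    </Location>

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass        /ws ws://127.0.0.1:8080/
    ProxyPass        /   http://127.0.0.1:8080/
    ProxyPassReverse /   http://127.0.0.1:8080/
</VirtualHost>
```

With this in place, the backend should accept X-Forwarded-User only from connections made by this proxy, for example by binding it to a private address that clients cannot reach directly.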

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.