Troubles setting up OAuth 2 with Zammad

Infos:

  • Used Zammad version: 3.6.0-15
  • Used Zammad installation source: (source, package, …)
  • Operating system: RHEL
  • Browser + version: latest Chrome and Firefox

Expected behavior:

I'm trying to set up Zammad with OAuth. Currently I use the latest version of Zammad with docker-compose. For HTTPS I use an nginx reverse proxy, which redirects the requests to Zammad. Unfortunately I got stuck with the OAuth 2.0 setup.

I use the authorization code grant flow.

I saw a few posts saying that the Generic OAuth is kind of broken. You even mention a removal in this issue: Removal of generic oAuth2 · Issue #2951 · zammad/zammad · GitHub. This would be really sad, if that's the case.

Actual behavior:

  • I receive an error: OAuth2::Error, invalid_grant: redirect_uri value must be identical to the value included in the authorization request.

It seems Zammad doesn't like the redirect_url, which contains a code and a state:

https://mydomain.com/auth/oauth2/callback?code=o8JJ8M9wVr5oiJ7iJIGKZ2oeMIMDwKoT7idrLxv1&state=1b0f518adfb3391a1b671213e3275770cc2fd975187f6991

Logs:

I, [2021-01-23T01:24:33.149276 #1-69942977133340] INFO -- : Started GET "/auth/oauth2/callback?code=[FILTERED]&state=67bbb861f0b67e25110461071" for 172.18.0.1 at 2021-01-23 01:24:33 +0000
I, [2021-01-23T01:24:33.153498 #1-69942977133340] INFO -- : (oauth2) Callback phase initiated.
E, [2021-01-23T01:24:33.240668 #1-69942977133340] ERROR -- : (oauth2) Authentication failure! invalid_credentials: OAuth2::Error, invalid_grant: redirect_uri value must be identical to the value included in the authorization request.
{"error_description":"redirect_uri value must be identical to the value included in the authorization request.","error":"invalid_grant"}
I, [2021-01-23T01:24:33.276491 #1-46913160226040] INFO -- : Started GET "/auth/failure?message=invalid_credentials&origin=https%3A%2F%2Fmydomain.com%2F&strategy=oauth2" for 172.18.0.1 at 2021-01-23 01:24:33 +0000
I, [2021-01-23T01:24:33.280971 #1-46913160226040] INFO -- : Processing by SessionsController#failure_omniauth as HTML
I, [2021-01-23T01:24:33.281030 #1-46913160226040] INFO -- : Parameters: {"message"=>"invalid_credentials", "origin"=>"https://mydomain.com/", "strategy"=>"oauth2"}
E, [2021-01-23T01:24:33.281411 #1-46913160226040] ERROR -- : Message from oauth2: invalid_credentials (Exceptions::UnprocessableEntity)
I, [2021-01-23T01:24:33.282031 #1-46913160226040] INFO -- : Rendering inline template
I, [2021-01-23T01:24:33.282611 #1-46913160226040] INFO -- : Rendered inline template (0.5ms)
I, [2021-01-23T01:24:33.282775 #1-46913160226040] INFO -- : Completed 422 Unprocessable Entity in 2ms (Views: 0.8ms | ActiveRecord: 0.0ms)

I would appreciate any hint to get it working! Thank you.

I was able to use SAML 2.0

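The invalid_grant error in the post above is the authorization server enforcing RFC 6749 §4.1.3: the redirect_uri sent with the code exchange must be byte-for-byte identical to the one used in the authorization request. The following is an added illustration (not Zammad's or omniauth's code) of how a Rack-based client derives that value from the incoming request, and of how a reverse proxy that does not pass X-Forwarded-Proto/X-Forwarded-Host can make the derived value differ from the registered one; the host names, ports and Rack env are constructed, and the proxy-header gap is one plausible cause, not a diagnosis confirmed by the thread.

```ruby
require 'uri'

# Fixed callback path, as in the URL from the original post.
CALLBACK_PATH = '/auth/oauth2/callback'

# Model of how an OAuth2 client behind Rack builds its redirect_uri: scheme and
# host come from the proxy's forwarded headers when present, otherwise from the
# connection the app itself sees. (Only trust these headers from your own proxy.)
def derived_redirect_uri(env)
  scheme = env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme']
  host   = env['HTTP_X_FORWARDED_HOST']  || env['HTTP_HOST']
  "#{scheme}://#{host}#{CALLBACK_PATH}"
end

# Model of the token-endpoint check (RFC 6749 section 4.1.3): exact string match,
# no normalisation. The error text mirrors the one in the post's log.
def token_endpoint_check(registered_uri, presented_uri)
  return { ok: true } if registered_uri == presented_uri

  { ok: false, error: 'invalid_grant',
    error_description: 'redirect_uri value must be identical to the value ' \
                       'included in the authorization request.' }
end

# Defender-side helper: report which URI components differ so an admin can see
# whether the proxy dropped the scheme, rewrote the host, or leaked a port.
def explain_mismatch(registered_uri, presented_uri)
  a = URI.parse(registered_uri)
  b = URI.parse(presented_uri)
  %i[scheme host port path].reject { |c| a.public_send(c) == b.public_send(c) }
end

# Constructed values: the redirect_uri registered at the identity provider, and
# two Rack envs for the same callback request as the app container sees it.
REGISTERED    = 'https://mydomain.com/auth/oauth2/callback'
REQ_PLAIN     = { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'zammad:3000' }
REQ_FORWARDED = REQ_PLAIN.merge('HTTP_X_FORWARDED_PROTO' => 'https',
                                'HTTP_X_FORWARDED_HOST'  => 'mydomain.com')

if __FILE__ == $PROGRAM_NAME
  [REQ_PLAIN, REQ_FORWARDED].each do |env|
    uri = derived_redirect_uri(env)
    puts "#{uri} -> #{token_endpoint_check(REGISTERED, uri)} " \
         "differs in #{explain_mismatch(REGISTERED, uri).inspect}"
  end
end
```

Run it against the redirect_uri registered at your identity provider to see which component the proxy is changing before touching the Zammad configuration.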

SAML is the way to go - oAuth2 is broken and will be removed in future versions.
This state has not changed.