Infos:
- Used Zammad version: 3.6.0-15
- Used Zammad installation source: (source, package, …)
- Operating system: RHEL
- Browser + version: latest Chrome and Firefox
Expected behavior:
I'm trying to set up Zammad with OAuth. Currently I use the latest version of Zammad with docker-compose. For HTTPS I use a reverse nginx proxy, which redirects the requests to Zammad. Unfortunately I got stuck with the OAuth 2.0 setup.
I use the authorization code grant flow.
I saw a few posts saying that the generic OAuth is kind of broken. You even mention a removal in this issue: Generic oAuth2 login provider is unusable · Issue #2951 · zammad/zammad · GitHub. This would be really sad if that's the case.
Actual behavior:
- I receive an error: OAuth2::Error, invalid_grant: redirect_uri value must be identical to the value included in the authorization request.
It seems Zammad doesn't like the redirect_url, which contains code and a state:
Logs:
I, [2021-01-23T01:24:33.149276 #1-69942977133340] INFO -- : Started GET "/auth/oauth2/callback?code=[FILTERED]&state=67bbb861f0b67e25110461071" for 172.18.0.1 at 2021-01-23 01:24:33 +0000
I, [2021-01-23T01:24:33.153498 #1-69942977133340] INFO -- : (oauth2) Callback phase initiated.
E, [2021-01-23T01:24:33.240668 #1-69942977133340] ERROR -- : (oauth2) Authentication failure! invalid_credentials: OAuth2::Error, invalid_grant: redirect_uri value must be identical to the value included in the authorization request.
{"error_description":"redirect_uri value must be identical to the value included in the authorization request.","error":"invalid_grant"}
I, [2021-01-23T01:24:33.276491 #1-46913160226040] INFO -- : Started GET "/auth/failure?message=invalid_credentials&origin=https%3A%2F%2Fmydomain.com%2F&strategy=oauth2" for 172.18.0.1 at 2021-01-23 01:24:33 +0000
I, [2021-01-23T01:24:33.280971 #1-46913160226040] INFO -- : Processing by SessionsController#failure_omniauth as HTML
I, [2021-01-23T01:24:33.281030 #1-46913160226040] INFO -- : Parameters: {"message"=>"invalid_credentials", "origin"=>"https://mydomain.com/", "strategy"=>"oauth2"}
E, [2021-01-23T01:24:33.281411 #1-46913160226040] ERROR -- : Message from oauth2: invalid_credentials (Exceptions::UnprocessableEntity)
/opt/zammad/app/controllers/sessions_controller.rb:109:in `failure_omniauth'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/base.rb:194:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/rendering.rb:30:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/callbacks.rb:42:in `block in process_action'
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:109:in `block in run_callbacks'
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:18:in `block (4 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:180:in `subscribed'
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:17:in `block (3 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:180:in `subscribed'
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:16:in `block (2 levels) in <module:HasSecureContentSecurityPolicyForDownloads>'
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:118:in `instance_exec'
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:118:in `block in run_callbacks'
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:136:in `run_callbacks'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/callbacks.rb:41:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/rescue.rb:22:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:168:in `block in instrument'
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:168:in `instrument'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/instrumentation.rb:32:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/params_wrapper.rb:256:in `process_action'
/usr/local/bundle/gems/activerecord-5.2.4.4/lib/active_record/railties/controller_runtime.rb:24:in `process_action'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/base.rb:134:in `process'
/usr/local/bundle/gems/actionview-5.2.4.4/lib/action_view/rendering.rb:32:in `process'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal.rb:191:in `dispatch'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal.rb:252:in `dispatch'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:52:in `dispatch'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:34:in `serve'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:52:in `block in serve'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:35:in `each'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:35:in `serve'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:840:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:420:in `call_app!'
/usr/local/bundle/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in `other_phase'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:190:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/builder.rb:45:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/conditional_get.rb:27:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/head.rb:12:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/http/content_security_policy.rb:18:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb:670:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:98:in `run_callbacks'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
/usr/local/bundle/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:38:in `call_app'
/usr/local/bundle/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:28:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/request_id.rb:27:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call'
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb:14:in `call'
/usr/local/bundle/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call'
/usr/local/bundle/gems/railties-5.2.4.4/lib/rails/engine.rb:524:in `call'
/usr/local/bundle/gems/puma-3.12.6/lib/puma/configuration.rb:227:in `call'
/usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:706:in `handle_request'
/usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:476:in `process_client'
/usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:334:in `block in run'
/usr/local/bundle/gems/puma-3.12.6/lib/puma/thread_pool.rb:135:in `block in spawn_thread'
/usr/local/bundle/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
I, [2021-01-23T01:24:33.282031 #1-46913160226040] INFO -- : Rendering inline template
I, [2021-01-23T01:24:33.282611 #1-46913160226040] INFO -- : Rendered inline template (0.5ms)
I, [2021-01-23T01:24:33.282775 #1-46913160226040] INFO -- : Completed 422 Unprocessable Entity in 2ms (Views: 0.8ms | ActiveRecord: 0.0ms)
I would appreciate every hint in order to make it work! Thank you.
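
An added example, not part of the original post and not Zammad or omniauth code: a minimal Ruby model of the check behind the `invalid_grant` response in the log (RFC 6749 section 4.1.3 requires the `redirect_uri` in the token request to be identical to the one in the authorization request), plus a helper that reports which URI component differs. The helper names and the candidate URIs are constructed for illustration; `mydomain.com` is the placeholder host from the log, and the example does not determine which variant applies to this setup.

```ruby
require 'uri'

# Constructed value: the redirect_uri assumed to have been sent with the
# authorization request (mydomain.com is the placeholder host from the log).
AUTHORIZED_REDIRECT = 'https://mydomain.com/auth/oauth2/callback'

# RFC 6749 section 4.1.3: the authorization server compares the two values
# as strings. Any difference yields the error body seen in the log.
def token_request_error(authorized_uri, token_uri)
  return nil if authorized_uri == token_uri

  { 'error' => 'invalid_grant',
    'error_description' => 'redirect_uri value must be identical to the ' \
                           'value included in the authorization request.' }
end

# Report which URI components differ, to narrow down where a mismatch
# is introduced (for example by a proxy or by the client library).
def redirect_uri_diff(authorized_uri, token_uri)
  a = URI.parse(authorized_uri)
  b = URI.parse(token_uri)
  %i[scheme host port path query].each_with_object({}) do |part, diff|
    left = a.public_send(part)
    right = b.public_send(part)
    diff[part] = [left, right] unless left == right
  end
end

# Constructed candidates for the value sent in the token request.
CANDIDATES = {
  identical: 'https://mydomain.com/auth/oauth2/callback',
  http_scheme: 'http://mydomain.com/auth/oauth2/callback',
  with_query: 'https://mydomain.com/auth/oauth2/callback?code=abc&state=xyz',
  trailing_slash: 'https://mydomain.com/auth/oauth2/callback/'
}.freeze

# One row per candidate: name, outcome, and the differing components.
def report
  CANDIDATES.map do |name, uri|
    err = token_request_error(AUTHORIZED_REDIRECT, uri)
    [name, err ? err['error'] : 'ok', redirect_uri_diff(AUTHORIZED_REDIRECT, uri)]
  end
end

report.each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```

Comparing the `redirect_uri` in the browser's authorization request with the one the application sends to the token endpoint shows which of these components, if any, changed between the two steps.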