Troubles setting OAuth 2 with zammad

Infos:

  • Used Zammad version: 3.6.0-15
  • Used Zammad installation source: (source, package, …)
  • Operating system: RHEL
  • Browser + version:latest Chrome and Firefox

Expected behavior:

I"m trying to setup zammad with OAuth. Currenty I use the latest version of zammad with docker-compose. For HTTPS I use reverse nginx proxy, which redirects the requests to zammad. Unfortunately i got stuck with the OAuth 2.0 setup.

I use authorization code grant flow.

I saw a few posts, that the Generic Oauth is kind of broken. Even you mention a removal in this issue: Removal of generic oAuth2 · Issue #2951 · zammad/zammad · GitHub. This would be really sad, If that’s the case.

Actual behavior:

  • I receive an error: OAuth2::Error, invalid_grant: redirect_uri value must be identical to the value included in the authorization request.

It seems zammad doesn’t like the redirect_url, which contains code and a state:

https://mydomain.com/auth/oauth2/callback?code=o8JJ8M9wVr5oiJ7iJIGKZ2oeMIMDwKoT7idrLxv1&state=1b0f518adfb3391a1b671213e3275770cc2fd975187f6991

Logs:

I, [2021-01-23T01:24:33.149276 #1-69942977133340] INFO – : Started GET “/auth/oauth2/callback?code=[FILTERED]&state=67bbb861f0b67e25110461071” for 172.18.0.1 at 2021-01-23 01:24:33 +0000
I, [2021-01-23T01:24:33.153498 #1-69942977133340] INFO – : (oauth2) Callback phase initiated.
E, [2021-01-23T01:24:33.240668 #1-69942977133340] ERROR – : (oauth2) Authentication failure! invalid_credentials: OAuth2::Error, invalid_grant: redirect_uri value must be identical to the value included in the authorization request.
{“error_description”:“redirect_uri value must be identical to the value included in the authorization request.”,“error”:“invalid_grant”}
I, [2021-01-23T01:24:33.276491 #1-46913160226040] INFO – : Started GET “/auth/failure?message=invalid_credentials&origin=https%3A%2F%2Fmydomain.com%2F&strategy=oauth2” for 172.18.0.1 at 2021-01-23 01:24:33 +0000
I, [2021-01-23T01:24:33.280971 #1-46913160226040] INFO – : Processing by SessionsController#failure_omniauth as HTML
I, [2021-01-23T01:24:33.281030 #1-46913160226040] INFO – : Parameters: {“message”=>“invalid_credentials”, “origin”=>“https://mydomain.com/”, “strategy”=>“oauth2”}
E, [2021-01-23T01:24:33.281411 #1-46913160226040] ERROR – : Message from oauth2: invalid_credentials (Exceptions::UnprocessableEntity)
/opt/zammad/app/controllers/sessions_controller.rb:109:in failure_omniauth' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/basic_implicit_render.rb:6:in send_action’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/base.rb:194:in process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/rendering.rb:30:in process_action’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/callbacks.rb:42:in block in process_action' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:109:in block in run_callbacks’
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:18:in block (4 levels) in <module:HasSecureContentSecurityPolicyForDownloads>' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:180:in subscribed’
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:17:in block (3 levels) in <module:HasSecureContentSecurityPolicyForDownloads>' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:180:in subscribed’
/opt/zammad/app/controllers/application_controller/has_secure_content_security_policy_for_downloads.rb:16:in block (2 levels) in <module:HasSecureContentSecurityPolicyForDownloads>' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:118:in instance_exec’
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:118:in block in run_callbacks' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:136:in run_callbacks’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/callbacks.rb:41:in process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/rescue.rb:22:in process_action’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/instrumentation.rb:34:in block in process_action' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:168:in block in instrument’
/usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications/instrumenter.rb:23:in instrument' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/notifications.rb:168:in instrument’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/instrumentation.rb:32:in process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal/params_wrapper.rb:256:in process_action’
/usr/local/bundle/gems/activerecord-5.2.4.4/lib/active_record/railties/controller_runtime.rb:24:in process_action' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/abstract_controller/base.rb:134:in process’
/usr/local/bundle/gems/actionview-5.2.4.4/lib/action_view/rendering.rb:32:in process' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal.rb:191:in dispatch’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_controller/metal.rb:252:in dispatch' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:52:in dispatch’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:34:in serve' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:52:in block in serve’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:35:in each' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/journey/router.rb:35:in serve’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/routing/route_set.rb:840:in call' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:420:in call_app!’
/usr/local/bundle/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in other_phase' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:190:in call!’
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!’
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!’
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!’
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!’
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!’
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!’
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!’
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!’
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in call!’
/usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in call' /usr/local/bundle/gems/omniauth-1.9.1/lib/omniauth/builder.rb:45:in call’
/usr/local/bundle/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/etag.rb:27:in call’
/usr/local/bundle/gems/rack-2.2.3/lib/rack/conditional_get.rb:27:in call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/head.rb:12:in call’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/http/content_security_policy.rb:18:in call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in context’
/usr/local/bundle/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/cookies.rb:670:in call’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:28:in block in call' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/callbacks.rb:98:in run_callbacks’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/callbacks.rb:26:in call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/debug_exceptions.rb:61:in call’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/show_exceptions.rb:33:in call' /usr/local/bundle/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:38:in call_app’
/usr/local/bundle/gems/railties-5.2.4.4/lib/rails/rack/logger.rb:28:in call' /usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/remote_ip.rb:81:in call’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/request_id.rb:27:in call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/method_override.rb:24:in call’
/usr/local/bundle/gems/rack-2.2.3/lib/rack/runtime.rb:22:in call' /usr/local/bundle/gems/activesupport-5.2.4.4/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in call’
/usr/local/bundle/gems/actionpack-5.2.4.4/lib/action_dispatch/middleware/executor.rb:14:in call' /usr/local/bundle/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in call’
/usr/local/bundle/gems/railties-5.2.4.4/lib/rails/engine.rb:524:in call' /usr/local/bundle/gems/puma-3.12.6/lib/puma/configuration.rb:227:in call’
/usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:706:in handle_request' /usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:476:in process_client’
/usr/local/bundle/gems/puma-3.12.6/lib/puma/server.rb:334:in block in run' /usr/local/bundle/gems/puma-3.12.6/lib/puma/thread_pool.rb:135:in block in spawn_thread’
/usr/local/bundle/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context’
I, [2021-01-23T01:24:33.282031 #1-46913160226040] INFO – : Rendering inline template
I, [2021-01-23T01:24:33.282611 #1-46913160226040] INFO – : Rendered inline template (0.5ms)
I, [2021-01-23T01:24:33.282775 #1-46913160226040] INFO – : Completed 422 Unprocessable Entity in 2ms (Views: 0.8ms | ActiveRecord: 0.0ms)

I would appreciate every hint in order to make it working! Thank you.

I was able to use SAML 2.0

1 Like

SAML is the way to go - oAuth2 is broken and will be removed in future versions.
This state has not changed.

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.