Bugs: OAuth2 can not be disabled (was: OAuth2 maps only to the account "admin")

[bnalpay]

Issue

Server Setup Information:

• Did you test in newest Wekan?: Yes
• Wekan version: 1.39.0
• If this is about old version of Wekan, what upgrade problem you have?:
• Operating System: Centos 7
• Deployment Method(snap/docker/sandstorm/mongodb bundle/source): Snap
• Http frontend if any (Caddy, Nginx, Apache, see config examples from Wekan GitHub wiki first): Caddy + Nginx
• Node Version: 8.12.0
• MongoDB Version:
• ROOT_URL environment variable http(s)://(subdomain).example.com(/suburl): https://kanban.fevzigandur.com/wekan

Problem description:
oauth maps only to the account "admin" regardless of the user credentials entered in oauth implemantation

• Explain steps how to reproduce
  wekan <-Oauth-> rocketchat <--ldap-->AD

• Attach log files in .zip file)

[xet7]

@salleman33

Can you look at this?

[salleman33]

Hi,
strange... the only way to make an account admin is when there is 0 account : the first created is admin.

[xet7]

@salleman33

On my Wekan install, there is multiple existing users, but anyone logging in with oauth logs in as me, first admin user.

[bnalpay]

I wonder if the mapping logic checks the verification status (tab named "verified" in people section) of the account ? and even tough there's no verified account including the default admin account all users can login with their local accounts but not with oauth

[xet7]

@bnalpay

Wekan user verifying is broken #1426 , users are not verified.

[salleman33]

There may be a problem with datas returned by meteor-accounts-oidc.
Could you check the content of user.services.oidc in models/users.js line 491 ?

[xet7]

@salleman33

It seems to try to find only those that have verified true. But most have verified false on Wekan.

[xet7]

@salleman33

I have 2 users at Rocket.Chat and Wekan: xet7 and test.

1. When I remove verified=true:

$ git diff
diff --git a/models/users.js b/models/users.js
index 01673e4..5c4c041 100644
--- a/models/users.js
+++ b/models/users.js
@@ -492,7 +492,7 @@ if (Meteor.isServer) {
       const email = user.services.oidc.email.toLowerCase();
 
       user.username = user.services.oidc.username;
-      user.emails = [{ address: email, verified: true }];
+      user.emails = [{ address: email }];
       const initials = user.services.oidc.fullname.match(/\b[a-zA-Z]/g).join('').toUpperCase();
       user.profile = { initials, fullname: user.services.oidc.fullname };

2. Then login using test user to to Rocket.Chat https://github.com/wekan/wekan/wiki/OAuth2

3. Then login with Oidc button using Rocket.Chat auth to Wekan

4. Then Wekan shows test user Authorize window

5. But when clicking Authorize, test user still logins as xet7 user.

[salleman33]

do you test this with a private window ?

[xet7]

@salleman33

Yes, in private window it behaves same way.

[salleman33]

@xet7
Why you remove "verified: true" ? does it change the problem ?

[xet7]

@salleman33

Because currrently in Standalone Wekan Admin Panel all users seems to be not verified, because setting somebody verified does not work. I was thinking that your code would only work for user that are set as verified. But removing "verified:true" did not change anything, and did not fix anything, everyone always logins as first admin user.

[salleman33]

Verified property does not effect authentification. My code sets it to true because the account come from oAuth identity provider who checks the email.
Could you display the content user.services.oidc in models/users.js line 491 when you log in please ?

[xet7]

@salleman33

I don't get any output. I added these console.log lines:

diff --git a/models/users.js b/models/users.js
index 01673e4..4652395 100644
--- a/models/users.js
+++ b/models/users.js
@@ -490,7 +490,9 @@ if (Meteor.isServer) {
 
     if (user.services.oidc) {
       const email = user.services.oidc.email.toLowerCase();
-
+      console.log("Email: " + user.services.oidc.email);
+      console.log("Username: " + user.services.oidc.username);
+      console.log("Fullname: " + user.services.oidc.fullname);
       user.username = user.services.oidc.username;
       user.emails = [{ address: email, verified: true }];
       const initials = user.services.oidc.fullname.match(/\b[a-zA-Z]/g).join('').toUpperCase();

I don't even know where you check and validate info that is coming from oidc. There seems to be some code on create user, but I probably would need to go through oidc documentation to figure it out.

[HLFH]

It should be interesting to be able to disable the Oidc feature & button directly in the Wekan config.

[xet7]

@HLFH

Yes sure. But first the feature needs to be fixed so that it works.

[salleman33]

Could you give me an account to rocket.chat to debug this problem please ? Trial is disabled on rocket.chat currently...

[xet7]

@salleman33

Yes, send me email to x@xet7.org

[rjevnikar]

Is it possible to hide the "Sign in with Oidc" button until this feature works and there is a way of disabling the feature?

[xet7]

@rjevnikar

I will add sometime in near future check to code, that if OAuth2 is not configured, Oidc button is not shown.

[xet7]

@HLFH @rjevnikar

Wekan v1.49 has now been released, it has IFTTT and OAuth2 removed. Their development continues at wekan repo edge branch, until they work.

This is how to use snap stable channel, that most Wekan users have installed:

sudo snap refresh wekan --stable --amend

This is how to use snap edge channel:

sudo snap refresh wekan --edge --amend

[salleman33]

Hi,
the problem is that identity providers (facebook, google, rocketchat) are there own data structure which is send to oauth client.
When I wrote the oauth2 authentification for wekan, i used a personnal identity provider and the package salleman:accounts-oidc works for it. But if you want connect with facebook, google, etc., you have to use an other package like accounts-google for google, accounts-facebook for facebook, and accounts-rocketchat for rocket
then, you have to put a service configuration in server/authentification.js in replace for exemple with rocketchat :
ServiceConfiguration.configurations.upsert( // eslint-disable-line no-undef { service: 'oidc' },
by
ServiceConfiguration.configurations.upsert( // eslint-disable-line no-undef { service: 'rocketchat' },

Could you test ?

[xet7]

@salleman33

What personal identity provider you used for oidc?

Is it open source?

[salleman33]

I use doorkeeper (https://github.com/doorkeeper-gem/doorkeeper)

[xet7]

Thanks ! I will test.

[xet7]

@salleman33

Does this work well for you with doorkeeper?

Does my change oidc username to preferred_username fix or break something?
734e4e5

[xet7]

@danpatdav

Admin creation logic would go to wekan/server/authentication.js where Wekan would check is env variables set and create admin user.

[xet7]

Do you have ideas what is problem with Auth0?

Auth0 OIDC settings:

{"issuer":"https://example.eu.auth0.com/","authorization_endpoint":"https://example.eu.auth0.com/authorize","token_endpoint":"https://example.eu.auth0.com/oauth/token","userinfo_endpoint":"https://example.eu.auth0.com/userinfo","mfa_challenge_endpoint":"https://example.eu.auth0.com/mfa/challenge","jwks_uri":"https://example.eu.auth0.com/.well-known/jwks.json","registration_endpoint":"https://example.eu.auth0.com/oidc/register","revocation_endpoint":"https://example.eu.auth0.com/oauth/revoke","scopes_supported":["openid","profile","offline_access","name","given_name","family_name","nickname","email","email_verified","picture","created_at","identities","phone","address"],"response_types_supported":["code","token","id_token","code token","code id_token","token id_token","code token id_token"],"response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["HS256","RS256"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],"claims_supported":["aud","auth_time","created_at","email","email_verified","exp","family_name","given_name","iat","identities","iss","name","nickname","phone_number","picture","sub"],"request_uri_parameter_supported":false}

I get this error:

2019-02-12T13:44:29Z wekan.wekan[2190]:   token_type: 'Bearer' }
2019-02-12T13:44:29Z wekan.wekan[2190]: XXX: getUserInfo response:  { sub: 'google-oauth2|1234567890' }
2019-02-12T13:44:29Z wekan.wekan[2190]: XXX: userinfo: { sub: 'google-oauth2|1234567890' }
2019-02-12T13:44:29Z wekan.wekan[2190]: {"line":"431","file":"oauth.js","message":"Error in OAuth Server: id is not defined","time":{"$date":1549979069363},"level":"warn"}
2019-02-12T13:44:29Z wekan.wekan[2190]: Exception while invoking method 'login' ReferenceError: id is not defined
2019-02-12T13:44:29Z wekan.wekan[2190]:     at Object.handleOauthRequest (packages/salleman_oidc.js:39:68)
2019-02-12T13:44:29Z wekan.wekan[2190]:     at OAuth._requestHandlers.(anonymous function) (packages/oauth2.js:27:31)
2019-02-12T13:44:29Z wekan.wekan[2190]:     at middleware (packages/oauth.js:203:5)
2019-02-12T13:44:29Z wekan.wekan[2190]:     at packages/oauth.js:176:5

I have tried this, but still get error:

sudo snap set oauth2-map-id='email'

[danpatdav]

Happy to help debug where I can. The first thing I notice is that the sub (object?) looks different than mine for both the getUserInfo and userInfo debug statement:

Yours => { sub: 'google-oauth2|1234567890' }
Mine => { sub: 'CVchEPRpvLz6vNNVpAAmUxu4eKT_G4d_wLrm7M1Mbmc' }

In my logs I also see the detail from the userinfo endpoint right afterwards:

XXX: getUserInfo response:  { sub: 'CVchEPRpvLz6vNNVpAAmUxu4eKT_G4d_wLrm7M1Mbmc',
--
  | name: 'Lastname, Firstname',
  | family_name: 'MYLASTNAME',
  | given_name: 'MYFIRSTNAME',
  | picture: 'https://graph.microsoft.com/v1.0/me/photo/$value' ,
  | email: 'me@email.com' }

Possibly the OAUTH2_ parameters are not correct for Auth0? Was this working prior to v2.21?

Here are my ENV variables:

OAUTH2_AUTH_ENDPOINT = /oauth2/v2.0/authorize
OAUTH2_USERINFO_ENDPOINT = https://graph.microsoft.com/oidc/userinfo
OAUTH2_TOKEN_ENDPOINT = /oauth2/v2.0/token

[xet7]

No, Auth0 has not worked yet for me. There is also existing Auth0 issue with some more details. I have been trying to get Auth0 working for some months.

[danpatdav]

I tried converting my acceptance wekan deployment over to auth0, but our firewalls block the necessary callbacks. Maybe I can spin up a stand-alone instance at home and get it to work. Let you know what I find.

…

On Feb 12, 2019, at 1:00 PM, Lauri Ojansivu ***@***.***> wrote: No, Auth0 has not worked yet for me. There is also existing Auth0 issue with some more details. I have been trying to get Auth0 working for some months. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[gil0109]

@xet7 Looks like the recent updates for OIDC (post v11 haha) broke my keycloak instance. Actually it made it better and easier. I will re-test and fix the documentation. I think with the recent mapping additions, it will be much easier to get Keycloak up and running.

Any chance there is a way to hide the email login and registration from the startup? Is there an email variable that we can set to FALSE?

[gil0109]

@xet7 I updated the wiki for keycloak. Thanks to the newer OAUTH2 commit (bdbbb12) , the setup for keycloak is much simpler.

[gil0109]

@xet7 The v2.24 image broke OAUTH2 for Keycloak with this error:

Uncaught TypeError: a.join is not a function
at Object.requestCredential (a33a650939723c9124573489e1dd465fe973fdc8.js?meteor_js_resource=true:175)
at e.isClient.e.loginWithOidc (a33a650939723c9124573489e1dd465fe973fdc8.js?meteor_js_resource=true:177)
at Object.click button (a33a650939723c9124573489e1dd465fe973fdc8.js?meteor_js_resource=true:155)
at a33a650939723c9124573489e1dd465fe973fdc8.js?meteor_js_resource=true:59
at Function.e._withTemplateInstanceFunc (a33a650939723c9124573489e1dd465fe973fdc8.js?meteor_js_resource=true:59)
at f.View. (a33a650939723c9124573489e1dd465fe973fdc8.js?meteor_js_resource=true:59)
at a33a650939723c9124573489e1dd465fe973fdc8.js?meteor_js_resource=true:59
at Object.f._withCurrentView (a33a650939723c9124573489e1dd465fe973fdc8.js?meteor_js_resource=true:59)
at f._DOMRange. (a33a650939723c9124573489e1dd465fe973fdc8.js?meteor_js_resource=true:59)
at HTMLButtonElement. (a33a650939723c9124573489e1dd465fe973fdc8.js?meteor_js_resource=true:59)

[gil0109]

@xet7 Thank you.

[gil0109]

I looked in the yaml file and did not see anything, is there a variable to disable login/register by Email and force only OAUTH2?

Similar to OAUTH2=true

[xet7]

@gil0109

I will add disabling Email. It's not in Wekan yet, so I'll start coding it now.

[tiagoefreitas]

The new method doesn't work with nextcloud, because the user information is nested.

My code that works is like this:
var userinfodata = userinfo.ocs.data;
serviceData.id = userinfodata.id;

but the new userinfo[process.env.OAUTH2_ID_MAP]
becomes userinfo[ocs.data.id] that doesn't work.

Any idea to make it work with the variables?

[xet7]

@tiagoefreitas

Is that only change required? Or is there more?
I could add new variable like NEXTCLOUD_ENABLED=true that would use those.

[tiagoefreitas]

@xet7 that would work, even if it's not very elegant, I don't know enough javascript to understand if this is possible using reflection or something to get the fields from the parameter string.

full code is in my previous comment, here it is:
line 16:

var userinfodata = userinfo.ocs.data;
serviceData.id = userinfodata.id;
serviceData.username = userinfodata.id;
serviceData.fullname = userinfodata['display-name'];
serviceData.accessToken = accessToken;
serviceData.expiresAt = expiresAt;
serviceData.email = userinfodata.email;

And line 34:

profile.name = userinfodata['display-name'];
profile.email = userinfodata.email;

[bogie]

@tiagoefreitas

Is that only change required? Or is there more?
I could add new variable like NEXTCLOUD_ENABLED=true that would use those.

In https://github.com/wekan/wekan/blob/master/packages/wekan-oidc/oidc_server.js at line 13:

if (userinfo.ocs) userinfo = userinfo.ocs.data; // Nextcloud hack

should do it. We can then use the mapping config properly. I am trying to get a dev environment working, but my homeserver is taking ages to build wekan.

As for a sample config:

#-----------------------------------------------------------------
# ==== OAUTH2 Nextcloud ====
# go to https://your.nextcloud/settings/admin/security
# create a new OAUTH2 client with callback: https://your.wekan/_oauth/oidc
# copy client identifier and secret and paste them below:
- OAUTH2_ENABLED=true
- OAUTH2_LOGIN_STYLE=redirect
# Application GUID captured during app registration:
- OAUTH2_CLIENT_ID=<from Nextcloud webinterface>
# Secret key generated during app registration:
- OAUTH2_SECRET=<from Nextcloud webinterface>
- OAUTH2_SERVER_URL=https://yourdomain.com
- OAUTH2_AUTH_ENDPOINT=/index.php/apps/oauth2/authorize
- OAUTH2_USERINFO_ENDPOINT=/ocs/v2.php/cloud/user?format=json
- OAUTH2_TOKEN_ENDPOINT=/index.php/apps/oauth2/api/v1/token
# The claim name you want to map to the unique ID field:
- OAUTH2_ID_MAP=id
# The claim name you want to map to the username field:
- OAUTH2_USERNAME_MAP=id
# The claim name you want to map to the full name field:
- OAUTH2_FULLNAME_MAP=display-name
# The claim name you want to map to the email field:
- OAUTH2_EMAIL_MAP=email

In the end this is to circumvent the fact, that nextcloud does not provide a proper userinfo endpoint. I do not know why, but here we are.

[xet7]

About original issue, disabling OAuth2:

sudo snap unset wekan oauth2-enabled

[xet7]

I wrote to top of https://github.com/wekan/wekan/wiki/Keycloak

NOTE: Is that preffered_username setting wrong? Correct settings should be for OIDC login:

sudo snap set wekan oauth2-username-map='email'
sudo snap set wekan oauth2-email-map='email'

I think that preffered_username related settings are wrong, because there could be many users with same username, and it causes to login as wrong user. Only email address is unique, and should be used.

For OIDC login tor work correcty, username and email both need to be set to be email. This is similar how OAuth2 login works at Azure login and Google login.