Oauth - Not found. Authentication passthru

I’m trying to use Zammad as an authentication backend for fabmanager through OAuth2. I’ve followed fab-manager/sso_with_github.md at master · sleede/fab-manager · GitHub. After generating the keys, filling in the endpoint and switching the auth provider to the new one, I’m getting « Not found. Authentication passthru » when clicking the login button in the interface.

I’ve also followed the tutorial step by step for GitHub and I’m also getting « Not found. Authentication passthru ».

Researching the issue further, I’ve found an active bug on the devise and oauth gems that could be the issue:
Error: Not found. Authentication passthru. with any Omniauth strategy · Issue #5236 · heartcombo/devise · GitHub

Some posts state that adding the “OmniAuth - Rails CSRF Protection” gem to the Gemfile could fix it, but the actual Gemfile already includes that gem, so I’m not sure if that is the source of the problem.

Does anyone around have experience with the OAuth integration?

Hi Javier,

I thought that I had already seen this error in the past, but I can’t remember exactly what I did to solve it. Can you post here an extract of /apps/fabmanager/log/app-stdout.log at the moment when the error is shown?

Hi Sylvain!

Here is the output of /apps/fabmanager/log/app-stdout.log

  Rendering application/sso_redirect.html.erb
  OAuth2Provider Load (0.2ms)  SELECT  "o_auth2_providers".* FROM "o_auth2_providers" WHERE "o_auth2_providers"."id" = $1 LIMIT $2  [["id", 4], ["LIMIT", 1]]
  Rendered application/sso_redirect.html.erb (0.9ms)
Completed 200 OK in 2ms (Views: 0.9ms | ActiveRecord: 0.4ms | Elasticsearch: 0.0ms)
Started GET "/users/auth/oauth2-github" for 172.20.0.4 at 2021-02-01 15:34:34 +0000
Processing by Users::OmniauthCallbacksController#passthru as HTML
  Rendering text template
  Rendered text template (0.0ms)
Completed 404 Not Found in 0ms (Views: 0.1ms | ActiveRecord: 0.0ms | Elasticsearch: 0.0ms)

I noticed something interesting: the URL I’m landing on when clicking sign-in is /users/auth/oauth2-github. In the tutorial the URL ends with /callback, so I tried /users/auth/oauth2-github/callback in the browser and I get directed to GitHub for login. After giving credentials it gets stuck in a loop. Here is the log output:

Started GET "/users/auth/oauth2-github/callback" for 172.20.0.4 at 2021-02-01 15:40:59 +0000
I, [2021-02-01T15:40:59.160586 #9]  INFO -- omniauth: (oauth2-github) Callback phase initiated.
E, [2021-02-01T15:40:59.160777 #9] ERROR -- omniauth: (oauth2-github) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
Processing by Users::OmniauthCallbacksController#failure as HTML
Redirected to https://fabmanager.mapache.xyz/users/sign_in
Completed 302 Found in 1ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms)
Started GET "/users/sign_in" for 172.20.0.4 at 2021-02-01 15:40:59 +0000
Processing by SessionsController#new as HTML
  AuthProvider Load (0.1ms)  SELECT  "auth_providers".* FROM "auth_providers" WHERE "auth_providers"."status" = $1 LIMIT $2  [["status", "active"], ["LIMIT", 1]]
  OAuth2Provider Load (0.1ms)  SELECT  "o_auth2_providers".* FROM "o_auth2_providers" WHERE "o_auth2_providers"."id" = $1 LIMIT $2  [["id", 4], ["LIMIT", 1]]
  Rendering html template
  Rendered html template (0.0ms)
Completed 200 OK in 2ms (Views: 0.2ms | ActiveRecord: 0.2ms | Elasticsearch: 0.0ms)
Started POST "/users/auth/oauth2-github" for 172.20.0.4 at 2021-02-01 15:40:59 +0000
I, [2021-02-01T15:40:59.223341 #9]  INFO -- omniauth: (oauth2-github) Request phase initiated.
Started GET "/api/notifications/polling?last_poll=2021-02-01T15:35:37.202Z" for 172.20.0.4 at 2021-02-01 15:41:07 +0000
Processing by API::NotificationsController#polling as JSON
  Parameters: {"last_poll"=>"2021-02-01T15:35:37.202Z"}
  User Load (0.2ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 ORDER BY "users"."id" ASC LIMIT $2  [["id", 1], ["LIMIT", 1]]
  Setting Load (0.1ms)  SELECT  "settings".* FROM "settings" WHERE "settings"."name" = $1 LIMIT $2  [["name", "confirmation_required"], ["LIMIT", 1]]
  HistoryValue Load (0.1ms)  SELECT  "history_values".* FROM "history_values" WHERE "history_values"."setting_id" = $1 ORDER BY "history_values"."created_at" DESC LIMIT $2  [["setting_id", 50], ["LIMIT", 1]]
   (0.2ms)  SELECT COUNT(*) FROM "notifications" WHERE "notifications"."receiver_id" = $1 AND "notifications"."receiver_type" = $2  [["receiver_id", 1], ["receiver_type", "User"]]
   (0.2ms)  SELECT COUNT(*) FROM "notifications" WHERE "notifications"."receiver_id" = $1 AND "notifications"."receiver_type" = $2 AND "notifications"."is_read" = $3  [["receiver_id", 1], ["receiver_type", "User"], ["is_read", false]]
  Rendering api/notifications/index.json.jbuilder
  Notification Load (0.2ms)  SELECT "notifications".* FROM "notifications" WHERE "notifications"."receiver_id" = $1 AND "notifications"."receiver_type" = $2 AND (is_read = false AND created_at >= '2021-02-01T15:35:37.202Z') ORDER BY created_at DESC  [["receiver_id", 1], ["receiver_type", "User"]]
  Rendered api/notifications/index.json.jbuilder (0.4ms)
Completed 200 OK in 4ms (Views: 0.5ms | ActiveRecord: 1.0ms | Elasticsearch: 0.0ms)
Started GET "/users/sign_in?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdocs.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch&state=cfda60f5489035a77b518800534932dfebc949330e5253f5" for 172.20.0.4 at 2021-02-01 15:41:29 +0000
Processing by SessionsController#new as HTML
  Parameters: {"error"=>"redirect_uri_mismatch", "error_description"=>"The redirect_uri MUST match the registered callback URL for this application.", "error_uri"=>"https://docs.github.com/apps/managing-oauth-apps/troubleshooting-authorization-request-errors/#redirect-uri-mismatch", "state"=>"cfda60f5489035a77b518800534932dfebc949330e5253f5"}
  AuthProvider Load (0.2ms)  SELECT  "auth_providers".* FROM "auth_providers" WHERE "auth_providers"."status" = $1 LIMIT $2  [["status", "active"], ["LIMIT", 1]]
  OAuth2Provider Load (0.1ms)  SELECT  "o_auth2_providers".* FROM "o_auth2_providers" WHERE "o_auth2_providers"."id" = $1 LIMIT $2  [["id", 4], ["LIMIT", 1]]
  Rendering html template
  Rendered html template (0.0ms)
Completed 200 OK in 2ms (Views: 0.2ms | ActiveRecord: 0.3ms | Elasticsearch: 0.0ms)
Started POST "/users/auth/oauth2-github" for 172.20.0.4 at 2021-02-01 15:41:29 +0000
I, [2021-02-01T15:41:29.894739 #9]  INFO -- omniauth: (oauth2-github) Request phase initiated.
Started GET "/users/sign_in?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdocs.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch&state=1ea9de47fea8be5167d0cd2a1d7097ee1bbed8dc9b446912" for 172.20.0.4 at 2021-02-01 15:41:30 +0000
Processing by SessionsController#new as HTML
  Parameters: {"error"=>"redirect_uri_mismatch", "error_description"=>"The redirect_uri MUST match the registered callback URL for this application.", "error_uri"=>"https://docs.github.com/apps/managing-oauth-apps/troubleshooting-authorization-request-errors/#redirect-uri-mismatch", "state"=>"1ea9de47fea8be5167d0cd2a1d7097ee1bbed8dc9b446912"}

Interesting, indeed!
I’ll take a look at this and keep you updated ASAP.
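
An added example, not part of the thread or of Fab-manager's code: a Ruby triage pass over log lines shaped like the ones posted above, separating the three failure signatures they contain (a GET request phase falling through to Devise's `passthru`, a callback rejected with `csrf_detected`, and an `error` parameter returned by the provider). The sample log is constructed, and `triage_oauth_log` and the finding names are hypothetical.

```ruby
require "uri"

# Constructed sample, shaped like the app-stdout.log lines in the thread
# (the state value is a placeholder).
SAMPLE_LOG = <<~LOG
  Started GET "/users/auth/oauth2-github" for 172.20.0.4 at 2021-02-01 15:34:34 +0000
  Processing by Users::OmniauthCallbacksController#passthru as HTML
  Completed 404 Not Found in 0ms
  Started GET "/users/auth/oauth2-github/callback" for 172.20.0.4 at 2021-02-01 15:40:59 +0000
  E, [2021-02-01T15:40:59.160777 #9] ERROR -- omniauth: (oauth2-github) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
  Started POST "/users/auth/oauth2-github" for 172.20.0.4 at 2021-02-01 15:40:59 +0000
  I, [2021-02-01T15:40:59.223341 #9]  INFO -- omniauth: (oauth2-github) Request phase initiated.
  Started GET "/users/sign_in?error=redirect_uri_mismatch&state=PLACEHOLDER" for 172.20.0.4 at 2021-02-01 15:41:29 +0000
LOG

STARTED = /\AStarted (GET|POST) "([^"]+)"/

# Returns an array of [kind, detail] findings in log order.
def triage_oauth_log(text)
  findings = []
  last = nil # [verb, path] of the most recent "Started" line
  text.each_line do |raw|
    line = raw.strip
    if (m = STARTED.match(line))
      path, query = m[2].split("?", 2)
      last = [m[1], path]
      params = URI.decode_www_form(query.to_s).to_h
      # The provider redirected back with an OAuth error parameter.
      findings << [:provider_error, params["error"]] if params["error"]
    elsif line.include?("#passthru") && last && last[0] == "GET"
      # The GET reached Devise's passthru action: OmniAuth did not start
      # the request phase for it (the POST in the same log does start it).
      findings << [:request_phase_not_handled, last[1]]
    elsif line =~ /omniauth: \(([^)]+)\) Authentication failure! csrf_detected/
      # Callback arrived without a state matching the one kept in the session,
      # as happens when /callback is opened directly in the browser.
      findings << [:state_mismatch, $1]
    end
  end
  findings
end

triage_oauth_log(SAMPLE_LOG).each { |kind, detail| puts "#{kind}: #{detail}" }
```

The `csrf_detected` rejection is the `state` check doing its job, so the fix belongs on the request side (a POST with a CSRF token to start the flow, and a callback URL registered with the provider that matches exactly) rather than in relaxing that check.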