OIDC login - Internal Server Error
-
We are trying to use the OIDC auth plugin to enable login to our Xen Orchestra without local accounts.
We registered a client with our identity provider and got a client id, client secret and the auto-discovery url. That we used to configure the plugin.
However, if we login we get redirected back from the identity provider to the XO callback url and receive then an "Internal Server Error"
The callback URL is as follow:
In the log file we see then the following 4 lines:
mrt 25 12:29:25 vm-xoa xo-server[2618522]: Expected values to be strictly equal: mrt 25 12:29:25 vm-xoa xo-server[2618522]: + actual - expected mrt 25 12:29:25 vm-xoa xo-server[2618522]: + 'undefined' mrt 25 12:29:25 vm-xoa xo-server[2618522]: - 'string'If we change both the username field and the scope to email, we get the same Internal Server Error, but with a different single log line:
mrt 25 13:18:04 vm-xoa xo-server[2618522]: Cannot read properties of undefined (reading '0')Because we are getting redirected back from our identity provider to Xen Orchestra we guess that the issue is not there. We also get in the browser a SAML response with the userdata.
Running a wireshark on the server shows also traffic between Xen Orchestra and the identity provider, but unfortunately we cannot look in the contents of that traffic stream.
Setting the log level to debug does unfortunately not produce more (error) output.
We are running Xen Orchestra with commit c3dcb and the auth-oidc (v0.4.2) plugin
Is there an other way to figure out what is going wrong?
-
Hi,
Probably giving more context on which OIDC provider you are using and how do you fill the fields in the configuration, XO version too (commit or XOA branch) etc.
-
Are the users from the oidc provider unique and not already present as local users? I ran into this issue because my already existing local user was the same as the oidc provided user
-
We are running Xen Orchestra with commit c3dcb and the auth-oidc (v0.4.2) plugin.
The users that login are unique and not yet present as local users.
The OICD provider is SURF with SRAM: https://www.surf.nl/en/services/identity-access-management/surf-research-access-management
They support the following attributes/scopes: https://servicedesk.surf.nl/wiki/spaces/IAM/pages/74226142/Attributes+in+SRAM
There are some IPs that need to be accessable: https://servicedesk.surf.nl/wiki/spaces/IAM/pages/74226067/IP+addresses#IPaddresses-OIDC . Outgoing traffic from the server to port 443 is open and works.
We did try several settings for the Username field and scopes.
For example the following:
This should create a user R123456789
The logging shows the following:
mrt 27 09:29:48 vm-xoa xo-server[2641104]: Expected values to be strictly equal: mrt 27 09:29:48 vm-xoa xo-server[2641104]: + actual - expected mrt 27 09:29:48 vm-xoa xo-server[2641104]: + 'undefined' mrt 27 09:29:48 vm-xoa xo-server[2641104]: - 'string'If we change it to:
The following shows up:
mrt 27 09:32:21 vm-xoa xo-server[2641104]: Cannot read properties of undefined (reading '0')I hope this helps to understand the problem. Thanks.
-
@carloum70 are the scopes email and uid provided by the source (are they delivered to xo by surfnet)?
By default only the openid scope is provided, without email or uid
https://servicedesk.surf.nl/wiki/spaces/IAM/pages/74226151/Connect+using+OpenID+Connect
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login