Mattermost auth failure - Invalid state #79

nikolaysu opened this issue Jun 30, 2021 · 8 comments
@nikolaysu

Describe the bug
Authorization does not work in a fresh installation. "Invalid state"

To Reproduce
Steps to reproduce the behavior:

  1. Install mattermost Version: 5.36.1 Build Number: 5.36.1
  2. Install Mattermost-LDAP on the same server as Bare metal (Apache/2.4.46 port 8443 over SSL, PHP 7.0.33-0+deb9u6)
  3. Open the Mattermost login page, click gitlab, get redirected to https://mm.example.com:8443/oauth/. Enter LDAP login and password.

Provide commands, Mattermost and PHP logs or configuration file if possible.
172.20.1.6 - client ip, mm.example.com:8065 - mattermost server, mm.example.com:8443 -
Mattermost-LDAP web page

Mattermost logs in debug mode

{"level":"debug","ts":1625024999.5828278,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/oauth/gitlab/login","request_id":"wrw3p3dc4inn5p84rtrhh4q5qr","host":"mm.example.com:8065","scheme":"","status_code":"302"}
{"level":"debug","ts":1625025008.811365,"caller":"mlog/log.go:230","msg":"Invalid state","path":"/signup/gitlab/complete","request_id":"wj1xym7qspgj8b8yeftrdwr55e","ip_addr":"172.20.1.16","user_id":"","method":"GET","err_where":"AuthorizeOAuthUser","http_code":400,"err_details":""}
{"level":"debug","ts":1625025008.8446581,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/signup/gitlab/complete","request_id":"wj1xym7qspgj8b8yeftrdwr55e","host":"mm.example.com:8065","scheme":"","status_code":"400"}
{"level":"debug","ts":1625025009.055701,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/error","request_id":"mpucaqfdxfn5tyc7haxm548jee","host":"mm.example.com:8065","scheme":"","status_code":"200"}
{"level":"debug","ts":1625025010.0175362,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/api/v4/config/client","request_id":"pnocb59j9pdni818a83doqke8a","host":"mm.example.com:8065","scheme":"","status_code":"200"}
{"level":"debug","ts":1625025010.0197144,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/api/v4/license/client","request_id":"cdogz56mep8r5fwkabwrqwjazc","host":"mm.example.com:8065","scheme":"","status_code":"200"}
{"level":"debug","ts":1625025010.0702233,"caller":"web/handlers.go:107","msg":"Received HTTP request","method":"GET","url":"/api/v4/plugins/webapp","request_id":"qr39g15nfprq5k1bt71335esec","host":"mm.example.com:8065","scheme":"","status_code":"200"}

Apache logs

172.20.1.16 - - [30/Jun/2021:06:49:59 +0300] "GET /oauth/authorize.php?response_type=code&client_id=116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81&redirect_uri=http%3A%2F%2Fmm.example.com%3A8065%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6Im13eXFleWVzZG03ZmtnYnR5bXlkdWRmYWdjZ21mdXRvcjhtM3Q4am5yMzRzdXdrZXJzMW4xbjlqeTZhbTNyeGIifQ%3D%3D HTTP/1.1" 302 6150 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:49:59 +0300] "GET /oauth/index.php HTTP/1.1" 200 1029 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:49:59 +0300] "GET /oauth/style.css HTTP/1.1" 200 1711 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:49:59 +0300] "GET /oauth/images/prompt_icon.png HTTP/1.1" 304 209 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:50:08 +0300] "POST /oauth/index.php HTTP/1.1" 302 1210 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:50:08 +0300] "GET /oauth/authorize.php?response_type=code&client_id=116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81&redirect_uri=http%3A%2F%2Fmm.example.com%3A8065%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6Im13eXFleWVzZG03ZmtnYnR5bXlkdWRmYWdjZ21mdXRvcjhtM3Q4am5yMzRzdXdrZXJzMW4xbjlqeTZhbTNyeGIifQ%3D%3D HTTP/1.1" 302 609 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:06:50:28 +0300] "-" 408 511 "-" "-"

Mattermost config

 "GitLabSettings": {
        "Enable": true,
        "Secret": "4a77dabc75f336c464964996a596c8307ee1cc6df6c10f727ac43d9a294c6e86",
        "Id": "116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81",
        "Scope": "",
        "AuthEndpoint": "https://mm.example.com:8443/oauth/authorize.php",
        "TokenEndpoint": "https://mm.example.com:8443/oauth/token.php",
        "UserApiEndpoint": "https://mm.example.com:8443/oauth/resource.php",
        "DiscoveryEndpoint": "",
        "ButtonText": "",
        "ButtonColor": ""
    },

In oauth_db (postgres)

sudo -u postgres psql -d oauth_db -c "select * from oauth_clients;"
client_id                             |                          client_secret                           |                 redirect_uri                  |    grant_types     | scope | user_id
------------------------------------------------------------------+------------------------------------------------------------------+-----------------------------------------------+--------------------+-------+---------
 116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81 | 4a77dabc75f336c464964996a596c8307ee1cc6df6c10f727ac43d9a294c6e86 | http://mm.example.com:8065/signup/gitlab/complete | authorization_code | api   |

  • OS: Debian 9 stretch
  • Chrome 91.0.4472.124
@Crivaledaz
Owner

Hi,

Thank you for using Mattermost-LDAP and for the details you provide on your issue.

I can't find what goes wrong in your setup by reading the logs. There are no error logs. Only the last Apache log is intriguing. I don't know what is going on; if I understand correctly, you get a 408 error (HTTP_REQUEST_TIME_OUT), but I don't know what the request was.

In your Apache logs, there are no logs about the token.php or resource.php pages. It seems that the Mattermost server does not contact the Oauth server, but I don't see a misconfiguration that explains why.

I notice you are using HTTPS for the Oauth server. Maybe you also run the Mattermost server with HTTPS. In this case, the redirect_uri parameter in the oauth_clients table should be in HTTPS too. Furthermore, be sure the Mattermost server trusts the Oauth server's SSL certificate, else it will not perform authentication against Oauth.

Your error is very strange because Mattermost classifies the "Invalid state" as a debug level. I am afraid you will need to inspect the network exchanges between Oauth and Mattermost, to understand what is going on. For this, you could use Wireshark or Tshark.

For your information, I have successfully run Mattermost 5.36.1 with Mattermost-LDAP using the demo docker-compose.

Keep me informed,

Regards

@nikolaysu
Author

Thanks for the answer!

Mattermost and oauth are on one server, and I don't understand what can disturb the network exchange.

I set up SSL on Mattermost. (There shouldn't be any problems with certificates. This is my domain's honest wildcard certificate.)
And I got another error - "Bad response from token request"
{"level":"error","ts":1625044594.2157342,"caller":"mlog/log.go:251","msg":"Bad response from token request.","path":"/signup/gitlab/complete","request_id":"tw6jfkyqr3frtdz8u9rrmpw4wo","ip_addr":"172.20.1.16","user_id":"","method":"GET","err_where":"AuthorizeOAuthUser","http_code":500,"err_details":"response_body= {\"error\":\"redirect_uri_mismatch\",\"error_description\":\"The redirect URI is missing or do not match\",\"error_uri\":\"http:\\/\\/tools.ietf.org\\/html\\/rfc6749#section-4.1.3\"}, status_code=400"}

And apache log

172.20.1.16 - - [30/Jun/2021:12:47:10 +0300] "-" 408 5785 "-" "-"
172.20.1.16 - - [30/Jun/2021:12:47:39 +0300] "GET /oauth/authorize.php?response_type=code&client_id=116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81&redirect_uri=https%3A%2F%2Fmm.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6IjE1cWprZzY2YTZqY2ZoaTg1aHc1OHBoeTU0bTRhZGVvZWRpYm9tMTR6Z3M2NnA5aG1heDRoNnpqOHN0emM4a2gifQ%3D%3D HTTP/1.1" 302 876 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:12:47:39 +0300] "GET /oauth/index.php HTTP/1.1" 200 1029 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:12:47:39 +0300] "GET /oauth/style.css HTTP/1.1" 200 1711 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:12:47:39 +0300] "GET /oauth/images/prompt_icon.png HTTP/1.1" 304 209 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:12:47:51 +0300] "POST /oauth/index.php HTTP/1.1" 302 1204 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:12:47:51 +0300] "GET /oauth/authorize.php?response_type=code&client_id=116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81&redirect_uri=https%3A%2F%2Fmm.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6IjE1cWprZzY2YTZqY2ZoaTg1aHc1OHBoeTU0bTRhZGVvZWRpYm9tMTR6Z3M2NnA5aG1heDRoNnpqOHN0emM4a2gifQ%3D%3D HTTP/1.1" 302 605 "https://mm.example.com:8443/oauth/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.18.101.55 - - [30/Jun/2021:12:47:51 +0300] "POST /oauth/token.php HTTP/1.1" 400 6127 "-" "Mattermost-Bot/1.1"
172.20.1.16 - - [30/Jun/2021:12:48:11 +0300] "-" 408 511 "-" "-"

until I understand where I could go wrong......

@Crivaledaz
Owner

This time the Mattermost error is clearer :

"error":"redirect_uri_mismatch","error_description":"The redirect URI is missing or do not match"

In the Apache logs, you can see the authorize request (from client to /oauth/authorize.php). Among the query parameters, there is the redirect_uri built by Mattermost from the site_url server parameter, and its value is https://mm.example.com/signup/gitlab/complete. However, if you do not change the entry in the oauth_clients table, the Oauth server expects the following value: http://mm.example.com/signup/gitlab/complete. For more information about this, refer to issue #66 (relevant answer).

To summarize, the redirect_uri in the database must be the same as the authorize request parameter. To update the database, use the following command :

UPDATE oauth_clients SET redirect_uri = 'https://mm.example.com/signup/gitlab/complete' WHERE client_id='116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81';

I hope this will solve your problem,

Regards

@nikolaysu
Author

After setting up SSL in Mattermost, I changed the values in the oauth database:

oauth_db=# select * from oauth_clients;
                            client_id                             |                          client_secret                           |               redirect_uri                |    grant_types     | scope | user_id
------------------------------------------------------------------+------------------------------------------------------------------+-------------------------------------------+--------------------+-------+---------
 116311075dc0e9848caf9c881d9fa2598b0fe7030d068f9eff22af7368094b81 | 4a77dabc75f336c464964996a596c8307ee1cc6df6c10f727ac43d9a294c6e86 | https://mm.example.com/signup/gitlab/complete | authorization_code | api   |
(1 строка)

I also want to set up nginx as a proxy in front of Mattermost and see what requests go to Mattermost from oauth.

@nikolaysu
Author

nikolaysu commented Jun 30, 2021

I set up a proxy for nginx as I wrote earlier. Surprisingly, I have not found any requests from oauth(ip: 172.18.101.55) to Mattermost(nginx). True, perhaps this is normal, I do not fully understand this mechanism.

 172.20.1.16 - - [30/Jun/2021:18:38:26 +0300] "GET /login HTTP/2.0" 200 1201 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:27 +0300] "GET /static/main.ecb2bd8cff7ad3980df1.js.map HTTP/2.0" 200 2500104 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:27 +0300] "GET /static/main.e9f8e271c946b9faf8f2.css.map HTTP/2.0" 200 256015 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:27 +0300] "GET /static/628.8f0677f14f85b647fa7b.css.map HTTP/2.0" 200 50304 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:27 +0300] "GET /static/892.051fead3bae5700a1cc3.js.map HTTP/2.0" 200 1630671 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /api/v4/config/client?format=old HTTP/2.0" 200 1191 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /api/v4/license/client?format=old HTTP/2.0" 200 22 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /static/628.28c5bfeb2fc15185b133.js.map HTTP/2.0" 200 1345082 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /api/v4/plugins/webapp HTTP/2.0" 200 1200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /plugins/com.mattermost.plugin-incident-management/api/v0/settings HTTP/2.0" 401 15 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /static/plugins/com.mattermost.plugin-incident-management/main.js.map HTTP/2.0" 200 1461861 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /static/77.deb1b5fd78339c68b2e9.js.map HTTP/2.0" 200 1914 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:28 +0300] "GET /static/424.b43d4c62bbe783182341.js.map HTTP/2.0" 200 15969 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:30 +0300] "GET /oauth/gitlab/login HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:39 +0300] "GET /signup/gitlab/complete?code=ef18343d66d5669f921e98b296b7c3b1204a24c7&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6Ijl1eDN3ZWVhODlwd3Nja2N4cnNkemM5azM3eWI5OGJkYmRleXR3Y2Vpa2M5azZqdHk0bWJzOW9hNTU3ZW53YXAifQ%3D%3D HTTP/2.0" 500 1077 "https://mm.example.com:8443/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:39 +0300] "GET /error?message=%D0%9F%D0%BB%D0%BE%D1%85%D0%BE%D0%B9+%D0%BE%D1%82%D0%B2%D0%B5%D1%82+%D0%BE%D1%82+%D0%B7%D0%B0%D0%BF%D1%80%D0%BE%D1%81%D0%B0+%D1%82%D0%BE%D0%BA%D0%B5%D0%BD%D0%B0.&s=MEUCIG58KTwuj_TKB2etgjolI8xinKBvq_oyC58qWYaDvEqLAiEA1DWYrqcbFaWmEZrTdM_KcGGmGq0jkfRBjrQfoy2eHvw= HTTP/2.0" 200 1201 "https://mm.example.com/signup/gitlab/complete?code=ef18343d66d5669f921e98b296b7c3b1204a24c7&state=eyJhY3Rpb24iOiJsb2dpbiIsImlzTW9iaWxlIjoiZmFsc2UiLCJ0b2tlbiI6Ijl1eDN3ZWVhODlwd3Nja2N4cnNkemM5azM3eWI5OGJkYmRleXR3Y2Vpa2M5azZqdHk0bWJzOW9hNTU3ZW53YXAifQ%3D%3D" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:40 +0300] "GET /static/main.ecb2bd8cff7ad3980df1.js.map HTTP/2.0" 200 2500104 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:40 +0300] "GET /static/main.e9f8e271c946b9faf8f2.css.map HTTP/2.0" 200 256015 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:40 +0300] "GET /static/628.8f0677f14f85b647fa7b.css.map HTTP/2.0" 200 50304 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:40 +0300] "GET /static/892.051fead3bae5700a1cc3.js.map HTTP/2.0" 200 1630671 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:41 +0300] "GET /api/v4/config/client?format=old HTTP/2.0" 200 1191 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:41 +0300] "GET /api/v4/license/client?format=old HTTP/2.0" 200 22 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:41 +0300] "GET /api/v4/plugins/webapp HTTP/2.0" 200 1200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:41 +0300] "GET /static/628.28c5bfeb2fc15185b133.js.map HTTP/2.0" 200 1345082 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:41 +0300] "GET /plugins/com.mattermost.plugin-incident-management/api/v0/settings HTTP/2.0" 401 15 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:42 +0300] "GET /static/385.7e11ef31ea9f0aed4749.js.map HTTP/2.0" 200 5921 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:42 +0300] "GET /static/plugins/com.mattermost.plugin-incident-management/main.js.map HTTP/2.0" 200 1461861 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
172.20.1.16 - - [30/Jun/2021:18:38:42 +0300] "GET /static/835.b416dddd19bf5e1bf202.js.map HTTP/2.0" 200 531715 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

@minduxntep

Same for me:
{"level":"error","ts":1625129338.0646713,"caller":"web/oauth.go:273","msg":"AuthorizeOAuthUser: Сбой запроса токена., Post \"http://mattermost.example.com:380/oauth/token.php\": dial tcp: i/o timeout"}

@GregpryA

GregpryA commented Apr 12, 2023

Similar story, but with a few differences. I don't understand the reason.
Docker installation, so DB is getting parameters from docker-compose.yaml.
Part from it:
redirect_uri: "https://mattermost.mysite.com/signup/gitlab/complete"

And indeed, it is getting things correctly:
```
oauth_db=> select * from oauth_clients;
client_id | client_secret | redirect_uri | grant_types | scope | user_id

03e54d89fc383bb0cf | 30e9ce48a63cca38340ce58a42a1 | https://mattermost.mysite.com/signup/gitlab/complete | authorization_code | api |
(1 row)
```

Site configuration in Mattermost' config.json:
"SiteURL": "https://mattermost.mysite.com",

Access log from nginx on oauth:
```
172.16.3.37 - - [12/Apr/2023:13:56:06 +0000] "GET /oauth/authorize.php?response_type=code&client_id=03e5430ad1868cb0a3e84352995550b39905d202b2f8bc291d1b89fc383bb0cf&redirect_uri=http%3A%2F%2Fmattermost.mysite.com%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJlbWFpbF90b19zc28iLCJlbWFpbCI6ImcuZ3VyZXZpY2hAY2FzaG1lcmUucnUiLCJ0b2tlbiI6Ink0amYxamdjZ2ZkcnlvMzZxeXFzZW9lYmY2c3lhYWhnaG1za3JyZ3gzZ2d6ajVneXVzbmZmazQ3aW1mODlhZGEifQ%3D%3D HTTP/1.1" 400 188 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62" "-"
```

And same error -
"{"error":"redirect_uri_mismatch","error_description":"The redirect URI provided is missing or does not match","error_uri":"http:\/\/tools.ietf.org\/html\/rfc6749#section-3.1.2"}"}

What could be wrong? Replacement of slashes with %2F should not be the culprit, as we see from the above comments.
Any ideas?

Interesting note: if I copy this request and do curl from Oauth server - I am getting error:
{"error":"invalid_client","error_description":"No client id supplied"}

And indeed, this URL does not include the client ID which was configured on the Mattermost and Oauth end!

But the strangest response is from any third server:

```
[1] 133844
[2] 133845
[3] 133846
[2]- Done client_id=03e5430ad1891d1b89fc383bb0cf
```

(correct ID), I am pressing enter and...

```
greg@sv-docker01:~$ {"error":"invalid_client","error_description":"No client id supplied"}
[1]- Done curl https://auth.mysite.com/oauth/authorize.php?response_type=code
[3]+ Done redirect_uri=https%3A%2F%2Fmattermost.mysite.com%2Fsignup%2Fgitlab%2Fcomplete
```

I totally don't understand.

@GregpryA

My problem is solved. It seems that some hidden character was included in the Mattermost ID, or some other error occurred when copying it from the docker config to Mattermost.
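
The two causes this thread arrives at, a redirect_uri that differs from the registered one and a hidden character in the client ID, can both be checked from the OAuth server's access log. The Python sketch below is an added example, not code from Mattermost-LDAP or from any participant; the log lines, client ID and function names are constructed for illustration, and it assumes the rule stated above that the registered and requested redirect_uri must be the same string.

```python
import re
import unicodedata
from urllib.parse import urlsplit, parse_qs

# Request field of an Apache/nginx combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed registration values and log lines (not taken from the thread).
REGISTERED_ID = "abc123"
REGISTERED_URI = "https://mm.example.com/signup/gitlab/complete"
SAMPLE_LINES = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /oauth/authorize.php?'
    'response_type=code&client_id=abc123&redirect_uri=http%3A%2F%2Fmm.example.com'
    '%3A8065%2Fsignup%2Fgitlab%2Fcomplete&state=xyz HTTP/1.1" 302 876 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "GET /oauth/authorize.php?'
    'response_type=code&client_id=abc123%E2%80%8B&redirect_uri=https%3A%2F%2Fmm.example.com'
    '%2Fsignup%2Fgitlab%2Fcomplete&state=xyz HTTP/1.1" 400 188 "-" "Mozilla/5.0"',
]


def authorize_params(log_line):
    """Return URL-decoded client_id and redirect_uri of an authorize.php request, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None  # e.g. the '"-" 408' timeout entries
    target = urlsplit(m.group("target"))
    if not target.path.endswith("/authorize.php"):
        return None
    qs = parse_qs(target.query, keep_blank_values=True)
    return {k: qs.get(k, [""])[0] for k in ("client_id", "redirect_uri")}


def redirect_uri_diff(registered, requested):
    """Name the URI components that differ; an empty list means an exact match."""
    if registered == requested:
        return []
    a, b = urlsplit(registered), urlsplit(requested)
    diffs = [name for name, x, y in (
        ("scheme", a.scheme, b.scheme),
        ("host", a.hostname, b.hostname),
        ("port", a.port, b.port),  # explicit port as written; None when absent
        ("path", a.path, b.path),
    ) if x != y]
    return diffs or ["other"]  # e.g. query string or stray whitespace


def hidden_characters(value):
    """Return (index, name) for every character outside visible ASCII."""
    return [(i, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for i, ch in enumerate(value) if not 0x21 <= ord(ch) <= 0x7E]


def audit(log_line, registered_id, registered_uri):
    """Compare one authorize request against the oauth_clients registration."""
    params = authorize_params(log_line)
    if params is None:
        return None
    return {
        "client_id_matches": params["client_id"] == registered_id,
        "client_id_hidden_chars": hidden_characters(params["client_id"]),
        "redirect_uri_diff": redirect_uri_diff(registered_uri, params["redirect_uri"]),
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(audit(line, REGISTERED_ID, REGISTERED_URI))
```
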
