Navigation

    Kopano
    • Register
    • Login
    • Search
    • Categories
    • Get Official Kopano Support
    • Recent
    Statement regarding the closure of the Kopano community forum and the end of the community edition

    Can we use external OIDC provider?

    Kopano Groupware Core
    3
    14
    1419
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • longsleep
      longsleep Kopano last edited by longsleep

      @ecylmz said in Can we use different OIDC provider?:

      Kopano version: 8.7.0-3 (installed from debian repositories)

      Well for anything related to OIDC you need to use Kopano built packages since the Debian downstream does not include support for it.

      Alternatively, rebuild the Debian package while having https://stash.kopano.io/projects/KC/repos/libkcoidc/browse installed.

      1 Reply Last reply Reply Quote 0
      • ecylmz
        ecylmz last edited by

        I will try the Kopano built packages and let you know.

        Thanks.

        1 Reply Last reply Reply Quote 0
        • ecylmz
          ecylmz last edited by ecylmz

          Hi,

          I encountered an error while using external OIDC provider.
          When I log in using an external OIDC provider, the Konnect application fails.

          Here’s my configuration:

          # /etc/kopano/konnectd.cfg
          oidc_issuer_identifier=https://mail.vagrant.ga
          identifier_registration_conf = /etc/kopano/konnectd-identifier-registration.yaml
          log_level = debug
          
          # /etc/kopano/server.cfg
          enable_sso = yes
          kcoidc_issuer_identifier = https://mail.vagrant.ga
          kcoidc_insecure_skip_verify = yes
          
          # /etc/kopano/konnectd-identifier-registration.yaml
          clients:
            - id: konnect
              name: OIDC Playground
              application_type: web
              redirect_uris:
                 - https://mail.vagrant.ga
              origins:
                 - https://mail.vagrant.ga
          authorities:
            - name: lemonldap
              default: yes
              iss: https://auth.sso.vagrant.ga
              client_id: konnect
              client_secret: konnect
              authority_type: oidc
              discover: true
              response_type: id_token
              insecure: true
              identity_claim_name: sub
              scopes:
                - openid
                - profile
                - email
          
          # /etc/kopano/webapp/config.php
          ...
                  define('OIDC_ISS', 'https://mail.vagrant.ga');
                  define('OIDC_CLIENT_ID', 'konnect');
                  define('OIDC_SCOPE', 'openid profile email kopano/gc');
          ...
          

          Other options have default values.

          Konnect log:

          Oct  2 13:42:42 server kopano-konnectd[4587]: level=debug msg="fetching OIDC provider discover document: https://auth.sso.vagrant.ga/.well-known/openid-configuration\n" id=lemonldap type=oidc
          Oct  2 13:42:42 server kopano-konnectd[4587]: level=debug msg="ODIC provider discover document loaded, expires: 1m0s\n" id=lemonldap type=oidc
          Oct  2 13:42:42 server kopano-konnectd[4587]: level=debug msg="OIDC provider discover document updated\n" id=lemonldap type=oidc
          Oct  2 13:42:42 server kopano-konnectd[4587]: level=debug msg="OIDC provider triggering update" id=lemonldap type=oidc
          Oct  2 13:42:42 server kopano-konnectd[4587]: level=debug msg="fetching OIDC provider jwks: https://auth.sso.vagrant.ga/oauth2/jwks" id=lemonldap type=oidc
          Oct  2 13:42:42 server kopano-konnectd[4587]: level=debug msg="OIDC provider jwks loaded, expires: 1m0s\n" id=lemonldap type=oidc
          Oct  2 13:42:42 server kopano-konnectd[4587]: level=debug msg="ODIC provider jwks updated\n" id=lemonldap type=oidc
          Oct  2 13:42:42 server kopano-konnectd[4587]: level=debug msg="OIDC provider triggering update" id=lemonldap type=oidc
          Oct  2 13:42:58 server kopano-konnectd[4587]: level=debug msg="identifier oauth2 cb without state" error="state not found"
          

          Browser screenshot:

          d34d8302-ea69-4f28-9ee0-70787bc27546-image.png

          1 Reply Last reply Reply Quote 0
          • longsleep
            longsleep Kopano last edited by

            Thanks for testing. Looks like the response uses the fragment response mode which cannot work with server server side oidc. Since you used an implcit response type , the fragment more is the default and it seem that this cannot be configured yet in the authority configuration of Konnect. So maybe you can switch to code flow so that the callback includes the parameters as query. It should not be particularly hard to extend the authority configuration by an optional response_mode request parameter as well (so non-defaults, can be set).

            1 Reply Last reply Reply Quote 0
            • ecylmz
              ecylmz last edited by ecylmz

              I tried to switch code flow:

              # /etc/kopano/konnectd-identifier-registration.yaml
              ...
              authorities:
                - name: lemonldap
                  default: yes
                  iss: https://auth.sso.vagrant.ga
                  client_id: konnect
                  client_secret: konnect
                  authority_type: oidc
                  discover: true
                  response_type: code
                  insecure: true
                  identity_claim_name: sub
                  scopes:
                    - openid
                    - profile
                    - email
              

              No luck, i see the following error in the log:

              Oct  2 19:06:54 server kopano-konnectd[1321]: level=warning msg="identifier ignoring validation error for insecure authority" client_id=konnect error="token contains an invalid number of segments"
              Oct  2 19:06:54 server kopano-konnectd[1321]: 2019/10/02 19:06:54 http: panic serving 127.0.0.1:55724: runtime error: invalid memory address or nil pointer dereference
              Oct  2 19:06:54 server kopano-konnectd[1321]: goroutine 392 [running]:
              Oct  2 19:06:54 server kopano-konnectd[1321]: net/http.(*conn).serve.func1(0xc0001305a0)
              Oct  2 19:06:54 server kopano-konnectd[1321]: #011net/http/server.go:1767 +0x139
              Oct  2 19:06:54 server kopano-konnectd[1321]: panic(0xab5100, 0x10f99e0)
              Oct  2 19:06:54 server kopano-konnectd[1321]: #011runtime/panic.go:679 +0x1b2
              Oct  2 19:06:54 server kopano-konnectd[1321]: stash.kopano.io/kc/konnect/identifier.(*Identifier).newOAuth2Cb(0xc000097300, 0xc7a400, 0xc00047e2a0, 0xc00023f300)
              Oct  2 19:06:54 server kopano-konnectd[1321]: #011stash.kopano.io/kc/konnect/identifier/handlers.go:735 +0xc7a
              Oct  2 19:06:54 server kopano-konnectd[1321]: stash.kopano.io/kc/konnect/identifier.(*Identifier).handleOAuth2Cb(0xc000097300, 0xc7a400, 0xc00047e2a0, 0xc00023f300)
              Oct  2 19:06:54 server kopano-konnectd[1321]: #011stash.kopano.io/kc/konnect/identifier/handlers.go:676 +0x122
              Oct  2 19:06:54 server kopano-konnectd[1321]: net/http.HandlerFunc.ServeHTTP(0xc000114ec0, 0xc7a400, 0xc00047e2a0, 0xc00023f300)
              Oct  2 19:06:54 server kopano-konnectd[1321]: #011net/http/server.go:2007 +0x44
              Oct  2 19:06:54 server kopano-konnectd[1321]: stash.kopano.io/kc/konnect/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc000264000, 0xc7a400, 0xc00047e2a0, 0xc00023f100)
              Oct  2 19:06:54 server kopano-konnectd[1321]: #011stash.kopano.io/kc/konnect/vendor/github.com/gorilla/mux/mux.go:212 +0xe2
              Oct  2 19:06:54 server kopano-konnectd[1321]: stash.kopano.io/kc/konnect/server.(*Server).AddContext.func1(0xc7a400, 0xc00047e2a0, 0xc00023f000)
              Oct  2 19:06:54 server kopano-konnectd[1321]: #011stash.kopano.io/kc/konnect/server/server.go:89 +0x181
              Oct  2 19:06:54 server kopano-konnectd[1321]: net/http.HandlerFunc.ServeHTTP(0xc000113a70, 0xc7a400, 0xc00047e2a0, 0xc00023f000)
              Oct  2 19:06:54 server kopano-konnectd[1321]: #011net/http/server.go:2007 +0x44
              Oct  2 19:06:54 server kopano-konnectd[1321]: net/http.serverHandler.ServeHTTP(0xc0002a2000, 0xc7a400, 0xc00047e2a0, 0xc00023f000)
              Oct  2 19:06:54 server kopano-konnectd[1321]: #011net/http/server.go:2802 +0xa4
              Oct  2 19:06:54 server kopano-konnectd[1321]: net/http.(*conn).serve(0xc0001305a0, 0xc7ca40, 0xc0001ce5c0)
              Oct  2 19:06:54 server kopano-konnectd[1321]: #011net/http/server.go:1890 +0x875
              Oct  2 19:06:54 server kopano-konnectd[1321]: created by net/http.(*Server).Serve
              Oct  2 19:06:54 server kopano-konnectd[1321]: #011net/http/server.go:2927 +0x38e
              

              bfc051af-c455-4fa1-a434-8666cf13bd1c-image.png

              The external OIDC provider configuration is as follows. Maybe it is useful information.

              {"request_parameter_supported":true,"scopes_supported":["openid","profile","email","address","phone"],"grant_types_supported":["authorization_code","implicit","hybrid"],"frontchannel_logout_supported":true,"code_challenge_methods_supported":["plain","S256"],"response_types_supported":["code","id_token","id_token token","code id_token","code token","code id_token token"],"token_endpoint":"https://auth.sso.vagrant.ga/oauth2/token","check_session_iframe":"https://auth.sso.vagrant.ga/oauth2/checksession.html","introspection_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic"],"frontchannel_logout_session_supported":true,"token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic"],"require_request_uri_registration":false,"issuer":"https://auth.sso.vagrant.ga","request_uri_parameter_supported":true,"end_session_endpoint":"https://auth.sso.vagrant.ga/oauth2/logout","userinfo_endpoint":"https://auth.sso.vagrant.ga/oauth2/userinfo","authorization_endpoint":"https://auth.sso.vagrant.ga/oauth2/authorize","introspection_endpoint":"https://auth.sso.vagrant.ga/oauth2/introspect","subject_types_supported":["public"],"userinfo_signing_alg_values_supported":["none","HS256","HS384","HS512","RS256","RS384","RS512"],"jwks_uri":"https://auth.sso.vagrant.ga/oauth2/jwks","claims_supported":["sub","iss","auth_time","acr"],"backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"acr_values_supported":["loa-1","loa-5","loa-4","loa-2","loa-3"],"id_token_signing_alg_values_supported":["none","HS256","HS384","HS512","RS256","RS384","RS512"]}
              

              Is there anything I can do for this problem?

              1 Reply Last reply Reply Quote 0
              • longsleep
                longsleep Kopano last edited by

                Ok that is better but you can see that this code path is experimental.

                The callback handler cannot parse the IDToken value - most likely because it is not returned since you provided response_type code.

                So instead of code try code id_token - that should make the external provided return the IDToken value directly and since its still code flow, (technically hybrid flow) it should default to query mode.

                Look at https://stash.kopano.io/projects/KC/repos/konnect/browse/identifier/handlers.go#679 to see the corresponding source code. It is not hard to fix if there should be still problems - pull requests welcome :)

                1 Reply Last reply Reply Quote 0
                • ecylmz
                  ecylmz last edited by

                  I also tried to response_type: code id_token

                  I get this error again:

                  level=debug msg="identifier oauth2 cb without state" error="state not found"
                  

                  Look at https://stash.kopano.io/projects/KC/repos/konnect/browse/identifier/handlers.go#679 to see the corresponding source code. It is not hard to fix if there should be still problems - pull requests welcome :)

                  It’s hard for me but i will try my best. :)

                  longsleep 1 Reply Last reply Reply Quote 0
                  • longsleep
                    longsleep Kopano @ecylmz last edited by

                    @ecylmz said in Can we use external OIDC provider?:

                    I get this error again

                    Well Response mode needs to be query. Check your external providers config - maybe the default can be changed there. If no IDToken returning response type can be found, this hits a blocker until the response mode can be configured on the konnect client side.

                    1 Reply Last reply Reply Quote 0
                    • ecylmz
                      ecylmz last edited by

                      My external OIDC provider (LemonLDAP) doesn’t support query mode in implicit response_type. Their default is fragment. You can check theirs code: OpenIDConnect.pm#L326

                      I changed this line on LemonLDAP server:

                      my $response_url = "$redirect_uri#" with my $response_url = "$redirect_uri?.

                      So I thought it would support query mode.

                      And then, i changed my configuration like that:

                      ---
                      # /etc/kopano/konnectd-identifier-registration.yaml
                      clients:
                        - id: webapp
                          name: OIDC Playground
                          application_type: web
                          trusted: yes
                          redirect_uris:
                            - https://mail.sso.vagrant.ga
                      authorities:
                        - name: lemonldap
                          default: yes
                          iss: https://auth.sso.vagrant.ga
                          client_id: konnect
                          client_secret: konnect
                          authority_type: oidc
                          discover: true
                          response_type: id_token # implicit flow
                          insecure: true
                          identity_claim_name: sub
                          scopes:
                            - openid
                            - profile
                            - email
                      
                      # /etc/kopano/webapp/config.php
                      define('OIDC_ISS', 'https://mail.sso.vagrant.ga');
                      define('OIDC_CLIENT_ID', 'webapp');
                      define('OIDC_SCOPE', 'openid profile email kopano/gc');
                      

                      When i try to login kopano webapp(https://mail.sso.vagrant.ga), redirecting to lemonldap’s login page with these parameters:

                      https://auth.sso.vagrant.ga/oauth2/authorize?client_id=konnect&code_challenge=L0dUsCs-qks19uzY9o31STSRCuEKVksB4mDdz2R9wDA%3D&code_challenge_method=S256&nonce=YJO362T_NamOyLo5Y5LM5l0A8wm1DeMoN3CqtMAYs_c%3D&redirect_uri=https%3A%2F%2Fmail.sso.vagrant.ga%2Fsignin%2Fv1%2Fidentifier%2Foauth2%2Fcb&response_mode=query&response_type=id_token+token&scope=openid+profile+email&state=YquREhexvC5C90vDs7fqadLZSqU12MEW4HT4DPV0K8I%3D
                      

                      When I enter my username and password, I get redirected to Konnect, but Konnect goes into an infinit redirect loop.

                      https://mail.sso.vagrant.ga/signin/v1/identifier?client_id=webapp&flow=oidc&nonce=1a8ae1088f9d426eb727c0740e913250&redirect_uri=https%3A%2F%2Fmail.sso.vagrant.ga%2F%23oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D87c5e2ccdc4c4238bc578d6cf9351e9c%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D0c61f0122e654031a6c252c7073086b9%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3Df97f7c0545d44cb3b647a2b4fa1442dc%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3Da6cbd9f523cb4ebdb8c4a9b81c4e16c3%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D25c1f054d8744c72a6eebc0534389ba9%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D5b11efd2e51a4977a10b62153c2e2a64%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3Da7337ff866f945cdbdca3a41f6de9285%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3Dcdf44f75d6fc49cd8265b27c06569c16%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D4f33b4cba05d4386bd830042db8b3589%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D2d8cbc6984944c84bff6148c4da1ec64%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D49e64c75538a4a2f949a4680b20f0c38%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D4911693579b04a6583e0e241276c0ac9%2F%2523oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D1cfd3faf39454102ac092438abcd1e8f%2F%23oidc-callback&response_type=id_token+token&scope=openid+profile+email+kopano%2Fgc&state=dd99908adb744117afd99659b1d676e5
                      

                      Nginx Access log:

                      10.0.3.1 - - [04/Oct/2019:11:11:57 +0300] "GET /signin/v1/identifier/oauth2/cb?id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJub25jZSI6IllKTzM2MlRfTmFtT3lMbzVZNUxNNWwwQTh3bTFEZU1vTjNDcXRNQ
                      VlzX2M9IiwiaWF0IjoxNTcwMTc2NzE3LCJhenAiOiJrb25uZWN0IiwiYXV0aF90aW1lIjoxNTcwMTc2NzE3LCJzdWIiOiJqb2huIiwiYXVkIjpbImtvbm5lY3QiXSwiYWNyIjoibG9hLTIiLCJpc3MiOiJodHRwczovL2F1dGguc3NvLnZhZ3JhbnQuZ2E
                      iLCJleHAiOjE1NzAxODAzMTcsImF0X2hhc2giOiJQajJVQ1gzX01qOVZlblhoM1h0UHhBIn0.l7XrACVYvKVDK-F6D6yE03IIy67YW0bT9xHVK-1mPo3YYctVPtVYoN7SFW1wdmof8LKG0-sEPKO3KgoWyKOlIUdCBbxZmZORKgXu1CK7iMRV-3P-R-YPM
                      JLo_zaGkE5qblkstuNjbUtas9PiACw9V4oy3Gn0gmmMU7h-Q8fVF7mUoPIa3udKJCJdo1VKKdbIus-wGxprJ2u93YnpmYxoVLGjn4XUtmrLy1BFwGYiiiLYeuEruJHJWgfrQJmkLnbrLJ4AiJAEsXEHhgljgngmxgwKMR1TA3J1ugiiy1yDsb8Tjy-6i0I
                      w8OPJrUSmLY__kxI_RT5vLifgLo0Wa8kPBra-mBIDvbA9Jef1_vuSOx7_EPXQsqZBJzCU7tRqg0Gj3Vxf2k7Xv4FFgnCORgcsRNT2ka5jt3M9PiaG6uHugwzKA2um5f_Xi55a_CKUUJJ2FnSUmaHRLLakfBeIM5Qd8uxgXzf2fV6AscgAe3JhxYC4Cev7PMRtJW9q38ootebSDEb2Z9Fq6qky9OTTZy0QKUb4mbZ_DI8hhbvU6a6qCirUobh3MDN_C-h-LhWlLNSuO7HojeV0uC0JvInbEF6MX1JbzyQWLh8V02HmlOIYCvvuDFLWfJ1pNIYkXBgnpnT-LK_wTjpXtnzfaXyiOcI45fZiLb5rFlOWmaqzWmJuurc&token_type=bearer&access_token=d9f8382cc2a0812bb44fd3f25099f1144b93ae6e57581f0e89d078c6003dfa24&expires_in=3600&state=YquREhexvC5C90vDs7fqadLZSqU12MEW4HT4DPV0K8I%3D&session_state=fNQ4pOrb%2F6%2Bqkl1WbqnBfWdA0ao%2FG6bUwNncwF76jDI%3D.QmhRYVd5ZXpmTk10Vm43NWt4bFl0T25kVC9jeWNiaFRjWmltN3c1K3kwek81NzBLc3d3M1l4OW5iUTBReWdxT2FUUEs3eVIzTi85clJ5WXplRGZ3a1E9PQ HTTP/1.1" 302 0 "https://auth.sso.vagrant.ga/oauth2/authorize?client_id=konnect&code_challenge=L0dUsCs-qks19uzY9o31STSRCuEKVksB4mDdz2R9wDA%3D&code_challenge_method=S256&nonce=YJO362T_NamOyLo5Y5LM5l0A8wm1DeMoN3CqtMAYs_c%3D&redirect_uri=https%3A%2F%2Fmail.sso.vagrant.ga%2Fsignin%2Fv1%2Fidentifier%2Foauth2%2Fcb&response_mode=query&response_type=id_token+token&scope=openid+profile+email&state=YquREhexvC5C90vDs7fqadLZSqU12MEW4HT4DPV0K8I%3D" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
                      
                      10.0.3.1 - - [04/Oct/2019:11:11:57 +0300] "GET /signin/v1/identifier/_/authorize?client_id=webapp&error=access_denied&error_description=identifier+failed+to+authenticate&nonce=dadab8f92ff148b18941a9c803a6f9cd&redirect_uri=https%3A%2F%2Fmail.sso.vagrant.ga%2F%23oidc-callback&response_type=id_token+token&scope=openid+profile+email+kopano%2Fgc&state=87c5e2ccdc4c4238bc578d6cf9351e9c HTTP/1.1" 302 0 "https://auth.sso.vagrant.ga/oauth2/authorize?client_id=konnect&code_challenge=L0dUsCs-qks19uzY9o31STSRCuEKVksB4mDdz2R9wDA%3D&code_challenge_method=S256&nonce=YJO362T_NamOyLo5Y5LM5l0A8wm1DeMoN3CqtMAYs_c%3D&redirect_uri=https%3A%2F%2Fmail.sso.vagrant.ga%2Fsignin%2Fv1%2Fidentifier%2Foauth2%2Fcb&response_mode=query&response_type=id_token+token&scope=openid+profile+email&state=YquREhexvC5C90vDs7fqadLZSqU12MEW4HT4DPV0K8I%3D" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
                      
                      10.0.3.1 - - [04/Oct/2019:11:11:57 +0300] "GET /client/resources/css/external/login.css HTTP/1.1" 200 3902 "https://mail.sso.vagrant.ga/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
                      
                      10.0.3.1 - - [04/Oct/2019:11:11:57 +0300] "GET / HTTP/1.1" 200 674067 "https://auth.sso.vagrant.ga/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
                      
                      10.0.3.1 - - [04/Oct/2019:11:11:57 +0300] "GET /.well-known/openid-configuration HTTP/1.1" 200 1893 "https://mail.sso.vagrant.ga/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
                      
                      10.0.3.1 - - [04/Oct/2019:11:11:57 +0300] "GET /client/resources/images/loginbg_daybreak.jpg HTTP/1.1" 200 105681 "https://mail.sso.vagrant.ga/client/resources/css/external/login.css" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
                      
                      10.0.3.1 - - [04/Oct/2019:11:11:57 +0300] "GET /client/resources/images/background.svg HTTP/1.1" 200 47662 "https://mail.sso.vagrant.ga/client/resources/css/external/login.css" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
                      
                      10.0.3.1 - - [04/Oct/2019:11:11:57 +0300] "GET /signin/v1/identifier/_/authorize?client_id=webapp&redirect_uri=https%3A%2F%2Fmail.sso.vagrant.ga%2F%23oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D87c5e2ccdc4c4238bc578d6cf9351e9c%2F%23oidc-callback&response_type=id_token%20token&scope=openid%20profile%20email%20kopano%2Fgc&state=0c61f0122e654031a6c252c7073086b9&nonce=1cc0c62b456c4eb4bfecc206875a25c4 HTTP/1.1" 302 0 "https://mail.sso.vagrant.ga/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
                      
                      10.0.3.1 - - [04/Oct/2019:11:11:57 +0300] "GET /signin/v1/identifier?client_id=webapp&flow=oidc&nonce=1cc0c62b456c4eb4bfecc206875a25c4&redirect_uri=https%3A%2F%2Fmail.sso.vagrant.ga%2F%23oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D87c5e2ccdc4c4238bc578d6cf9351e9c%2F%23oidc-callback&response_type=id_token+token&scope=openid+profile+email+kopano%2Fgc&state=0c61f0122e654031a6c252c7073086b9 HTTP/1.1" 302 0 "https://mail.sso.vagrant.ga/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
                      
                      10.0.3.1 - - [04/Oct/2019:11:11:57 +0300] "GET /signin/v1/identifier/oauth2/cb?id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjpbImtvbm5lY3QiXSwiYWNyIjoibG9hLTIiLCJhenAiOiJrb25uZWN0IiwiYXV0aF90aW1lIjoxNTcwMTc2NzE3LCJub25jZSI6Inp4SURUMWxhTXFlR3gtMUpqODdRY1ZSZVg5bUJpRUJoa1RVSklzUUZocUk9IiwiaWF0IjoxNTcwMTc2NzE3LCJhdF9oYXNoIjoiVlNXVDZKaUZ2NlQ4RDVFV05yRUJBUSIsImV4cCI6MTU3MDE4MDMxNywiaXNzIjoiaHR0cHM6Ly9hdXRoLnNzby52YWdyYW50LmdhIn0.T6VFhugk5s8OHn1pnTxVjyoEVeNlJdSP80J1759vZfP_934lpYqP0YYJ8_Qzkv-7YvR1eafACvvy3FVze65TqcOv14CZrtHIi1UZp7YZuXG2QTfFg-Z7j31X9yyjdZKOwOPLspcvwCbBDhrIuqqjb2bbo_iwgc75okOUMtEBZuyXB1k3dEJXx7iZdg7FnQVRu3OyeNphTgkt3sVxjCFhzg-0mK1q1SFJW6Ryh9mgtxMx7JHCI7VJ2WEnyGhCpP_p3drl_hmdYcx3b93AWerFHOHHkHlzUjTOW4gcZY_32QkdXK5RMhCX7tfJAf36yTXMAWZko2iFvU4-qIT_ZAqSBUWJ_Adg0ujmErQJynW9SgLW0jVL5hFM8ds0FQ-_l6bkxhoHO9NP6LFfh7sLuZN1ABX0iklMBldQ17qxr1RCCEJVKufZlXa1XYM4_tAoC6e2eDAC6b4v2_ayUG0ZbAswvurTrsrK9v27eDAcNB-9TDl0g7Dhk6HWlZdY0aGSE3kh4b7EYD30vqH5tHK0QejsySS9TXlJ9OliEgyvQAb7nlalTb-K_RYMcs2YiwS80Co6W7jJKK0oP1306oOTeikAlElxOqy-wH_pvxr9BLJDtj_-UO2YVNJoNuh9RIWew5371OskS6LhAyPKeY6s7OUBqGSBhtAQqX-Aen3Jt0VDqgE&token_type=bearer&access_token=875410d86c060ec272b60df34287e7e69eebb15b0a5543ef88d29b105279c587&expires_in=3600&state=laItkUtgFC9GWZ382Rq7qsW0pDJFI1VjpKDh7al-caI%3D&session_state=p3LsmNx9cdbQl6baMK0Gsi5Paao8aAbb9MpOSptG63Q%3D.Q2YyS3dxZjlQenR3UG1QdWFhSElzdE9jeEQzR09yanNPejc3MURVSS9QaTlxWmwxVGFUNW9nSi9LS09IVEsrb0RvaXg3U01zSHdneGlTQWhoU0dMS0E9PQ HTTP/1.1" 302 0 "https://mail.sso.vagrant.ga/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
                      
                      10.0.3.1 - - [04/Oct/2019:11:11:57 +0300] "GET /signin/v1/identifier/_/authorize?client_id=webapp&error=access_denied&error_description=identifier+failed+to+authenticate&nonce=1cc0c62b456c4eb4bfecc206875a25c4&redirect_uri=https%3A%2F%2Fmail.sso.vagrant.ga%2F%23oidc-callback%26error%3Daccess_denied%26error_description%3Didentifier%2520failed%2520to%2520authenticate%26state%3D87c5e2ccdc4c4238bc578d6cf9351e9c%2F%23oidc-callback&response_type=id_token+token&scope=openid+profile+email+kopano%2Fgc&state=0c61f0122e654031a6c252c7073086b9 HTTP/1.1" 302 0 "https://mail.sso.vagrant.ga/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
                      ...
                      ...
                      ...
                      

                      i see the following error in the syslog:

                      Oct  4 11:11:57 server kopano-konnectd[112]: level=warning msg="identifier ignoring validation error for insecure authority" client_id=konnect error="No kid header"
                      Oct  4 11:11:57 server kopano-konnectd[112]: level=debug msg="identifier failed to resolve oauth2 cb user with backend" error="kc identifier backend resolve user error: no server session" us
                      ername=john
                      Oct  4 11:11:57 server kopano-konnectd[112]: level=debug msg="oauth2 cb error" desc="failed to resolve user" error=access_denied
                      Oct  4 11:11:57 server kopano-konnectd[112]: level=warning msg="identifier ignoring validation error for insecure authority" client_id=konnect error="No kid header"
                      Oct  4 11:11:57 server kopano-konnectd[112]: level=debug msg="identifier failed to resolve oauth2 cb user with backend" error="kc identifier backend resolve user error: no server session" us
                      ername=john
                      Oct  4 11:11:57 server kopano-konnectd[112]: level=debug msg="oauth2 cb error" desc="failed to resolve user" error=access_denied
                      Oct  4 11:11:57 server kopano-konnectd[112]: level=warning msg="identifier ignoring validation error for insecure authority" client_id=konnect error="No kid header"
                      Oct  4 11:11:57 server kopano-konnectd[112]: level=debug msg="identifier failed to resolve oauth2 cb user with backend" error="kc identifier backend resolve user error: no server session" us
                      ername=john
                      Oct  4 11:11:57 server kopano-konnectd[112]: level=debug msg="oauth2 cb error" desc="failed to resolve user" error=access_denied
                      Oct  4 11:11:58 server kopano-konnectd[112]: level=warning msg="identifier ignoring validation error for insecure authority" client_id=konnect error="No kid header"
                      Oct  4 11:11:58 server kopano-konnectd[112]: level=debug msg="identifier failed to resolve oauth2 cb user with backend" error="kc identifier backend resolve user error: no server session" us
                      ername=john
                      

                      John is present in ldap and I can log in without SSO.

                      I’m still working on it.

                      longsleep 1 Reply Last reply Reply Quote 0
                      • longsleep
                        longsleep Kopano @ecylmz last edited by

                        @ecylmz said in Can we use external OIDC provider?:

                        level=warning msg=“identifier ignoring validation error for insecure authority” client_id=konnect error=“No kid header”

                        There is no kid claim in the JWT header of the IDToken provided by your external OIDC. It is required (see https://stash.kopano.io/projects/KC/repos/konnect/browse/identity/authorities/authorities.go#116) in this mode of operation.

                        I suggest you get in touch with our support since this experimental mode of operation is clearly currently lacking some bits and pieces here and there.

                        1 Reply Last reply Reply Quote 0
                        • tiredofit
                          tiredofit last edited by

                          @ecylmz Were you able to get this functioning? I’m encountering a similar issue trying to let a 3rd party provider authenticate for Konnect (I was trying SAML), but wondered if you were successful with LLNG in one of its more recent releases (2.0.9 is out now).
                          Regards

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post