Not able to get Webapp working fully with Konnectd over TCP

EtherMan

Right, so fqdn. Then those are different… But so then, what is needed to be different? The issuer identifier in Server, is oidc.domain.tld. The issuer identifier in konnect is oidc.domain.tld, the issuer identifier in webapp is oidc.domain.tld, the konnectd-identifier-registration.yaml urls, are all webapp.domain.tld. Though technically, I’d prefer components not communicating in between them over those urls because then they go over the reverse proxy, so just more points of failures. Hence why they’re defined with just the internal hostnames of kopano-server in that case. The invalid origin line of the log from konnect though, does not even have the /webapp at the end though, but I’ve not specified any such url anywhere.

fbartels

It needs to be a publicly reachable domain, because that is what users use to reach WebApp and make use of oidc.

EtherMan

Hmm… I tried adding another origin to the konnectd-identifier-registration.yaml without the /webapp at the end… And now it works to log out it seems. I got that file layout from the guides somewhere though which didn’t have any entry for without /webapp

So much confusing stuff in this. It’s still not auto creating stores for users though. So have to manually go into the server container and run kopano-cli commands, which randomly fail, and when they fail, I have to detach, delete and recreate the store because it creates them in a faulty state for whatever reason… It’s weird… But for now at least, it works.

And webapp and oidc are both publicly accessible domains. And server is also on a publicly accessible domain. Webapp and konnectd just isn’t speaking to server over that.

EtherMan

Hmm nope. No no no no… Very very wrong now. Two major errors. Logging in and out currently works (sort of). But first issue is that passwords are not verified… Like, at all. As long as username is provided, it logs you in as that user regardless of password provided. The second issue is that while it works in Brave, Chrome and Firefox, but Internet Explorer does not.

Navigation Event Separator

DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
identifier
HTML1300: Navigation occurred.
webapp
DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
identifier
UserManager.ctor: monitorSession is configured, setting up session monitor
WebStorageStateStore.get user:https://oidc.domain.tld:kopano-webapp
OidcClient.clearStaleState
WebStorageStateStore.getAllKeys
WebStorageStateStore.get user:https://oidc.domain.tld:kopano-webapp
UserManager._loadUser: no user storageString
State.clearStaleState: got keys 90bfa86e086f45ab9622a73e06a8de4c,b5939eabb4524f6dbf5bc5b878a8eb22,3fe4607b89af4b4cb9b386c926f5624c,040c38c35ea84605b3497181cec670f8,ebfd152f0a8e43ac86ccf3a4364ebaf5
   "State.clearStaleState: got keys"
   [
      0: "90bfa86e086f45ab9622a73e06a8de4c",
      1: "b5939eabb4524f6dbf5bc5b878a8eb22",
      2: "3fe4607b89af4b4cb9b386c926f5624c",
      3: "040c38c35ea84605b3497181cec670f8",
      4: "ebfd152f0a8e43ac86ccf3a4364ebaf5",
      length: 5
   ]

WebStorageStateStore.get 90bfa86e086f45ab9622a73e06a8de4c
WebStorageStateStore.get b5939eabb4524f6dbf5bc5b878a8eb22
WebStorageStateStore.get 3fe4607b89af4b4cb9b386c926f5624c
WebStorageStateStore.get 040c38c35ea84605b3497181cec670f8
WebStorageStateStore.get ebfd152f0a8e43ac86ccf3a4364ebaf5
State.clearStaleState: waiting on promise count: 5
UserManager._loadUser: no user storageString
UserManager.getUser: user not found in storage
State.fromStorageString
State.clearStaleState: got item from key:  90bfa86e086f45ab9622a73e06a8de4c 1588690106
State.clearStaleState: removed item for key:  90bfa86e086f45ab9622a73e06a8de4c
WebStorageStateStore.remove 90bfa86e086f45ab9622a73e06a8de4c
State.fromStorageString
State.clearStaleState: got item from key:  b5939eabb4524f6dbf5bc5b878a8eb22 1588690944
State.fromStorageString
State.clearStaleState: got item from key:  3fe4607b89af4b4cb9b386c926f5624c 1588690954
State.fromStorageString
State.clearStaleState: got item from key:  040c38c35ea84605b3497181cec670f8 1588690997
State.fromStorageString
State.clearStaleState: got item from key:  ebfd152f0a8e43ac86ccf3a4364ebaf5 1588691007
UserManager.getUser: user not found in storage
WebStorageStateStore.get user:https://oidc.domain.tld:kopano-webapp
UserManager._loadUser: no user storageString
UserManager._signinStart: got navigator window handle
OidcClient.createSigninRequest
MetadataService.getMetadataProperty for: authorization_endpoint
MetadataService.getMetadata: getting metadata from https://oidc.domain.tld/.well-known/openid-configuration
JsonService.getJson, url:  https://oidc.domain.tld/.well-known/openid-configuration
JsonService.getJson: HTTP response received, status 200
MetadataService.getMetadata: json received
MetadataService.getMetadataProperty: metadata recieved
OidcClient.createSigninRequest: Received authorization endpoint https://oidc.domain.tld/signin/v1/identifier/_/authorize
SigninState.toStorageString
WebStorageStateStore.set 8093038336874e04847b6bee5349a740
UserManager._signinStart: got signin request
IFrameWindow.navigate: Using timeout of: 10000
SCRIPT1002: Syntax error
webapp (22066,31)
IFrameWindow.timeout
IFrameWindow: cleanup
Frame window timed out
UserManager._signinStart: Error after preparing navigator, closing navigator window
oidc signin silent failed Error: Frame window timed out
   "oidc signin silent failed"
   {
      [functions]: ,
      __proto__: { },
      description: "Frame window timed out",
      message: "Frame window timed out",
      name: "Error",
      stack: "Error: Frame window timed out
   at Anonymous function (https://webapp.domain.tld/webapp/:21341:17)
   at run (https://webapp.domain.tld/webapp/:13361:13)
   at Anonymous function (https://webapp.domain.tld/webapp/:13378:30)
   at flush (https://webapp.domain.tld/webapp/:9195:9)"
   }

Navigation Event Separator

oidc signin silent did not return a user
UserManager._signinStart: got navigator window handle
OidcClient.createSigninRequest
MetadataService.getMetadataProperty for: authorization_endpoint
MetadataService.getMetadata: Returning metadata from settings
MetadataService.getMetadataProperty: metadata recieved
OidcClient.createSigninRequest: Received authorization endpoint https://oidc.domain.tld/signin/v1/identifier/_/authorize
SigninState.toStorageString
WebStorageStateStore.set ba0f70623489445ba330a55be4c0b43e
UserManager._signinStart: got signin request
DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
webapp
HTML1300: Navigation occurred.
authorize
UserManager.signinRedirect: successful
oidc signing redirect undefined
DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
webapp
Kopano Identifier build version: 0.33.0
Kopano Kpop build version: 2.2.0
SCRIPT5009: 'Promise' is undefined
main.23aaf6b8.chunk.js (1,384)

The errors keep getting weirder and weirder @fbartels >_<

fbartels

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

but Internet Explorer does not.

Who still wants to use Internet Explorer?

You have not specified it about but my bet would be that you also use an SSL client certificate in Konnect. In that case the described behaviour is expected (you have seen the exact same with WebApp if you remember).

You only need an SSL certificate for services that need to authenticate themselves. In Konnect the user provides the authentication.

EtherMan

Ok that did indeed solve that one. Though I don’t quite understand this… Because basically, this means Server is accepting and speaking with… Well, anything? As in, anyone could set up say a webapp server that serves from my server, even if they themselves don’t even have an account? I understand they wouldn’t have user access to actually log in without an account and such, but it seems a pretty big deal to me that just anyone is allowed to set up frontends nilly willy. Especially considering that’s essentially giving people permission to do mitm attacks against users, with a live system that for all intents and purposes does work. Different components should auth themselves, as themselves, and have user authentication done inside of that authentication :/

As for who wants to use IE. Well, my parents do for one. I’m not about to teach two 80+ year olds about the wonders of new browsers. You’re not going to tell me that konnectd doesn’t work for IE are you? Please don’t >_<

fbartels

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

Because basically, this means Server is accepting and speaking with… Well, anything?

Yeah. Just like connecting with an imap server, a webserver. If you can reach it, you can authenticate, you can use it. If you don’t want other to connect to it, you need to close it to the external world.

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

You’re not going to tell me that konnectd doesn’t work for IE are you? Please don’t >_<

https://documentation.kopano.io/support_lifecycle_policy/webapp_support_lifecycle.html#browser-support

EtherMan

Oh yea, it’s Edge that is the normal browser in Windows these days. And that works. Will have to check if they perhaps use that these days or they really are still using IE. Same icon so what is IE to them, may actually be Edge. Though “WebApp is supported for all production versions of Firefox, Chrome, Internet Explorer, Edge and Safari” does indicate that IE should still be supported, since it still is being shipped and updated.

As for imap comparison. The difference there is that if I use an IMAP client, I authenticate to the server, as myself, for myself. If I set up a Webapp frontend, I’m letting other users authenticate as themselves, to another service. A service I don’t need any account to in order to set up Webapp for. As in, there is no “you can authenticate”, because without client certificates being used by webapp to auth itself, setting up webapp does NOT require you to authenticate yourself to kopano, it just requires that the user wanting to log in does. And closing it to the world isn’t an option, since ofc, I still need to have my own webapp.

fbartels

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

Though “[…]” does indicate that IE should still be supported, since it still is being shipped and updated.

Have a look at the bottom note.

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

The difference there is that if I use an IMAP client, I authenticate to the server, as myself, for myself

Not quite. You can also install e.g. roundcube on a server and as long as the server is the php imap module you can use this roundcube to log into the imap server that the admin configured in its configuration file.

I don’t fully understand your argument. Additionally you could host your own webapp at a location where this port can be reached, it just does not need to be publicly reachable.

EtherMan

Right, and I understand. I’m just saying that what I quoted contradicts what the table and the bottom note says.

As for roundcube, that is just an IMAP client though, it’s just web hosted. It is my understanding that WebApp is quite a lot more than just a client.

fbartels

No, I would say essentially WebApp is “just” a client as well. It may be a powerful client, but in the end it also just uses a defined api to talk to the server backend.