Not able to get Webapp working fully with Konnectd over TCP

fbartels

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

Hunting down various various errors, having to manually create the user store for the users and so on

There was an error in a nightly build a while back where stores would not be auto created. Are you still on that version? Which versions (kopano-server, kopano-webapp, kopano-konnect) are you using at all?

I just did a quick test with the containers produced through (which also auto configured sso via Konnect) and could successfully log in and out with the latest containers.

EtherMan

Using the latest images on dockerhub so that’s not the issue at least. More specifically, it’s using:

kopano/kopano_core 4e4c34e51b32a935f5dfc4a2d73cfbc5da8169da99023be0ade7482150e2e9ca
kopano/kopano_konnect b465e0245e2c6016eb7985b432b27d3b4c87651aa2c69944a777c76989b11fbd
kopano/kopano_webapp 3787e3f46faa79becd2cb067b6678192c972c952ebcf7c895ec1d4cff7771b82

These all correspond(ed) to the :latest tag (up until a few seconds ago as of this writing since I see a new image was pushed to core at least). What versions of kopano that corresponds to behind that, I’m not entirely sure.

EtherMan

Ok so I’ve updated to the latest image now as well and tested and still the same. I did notice now though that after logging out. Even though it does let me in. The dev tools console still does have the error that I’m not logged in. So it is detecting to some extent that I’m not logged in anymore. It just for some reason is letting me in anyway

(index):22089 oidc signin silent failed ErrorResponse: IdentifierIdentityManager: not signed in
    at new ErrorResponse (ErrorResponse.js:14)
    at ResponseValidator._processSigninParams (ResponseValidator.js:104)
    at ResponseValidator.validateSigninResponse (ResponseValidator.js:29)
    at OidcClient.js:113

fbartels

Hi @EtherMan,

ah based on your earlier posts I was 100% expecting that you are building your own containers. Can you share your configuration?

EtherMan

server.cfg:

root@kopano-server-586845f56b-lr2qg:/kopano/path# cat /tmp/kopano/server.cfg
# See the kopano-server.cfg(5) manpage for details and more directives.

# If a directive is not used (i.e. commented out), the built-in server default
# is used, so to disable certain features, the empty string value must explicitly be
# set on them.

# Space-separated list of address:port specifiers with optional %interface
# infix for where the server should listen for connections.
server_listen = 0.0.0.0:236
server_listen_tls = 0.0.0.0:237
server_ssl_key_file = /certs/server/combo.pem
#server_ssl_key_pass =
server_ssl_ca_file = /certs/ca/ca.crt
#server_ssl_ca_path =
#server_tls_min_proto = tls1.2
# Path of SSL Public keys of clients
sslkeys_path = /certs/clients/

# Name for identifying the server in a multi-server environment. Need
# not be a DNS name, but this name needs to be present on a LDAP
# kopano-server object's cn value.
server_name = kopano
# Multi-server
#enable_distributed_kopano = false
database_engine = mysql
mysql_host = mysql-cluster1.pxc
mysql_port = 3306
mysql_user = kopano
mysql_password = <hidden>
mysql_database = kopano

# Allow connections from normal users through the Unix socket
#allow_local_users = yes

# Space-separated list of users that are considered Kopano admins.
local_admin_users = root kopano

#log_method = auto
#log_file = -
# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
log_level = 6
#log_timestamp = yes

# Attachment backend driver type: "database", "files", "files_v2", "s3"
#attachment_storage = files
#attachment_path = /var/lib/kopano/attachments

#attachment_s3_hostname = s3-eu-west-1.amazonaws.com
# The region where the bucket is located, e.g. "eu-west-1"
#attachment_s3_region =
# The protocol that should be used to connect to S3, 'http' or 'https' (preferred)
#attachment_s3_protocol =
# The URL style of the bucket, "virtualhost" or "path"
#attachment_s3_uristyle =
# The access key id of your S3 account
#attachment_s3_accesskeyid =
# The secret access key of your S3 account
#attachment_s3_secretaccesskey =
# The bucket name in which the files will be stored
#attachment_s3_bucketname =

# User backend driver type: "db", "unix", "ldap"
user_plugin = ldap
#user_plugin_config = /etc/kopano/ldap.cfg
enable_sso = yes
# Hostname override for Kerberos SSO
server_hostname = <hidden>

# scripts which create stores for users from an external source
#createuser_script = /usr/lib/kopano/userscripts/createuser
#deleteuser_script = /usr/lib/kopano/userscripts/deleteuser
#creategroup_script = /usr/lib/kopano/userscripts/creategroup
#deletegroup_script = /usr/lib/kopano/userscripts/deletegroup
#createcompany_script = /usr/lib/kopano/userscripts/createcompany
#deletecompany_script = /usr/lib/kopano/userscripts/deletecompany
# Skip creation/deletion of users for testing purposes, instead log it.
#user_safe_mode = no

# Multi-tenancy
#enable_hosted_kopano = false
# Display format of store name
# Allowed variables:
#  %u Username
#  %f Full name
#  %c Tenant's name
storename_format = %u

# Loginname format for multi-tenancy installations
# When the user does not login through a system-wide unique
# username (like the email address) a unique name is created
# by combining the username and the tenantname.
# With this configuration option you can set how the
# loginname should be built up.
#
# Note: Do not use the = character in the format.
#
# Allowed variables:
#  %u Username
#  %c Teantname
#
#loginname_format = %u

#enable_gab = yes
# Whether to hide/show the special GAB "Everyone" group that contains
# every user and group for non-admins.
hide_everyone = yes
# Whether to hide/show the special GAB "SYSTEM" user for non-admins.
#hide_system = yes
# Synchronize GAB users on every open of the GAB (otherwise, only on
# kopano-admin --sync)
#sync_gab_realtime = yes

# Use indexing service for faster searching.
# Enabling this option requires kopano-indexd or kopano-search to be active.
#search_enabled = yes
search_socket = https://kopano-search:239
#search_timeout = 10

# Disable features for users. This list is space separated.
# Currently valid values: imap pop3 mobile outlook webapp
disabled_features = imap pop3

coredump_enabled = false
audit_log_enabled = yes
enable_sql_procedures = yes
softdelete_lifetime = 7
attachment_compression = 0
system_email_address = postmaster@<hidden>
restrict_admin_permissions = yes
kcoidc_issuer_identifier = https://<hidden>
embedded_attachment_limit = 10
server_pipe_enabled = true
session_ip_check = no

config.php:

<?php
        // The config file for the webapp.
        // All possible web client settings can be set in this file. Some settings
        // (language) can also be set per user or logon.

        // Comment next line to disable the config check (or set FALSE to log the config errors)
        define("CONFIG_CHECK", TRUE);

        // Use these options to optionally disable some PHP configuration checks.
        // WARNING: these checks will disable checks regarding the security of the WebApp site configuration,
        // only change them if you know the consequences - improper use will lead to an insecure installation!
        define("CONFIG_CHECK_COOKIES_HTTP", FALSE);
        define("CONFIG_CHECK_COOKIES_SSL", FALSE);

        // Depending on your setup, it might be advisable to change the lines below to one defined with your
        // default socket location.
        // Normally "default:" points to the default setting ("file:///var/run/kopano/server.sock")
        // Examples:    define('DEFAULT_SERVER', 'https://kopano-server:237');
        //      define('DEFAULT_SERVER', 'https://kopano-server:237');
        //      define('DEFAULT_SERVER', 'https://kopano-server:237');
        //      define('DEFAULT_SERVER', 'https://kopano-server:237');
        define('DEFAULT_SERVER', 'https://kopano-server:237');

        // When using a single-signon system on your webserver, but Kopano Core is on another server
        // you can use https to access the Kopano server, and authenticate using an SSL certificate.
        define('SSLCERT_FILE', '/certs/webapp/combo.pem');
        define('SSLCERT_PASS', '');

        // Set to true to disable login with Single Sign-On (SSO) on SSO environments.
        define("DISABLE_REMOTE_USER_LOGIN", false);

        // OIDC Server Configuration, introduced in Kopano Core 8.7.0
        define('OIDC_ISS', '<hidden>');
        define('OIDC_CLIENT_ID', 'kopano-webapp');
        define('OIDC_SCOPE', 'openid profile email kopano/gc');

        // set to 'true' to strip domain from login name found from Single Sign-On webservers
        define("LOGINNAME_STRIP_DOMAIN", false);

        // Name of the cookie that is used for the session
        define('COOKIE_NAME', 'KOPANO_WEBAPP');

        // Set to 'true' to disable secure session cookies and to allow log-in without HTTPS.
        define('INSECURE_COOKIES', true);

        // Use Kopano Core for HTML filtering, introduced in 8.5.0
        define("KC_FILTERED_BODY", false);

        // Use DOMPurify to filter HTML
        define("ENABLE_DOMPURIFY_FILTER", false);

        // The timeout (in seconds) for the session. User will be logged out of WebApp
        // when he has not actively used the WebApp for this time.
        // Set to 0 (or remove) for no timeout during browser session.
        define("CLIENT_TIMEOUT", 0);

        // Defines the domains from which cross domain authentication requests
        // are allowed. E.g. if WebMeetings runs under a different domain than
        // the WebApp then add this domain here. Add http(s):// to the domains
        // and separate domains with spaces.
        // Set to empty string (default) to only allow authentication requests
        // from within the same domain.
        // Set to "*" to allow authentication requests from any domain. (not
        // recommended)
        define('CROSS_DOMAIN_AUTHENTICATION_ALLOWED_DOMAINS', 'https://<hidden>');

        // Defines the domains to which redirection after login is allowed.
        // Add http(s):// to the domains and separate domains with spaces.
        // Note: The domain under which WebApp runs, is always allowed and does
        // not need to be added here.
        define("REDIRECT_ALLOWED_DOMAINS", "");

        // Defines the base url and end with a slash.
        $base_url = dirname($_SERVER["PHP_SELF"]);
        if(substr($base_url,-1)!="/") $base_url .="/";
        define("BASE_URL", $base_url);

        // Defines the temp path (absolute). Here uploaded attachments will be saved.
        // The web client doesn't work without this directory.
        define("TMP_PATH", "/var/lib/kopano-webapp/tmp");

        // Define the path to the plugin directory (No slash at the end)
        define("PATH_PLUGIN_DIR", "plugins");

        // Enable the plugins
        define("ENABLE_PLUGINS", true);

        // Define list of disabled plugins separated by semicolon
        // Plugin directory name should be used in this list.
        define("DISABLED_PLUGINS_LIST", "");

        // Define a list of plugins that cannot be disabled by users.
        // Plugins should be seperated by a semicolon (;). A wildcard (*)
        // can be used to identify multiple plugins.
        // Plugin directory name should be used in this list.
        define("ALWAYS_ENABLED_PLUGINS_LIST", "");

        // General WebApp theme. This will be loaded by default for every user
        // (if the theme is installed as a plugin)
        // Users can override the 'logged-in' theme in the settings.
        define("THEME", "");

        // General WebApp icon set. This will be loaded by default for every user.
        // Users can override the iconset in the settings.
        define("ICONSET", "breeze");

        // The title that will be shown in the title bar of the browser
        define("WEBAPP_TITLE", "Kopano WebApp");

        // Set addressbook for GAB not to show any users unless searching for a specific user
        define("DISABLE_FULL_GAB", false);

        // Set a maximum number of (search) results for the addressbook
        // When more results are found no results will be displayed in the client.
        // Set to 0 to disable this feature and show all results.
        define("MAX_GAB_RESULTS", 0);

        // Set true to hide public contact folders in address-book folder list,
        // false will show public contact folders in address-book folder list.
        define('DISABLE_PUBLIC_CONTACT_FOLDERS', false);

        // Set true to show public folders in hierarchy, false will disable public folders in hierarchy.
        define("ENABLE_PUBLIC_FOLDERS", true);

        // Set true to hide shared contact folders in address-book folder list,
        // false will show shared contact folders in address-book folder list.
        define('DISABLE_SHARED_CONTACT_FOLDERS', false);

        // Set to true to give users the option to enable conversation view in their settings
        // Set to false to hide the setting and disable conversation view for all users
        define("ENABLE_CONVERSATION_VIEW", false);

        // Set to true to give users the possiblity to edit, create, and delete mail filters on the store
        // of other users. The user needs owner permissions on the store of the other user.
        define('ENABLE_SHARED_RULES', true);

        // Booking method (true = direct booking, false = send meeting request)
        define("ENABLE_DIRECT_BOOKING", true);

        // Enable GZIP compression for responses
        define("ENABLE_RESPONSE_COMPRESSION", true);

        // When set to true this disables the welcome screen to be shown for first time users.
        define('DISABLE_WELCOME_SCREEN', true);

        // Set to true to disable the "What's new dialog" that will be shown to users to introduce new features.
        define("DISABLE_WHATS_NEW_DIALOG", false);

        // When set to false it will disable showing of advanced settings.
        define('ENABLE_ADVANCED_SETTINGS', true);

        // Freebusy start offset that will be used to load freebusy data in appointments, number is subtracted from current time
        define("FREEBUSY_LOAD_START_OFFSET", 7);

        // Freebusy end offset that will be used to load freebusy data in appointments, number is added to current time
        define("FREEBUSY_LOAD_END_OFFSET", 90);

        // Maximum eml files to be included in a single ZIP archive
        define("MAX_EML_FILES_IN_ZIP", 50);

        // Set true to default soft delete the shared store items
        define("ENABLE_DEFAULT_SOFT_DELETE", false);

        // Additional color schemes for the calendars can be added by uncommenting and editing the following define.
        // The format is the same as the format of COLOR_SCHEMES which is defined in default.php
        // To change the default colors, COLOR_SCHEMES can also be defined here.
        // Note: Every color should have a unique name, because it is used to identify the color
        // define("ADDITIONAL_COLOR_SCHEMES", json_encode(array(
        //              array(
        //                      'name' => 'pink',
        //                      'displayName' => _('Pink'),
        //                      'base' => '#ff0099'
        //              )
        // )));

        // Additional categories can be added by uncommenting and editing the following define.
        // The format is the same as the format of DEFAULT_CATEGORIES which is defined in default.php
        // To change the default categories, DEFAULT_CATEGORIES can also be defined here.
        // Note: Every category should have a unique name, because it is used to identify the category
        // define("ADDITIONAL_CATEGORIES", json_encode(array(
        //              array(
        //                      'name' => _('Family'),
        //                      'color' => '#000000',
        //                      'quickAccess' => true,
        //                      'sortIndex' => 10
        //              )
        // )));

        // Additional Prefix for the Contact name can be added by uncommenting and editing the following define.
        // define("CONTACT_PREFIX", json_encode(array(
        //      array(_('Er.')),
        //      array(_('Gr.'))
        // )));

        // Additional Suffix for the Contact name can be added by uncommenting and editing the following define.
        // define("CONTACT_SUFFIX", json_encode(array(
        //      array(_('A')),
        //      array(_('B'))
        // )));

        // Define the polling interval in minutes for unread mail in shared stores.
        define("SHARED_STORE_POLLING_INTERVAL", 15);

        // Define the amount of emails to load in the background, in batches of 10 emails per request every x seconds
        // defined by PREFETCH_EMAIL_INTERVAL until the defined amount of items is loaded. Setting this value to zero
        // disables this feature.
        define("PREFETCH_EMAIL_COUNT", 10);

        // Define the interval between loading of new emails in the background.
        define("PREFETCH_EMAIL_INTERVAL", 30);

        /**************************************\
        * Memory usage and timeouts            *
        \**************************************/

        // This sets the maximum time in seconds that is allowed to run before it is terminated by the parser.
        ini_set("max_execution_time", 300); // 5 minutes

        // BLOCK_SIZE (in bytes) is used for attachments by mapi_stream_read/mapi_stream_write
        define("BLOCK_SIZE", 1048576);

        // Time that static files may exist in the client's cache (13 weeks)
        define("EXPIRES_TIME", 60*60*24*7*13);

        // Time that the state files are allowed to survive (in seconds)
        // For filesystems on which relatime is used, this value should be larger then the relatime_interval
        // for kernels 2.6.30 and above relatime is enabled by default, and the relatime_interval is set to
        // 24 hours.
        define("STATE_FILE_MAX_LIFETIME", 28*60*60);

        // Time that attachments are allowed to survive (in seconds)
        define("UPLOADED_ATTACHMENT_MAX_LIFETIME", 6*60*60);

        /**********************************************************************************
         *  Logging settings
         *
         *  Possible LOG_USER_LEVEL values are:
         *  LOGLEVEL_OFF            - no logging
         *  LOGLEVEL_FATAL          - log only critical errors
         *  LOGLEVEL_ERROR          - logs events which might require corrective actions
         *  LOGLEVEL_WARN           - might lead to an error or require corrective actions in the future
         *  LOGLEVEL_INFO           - usually completed actions
         *  LOGLEVEL_DEBUG          - debugging information, typically only meaningful to developers
         *
         *  The verbosity increases from top to bottom. More verbose levels include less verbose
         *  ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
         *  LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
         *
         **************************************************************************************/
        define('LOG_USER_LEVEL', 'LOGLEVEL_WARN');

        // To save e.g. user activity data only for selected users, provide the username followed by semicolon.
        // The data will be saved into a dedicated file per user in the LOG_FILE_DIR
        // Users have to be encapsulated in quotes, several users are semicolon separated, like:
        // define('LOG_USERS', 'user1;user2;user3');
        define("LOG_USERS", "");

        // Location of the log directory
        // e.g /var/log/webapp-userslog/users/
        // The directory will be created when it does not exist.
        // Webserver user should have permissions to write in this folder
        define("LOG_FILE_DIR", "");

        /**************************************\
        * Languages                            *
        \**************************************/

        // Location to the translations
        define("LANGUAGE_DIR", "server/language/");

        // Defines the default interface language. This can be overridden by the user.
        if (isset($_ENV['LANG']) && $_ENV['LANG']!="C") {
                define('LANG', $_ENV["LANG"]); // This means the server environment language determines the web client language.
        } else {
                define('LANG', 'en_US.UTF-8'); // default fallback language
        }

        // List of languages that should be enabled in the logon
        // screen's language drop down.  Languages should be specified
        // using <languagecode>_<regioncode>[.UTF-8], and separated with
        // semicolon.  A list of available languages can be found in
        // the manual or by looking at the list of directories in
        // /usr/share/kopano-webapp/server/language .
        define("ENABLED_LANGUAGES", "cs_CZ;da_DK;de_DE;en_GB;en_US;es_CA;es_ES;fi_FI;fr_FR;hu_HU;it_IT;ja_JP;nb_NO;nl_NL;pl_PL;pt_BR;ru_RU;sl_SI;tr_TR;zh_TW");

        // Defines the default time zone
        if (!ini_get('date.timezone')) {
                date_default_timezone_set('Europe/Amsterdam');
        }

        /**************************************\
        * Powerpaste                           *
        \**************************************/

        // Options for TinyMCE's powerpaste plugin, see https://www.tiny.cloud/docs/plugins/powerpaste/#configurationoptions
        // for more details.
        define("POWERPASTE_WORD_IMPORT", "merge");
        define("POWERPASTE_HTML_IMPORT", "merge");
        define("POWERPASTE_ALLOW_LOCAL_IMAGES", true);

        /**************************************\
        * Debugging                            *
        \**************************************/

        // Do not log errors into stdout, since this generates faulty JSON responses.
        ini_set("display_errors", false);

        ini_set("log_errors", true);
        error_reporting(E_ERROR);

        // Log successful logins
        define("LOG_SUCCESSFUL_LOGINS", false);

        if (file_exists('debug.php')) {
                include_once('debug.php');
        } else {
                // define empty dump function in case we still use it somewhere
                function dump(){}
        }
?>

Konnectd, since that isn’t using a config file for some reason, but this is the commandline it uses.

konnectd serve --signing-private-key=/extras/konnectd-signing-private-key.pem --encryption-secret=/extras/konnectd-encryption-secret.key --identifier-registration-conf /cm/konnectd-identifier-registration.yaml --identifier-scopes-conf /etc/kopano/konnectd-identifier-scopes.yaml --iss=https://<hidden> --log-level=debug kc

konnectd-identifier-registration.yaml

clients:
  - id: kopano-webapp
    trusted: yes
    application_type: web
    redirect_uris:
      - https://<hidden>/webapp/
      - https://<hidden>/webapp/index.php
      - https://<hidden>/webapp/index.php?logout
      - https://<hidden>/webapp/oidc-silent-refresh.php
    origins:
      - https://<hidden>/webapp

Hopfully I’ve censored all the sensitive stuff and only the sensitive stuff. And that those are all the configs used. Don’t remember any more at the top of my head at least :/

fbartels

Hi @EtherMan,

this is the reason you get logged in without having a Token from Konnect:

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

define(‘SSLCERT_FILE’, ‘/certs/webapp/combo.pem’);

WebApp uses the ssl certificate to log into your server. The When using a single-signon comment only applies when authentication is enforced on the webserver level, e.g. when using mod_kerberos or shibboleth.

You only need to remove the cert and should be fine afterwards.

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

konnectd-identifier-registration.yaml

This is technically not necessary, when <hidden> is also the domain that is set as the issuer in connect. apps running on the same domain are automatically trusted.

EtherMan

Eh? Now you’re making me REALLY confused here. So without that line… How does Webapp communicate with Server? It also doesn’t match description since description basically says it’s needed when using SSO (which I am since I’m using konnectd), and speak to the kopano-server using SSL, which I am.

Testing it with that line removed though, does work in so far as it still allows me to log in… Though I’m not sure why it would allow that. It has had absolutely zero effect on what happens after logging out though. It has made one change it seems though. I’m now getting an error in konnectd that “time=“2020-05-05T12:17:44Z” level=debug msg=“IdentifierIdentityManager: id_token_hint does not match request” error=“invalid origin: https://<webapp base domain url>””

fbartels

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

It also doesn’t match description since description basically says it’s needed when using SSO (which I am since I’m using konnectd), and speak to the kopano-server using SSL,

the important part comes after the above two statements “and authenticate using an SSL certificate.” You don’t authenticate with an ssl certificate when doing an oidc login. you actually authenticate through oidc. And like I said before login with an ssl certificate is only needed when your webserver is your gatekeeper (e.g. when using kerberos or saml). Although I have not checked, I would be surprised if the documentation tells you something different.

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

https://<webapp base domain url>

So is <webapp base domain url> the same domain that you have Konnect listening under? Is it the same domain that you have prevously masked with <hidden>?

EtherMan

Err… The Webapp system is authing using SSL certs no? Every other component is after all. And I don’t get what you mean by webserver being the gatekeeper… Ofc it is? It’s the webserver serving the content so ofc it’s the gatekeeper? That would be the case regardless of who or what is lending you to the key.

And webapp base domain url and all <hidden> domains are the same domain, but not all the same subdomains. Konnect is on oidc.domain.tld while webapp is on webapp.domain.tld, server on kopano.domain.tld

fbartels

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

The Webapp system is authing using SSL certs no?

No. The users authenticate through oidc. It is not WebApp that is authenticating itself to the server (which is what components such as dagent or search are doing).

Ok just pretend I did not say “domain”, but “fully qualified domain name”. You must use the precise domain and any subdomain or toplevel domain in the identifier registration.

EtherMan

Right, so fqdn. Then those are different… But so then, what is needed to be different? The issuer identifier in Server, is oidc.domain.tld. The issuer identifier in konnect is oidc.domain.tld, the issuer identifier in webapp is oidc.domain.tld, the konnectd-identifier-registration.yaml urls, are all webapp.domain.tld. Though technically, I’d prefer components not communicating in between them over those urls because then they go over the reverse proxy, so just more points of failures. Hence why they’re defined with just the internal hostnames of kopano-server in that case. The invalid origin line of the log from konnect though, does not even have the /webapp at the end though, but I’ve not specified any such url anywhere.

fbartels

It needs to be a publicly reachable domain, because that is what users use to reach WebApp and make use of oidc.

EtherMan

Hmm… I tried adding another origin to the konnectd-identifier-registration.yaml without the /webapp at the end… And now it works to log out it seems. I got that file layout from the guides somewhere though which didn’t have any entry for without /webapp

So much confusing stuff in this. It’s still not auto creating stores for users though. So have to manually go into the server container and run kopano-cli commands, which randomly fail, and when they fail, I have to detach, delete and recreate the store because it creates them in a faulty state for whatever reason… It’s weird… But for now at least, it works.

And webapp and oidc are both publicly accessible domains. And server is also on a publicly accessible domain. Webapp and konnectd just isn’t speaking to server over that.

EtherMan

Hmm nope. No no no no… Very very wrong now. Two major errors. Logging in and out currently works (sort of). But first issue is that passwords are not verified… Like, at all. As long as username is provided, it logs you in as that user regardless of password provided. The second issue is that while it works in Brave, Chrome and Firefox, but Internet Explorer does not.

Navigation Event Separator

DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
identifier
HTML1300: Navigation occurred.
webapp
DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
identifier
UserManager.ctor: monitorSession is configured, setting up session monitor
WebStorageStateStore.get user:https://oidc.domain.tld:kopano-webapp
OidcClient.clearStaleState
WebStorageStateStore.getAllKeys
WebStorageStateStore.get user:https://oidc.domain.tld:kopano-webapp
UserManager._loadUser: no user storageString
State.clearStaleState: got keys 90bfa86e086f45ab9622a73e06a8de4c,b5939eabb4524f6dbf5bc5b878a8eb22,3fe4607b89af4b4cb9b386c926f5624c,040c38c35ea84605b3497181cec670f8,ebfd152f0a8e43ac86ccf3a4364ebaf5
   "State.clearStaleState: got keys"
   [
      0: "90bfa86e086f45ab9622a73e06a8de4c",
      1: "b5939eabb4524f6dbf5bc5b878a8eb22",
      2: "3fe4607b89af4b4cb9b386c926f5624c",
      3: "040c38c35ea84605b3497181cec670f8",
      4: "ebfd152f0a8e43ac86ccf3a4364ebaf5",
      length: 5
   ]

WebStorageStateStore.get 90bfa86e086f45ab9622a73e06a8de4c
WebStorageStateStore.get b5939eabb4524f6dbf5bc5b878a8eb22
WebStorageStateStore.get 3fe4607b89af4b4cb9b386c926f5624c
WebStorageStateStore.get 040c38c35ea84605b3497181cec670f8
WebStorageStateStore.get ebfd152f0a8e43ac86ccf3a4364ebaf5
State.clearStaleState: waiting on promise count: 5
UserManager._loadUser: no user storageString
UserManager.getUser: user not found in storage
State.fromStorageString
State.clearStaleState: got item from key:  90bfa86e086f45ab9622a73e06a8de4c 1588690106
State.clearStaleState: removed item for key:  90bfa86e086f45ab9622a73e06a8de4c
WebStorageStateStore.remove 90bfa86e086f45ab9622a73e06a8de4c
State.fromStorageString
State.clearStaleState: got item from key:  b5939eabb4524f6dbf5bc5b878a8eb22 1588690944
State.fromStorageString
State.clearStaleState: got item from key:  3fe4607b89af4b4cb9b386c926f5624c 1588690954
State.fromStorageString
State.clearStaleState: got item from key:  040c38c35ea84605b3497181cec670f8 1588690997
State.fromStorageString
State.clearStaleState: got item from key:  ebfd152f0a8e43ac86ccf3a4364ebaf5 1588691007
UserManager.getUser: user not found in storage
WebStorageStateStore.get user:https://oidc.domain.tld:kopano-webapp
UserManager._loadUser: no user storageString
UserManager._signinStart: got navigator window handle
OidcClient.createSigninRequest
MetadataService.getMetadataProperty for: authorization_endpoint
MetadataService.getMetadata: getting metadata from https://oidc.domain.tld/.well-known/openid-configuration
JsonService.getJson, url:  https://oidc.domain.tld/.well-known/openid-configuration
JsonService.getJson: HTTP response received, status 200
MetadataService.getMetadata: json received
MetadataService.getMetadataProperty: metadata recieved
OidcClient.createSigninRequest: Received authorization endpoint https://oidc.domain.tld/signin/v1/identifier/_/authorize
SigninState.toStorageString
WebStorageStateStore.set 8093038336874e04847b6bee5349a740
UserManager._signinStart: got signin request
IFrameWindow.navigate: Using timeout of: 10000
SCRIPT1002: Syntax error
webapp (22066,31)
IFrameWindow.timeout
IFrameWindow: cleanup
Frame window timed out
UserManager._signinStart: Error after preparing navigator, closing navigator window
oidc signin silent failed Error: Frame window timed out
   "oidc signin silent failed"
   {
      [functions]: ,
      __proto__: { },
      description: "Frame window timed out",
      message: "Frame window timed out",
      name: "Error",
      stack: "Error: Frame window timed out
   at Anonymous function (https://webapp.domain.tld/webapp/:21341:17)
   at run (https://webapp.domain.tld/webapp/:13361:13)
   at Anonymous function (https://webapp.domain.tld/webapp/:13378:30)
   at flush (https://webapp.domain.tld/webapp/:9195:9)"
   }

Navigation Event Separator

oidc signin silent did not return a user
UserManager._signinStart: got navigator window handle
OidcClient.createSigninRequest
MetadataService.getMetadataProperty for: authorization_endpoint
MetadataService.getMetadata: Returning metadata from settings
MetadataService.getMetadataProperty: metadata recieved
OidcClient.createSigninRequest: Received authorization endpoint https://oidc.domain.tld/signin/v1/identifier/_/authorize
SigninState.toStorageString
WebStorageStateStore.set ba0f70623489445ba330a55be4c0b43e
UserManager._signinStart: got signin request
DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
webapp
HTML1300: Navigation occurred.
authorize
UserManager.signinRedirect: successful
oidc signing redirect undefined
DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
webapp
Kopano Identifier build version: 0.33.0
Kopano Kpop build version: 2.2.0
SCRIPT5009: 'Promise' is undefined
main.23aaf6b8.chunk.js (1,384)

The errors keep getting weirder and weirder @fbartels >_<

fbartels

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

but Internet Explorer does not.

Who still wants to use Internet Explorer?

You have not specified it about but my bet would be that you also use an SSL client certificate in Konnect. In that case the described behaviour is expected (you have seen the exact same with WebApp if you remember).

You only need an SSL certificate for services that need to authenticate themselves. In Konnect the user provides the authentication.

EtherMan

Ok that did indeed solve that one. Though I don’t quite understand this… Because basically, this means Server is accepting and speaking with… Well, anything? As in, anyone could set up say a webapp server that serves from my server, even if they themselves don’t even have an account? I understand they wouldn’t have user access to actually log in without an account and such, but it seems a pretty big deal to me that just anyone is allowed to set up frontends nilly willy. Especially considering that’s essentially giving people permission to do mitm attacks against users, with a live system that for all intents and purposes does work. Different components should auth themselves, as themselves, and have user authentication done inside of that authentication :/

As for who wants to use IE. Well, my parents do for one. I’m not about to teach two 80+ year olds about the wonders of new browsers. You’re not going to tell me that konnectd doesn’t work for IE are you? Please don’t >_<

fbartels

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

Because basically, this means Server is accepting and speaking with… Well, anything?

Yeah. Just like connecting with an imap server, a webserver. If you can reach it, you can authenticate, you can use it. If you don’t want other to connect to it, you need to close it to the external world.

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

You’re not going to tell me that konnectd doesn’t work for IE are you? Please don’t >_<

https://documentation.kopano.io/support_lifecycle_policy/webapp_support_lifecycle.html#browser-support

EtherMan

Oh yea, it’s Edge that is the normal browser in Windows these days. And that works. Will have to check if they perhaps use that these days or they really are still using IE. Same icon so what is IE to them, may actually be Edge. Though “WebApp is supported for all production versions of Firefox, Chrome, Internet Explorer, Edge and Safari” does indicate that IE should still be supported, since it still is being shipped and updated.

As for imap comparison. The difference there is that if I use an IMAP client, I authenticate to the server, as myself, for myself. If I set up a Webapp frontend, I’m letting other users authenticate as themselves, to another service. A service I don’t need any account to in order to set up Webapp for. As in, there is no “you can authenticate”, because without client certificates being used by webapp to auth itself, setting up webapp does NOT require you to authenticate yourself to kopano, it just requires that the user wanting to log in does. And closing it to the world isn’t an option, since ofc, I still need to have my own webapp.

fbartels

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

Though “[…]” does indicate that IE should still be supported, since it still is being shipped and updated.

Have a look at the bottom note.

@EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

The difference there is that if I use an IMAP client, I authenticate to the server, as myself, for myself

Not quite. You can also install e.g. roundcube on a server and as long as the server is the php imap module you can use this roundcube to log into the imap server that the admin configured in its configuration file.

I don’t fully understand your argument. Additionally you could host your own webapp at a location where this port can be reached, it just does not need to be publicly reachable.

EtherMan

Right, and I understand. I’m just saying that what I quoted contradicts what the table and the bottom note says.

As for roundcube, that is just an IMAP client though, it’s just web hosted. It is my understanding that WebApp is quite a lot more than just a client.