Content
OpenID Connect Issues (Insufficient Scope)
Added by Aaron Connell about 9 years ago
I am trying to get OpenID Connect auth working with Google but running into an issue that I have not been able to find info on.
The error I get is:
==> /var/log/openproject/web-1.log <== I, [2016-01-29T12:18:28.446317 #5197] INFO -- omniauth: (google) Callback phase initiated.
==> /var/log/openproject/production.log <== F, [2016-01-29T12:18:28.706161 #5197] FATAL -- : OpenIDConnect::Forbidden (Insufficient Scope): app/middleware/params_parser_with_exclusion.rb:40:in `call'
I am running OpenProject 5.0.10 (Mysql2) on Ubuntu 14.04 (installed via package manager).
I have went through the configuration of the OpenID-Connect plugin as per documentation both in these forums as well as the git page for the plugin (https://github.com/finnlabs/openproject-openid_connect).
I am doing this with the plugin that was installed with OpenProject when installing via package method.
I have added the following to the configuration.yml:
openid_connect: google: identifier: "<my oath identifier from google>" secret: "<my oauth key from google>" icon: "openid_connect/auth_provider-google.png" display_name: "Google"
When I go to the app homepage and click on sign-on, I do see the option to use google. I click on it and I am directed to select my google account and then enter credentials. Once I click on credentials, I am brought back to configured callback URL. This is when the error is displayed in the logs above. Also, the error displayed in the browser is below:
Internal error An error occurred on the page you were trying to access. If you continue to experience problems please contact your OpenProject administrator for assistance. If you are the OpenProject administrator, check your log files for details about the error. Back
Additionally, and maybe or maybe not related, the callback URL that is sent to google does use the configured protocol. I have https configured as the protocol, but the callback sent is http. I have temporarily changed the setting,protocol in the following file:
vendored-plugins/openproject-openid_connect/lib/open_project/openid_connect/engine.rb
from:
Providers.configure base_redirect_uri: "#{Setting.protocol}://#{Setting.host_name}"
to:
Providers.configure base_redirect_uri: "https://#{Setting.host_name}"
to see if it would help, but while it does send the correct protocol over with the callback url, it still presents the same Insufficient Scope error noted above. I am not sure why Setting.protocol is not returning the configured protocol, and also not sure if this points any clues as to why I am getting the scope error.
I changed the protocol from http to https in the UI and it seems to have resolved the callback url being sent as http instead of https. Not sure why setting it via openproject config:set did not take even though openproject config listed protocol as https after.
Still getting the Insufficient Scope message though.
Looking for any tips or suggestions on what I have missed in the setup or possible solutions to resolve the scope error.
Replies (4)
Hey Aaron,
mh it doesn’t look like you are doing anything wrong.
Let’s try to debug this. Can you please open the rails console and run
pp OmniAuth::OpenIDConnect::Google.new('google', OpenProject::Configuration['openid_connect']['google']).optionsand post the result here (minus the identifier and secret of course!)?It should look something like this:
{ :display_name=>"Google", :name=>"google", :scope=>[:openid, :email, :profile], :client_options=> { :authorization_endpoint=>"/o/oauth2/auth", :token_endpoint=>"/o/oauth2/token", :userinfo_endpoint=>"https://www.googleapis.com/plus/v1/people/me/openIdConnect", :identifier=>"<identifier>", :secret=>"<secret>", :scheme=>"https", :host=>"accounts.google.com", :port=>443, :redirect_uri=>"http://localhost:3000/auth/google/callback" }, :client_auth_method=>:not_basic, :send_nonce=>false, :state=> #<Proc:0x00000009c91cc0@/.../omniauth-openid_connect-providers-86f3670e127e/lib/omniauth/openid_connect/google.rb:11 (lambda)> }If that is correct - maybe you have not configured the Google API correctly? Have you activated the Google Plus API in developer console?
Markus,
Thanks for the reply. The issue was as you expected, I did not enable the Google+ API. Once I did this everything is working smoothly.
I was not sure what API’s were needed other than the credential and was going down the very wrong path of setting up Identity Connect API - which was getting me nowhere fast :-)
I do have one additional question though: is there a way to restrict google auth to a domain? I was looking at the documentation for google and see you can pass a hd url parameter, but I am not sure where I would setup that parameter on the open project side, or if it is even the right approach with this setup.
It is possible to do this with a small code hack.
Remove the highlighted lines in this file and replace them with the following (make sure you edit YOUR.DOMAIN.HERE properly), then restart OpenProject.
auth_hash[:info][:email] =~ /@(.*)$/ user_domain = $1 if user_domain == 'YOUR.DOMAIN.HERE' decision = OpenProject::OmniAuth::Authorization.authorized? auth_hash if decision.approve? authorization_successful user, auth_hash else authorization_failed user, decision.message end else authorization_failed(user, "User Domain '#{user_domain}' not allowed") endThat’s right Trevor. You don’t even have to touch existing code necessarily, though.
A cleaner way would be the following through use of
OpenProject::OmniAuth::Authorization:OpenProject::OmniAuth::Authorization.authorize_user do |dec, auth| auth.info.email =~ /@(.*)$/ user_domain = $1 if user_domain == 'YOUR.DOMAIN.HERE' dec.approve else dec.reject "User Domain '#{user_domain}' not allowed" end endYou could just add this in an initializer under
config/initializers/limit_user_domain.rbfor instance.