OpenID Connect Issues (Insufficient Scope)

Added by Aaron Connell over 9 years ago

I am trying to get OpenID Connect auth working with Google but running into an issue that I have not been able to find info on.

The error I get is:
==> /var/log/openproject/web-1.log <== I, [2016-01-29T12:18:28.446317 #5197] INFO -- omniauth: (google) Callback phase initiated.

==> /var/log/openproject/production.log <== F, [2016-01-29T12:18:28.706161 #5197] FATAL -- : OpenIDConnect::Forbidden (Insufficient Scope): app/middleware/params_parser_with_exclusion.rb:40:in `call'

I am running OpenProject 5.0.10 (Mysql2) on Ubuntu 14.04 (installed via package manager).

I have gone through the configuration of the OpenID-Connect plugin as per the documentation both in these forums as well as the git page for the plugin (https://github.com/finnlabs/openproject-openid_connect).

I am doing this with the plugin that was installed with OpenProject when installing via package method.

I have added the following to the configuration.yml:

openid_connect:
  google:
    identifier: "<my oauth identifier from google>"
    secret: "<my oauth key from google>"
    icon: "openid_connect/auth_provider-google.png"
    display_name: "Google"

When I go to the app homepage and click on sign-on, I do see the option to use google. I click on it and I am directed to select my google account and then enter credentials. Once I click on credentials, I am brought back to configured callback URL. This is when the error is displayed in the logs above. Also, the error displayed in the browser is below:

Internal error

An error occurred on the page you were trying to access.
If you continue to experience problems please contact your OpenProject administrator for assistance.

If you are the OpenProject administrator, check your log files for details about the error.

Back

Additionally, and maybe or maybe not related, the callback URL that is sent to Google does not use the configured protocol. I have https configured as the protocol, but the callback sent is http. I have temporarily changed the protocol setting in the following file:

vendored-plugins/openproject-openid_connect/lib/open_project/openid_connect/engine.rb

from:
Providers.configure base_redirect_uri: "#{Setting.protocol}://#{Setting.host_name}"

to:
Providers.configure base_redirect_uri: "https://#{Setting.host_name}"

to see if it would help, but while it does send the correct protocol over with the callback URL, it still presents the same Insufficient Scope error noted above. I am not sure why Setting.protocol is not returning the configured protocol, and also not sure if this points to any clues as to why I am getting the scope error.

I changed the protocol from http to https in the UI and it seems to have resolved the callback url being sent as http instead of https. Not sure why setting it via openproject config:set did not take even though openproject config listed protocol as https after.

Still getting the Insufficient Scope message though.

Looking for any tips or suggestions on what I have missed in the setup or possible solutions to resolve the scope error.


Replies (4)

RE: OpenID Connect Issues (Insufficient Scope) - Added by Markus Kahl over 9 years ago

Hey Aaron,

mh it doesn’t look like you are doing anything wrong.
Let’s try to debug this. Can you please open the rails console and run pp OmniAuth::OpenIDConnect::Google.new('google', OpenProject::Configuration['openid_connect']['google']).options and post the result here (minus the identifier and secret of course!)?

It should look something like this:

{
 :display_name=>"Google",
 :name=>"google",
 :scope=>[:openid, :email, :profile],
 :client_options=>
  {
   :authorization_endpoint=>"/o/oauth2/auth",
   :token_endpoint=>"/o/oauth2/token",
   :userinfo_endpoint=>"https://www.googleapis.com/plus/v1/people/me/openIdConnect",
   :identifier=>"<identifier>",
   :secret=>"<secret>",
   :scheme=>"https",
   :host=>"accounts.google.com",
   :port=>443,
   :redirect_uri=>"http://localhost:3000/auth/google/callback"
 },
 :client_auth_method=>:not_basic,
 :send_nonce=>false,
 :state=>
  #<Proc:0x00000009c91cc0@/.../omniauth-openid_connect-providers-86f3670e127e/lib/omniauth/openid_connect/google.rb:11 (lambda)>
}

If that is correct - maybe you have not configured the Google API correctly? Have you activated the Google Plus API in developer console?

RE: OpenID Connect Issues (Insufficient Scope) - Added by Aaron Connell over 9 years ago

Markus,

Thanks for the reply. The issue was as you expected, I did not enable the Google+ API. Once I did this everything is working smoothly.

I was not sure what APIs were needed other than the credential and was going down the very wrong path of setting up the Identity Connect API, which was getting me nowhere fast :-)

I do have one additional question though: is there a way to restrict Google auth to a domain? I was looking at the documentation for Google and see you can pass an hd URL parameter, but I am not sure where I would set up that parameter on the OpenProject side, or if it is even the right approach with this setup.

RE: OpenID Connect Issues (Insufficient Scope) - Added by Trevor Vaughan over 8 years ago

It is possible to do this with a small code hack.

Remove the highlighted lines in this file and replace them with the following (make sure you edit YOUR.DOMAIN.HERE properly), then restart OpenProject.

# Extract the domain part of the authenticated email address; $1 holds the capture.
auth_hash[:info][:email] =~ /@(.*)$/
user_domain = $1
if user_domain == 'YOUR.DOMAIN.HERE'
  decision = OpenProject::OmniAuth::Authorization.authorized? auth_hash
  if decision.approve?
    authorization_successful user, auth_hash
  else
    authorization_failed user, decision.message
  end
else
  authorization_failed(user, "User Domain '#{user_domain}' not allowed")
end

RE: OpenID Connect Issues (Insufficient Scope) - Added by Markus Kahl over 8 years ago

That’s right Trevor. You don’t even have to touch existing code necessarily, though.
A cleaner way would be the following through use of OpenProject::OmniAuth::Authorization:

OpenProject::OmniAuth::Authorization.authorize_user do |dec, auth|
  auth.info.email =~ /@(.*)$/
  user_domain = $1

  if user_domain == 'YOUR.DOMAIN.HERE'
    dec.approve
  else
    dec.reject "User Domain '#{user_domain}' not allowed"
  end
end

You could just add this in an initializer under config/initializers/limit_user_domain.rb for instance.
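The domain check from Trevor's patch and Markus's initializer, as an added example that is not code from the OpenProject plugin or from either poster. It goes a little beyond the thread's snippets: the comparison is case-insensitive and exact (so a look-alike domain such as notyour.domain.here is rejected), a missing or malformed email is rejected instead of raising, and a stand-in `Decision` class and `auth_for` helper are assumed so the block can be exercised outside OpenProject; in a real initializer the same block is passed to `OpenProject::OmniAuth::Authorization.authorize_user`.

```ruby
# Placeholder list of allowed Google account domains (assumed value).
ALLOWED_DOMAINS = %w[your.domain.here].freeze

# Returns the lowercase domain of an email address, or nil when the value
# is missing or has no non-empty local part and domain around a single '@'.
def email_domain(email)
  return nil if email.nil?
  local, sep, domain = email.to_s.strip.rpartition('@')
  return nil if sep.empty? || local.empty? || domain.empty?
  domain.downcase
end

# Exact, case-insensitive membership test; suffix matches are not accepted.
def domain_allowed?(email, allowed = ALLOWED_DOMAINS)
  dom = email_domain(email)
  !dom.nil? && allowed.include?(dom)
end

# Minimal stand-in for the `dec` object OpenProject yields to the block.
class Decision
  attr_reader :message
  def approve; @approved = true; end
  def reject(msg); @approved = false; @message = msg; end
  def approve?; @approved == true; end
end

# Stand-in for the auth hash: only `auth.info.email` is needed here.
Info = Struct.new(:email)
Auth = Struct.new(:info)
def auth_for(email)
  Auth.new(Info.new(email))
end

# The block you would register in config/initializers/limit_user_domain.rb:
#   OpenProject::OmniAuth::Authorization.authorize_user(&LIMIT_DOMAIN)
LIMIT_DOMAIN = lambda do |dec, auth|
  email = auth.info.email
  if domain_allowed?(email)
    dec.approve
  else
    dec.reject "User Domain '#{email_domain(email) || 'unknown'}' not allowed"
  end
end

# Runs the block against one auth object and returns the resulting decision.
def decide(auth)
  dec = Decision.new
  LIMIT_DOMAIN.call(dec, auth)
  dec
end
```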
