How to configure OmniAuth OpenID plugin for Google authentication.
Added by Brian Utterback about 7 years ago
I am new to OpenProject, Ruby and Rails. Ideally I would like to have my OpenProject server able to authenticate with Slack, but I don’t know if that is possible. But before I even attempt that, I want to get it working with Google authentication.
Unfortunately, I am unable to make hide nor hair of any of the myriad messages and discussions I have found from people who have attempted it and run into trouble. Often they don’t say what they did up until the point that their problems started, or what they do say doesn’t seem to match my installation (7.0.2). It seems like there are so many people who have posted about it that someone might have a “How To” document, but if there is one I don’t know where it is. There was even a reference on one page of using the settings page to configure it, but if that is possible I am afraid I can’t find it. Can anyone help me out?
Replies (2)
After quite a bit of experimentation, I finally got the Google auth request partially working. I can see the Google option in the sign in drop down and when I click it, it takes me to the Google page. But after I select an account, I get an OpenProject “Internal Error” page at the /auth/callback address. The system syslog says this:
Jun 30 23:35:07 host1 openproject-web-1.service[1162]: I, [2017-06-30T23:35:07.363121 #1719] INFO -- omniauth: (google) Callback phase initiated.
Jun 30 23:35:07 host1 openproject-web-1.service[1162]: E, [2017-06-30T23:35:07.363792 #1719] ERROR -- omniauth: (google) Authentication failure! missing_code: OmniAuth::OpenIDConnect::MissingCodeError, immediate_failed
Jun 30 23:35:07 host1 openproject-web-1.service[1162]: I, [2017-06-30T23:35:07.412697 #1719] INFO -- omniauth: (google) Request phase initiated.
Jun 30 23:35:15 host1 openproject-web-1.service[1162]: I, [2017-06-30T23:35:15.510725 #1719] INFO -- omniauth: (google) Callback phase initiated.
The other_vhosts_access.log file has this:
host1:443 xx.69.254.fff - - [30/Jun/2017:23:35:07 -0400] "GET /auth/google HTTP/1.1" 302 1373 "https://host1/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
host1:443 xx.69.254.fff - - [30/Jun/2017:23:35:07 -0400] "GET /auth/google/callback?state=75lotsofhexstuffad51&error_subtype=access_denied&error=immediate_failed HTTP/1.1" 302 684 "https://host1/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
host1:443 xx.69.254.fff - - [30/Jun/2017:23:35:07 -0400] "GET /auth/google?origin=https%3A%2F%2Fhost1%2F&prompt=login HTTP/1.1" 302 1223 "https://host1/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
host1:443 xx.69.254.fff - - [30/Jun/2017:23:35:15 -0400] "GET /auth/google/callback?state=25b9lotofhexstuffd4e&code=4/SfRkmorehexA3X-juhexhex1llGI&authuser=0&hd=mydomain.org&session_state=eeadehexstuff48d90c..50e3&prompt=none HTTP/1.1" 500 2352 "https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=10digits23-r5krandomchars8lmj.apps.googleusercontent.com&as=365hexf0&destination=https%3A%2F%2Fhost1&approval_state=!ChRVVThIR09RUzBlotsofrandomcharsiRHp4VQ%E2%88%99ADiIGyEAAAAAWVhp66Zd__fiRFV2wTuXPNkS8VsK7WND&xsrfsig=AHgIfE-2TMj5C-Cdastuffw&flowName=GeneralOAuthFlow" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
I changed my site’s FQDN to host1, and replaced the middle of the strings for security reasons, since I don’t know what might leak important info.
And finally the production.log file has this:
W, [2017-06-30T23:50:45.476377 #1719] WARN -- : You are setting a key that conflicts with a built-in method OmniAuth::Strategy::Options#display defined in Kernel. This can cause unexpected behavior when accessing the key via as a property. You can still access the key via the #[] method.
F, [2017-06-30T23:50:45.600656 #1719] FATAL -- :
F, [2017-06-30T23:50:45.600733 #1719] FATAL -- : JSON::JWS::VerificationFailed (JSON::JWS::VerificationFailed):
F, [2017-06-30T23:50:45.600757 #1719] FATAL -- :
F, [2017-06-30T23:50:45.600776 #1719] FATAL -- : app/middleware/reset_current_user.rb:47:in `call'
The first line is repeated multiple times before that one with the same timestamp.
Any ideas?
I have the same problem, not with Google but when trying to set up our own provider.
Strangely, in the provider admin panel (Keycloak) I see the user as an active session.
The redirect fails with an internal server error. The URI is of the form:
https://myopenproject-url/auth/puzzlesso/callback?session_state=…random.characters…&code=…random.characters..
production.log shows:
Does anyone have an idea what happened there?
These are the settings I set within the Rails console: