I’m trying to set up a Drupal 8 site as my OAuth/OpenID Connect provider. The module’s documentation is sparse, as is my understanding of all the pieces. I am reading up on OAuth and OpenID Connect so I can hopefully be smarter in my troubleshooting, but in the meantime, help would be appreciated.
I know the module works as an OpenID Connect provider. I was able to configure a different Drupal 8 site to connect via the OpenID Connect module. I only needed the authorize, token, and userinfo endpoints to make it work.
Here are the module docs
The module’s routing file lists these routes:
- '/oauth2/authorize'
- '/oauth2/token'
- '/oauth2/tokens/{oauth2_server_token}'
- '/oauth2/UserInfo'
- '/oauth2/certificates'
The OAuth2 Server module has you configure a server, and then you configure individual clients for that server.
The server config:
The client config:
The module does not provide a .well-known
endpoint, so I am using provider-params
as documented here.
Here is my OwnCloud config:
$CONFIG['openid-connect'] = [
    'autoRedirectOnLoginPage' => false,
    'client-id' => 'owncloud_example_org',
    'client-secret' => 'secret',
    'loginButtonName' => 'OpenId Connect',
    'mode' => 'userid',
    // Endpoints are listed by hand because the provider publishes no .well-known document
    'provider-params' => [
        'authorization_endpoint' => 'https://drupal.example.org/oauth2/authorize',
        //'end_session_endpoint' => '...',
        //'jwks_uri' => '...',
        //'registration_endpoint' => '...',
        'token_endpoint' => 'https://drupal.example.org/oauth2/token',
        //'token_endpoint_auth_methods_supported' => '...',
        'userinfo_endpoint' => 'https://drupal.example.org/oauth2/UserInfo'
    ],
    'provider-url' => 'https://drupal.example.org',
    'search-attribute' => 'sub',
    'use-token-introspection-endpoint' => true,
    'insecure' => true,
];
I left settings I didn’t know about commented out.
When I click the OpenId Connect button, I am successfully sent to the Drupal site’s authorization page. But after hitting the “authorize” button and being redirected back to OwnCloud, I hit an error message.
Error in OpenIdConnect:Unable to determine state
The url looks like: https://owncloud.example.org/apps/openidconnect/redirect?code=< hash >&state=< hash2 >
In the owncloud log file I see:
{"reqId":"kB2PmFbDrPQJnJptNLyi","level":3,"time":"2021-04-16T22:01:24+00:00","remoteAddr":"192.168.122.1","user":"--","app":"OpenID","method":"GET","url":"\/apps\/openidconnect\/redirect?code=276d452e31bc1a761e3c41ac302e6024a8e715a4&state=4812593433c06ac171f1a5d17b51d822","message":"Exception: {\"Exception\":\"Jumbojett\\\\OpenIDConnectClientException\",\"Message\":\"Unable to determine state\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Client.php(164): Jumbojett\\\\OpenIDConnectClient->authenticate()\\n#1 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Controller\\\/LoginFlowController.php(124): OCA\\\\OpenIdConnect\\\\Client->authenticate()\\n#2 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(153): OCA\\\\OpenIdConnect\\\\Controller\\\\LoginFlowController->login(*** sensitive parameters replaced ***)\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(85): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController()\\n#4 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(100): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch()\\n#5 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main()\\n#6 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/Route\\\/Router.php(341): OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke()\\n#7 \\\/var\\\/www\\\/owncloud\\\/lib\\\/base.php(915): OC\\\\Route\\\\Router->match()\\n#8 \\\/var\\\/www\\\/owncloud\\\/index.php(54): OC::handleRequest()\\n#9 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/vendor\\\/jumbojett\\\/openid-connect-php\\\/src\\\/OpenIDConnectClient.php\",\"Line\":312}"}
Any suggestions on troubleshooting steps? I have tried a bunch of different combinations of settings, but nothing worked. And I didn’t do it in a smart way, so no notes…
Is the app expecting different parameters in the url? Is there a way to tell it which parameters to use?
Thanks in advance!
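Added example (editor's note, not code from the post, from OwnCloud or from the jumbojett library): a small Python model of the OpenID Connect `state` check that an error like "Unable to determine state" comes from. The relying party mints a random `state` before redirecting to the provider, stores it in the user's session, and on the way back accepts the `?code=...&state=...` redirect only if the same session still holds a matching value. The session store is modelled as a plain dict, the session key name `openid_connect_state` is illustrative, and the sample `code` values are constructed; the two URLs are the ones quoted in the post.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint and redirect URI taken from the post; everything else is constructed.
AUTHORIZE_ENDPOINT = "https://drupal.example.org/oauth2/authorize"
REDIRECT_URI = "https://owncloud.example.org/apps/openidconnect/redirect"
SESSION_KEY = "openid_connect_state"  # assumed session key name (illustrative)


class StateError(Exception):
    """Raised when the state returned by the provider cannot be verified."""


def build_authorization_url(session: dict, client_id: str) -> str:
    """Step 1: mint a random state, remember it in the session, then redirect."""
    state = secrets.token_hex(16)
    session[SESSION_KEY] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_redirect(session: dict, redirect_url: str) -> str:
    """Step 2: the provider sent the browser back with ?code=...&state=...

    The state is accepted only if the SAME session that started the login
    still holds a matching value. It is consumed on first use, so reloading
    the redirect URL fails the check as well. Returns the authorization code.
    """
    query = parse_qs(urlparse(redirect_url).query)
    returned_state = query.get("state", [None])[0]
    expected_state = session.pop(SESSION_KEY, None)
    if returned_state is None or expected_state is None:
        # Nothing to compare against: session lost, expired, or never set.
        raise StateError("Unable to determine state")
    if not hmac.compare_digest(expected_state.encode(), returned_state.encode()):
        # Constant-time comparison; a mismatch means a different login attempt
        # (or a forged callback) produced this redirect.
        raise StateError("Unable to determine state")
    code = query.get("code", [None])[0]
    if not code:
        raise StateError("authorization code missing from redirect")
    return code


def redirect_outcome(session: dict, redirect_url: str) -> str:
    """Convenience wrapper returning 'ok:<code>' or 'error:<message>'."""
    try:
        return "ok:" + handle_redirect(session, redirect_url)
    except StateError as exc:
        return "error:" + str(exc)


if __name__ == "__main__":
    # Happy path: the session cookie came back with the browser.
    session = {}
    print(build_authorization_url(session, "owncloud_example_org"))
    callback = f"{REDIRECT_URI}?code=constructed_code&state={session[SESSION_KEY]}"
    print(redirect_outcome(session, callback))
    # Failure path: an empty session on the way back, e.g. the cookie was set
    # under one hostname and the redirect landed on another.
    print(redirect_outcome({}, callback))
```

The point for troubleshooting is that the redirect itself can carry a perfectly good `code` and `state` and still fail: the check is against what the client saved before redirecting, so anything that makes the browser come back without the original session (a cookie scoped to a different host or scheme than the redirect URI, a second login tab overwriting the stored value, an expired session, or a reloaded callback page) produces the same message.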