Oauth2: mismatch beween positive browser and negative client reply

thommie · March 3, 2022, 2:39pm

(copied from ownCloud Talk as @wkloucek seems to be off)

Server:
“basic”: {
“license key”: “REMOVED SENSITIVE VALUE”,
“date”: “Thu, 03 Mar 2022 14:26:50 +0000”,
“ownCloud version”: “10.9.1.0”,
“ownCloud version string”: “10.9.1 RC1”,
“ownCloud edition”: “Enterprise”,
“server OS”: “Linux”,
“server OS version”: “Linux app3 5.13.19-2-pve #1 SMP PVE 5.13.19-4 (Mon, 29 Nov 2021 12:10:09 +0100) x86_64”,
“server SAPI”: “cli”,
“webserver version”: null,
“hostname”: null,
“logged-in user”: false

Client-Side V2.10

The browser verification for cloud.netzwissen.de works but never finishes. I get “you can close this windows now” but the client never starts syncing. Browser msg shows " Die Anwendung wurde erfolgreich autorisiert. Du kannst das Fenster nun schließen." (close window) after a successful login redirect and authorization. The client shows “Anmeldeinformationen nicht korrekt”

php occ oauth2:list-client is already checked and compared to a second instance which works. redirect-url for client is http://localhost:* which should be fine for the 2.10 client

In the client log I dont understand the

No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured * and the mismatch from the reply from the browser side (“client authenticated”) and from the client side (“login data incorrect”). -

Do we really have a misconfig on the server side? Or a bug in the client? At least the two messages about “authenticated or not” should be the same between browser and sync client …

client log available at https://talk.owncloud.com but i can also post it here if needed.

michaelstingl · March 3, 2022, 3:27pm

Follow-up for Oauth2 login error: "Anfrage nicht gültig" ?

Maybe check for the Apache modules:
Open Authentication (OAuth2) :: ownCloud Documentation

thommie · March 3, 2022, 3:57pm

Yes, sorry for opening a new thread.
Apache: both mod_headers and mod_rewrite are loaded:

root@app3:/var/www/owncloud# apachectl -M
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
[…]
headers_module (shared)
heartbeat_module (shared)
heartmonitor_module (shared)
http2_module (shared)
[…]
remoteip_module (shared)
reqtimeout_module (shared)
request_module (shared)
rewrite_module (shared)
[…]

michaelstingl · March 3, 2022, 4:17pm

Here you can find the flow, how the desktop sync client connects with OAuth 2.0:

https://github.com/owncloud/oauth2/wiki/OAuth-code-Flow-Sequence-Diagram

In your webbrowser, you open a link like this:

http://localhost:51714/?code=3wNnodduJmK702ZEYjnQTlPEcZg4NgSk01Ipmqfyv7wkDaprY7bEmZLcbE0Hn36N&state=WHem7eKmwYHzHeCvxfb0rUa6KbKbwY6HVO9-6CivrYk%3D

Desktop sync client started a local webserver, and listens to get the code=3wN…

Then it sends the code to the token endpoint, to get a set of access_token and refresh_token. This is successful in your log:

Request

03-02 09:46:41:730 [ info sync.httplogger ]:    "819dce8f-2787-403d-a9f5-f1de3e798612: 
Request: POST https://cloud.netzwissen.de/index.php/apps/oauth2/api/v1/token 
Header: { Authorization: Basic [redacted],
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8,
 User-Agent: Mozilla/5.0 (Linux) mirall/2.10.0 (ownCloud, opensuse-tumbleweed-5.16.11-1-default ClientArchitecture: x86_64 OsArchitecture: x86_64),
 Accept: */*,
 X-Request-ID: 819dce8f-2787-403d-a9f5-f1de3e798612,
 Original-Request-ID: 819dce8f-2787-403d-a9f5-f1de3e798612,
 Content-Length: 480,
 Cookie: 52401d632a450=q07udjg2gjlses0v8cucqamr9b; oc_sessionPassphrase=%2BoYVIE%2F5X7q2eTOt7cSf4D7vPipC5KrKS1TMHaY01DHKTBH3VM68BeyDzUEIRa8In3%2B5Wh3pDevguZBbNWuzXRUlLgrkhGz8uJ4yP%2FuY8z6H8tpoxWlLRbfvFlVPPO29,
 } 
Data: [client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69&client_secret=UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh&scope=openid%20offline_access%20email%20profile&grant_type=authorization_code&code=3wNnodduJmK702ZEYjnQTlPEcZg4NgSk01Ipmqfyv7wkDaprY7bEmZLcbE0Hn36N&redirect_uri=http://localhost:39665&code_verifier=2lPHKWCmPFAUtGRuF9Y9NXD-wvtsKY2pllp7foB2V6l6TtwDhmR8Hx2G9UZmvKgzsdgsqnxNoEK5fvlX8Bbc5fOj-T4IlptpLnCnuUM7jcI0s2givLNzNAYxEoUr68Sj]"

Response

03-02 09:46:42:600 [ info sync.httplogger ]:    "819dce8f-2787-403d-a9f5-f1de3e798612: 
Response: POST 200 https://cloud.netzwissen.de/index.php/apps/oauth2/api/v1/token 
Header: { date: Wed, 02 Mar 2022 08:46:41 GMT,
 server: Apache/2.4.41 (Ubuntu),
 upgrade: h2,h2c,
 connection: Upgrade,
 expires: Thu, 19 Nov 1981 08:52:00 GMT,
 cache-control: no-cache, no-store, must-revalidate,
 pragma: no-cache,
 content-security-policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self'
 data: blob:;font-src 'self';connect-src 'self';media-src 'self',
 x-xss-protection: 0,
 x-content-type-options: nosniff,
 x-frame-options: SAMEORIGIN,
 x-robots-tag: none,
 x-download-options: noopen,
 x-permitted-cross-domain-policies: none,
 content-length: 324,
 content-type: application/json; charset=utf-8,
 strict-transport-security: max-age=16000000; includeSubDomains; preload;,
 } 
Data: [{\"access_token\":\"cXOEBEmRzETAUK23j2Fqs6ZiV5ap6HqpHz4waxas7O0f6bLI4lt550FNuEWy4U0D\",
"token_type\":\"Bearer\",
"expires_in\":3600,
"refresh_token\":\"tUjwtjhsCTjGnoaP7DwamjTMwAT53ZmT7VnScxyNsYSznQgcEKf0J1Mstts5CWAN\",
"user_id\":\"thommie4\",
"message_url\":\"https:\\/\\/cloud.netzwissen.de\\/index.php\\/apps\\/oauth2\\/authorization-successful\"}]"

Then the desktop client wants to use the access_token in the next PROPFIND, but this fails:

Request

03-02 09:46:42:711 [ info sync.httplogger ]:    "6f7309e1-be20-4813-a3bb-a06e330f5e33: 
Request: PROPFIND https://cloud.netzwissen.de/remote.php/webdav/ 
Header: { Depth: 0,
 Authorization: Bearer [redacted],
 User-Agent: Mozilla/5.0 (Linux) mirall/2.10.0 (ownCloud, opensuse-tumbleweed-5.16.11-1-default ClientArchitecture: x86_64 OsArchitecture: x86_64),
 Accept: */*,
 Content-Type: text/xml; charset=utf-8,
 X-Request-ID: 6f7309e1-be20-4813-a3bb-a06e330f5e33,
 Original-Request-ID: 6f7309e1-be20-4813-a3bb-a06e330f5e33,
 Content-Length: 117,
 Cookie: 52401d632a450=q07udjg2gjlses0v8cucqamr9b; oc_sessionPassphrase=%2BoYVIE%2F5X7q2eTOt7cSf4D7vPipC5KrKS1TMHaY01DHKTBH3VM68BeyDzUEIRa8In3%2B5Wh3pDevguZBbNWuzXRUlLgrkhGz8uJ4yP%2FuY8z6H8tpoxWlLRbfvFlVPPO29,
 } Data: [<?xml version=\"1.0\" encoding=\"utf-8\"?>
 <d:propfind xmlns:d=\"DAV:\">
 <d:prop>
 <d:getlastmodified/>
 </d:prop>M</d:propfind>
 ]"

Response

03-02 09:46:42:772 [ info sync.httplogger ]:    "6f7309e1-be20-4813-a3bb-a06e330f5e33: 
Response: PROPFIND 401 https://cloud.netzwissen.de/remote.php/webdav/ 
Header: { date: Wed, 02 Mar 2022 08:46:42 GMT,
 server: Apache/2.4.41 (Ubuntu),
 upgrade: h2,h2c,
 connection: Upgrade,
 expires: Thu, 19 Nov 1981 08:52:00 GMT,
 cache-control: no-store, no-cache, must-revalidate,
 pragma: no-cache,
 content-security-policy: default-src 'none';,
 x-xss-protection: 0,
 x-content-type-options: nosniff,
 x-frame-options: SAMEORIGIN,
 x-robots-tag: none,
 x-download-options: noopen,
 x-permitted-cross-domain-policies: none,
 www-authenticate: Basic realm=\"ownCloud\", charset=\"UTF-8\", Bearer realm=\"ownCloud\",
 content-length: 521,
 content-type: application/xml; charset=utf-8,
 strict-transport-security: max-age=16000000; includeSubDomains; preload;,
 } Data: [<?xml version=\"1.0\" encoding=\"utf-8\"?>
 <d:error xmlns:d=\"DAV:\" xmlns:s=\"http://sabredav.org/ns\">
   <s:exception>Sabre\\DAV\\Exception\
   otAuthenticated</s:exception>
   <s:message>No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured,
 No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured</s:message>
 </d:error>
 ]"

I’d guess there’s is nothing the desktop sync client can do here. When the desktop sync client sends a bearer token, no basic auth header should be needed. This is a server bug, or config issue. I’d recommend the check the owncloud.log for all lines with with the X-REQUEST-ID 6f7309e1-be20-4813-a3bb-a06e330f5e33 from this failure.

thommie · March 4, 2022, 9:40pm

Just for info: the issue is solved and - as always - the problem sat before the screen ;-)). the apache had the dav modules enabled and the config had no

   <IfModule mod_dav.c>
      Dav off
    </IfModule>

I now have the following modules loaded and also the “Dav off” block in the config.

root@app3:/etc/apache2# apachectl -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 proxy_module (shared)
 proxy_balancer_module (shared)
 proxy_http_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_shm_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

system · June 2, 2022, 9:41pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.