OCIS gives out 400 error while trying to login

Steps to reproduce

  1. Install and configure OCIS
  2. Point nginx to OCIS
  3. Open the page

Expected behaviour

There should be no error

Actual behaviour

After configuring OCIS and nginx and starting the OCIS systemd service, accessing the web UI gave the error "Failed to connect to server. Unexpected HTTP response: 400. Please check your connection and try again." Checking the network log using the developer tools shows that it's caused by OCIS returning 400 to a request to https://own.poscat.moe:8443/signin/v1/identifier/_/hello

The full request (curl):

curl 'https://own.poscat.moe:8443/signin/v1/identifier/_/hello' \
  -H 'authority: own.poscat.moe:8443' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7' \
  -H 'content-type: application/json' \
  -H 'dnt: 1' \
  -H 'kopano-konnect-xsrf: 1' \
  -H 'origin: https://own.poscat.moe:8443' \
  -H 'referer: https://own.poscat.moe:8443/signin/v1/identifier?client_id=web&code_challenge=A9SqOyxCR6XuhoUoGTtc7pjcFmpcn1CD_dDg1qXqtMM&code_challenge_method=S256&flow=oidc&redirect_uri=https%3A%2F%2Fown.poscat.moe%3A8443%2Foidc-callback.html&response_mode=query&response_type=code&scope=openid+profile+email&state=8231e81eaa774580b7d2506c4d9caa0a' \
  -H 'sec-ch-ua: "Chromium";v="118", "Microsoft Edge";v="118", "Not=A?Brand";v="99"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'sec-gpc: 1' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.61' \
  --data-raw '{"scope":"openid profile email","client_id":"web","redirect_uri":"https://own.poscat.moe:8443/oidc-callback.html","flow":"oidc","state":"1af6fa0644598a8b"}' \
  --compressed

Corresponding log:

WRN rejecting identifier HTTP request error="origin does not match request URL" host=own.poscat.moe line=github.com/owncloud/ocis/v2/ocis-pkg/log/logrus_wrapper.go:50 origin=https://own.poscat.moe:8443 referer=https://own.poscat.moe:8443/signin/v1/identifier?client_id=web&code_challenge=Uehc87BUoZL8kooEVQ3-y7Ic_A2fB0FoMGCDe2UBf8c&code_challenge_method=S256&flow=oidc&redirect_uri=https%3A%2F%2Fown.poscat.moe%3A8443%2Foidc-callback.html&response_mode=query&response_type=code&scope=openid+profile+email&state=f1284dd17b5446afa716c5bcbaf6d942 service=idp user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.61"

Server configuration

Operating system:
NixOS 23.05

Web server:
Nginx

Database:
N/A

PHP version:
N/A

ownCloud version: (see ownCloud admin page)
OCIS 4.0.2

Updated from an older ownCloud or fresh install:
No

Where did you install ownCloud from:
Downloaded the binary from official site.

Client configuration

Browser:
Edge

Operating system:
MacOS

After some code digging, it seems that it's because the server is hosted on a non-standard port. When golang's net/url parses the referrer URL, the returned URL's host is actually host:port, which makes the check in vendor/github.com/libregraph/lico/identifier/handlers.go#L96 (ffs why can't I post links) fail. Not sure if I should submit a bug report to OCIS or upstream though.

Just for completeness, here is the corresponding GitHub issue: Login page shows error 400 when hosted on a non-standard port · Issue #7563 · owncloud/ocis · GitHub

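The mismatch described in the thread above, reproduced as an added Go example (not code from OCIS, lico, or the original poster). `checkOrigin` is a hypothetical helper that does the kind of strict host comparison the post describes; the first case uses the `origin` and `host` values from the log line, and `other.example` is a constructed host.

```go
package main

import (
	"fmt"
	"net/url"
)

// checkOrigin is a hypothetical stand-in for a strict same-origin check:
// the Host parsed from the Origin header must equal the Host value the
// backend received on the request.
func checkOrigin(origin, requestHost string) error {
	u, err := url.Parse(origin)
	if err != nil {
		return fmt.Errorf("invalid origin: %w", err)
	}
	// url.URL.Host keeps an explicit port ("own.poscat.moe:8443");
	// Hostname() and Port() return the two parts separately.
	if u.Host == requestHost {
		return nil
	}
	if u.Hostname() == requestHost && u.Port() != "" {
		// Same name, but the backend saw a Host without the port.
		return fmt.Errorf("origin does not match request URL: request host %q lacks port %q",
			requestHost, u.Port())
	}
	return fmt.Errorf("origin does not match request URL")
}

func main() {
	cases := []struct{ origin, host string }{
		{"https://own.poscat.moe:8443", "own.poscat.moe"},      // values from the log line
		{"https://own.poscat.moe:8443", "own.poscat.moe:8443"}, // backend sees host:port
		{"https://own.poscat.moe", "own.poscat.moe"},           // standard port, no mismatch
		{"https://other.example:8443", "own.poscat.moe:8443"},  // constructed cross-origin case
	}
	for _, c := range cases {
		fmt.Printf("origin=%s host=%s -> %v\n", c.origin, c.host, checkOrigin(c.origin, c.host))
	}
}
```

The comparison passes once the backend receives the same host:port the browser used, and it still rejects a different origin. Behind nginx, `proxy_set_header Host $host;` forwards the name without the port while `$http_host` forwards the header as the client sent it; whether that applies to this setup is an assumption, since the page does not show the nginx configuration.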