I managed to connect Indico (test installation) to our SSO system, even though I obtain an error in the OAuth2 flow, more specifically when the client tries to retrieve the token.
This is what I do:
- Click on SSO login button on Indico
- This redirects me to our authentication portal: here I click on eduGAIN button and then I’m redirected to our organization IdP
- I insert my credentials in the form and then I’m redirected back to Indico
- At this point I obtain the following error: `Something went wrong HTTPError: 401 Client Error: Unauthorized for url: https://<base_autorization_server_url>/auth/oauth2/token`
From the logs I see the following (I’ve obfuscated some fields):
```text
2022-10-12 10:19:24,388 INFO 594cf5d2c5f64e93 - indico.rh GET /multipass/authlib/rap-sso?code=<the_code>=&scope=openid%20email%20read:gms%20read:rap&state=<the_state_string> [IP=XX.YYY.ZZ.K] [PID=2014]
2022-10-12 10:19:24,451 ERROR 594cf5d2c5f64e93 - indico.flask 401 Client Error: Unauthorized for url: https://<base_autorization_server_url>/auth/oauth2/token
Traceback (most recent call last):
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask/app.py", line 1517, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask/app.py", line 1503, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/rh.py", line 333, in wrapper
    return rh.process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/rh.py", line 281, in process
    res = self._do_process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/rh.py", line 252, in _do_process
    rv = self._process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/rh.py", line 322, in _process
    rv = self.func()
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask_multipass/util.py", line 119, in decorator
    return func(*args, **kwargs)
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask_multipass/providers/authlib.py", line 119, in _authorize_callback
    token_data = self.authlib_client.authorize_access_token()
  File "/opt/indico/.venv/lib/python3.9/site-packages/authlib/integrations/flask_client/apps.py", line 103, in authorize_access_token
    token = self.fetch_access_token(**params, **kwargs)
  File "/opt/indico/.venv/lib/python3.9/site-packages/authlib/integrations/base_client/sync_app.py", line 341, in fetch_access_token
    token = client.fetch_token(token_endpoint, **params)
  File "/opt/indico/.venv/lib/python3.9/site-packages/authlib/oauth2/client.py", line 202, in fetch_token
    return self._fetch_token(
  File "/opt/indico/.venv/lib/python3.9/site-packages/authlib/oauth2/client.py", line 353, in _fetch_token
    resp.raise_for_status()
  File "/opt/indico/.venv/lib/python3.9/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://<base_autorization_server_url>/auth/oauth2/token
```
It seems the client receives the code (I can see it on the URL bar of the browser), but for some reason it cannot exchange it for the token.
My configuration is the following:
```python
AUTH_PROVIDERS = {
    'rap-sso': {
        'type': 'authlib',
        'title': 'SSO',
        'authlib_args': {
            'client_id': 'my_client_id',
            'client_secret': 'xxxxxxxxx',
            'client_kwargs': {'scope': 'openid email read:gms read:rap'},
            'authorize_url': 'https://<base_autorization_server_url>/auth/oauth2/authorize',
            'access_token_url': 'https://<base_autorization_server_url>/auth/oauth2/token',
            'userinfo_endpoint': 'https://<base_autorization_server_url>/ws/user',
            'callback_uri': 'https://<IP_of_Indico_test_installation>/multipass/authlib/rap-sso'
        }
    }
}
IDENTITY_PROVIDERS = {
    'rap-sso': {
        'type': 'authlib',
        'title': 'SSO',
        'identifier_field': 'email',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name'
        },
        'trusted_email': True,
        'synced_fields': {'first_name', 'last_name'}
    }
}
MULTIPASS_PROVIDER_MAP = {
    'rap-sso': 'rap-sso'
}
```
A similar issue was encountered by a developer who tried to communicate with our authorization portal via OAuth2.
At that time he obtained an unauthorized error because he was sending client_id and secret in the body of the HTTP request and not in the header. As in this case, he was able to receive the code, but not to obtain the token.
He solved it at that time by setting the following header:
`"Authorization": "Basic " + b64encode(client_id:client_secret)`
Is this modification possible in some way?
Thank you in advance,
Cristiano.
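The two client-authentication styles the post contrasts (credentials in the POST body versus an HTTP Basic header), as an added stand-alone example that is not part of the original post or of Authlib/Indico. It builds the authorization-code token request both ways, per RFC 6749 §2.3.1 (which requires form-urlencoding the id and secret before base64), and models a server that accepts only the Basic form, so the body variant gets the same rejection described above. The token URL is the post's placeholder; the code, redirect URI and credentials are constructed sample values.

```python
import base64
import hmac
from urllib.parse import urlencode, quote, unquote

# Placeholder taken from the post, not a real endpoint.
TOKEN_URL = "https://<base_autorization_server_url>/auth/oauth2/token"


def basic_client_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 §2.3.1: form-urlencode id and secret, join with ':', base64-encode."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_token_request(code, redirect_uri, client_id, client_secret, method):
    """Return (headers, urlencoded_body) for the authorization_code grant.
    method is 'client_secret_basic' (header) or 'client_secret_post' (body)."""
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        headers["Authorization"] = basic_client_auth_header(client_id, client_secret)
    elif method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported token endpoint auth method: {method}")
    return headers, urlencode(params)


def server_accepts(headers, body, registered):
    """Model (constructed) of an authorization server that only honours
    client_secret_basic: credentials in the body are ignored, so a
    client_secret_post request is refused, i.e. the 401 seen in the post."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("ascii")
        cid, secret = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    cid, secret = unquote(cid), unquote(secret)
    expected = registered.get(cid)
    if expected is None:
        return False
    # Constant-time comparison so a verifier does not leak secret prefixes by timing.
    return hmac.compare_digest(expected.encode("utf-8"), secret.encode("utf-8"))
```

Authlib picks between these two request shapes through its `token_endpoint_auth_method` client argument, so which one a deployment sends is a configuration matter rather than a code change.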