Crivaledaz / Mattermost-LDAP

This module provides an external LDAP authentication in Mattermost for the Team Edition (free).


401 Unauthorized from $server->getResponse()

emiltorp opened this issue · comments

I tried setting up Mattermost-LDAP on our internal network. I configured LDAP and tested it, it worked. I configured the db with the config_init.sh, where I used everything default except the password. And I use the same password in config_db.php. And tested the credentials and they worked. However, when I press the GitLab button all I get is a 401.

I did some further digging into it, and it seems like it crashes here in oauth/Resource.php:

// Handle a request to a resource and authenticate the access token
if (!$server->verifyResourceRequest(OAuth2\Request::createFromGlobals())) {
    $server->getResponse()->send();
    die;
}

From the getResponse() query I get a 401, and then the send() part doesn't work.

If I run echo on the getResponse() this is exactly what I get:

HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer realm="Service"

I use a fresh clone from this repo, RHEL 7 with nginx as a server (using php72-fpm). PostgreSQL 11.5 as a database. Mattermost 5.27 but that is most likely not the issue since I get the 401 before the tokens are even verified.

I am gladly taking any suggestions on where to look. Any logs where I can find the issue?

In case it is a nginx error, my config looks like this:

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;

  upstream mattermost {
    server 127.0.0.1:8065;
    keepalive 32;
  }

  upstream php {
    server 127.0.0.1:9000;
  }

  server {
    listen   80;
    server_name  mattermost.<REDACTED>.local;
    root         /var/www/html;
    index index.php index.html index.htm;

    #ssl on;
    #ssl_certificate     <path to cert>;
    #ssl_certificate_key <path to key>;


    location ~ /api/v[0-9]+/(users/)?websocket$ {
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       client_max_body_size 50M;
       proxy_set_header Host $http_host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Frame-Options SAMEORIGIN;
       proxy_buffers 256 16k;
       proxy_buffer_size 16k;
       client_body_timeout 60;
       send_timeout 300;
       lingering_timeout 5;
       proxy_connect_timeout 90;
       proxy_send_timeout 300;
       proxy_read_timeout 90s;
       proxy_pass http://mattermost;
    }

    location /oauth/gitlab/ {
      client_max_body_size 50M;
      proxy_set_header Connection "";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Frame-Options SAMEORIGIN;
      proxy_buffers 256 16k;
      proxy_buffer_size 16k;
      proxy_read_timeout 600s;
      proxy_cache mattermost_cache;
      proxy_cache_revalidate on;
      proxy_cache_min_uses 2;
      proxy_cache_use_stale timeout;
      proxy_cache_lock on;
      proxy_pass http://mattermost;
    }

    location ~ /oauth/.*\.php$ {
      try_files $uri =404;
      fastcgi_pass php;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      include fastcgi_params;
    }

    location /oauth/ {
      try_files $uri $uri/ =404;
    }

    location / {
      #sub_filter 'GitLab' 'MyAuth';
      #sub_filter_types *;
      client_max_body_size 50M;
      proxy_set_header Connection "";
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Frame-Options SAMEORIGIN;
      proxy_buffers 256 16k;
      proxy_buffer_size 16k;
      proxy_read_timeout 600s;
      proxy_cache mattermost_cache;
      proxy_cache_revalidate on;
      proxy_cache_min_uses 2;
      proxy_cache_use_stale timeout;
      proxy_cache_lock on;
      proxy_http_version 1.1;
      proxy_pass http://mattermost;
    }
  }
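To make sense of the header quoted above, here is an added Python model of the bearer-token check that a resource endpoint performs (the same check verifyResourceRequest runs in oauth/Resource.php). It is example code, not code from Mattermost-LDAP or oauth2-server-php; the in-memory token store, the user names and the expiry values are constructed, and the realm string is an assumption chosen to match the 401 header shown in the issue. It shows that a request with no Authorization header at all, which is what a browser sends when it is pointed straight at resource.php, gets exactly the bare 401 with WWW-Authenticate: Bearer realm="Service", while a missing or expired token gets a 401 that also carries an error code.

```python
"""Model of the bearer-token check behind a 401 from an OAuth2 resource endpoint.

Added example: not the project's code. Token store and realm are assumptions.
"""
import time
from dataclasses import dataclass

REALM = "Service"  # assumed; matches the realm quoted in the issue


@dataclass
class Token:
    user: str
    expires: float  # unix timestamp


# Constructed stand-in for the oauth_access_tokens table.
TOKENS = {
    "good-token": Token(user="alice", expires=time.time() + 3600),
    "old-token": Token(user="bob", expires=time.time() - 1),
}


def parse_bearer(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def handle_resource_request(headers, now=None):
    """Return (status, response_headers, body) for a resource request.

    headers: dict of request headers (only Authorization is inspected).
    """
    now = time.time() if now is None else now
    token = parse_bearer(headers)
    if token is None:
        # No credentials presented: bare challenge, as seen in the issue.
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}, {}
    entry = TOKENS.get(token)
    if entry is None or entry.expires <= now:
        reason = ("The access token provided is invalid" if entry is None
                  else "The access token provided has expired")
        challenge = (f'Bearer realm="{REALM}", error="invalid_token", '
                     f'error_description="{reason}"')
        return 401, {"WWW-Authenticate": challenge}, {
            "error": "invalid_token", "error_description": reason}
    # Valid token: hand back the user data the client asked for.
    return 200, {"Content-Type": "application/json"}, {"username": entry.user}


if __name__ == "__main__":
    for req in ({}, {"Authorization": "Bearer good-token"},
                {"Authorization": "Bearer old-token"}):
        status, hdrs, body = handle_resource_request(req)
        print(status, hdrs, body)
```

The practical consequence for debugging: a 401 from resource.php reached in a browser tells you nothing about the server's health, because the browser never carries the access token; only a client that completed the token exchange can get a 200 from that page.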

Hi,

The error "401 Unauthorized" is certainly raised by the Nginx server. I think the problem is not from Mattermost, nor from Mattermost-LDAP. You need to check that Nginx and PHP are working on your server. For that, you can create a file phpinfo.php in the Nginx OAuth directory (/var/www/html/oauth). In this file, add the following line: <?php phpinfo() ?>. In your web browser, try to access this file: http://<hostname>/oauth/phpinfo.php. You should see your PHP configuration.

If this works, you can check the OAuth files' permissions and owner, then in your web browser try to reach the OAuth server directly: http://<hostname>/oauth/index.php. You should reach a login form where you can sign in with your LDAP credentials. If all these steps are working, you should check the GitLab parameters in the Mattermost configuration; it is possible you made a mistake in an OAuth URL. As a reminder, the configuration in the Mattermost config.json should be:

    "GitLabSettings": {
        "Enable": true,
        "Secret": "fedcba987654321fedcba987654321",
        "Id": "123456789abcdef123456789abcdef",
        "Scope": "",
        "AuthEndpoint": "http://<hostname>/oauth/authorize.php",
        "TokenEndpoint": "http://<hostname>/oauth/token.php",
        "UserApiEndpoint": "http://<hostname>/oauth/resource.php"
    },

For your information, when you press the GitLab button you should be redirected to the OAuth authorize.php, which redirects you to the login form on index.php. Once you are authenticated and have authorized Mattermost to access your data, you are redirected to Mattermost. Then Mattermost retrieves a token by calling the OAuth token.php page, and finally Mattermost gets your data from the resource.php page. Your browser does not reach the resource.php page, since only Mattermost does. So you should not get an error directly from this page, but you can see client errors from this page in the Mattermost logs.

You can also debug the OAuth server using the curl command. For more information about this, you can refer to my answer in issue #5.

I hope this will help you to solve your issue, let me know and do not hesitate to get back to me if you need more help.

Regards.
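Since the three GitLabSettings URLs above must each point at a specific PHP script, a small check of config.json catches the most common slip before the OAuth flow is even attempted. The following is an added Python example, not part of Mattermost-LDAP or Mattermost; the expected paths are taken from the config block in this reply, the hostname auth.example.local and the sample values are constructed, and the "swapped" detection is an assumption about the likeliest mistake. It reads a config.json, verifies that each endpoint is an absolute URL ending in the right script, that all three share one scheme and host, and that Id and Secret are non-empty.

```python
"""Sanity check of the GitLabSettings block in a Mattermost config.json.

Added example, not project code. Expected paths follow the block shown in
this thread; the sample config and hostname are constructed.
"""
import json
import sys
from urllib.parse import urlparse

EXPECTED_PATHS = {
    "AuthEndpoint": "/oauth/authorize.php",
    "TokenEndpoint": "/oauth/token.php",
    "UserApiEndpoint": "/oauth/resource.php",
}


def check_gitlab_settings(config):
    """Return a list of problems found; an empty list means the block is consistent."""
    problems = []
    gl = config.get("GitLabSettings")
    if not gl:
        return ["GitLabSettings block missing"]
    if not gl.get("Enable"):
        problems.append("GitLabSettings.Enable is false")
    for key in ("Id", "Secret"):
        if not gl.get(key):
            problems.append(f"{key} is empty")
    origins = set()
    for key, path in EXPECTED_PATHS.items():
        url = gl.get(key, "")
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"{key} is not an absolute http(s) URL: {url!r}")
            continue
        origins.add((parsed.scheme, parsed.netloc))
        if parsed.path != path:
            hint = ""
            # If the path belongs to another endpoint, the two are likely swapped.
            for other, other_path in EXPECTED_PATHS.items():
                if other != key and parsed.path == other_path:
                    hint = f" (that is the {other} path; the two are probably swapped)"
            problems.append(f"{key} should end with {path}, got {parsed.path}{hint}")
    if len(origins) > 1:
        problems.append(f"endpoints point at different servers: {sorted(origins)}")
    return problems


def check_config_text(text):
    """Parse a config.json string and check its GitLabSettings block."""
    return check_gitlab_settings(json.loads(text))


# Constructed sample reproducing the mistake resolved later in this thread:
# AuthEndpoint and UserApiEndpoint swapped.
SWAPPED_CONFIG = json.dumps({"GitLabSettings": {
    "Enable": True, "Secret": "example-secret", "Id": "example-id", "Scope": "",
    "AuthEndpoint": "http://auth.example.local/oauth/resource.php",
    "TokenEndpoint": "http://auth.example.local/oauth/token.php",
    "UserApiEndpoint": "http://auth.example.local/oauth/authorize.php",
}})

if __name__ == "__main__":
    # Usage: python check_gitlab_settings.py /path/to/config.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SWAPPED_CONFIG
    for line in check_config_text(text) or ["GitLabSettings looks consistent"]:
        print(line)
```

Run it against the real config.json (path argument) after any change to the GitLab section; a mixed-up pair of endpoints shows up as two "probably swapped" lines, which is the situation that produces a 401 from resource.php as soon as the GitLab button is pressed.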

Of course it was a configuration issue. I had the AuthEndpoint and UserApiEndpoint mixed up, so resource.php was called instead of authorize.php. Great step-by-step guide you created for me.

After that I got stuck at some token issue, but that was solved by looking at #43: I had to put my SSL cert not only in nginx, but also within RHEL.

Now everything works, so the next step is figuring out how to force every existing user to use GitLab auth instead of email auth without having them do it themselves.
Thanks for all the help :)