Ocis with keycloak&nginx problem #3540

Closed
rtest12 opened this issue Apr 16, 2022 · 8 comments · Fixed by #3860
Labels
Category:Defect Existing functionality is not working as expected Priority:p2-high Escalation, on top of current planning, release blocker Type:Bug Type:Regression

Comments

@rtest12

rtest12 commented Apr 16, 2022

Please, help(
I’m trying to run ocis in docker with my own keycloak (also in docker, that was installed before) and nginx.
I get an error when logging in:

Login Error
Your user session is invalid or has expired.
If you like to login with a different user please proceed to exit.
Attention: this will log you out from all applications you are running in this browser with your current user.

docker log

```json
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-14T19:11:27Z","message":"Failed to get userinfo"}
```

My yml

```yaml
version: "3.7"

services:
  ocis:
    image: owncloud/ocis:latest
    networks:
      ocis-net:   # must match the key under the top-level "networks:" below
    entrypoint:
      - /bin/sh
      - /entrypoint-override.sh
    environment:
      # Keycloak IDP specific configuration
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
      PROXY_OIDC_ISSUER: https://keycloak.mydomain.com/auth/realms/myrealm
      WEB_OIDC_AUTHORITY: https://keycloak.mydomain.com/auth/realms/myrealm
      WEB_OIDC_CLIENT_ID: ocis
      WEB_OIDC_METADATA_URL: https://keycloak.mydomain.com/auth/realms/myrealm/.well-known/openid-configuration
      STORAGE_OIDC_ISSUER: https://keycloak.mydomain.com/auth/realms/myrealm
      STORAGE_LDAP_IDP: https://keycloak.mydomain.com/auth/realms/myralm
      # general config
      OCIS_URL: https://myocis.mydomain.com
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
      ACCOUNTS_DEMO_USERS_AND_GROUPS: "false" # don't generate demo users
      # change default secrets (values redacted; quoted so YAML does not read "*" as an alias)
      IDP_LDAP_BIND_PASSWORD: "*************"
      STORAGE_LDAP_BIND_PASSWORD: "********************************"
      OCIS_JWT_SECRET: "********************************"
      STORAGE_TRANSFER_SECRET: "*********************************"
      OCIS_MACHINE_AUTH_API_KEY: "*********************************"
      OCIS_INSECURE: "false"
    volumes:
      - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
      - ocis-data:/var/lib/ocis
    ports:
      - "9200:9200"
    restart: always

volumes:
  ocis-data:

networks:
  ocis-net:
```

In nginx

```nginx
location /.well-known/openid-configuration {
    proxy_pass https://keycloak.exam.com/auth/realms/Myrealm/.well-known/openid-configuration;
    proxy_set_header X-Forwarded-For $remote_addr;
}

location / {
    proxy_pass http://localhost:9200/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_buffering off;
    client_max_body_size 0;
    proxy_read_timeout 36000s;
    proxy_redirect off;
    proxy_set_header    X-Forwarded-Server $host;
    proxy_set_header    X-Forwarded-Port   443;
    proxy_set_header    X-Forwarded-Proto  https;
    proxy_buffer_size   128k;
    proxy_buffers   4 256k;
    proxy_busy_buffers_size   256k;
}

}   # closes the enclosing server block (its opening line is not shown)
```
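A quick consistency check over the OIDC settings in the compose environment above, added here as an example that is not part of the issue: every setting that names the Keycloak realm should agree, the metadata URL should be derived from the issuer, and every issuer should be https. The sample is constructed from the values posted above (unquoted, as in the post) and the check flags that `STORAGE_LDAP_IDP` spells the realm differently from the other three.

```shell
#!/bin/sh
# Added example, not from the issue: consistency check over the OIDC-related
# settings of a compose "environment:" block. Values are assumed unquoted, as
# in the post above. SAMPLE_ENV is constructed from the values posted there.
set -eu

SAMPLE_ENV='PROXY_OIDC_ISSUER: https://keycloak.mydomain.com/auth/realms/myrealm
WEB_OIDC_AUTHORITY: https://keycloak.mydomain.com/auth/realms/myrealm
WEB_OIDC_METADATA_URL: https://keycloak.mydomain.com/auth/realms/myrealm/.well-known/openid-configuration
STORAGE_OIDC_ISSUER: https://keycloak.mydomain.com/auth/realms/myrealm
STORAGE_LDAP_IDP: https://keycloak.mydomain.com/auth/realms/myralm'

# Usage: check_oidc_env "$env_text". Prints one line per finding and returns
# the number of findings, so 0 means the settings are consistent.
check_oidc_env() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*(PROXY_OIDC_ISSUER|WEB_OIDC_AUTHORITY|STORAGE_OIDC_ISSUER|STORAGE_LDAP_IDP):/ {
      key = $1; sub(/:$/, "", key)
      val = $2; sub(/\/$/, "", val)        # ignore a trailing slash
      issuer[key] = val; distinct[val] = 1
    }
    /^[ \t]*WEB_OIDC_METADATA_URL:/ { meta = $2 }
    END {
      n = 0; count = 0
      for (u in distinct) count++
      if (count > 1) {
        n++
        for (k in issuer) print "issuer mismatch: " k "=" issuer[k]
      }
      if (meta != "" && ("PROXY_OIDC_ISSUER" in issuer) &&
          meta != issuer["PROXY_OIDC_ISSUER"] "/.well-known/openid-configuration") {
        n++; print "metadata URL not derived from PROXY_OIDC_ISSUER: " meta
      }
      for (k in issuer) if (issuer[k] !~ /^https:\/\//) { n++; print "not https: " k }
      exit n
    }'
}
```

Run it as `check_oidc_env "$SAMPLE_ENV"`; on the posted values it reports the issuer mismatch and returns 1.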
@rtest12
Author

rtest12 commented Apr 17, 2022

Please help...

```text
{"level":"error","service":"accounts","error":"jackfan.us.kg.owncloud.ocis.protogen.gen.ocis.messages.accounts.v0.Account with Id=95cb8724-03b2-11eb-a0a6-c33ef8ef53ad does already exist","time":"2022-04-17T15:35:16Z","message":"service user was configured but failed to be added to the index"}
process idp terminated
##################################################
change default secrets:
##################################################
##################################################
delete demo users
##################################################
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:36Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:37Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:38Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:46Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:49Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:49Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:50Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:35:52Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:22Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:22Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:23Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"401 Unauthorized: {\"error\":\"invalid_token\",\"error_description\":\"Token verification failed\"}","time":"2022-04-17T15:41:30Z","message":"Failed to get userinfo"}
{"level":"error","service":"proxy","error":"gateway: grpc failed with code CODE_PERMISSION_DENIED","time":"2022-04-17T15:41:30Z","message":"error when calling Createhome"}
{"level":"error","service":"proxy","error":"gateway: grpc failed with code CODE_PERMISSION_DENIED","time":"2022-04-17T15:41:30Z","message":"error when calling Createhome"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
{"level":"error","service":"ocis","error":"error: permission denied: create container: error: permission denied: ","time":"2022-04-17T15:41:31Z","message":"error initializing metadata client"}
```

@rtest12
Author

rtest12 commented Apr 19, 2022

But what happens in general, you even have the same error on the demo stand!
[screenshot: ocis_error]

@henniaufmrenni

henniaufmrenni commented Apr 20, 2022

I also encountered this issue, after upgrading from 1.18 to 1.20. After some testing, it seems there is a regression which was introduced in 1.19. Rolling back to 1.18 solved the issue for me.

@rtest12
Author

rtest12 commented Apr 20, 2022

> I also encountered this issue, after upgrading from 1.18 to 1.20. After some testing, it seems there is a regression which was introduced in 1.19. Rolling back to 1.18 solved the issue for me.

Yes, thanks for the tip, I figured that out too.

@wkloucek
Contributor

> I also encountered this issue, after upgrading from 1.18 to 1.20. After some testing, it seems there is a regression which was introduced in 1.19. Rolling back to 1.18 solved the issue for me.

Yes, that's indeed a regression. Sorry for the inconvenience.

I'm not exactly sure when we'll be able to provide a fixed version, since we're currently in the process of switching to a new user backend (We're replacing the accounts and glauth service with the IDM / identity management service).

I'll let you know when this bug is fixed.

We're also about to enter the BETA phase (currently we're in the Tech Preview phase of oCIS), therefore we will soon no longer have such breaking changes.

@wkloucek wkloucek added the Category:Defect Existing functionality is not working as expected label Apr 26, 2022
@rtest12 rtest12 mentioned this issue May 2, 2022
@micbar micbar added the Priority:p2-high Escalation, on top of current planning, release blocker label May 4, 2022
@rhafer rhafer self-assigned this May 12, 2022
rhafer added a commit to rhafer/ocis that referenced this issue May 24, 2022
When removing the accounts service we lost the user autoprovision
feature. This re-introduces it. When autoprovisioning is enabled (via
PROXY_AUTOPROVISION_ACCOUNTS, as in the past) accounts that are not
resolvable via cs3 will be provisioned via the libregraph API.

Closes: owncloud#3540
rhafer added a commit to rhafer/ocis that referenced this issue May 24, 2022
rhafer added a commit to rhafer/ocis that referenced this issue May 24, 2022
rhafer added a commit that referenced this issue May 24, 2022
dragonchaser pushed a commit that referenced this issue Jun 1, 2022
@suderman

suderman commented Jun 1, 2022

Apologies if this is the wrong place to ask, but I have a question about user sessions.

Every time I restart my OCIS service (based on the docker compose example with traefik), all my clients are logged out. It says "the connection's access token has expired or become invalid". Is this intended behaviour, or am I doing something wrong? Are all my clients supposed to re-authenticate after every image update?

@wkloucek
Contributor

wkloucek commented Jun 2, 2022

You're using the built-in IDP and no Keycloak? You can generate a certificate and a secret, so that your sessions survive a restart:

```sh
openssl rand -out /etc/ocis/idp-encryption.key 32
openssl genpkey -algorithm RSA -out /etc/ocis/idp-private-key.pem -pkeyopt rsa_keygen_bits:4096
```

Then you need to configure the IDP to use them:

```sh
IDP_SIGNING_PRIVATE_KEY_FILES=/etc/ocis/idp-private-key.pem
IDP_ENCRYPTION_SECRET_FILE=/etc/ocis/idp-encryption.key
```

I filed an issue so that we can do this automatically in the future: #3909
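The key-generation steps above, wrapped into one idempotent function as an added example (not code from the issue or from the oCIS project): it creates both files owner-readable only, reuses them if they already exist so a container restart keeps the same signing key, verifies the secret length and that the private key parses, and prints the two IDP settings. It assumes `openssl` is on PATH and takes the target directory as its only argument.

```shell
#!/bin/sh
# Added example, not from the issue thread: create the IDP signing key and
# encryption secret named above with restrictive permissions, verify both
# files, and print the two IDP_* settings to add to the ocis environment.
# Assumptions: openssl is on PATH; the target directory is the only argument.
set -eu

make_idp_keys() {
  dir="$1"
  mkdir -p "$dir"
  # Whoever can read these files can forge or decrypt IDP sessions, so create
  # them owner-readable only (and keep them out of the compose repository).
  umask 077
  [ -f "$dir/idp-encryption.key" ] || openssl rand -out "$dir/idp-encryption.key" 32
  [ -f "$dir/idp-private-key.pem" ] || openssl genpkey -algorithm RSA \
      -pkeyopt rsa_keygen_bits:4096 -out "$dir/idp-private-key.pem"
  # Sanity checks: the secret is exactly 32 bytes and the private key parses.
  [ "$(wc -c < "$dir/idp-encryption.key" | tr -d ' ')" -eq 32 ] || return 1
  openssl pkey -in "$dir/idp-private-key.pem" -noout >/dev/null 2>&1 || return 1
  echo "IDP_SIGNING_PRIVATE_KEY_FILES=$dir/idp-private-key.pem"
  echo "IDP_ENCRYPTION_SECRET_FILE=$dir/idp-encryption.key"
}
```

Call it as `make_idp_keys /etc/ocis` (as root, or as the user the ocis container runs as) and copy the two printed lines into the ocis environment.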

@suderman

suderman commented Jun 7, 2022

Thank you, @wkloucek! I'm new to OCIS and wouldn't have discovered that for a long time. Works like a charm! ^_^
