
Invalid scopes: openid openid profile email groups #4493

Closed
axemann opened this issue Sep 3, 2022 · 6 comments · Fixed by #4494

Comments


axemann commented Sep 3, 2022

Describe your issue
I'm having a strange issue with the generic OIDC authStrategy, where it seems to be duplicating the 'oidc' scope on callback to the '/oidc-callback' path. I'm using Keycloak as the OIDC provider, with AD/LDAP as the backend for it. All other aspects of MC2 seem to be working properly (including its integrated LDAP/AD auth), so it may just be something in my config. I guess I should ping @mstrhakr on this, since this is kind of his baby. :-)

Thanks in advance. Let me know if you need additional info, and I'll get it in here ASAP.

Screenshots
OIDC enabled: [screenshot]

Error page after clicking OIDC button: [screenshot]
Text format of error page URL:

https://mc.example.com/oidc-callback?error=invalid_scope&error_description=Invalid+scopes%3A+openid+openid+profile+email+groups&state=qUCHg6QvI%2FLIgPAM7jHVGj0l

Server Software (please complete the following information):

  • OS: Ubuntu 20.04
  • Virtualization: Docker, latest containers for both MC2 and Keycloak
  • Network: Both containers are behind Traefik v2
  • Version: 1.0.7.9 (from ghcr.io/ylianst/meshcentral:latest)
  • Node: v16.16.0 (baked-in to the container)

Client Device (please complete the following information):

  • Device: Desktop/laptop/phone/tablet
  • OS: Windows, Ubuntu, iOS
  • Network: Occurs both on-LAN and from the WAN
  • Browser: Google Chrome, Safari
  • MeshCentralRouter Version: N/A

Your config.json file

{
  "settings": {
    "cert": "mc.example.com",
    "_WANonly": true,
    "minify": true,
    "port": 4430,
    "aliasport": 443,
    "redirport": 8080,
    "TrustedProxy": "x.x.x.x",
    "tlsoffload": "x.x.x.x"
  },
  "domains": {
    "": {
      "ManageAllDeviceGroups": [ "010500000000000515000000629c2b70fdfd67763639fd59040000" ],
      "certurl": "https://mc.example.com:443",
      "AgentConfig": [ "webSocketMaskOverride=1" ],
      "newaccounts": false,
      "auth": "ldap",
      "ldapUserName": "displayName",
      "ldapUserBinaryKey": "objectSid",
      "ldapOptions": {
        "url": [ "ldap://x.x.x.x:389" ],
        "bindDN": "CN=\"Bind User\",CN=\"Managed Service Accounts\",DC=XXX,DC=lan",
        "bindCredentials": "XXX",
        "searchBase": "DC=XXX,DC=lan",
        "searchFilter": "(&(objectCategory=Person)(sAMAccountName={{username}}))"
      },
      "AmtManager": {
        "AdminAccounts": [
          { "user": "admin", "pass": "xxxxx" },
          { "user": "admin", "pass": "xxxxx" }
        ]
      },
      "authStrategies": {
        "__comment__": "This section is used to allow users to login using other accounts. You will need to get an API key from the services and register callback URL's",
        "oidc": {
          "authorizationURL": "https://id.example.com/realms/master/protocol/openid-connect/auth",
          "callbackURL": "https://mc.example.com/oidc-callback",
          "clientid": "meshcentral2",
          "clientsecret": "Nope",
          "issuer": "https://id.example.com/realms/master",
          "tokenURL": "https://id.example.com/realms/master/protocol/openid-connect/token",
          "userInfoURL": "https://id.example.com/realms/master/protocol/openid-connect/userinfo",
          "logoutURL": "https://id.example.com/realms/master/protocol/openid-connect/logout",
          "newAccounts": true
        }
      }
    }
  }
}

Error message from MC2:

ERR: AuthorizationError: Invalid scopes: openid openid profile email groups
    at Function.process_params (/opt/meshcentral/meshcentral/node_modules/express/lib/router/index.js:346:12)
    at /opt/meshcentral/meshcentral/node_modules/express/lib/router/index.js:284:15
    at Layer.handle [as handle_request] (/opt/meshcentral/meshcentral/node_modules/express/lib/router/layer.js:95:5)
    at Route.dispatch (/opt/meshcentral/meshcentral/node_modules/express/lib/router/route.js:114:3)
    at next (/opt/meshcentral/meshcentral/node_modules/express/lib/router/route.js:144:13)
    at /opt/meshcentral/meshcentral/webserver.js:6434:120
    at authenticate (/opt/meshcentral/meshcentral/node_modules/passport/lib/middleware/authenticate.js:370:7)
    at attempt (/opt/meshcentral/meshcentral/node_modules/passport/lib/middleware/authenticate.js:369:16)
    at Strategy.authenticate (/opt/meshcentral/meshcentral/node_modules/passport-openidconnect/lib/strategy.js:99:25)

mstrhakr (Contributor) commented Sep 3, 2022

The passport-openidconnect module adds 'openid' to the beginning of the scope (as it is required). I removed it from the request, as well as the unused 'groups' scope.
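The scope duplication described above, as an added example that is not MeshCentral or passport-openidconnect code: `strategyScope` models the library prepending 'openid' (an approximation of the behaviour the comment describes, not its actual source), `normalizeScope` shows the caller-side fix of not re-sending 'openid' or unused scopes, and `diagnoseCallback` parses the provider's error out of the callback URL from the report (hostname replaced) to spot repeated scopes.

```javascript
// Models the library behaviour described in the thread: 'openid' always goes first,
// followed by whatever the caller configured. Configuring 'openid' again therefore
// yields the rejected "openid openid ..." string. Assumption, not the library's code.
function strategyScope(configured) {
  const extra = Array.isArray(configured)
    ? configured
    : String(configured || '').split(/\s+/).filter(Boolean);
  return ['openid', ...extra].join(' ');
}

// Caller-side normalization: never pass 'openid' (the library adds it), drop repeats,
// and only request scopes the application actually consumes (the 'allowed' list is a
// constructed default reflecting the fix, which removed the unused 'groups' scope).
function normalizeScope(configured, allowed = ['profile', 'email']) {
  const extra = Array.isArray(configured)
    ? configured
    : String(configured || '').split(/\s+/).filter(Boolean);
  const seen = new Set(['openid']);
  const out = [];
  for (const s of extra) {
    if (seen.has(s) || !allowed.includes(s)) continue;
    seen.add(s);
    out.push(s);
  }
  return out;
}

// Diagnostic: parse the OAuth error returned to the callback URL and list any scope
// that appears more than once in the provider's "Invalid scopes:" description.
function diagnoseCallback(callbackUrl) {
  const params = new URL(callbackUrl).searchParams; // '+' decodes to a space here
  const error = params.get('error');
  const description = params.get('error_description') || '';
  const m = /Invalid scopes:\s*(.+)$/.exec(description);
  const scopes = m ? m[1].trim().split(/\s+/) : [];
  const counts = new Map();
  for (const s of scopes) counts.set(s, (counts.get(s) || 0) + 1);
  const duplicates = [...counts].filter(([, n]) => n > 1).map(([s]) => s);
  return { error, scopes, duplicates };
}

// Constructed sample: the callback URL from the issue, hostname replaced.
const SAMPLE_CALLBACK = 'https://mc.example.com/oidc-callback?error=invalid_scope'
  + '&error_description=Invalid+scopes%3A+openid+openid+profile+email+groups'
  + '&state=qUCHg6QvI%2FLIgPAM7jHVGj0l';
```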

Ylianst reopened this Sep 3, 2022

Ylianst (Owner) commented Sep 3, 2022

Just accepted #4494, working on a release now.

Ylianst (Owner) commented Sep 3, 2022

MeshCentral v1.0.81 is out with this fix. Thank you @mstrhakr

mstrhakr (Contributor) commented Sep 3, 2022

MeshCentral v1.0.81 is out with this fix. Thank you @mstrhakr

As always, I'm happy to help.

axemann (Author) commented Sep 3, 2022

Holy cow that was fast! You guys are awesome! 👍

axemann (Author) commented Sep 4, 2022

I tested it with my Keycloak install and it appears all is well now with logging in. Thanks again @mstrhakr and @Ylianst!
