Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Connection lost during callback #28

Closed
ClundXIII opened this issue Jun 5, 2022 · 10 comments
Closed

Connection lost during callback #28

ClundXIII opened this issue Jun 5, 2022 · 10 comments

Comments

@ClundXIII
Copy link

Hello,

we are having a very weird issue with our Discourse SSO. Ever since one user logged out of impersonation, he is unable to log back in. I appended a screenshot of the Network Connections, the user was logged into Nextcloud previously.
grafik

The Server just closes the connection. I am unable to find any error log. Not inside any of the nginx proxies, not inside Discourse, not inside Nextcloud.

Interestingly it has nothing to do with the network or device. It is just this user that fails to log in.

I also tried clearing out the SSO Data from Discourse, changed the Email Adress to force creation of a new Discourse Account. The Problem still persists. This is also the reason I am posting the issue here and not on the Discourse Forum.
@ClundXIII
Copy link
Author

I have also made a post in the Discourse forum: https://meta.discourse.org/t/sso-callback-closes-connection-0-bytes-sent-by-server-used-logged-out-of-impersonation-previously/229064

@soudis
Copy link
Owner

soudis commented Jun 8, 2022

Hi! Unfortunately I also do not have a clue why this would happen. Can you elaborate a little bit more about what happened?

I understood: A user in discourse impersonated another user and then logged out of discourse. Then we wanted to log back in with is actual user. He was still logged in in nextcloud so nextcloud did not ask for authentification but just provided the sso info for discourse. Then discourse just terminated the connection.

Is this correct?

Generally I do not think this is related to the plugin because the user could log in before and only could not log in again after impersonating someone in discourse. As far as I understood there where no changes to the nextcloud side, so the sso payload would be exactly the same as before, but discourse seems to have a problem processing it.

@ClundXIII
Copy link
Author

ClundXIII commented Jun 13, 2022
edited
Loading

Is this correct?

Yes. But in general the problem persisted through multiple browser, sessions and computers. I tried logging in by myself, the account is completely inaccessible from SSO. Luckily the person is an admin and can use the Email Based Login as a workaround.

Howevery the issue might be unrelated to the impersonation thing. Might be a coincidence.

Generally I do not think this is related to the plugin

That was my though as well, until I deleted the SSO Data from the Discourse Account and logged in with a different Email address. My goal was to force creation of a new user and then merge them both together. But the same issue persists, Discourse still terminates the connection.

So either Discourse still retains some SSO information that breaks the process somehow. Or the SSO dataset sent by Nextcloud has some issue in it. I don't see any other possibility.

@ClundXIII
Copy link
Author

ClundXIII commented Jun 24, 2022
edited
Loading

The Problem is now spreading to other user, I have contacted Discourse Support.

@ClundXIII
Copy link
Author

I think I found the issue: https://meta.discourse.org/t/yahoo-login-for-discourse/74060/13

@ClundXIII
Copy link
Author

ClundXIII commented Jun 24, 2022
edited
Loading

Okay, I found a (temporary) workaround:

/lib/Controller/DiscourseController.php, comment line 131 to 137:

                foreach($allGroups as $group) {
                        if (!($this->groupManager->isInGroup($this->userId, $group->getGID()))) {
                          $remove_groups = $remove_groups.$group->getGID().',';
                        } else {
                          $add_groups = $add_groups.$group->getGID().',';
                        }
                }

We have so many groups, that the callback GET parameters are just too long. I couldn't increase the buffer so far. nginx just does not output any error and discards the connection silently.

@soudis A proper solution would probably be supporting POST as callback.

@soudis
Copy link
Owner

soudis commented Jul 11, 2022

Unfortunately there is no way to do a POST as callback within the discourse API.

I just updated the app to NC23 and add a new parameter to exclude groups from the SSO payload. So, pls update the app and check the exclude groups option.

@soudis
Copy link
Owner

soudis commented Jul 11, 2022

And let me know if it works

@ClundXIII
Copy link
Author

ClundXIII commented Jul 13, 2022
edited
Loading

Unfortunately there is no way to do a POST as callback within the discourse API.

Oh, no. That is not good. We might have to switch to saml if I cannot increase the header size 😱

I just updated the app to NC23 and add a new parameter to exclude groups from the SSO payload. So, pls update the app and check the exclude groups option.
And let me know if it works

App is updated and Box activated, it works now. Thank you!

@ClundXIII
Copy link
Author

We have switched to SAML anyway and the original issue was solved with the group exclusion option.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ClundXIII @soudis