OIDC login fails after recent fixes #6148

Closed
xcsdm opened this issue Jun 3, 2024 · 16 comments

xcsdm commented Jun 3, 2024

After pulling the latest master docker image, all OIDC login attempts are redirected to the main login page.

Steps:

  1. Open https://mesh.example.com/auth-oidc (or just click the OIDC login button on the login page)
  2. Auth server performs authentication (Authentik in my case) and redirects to [server]/auth-oidc-callback?[many parameters omitted here]
  3. I am redirected to https://mesh.example.com/

Note, I edited line 6789 to the below to test. The failureRedirect is where this is coming from

domain.passport.authenticate(`oidc-${domain.id}`, { failureRedirect: '/mytesturl/', failureFlash: true })(req, res, next);

No errors in the meshcentral container log
No errors or messages in the authlog

If I simply open https://mesh.example.com/auth-oidc-callback the error "LOGIN FAILED: REQUEST CONTAINS NO USER OR SID" is logged in authlog, so logging itself appears to be working.

Expected behavior
Successfully opening the Meshcentral dashboard

Additional context
Reference #6132

Your config.json file

{
  "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
  "settings": {
    "plugins":{"enabled": false},
    "_mongoDb": null,
    "cert": "mesh.example.com",
    "_WANonly": true,
    "_LANonly": true,
    "sessionKey": "REDACTED",
    "port": 443,
    "_aliasPort": 443,
    "redirPort": 80,
    "_redirAliasPort": 80,
    "AgentPong": 300,
    "TLSOffload": true,
    "SelfUpdate": false,
    "AllowFraming": false,
    "WebRTC": false,
    "_trustedProxy": "CloudFlare",
    "trustedProxy": "10.0.42.253",
    "_ignoreAgentHashCheck": true,
    "authlog": "/opt/meshcentral/meshcentral-data/authlog.log"
  },
  "domains": {
    "": {
      "_title": "MyServer",
      "_title2": "Servername",
      "minify": true,
      "NewAccounts": false,
      "authStrategies": {
        "oidc": {
          "issuer": {
            "issuer": "https://auth.example.com/application/o/meshcentral/",
            "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
            "token_endpoint": "https://auth.example.com/application/o/token/",
            "end_session_endpoint": "https://auth.example.com/application/o/meshcentral/end-session/",
            "jwks_uri": "https://auth.example.com/application/o/meshcentral/jwks/"
          },
          "client": {
            "client_id": "REDACTED",
            "client_secret": "REDACTED"
          },
          "newAccounts": true
        }
      },
      "localSessionRecording": false,
      "_userNameIsEmail": true,
      "certUrl": "https://mesh.example.com",
      "cert": "*.example.com"
    }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
    "_email": "myemail@mydomain.com",
    "_names": "myserver.mydomain.com",
    "production": false
  }
}

Docker Compose file:

#version: '3'

networks:
  meshcentral-tier:
    driver: bridge

services:
  mongodb:
    restart: always
    container_name: mongodb
    image: mongo:latest
    env_file:
      - .env
    volumes:
      # mongodb data-directory - A must for data persistence
      - ./meshcentral/mongodb_data:/data/db
    networks:
      - meshcentral-tier

  meshcentral:
    restart: always
    container_name: meshcentral
    # use the official meshcentral container
    #image: ghcr.io/ylianst/meshcentral:latest
    image: ghcr.io/ylianst/meshcentral:master
    #image: ghcr.io/ylianst/meshcentral:1.1.21
    depends_on:
      - mongodb
    ports:
      # MeshCentral will moan and try everything not to use port 80, but you can also use it if you so desire, just change the config.json according to your needs
      - 8086:443
    env_file:
      - .env
    volumes:
      # config.json and other important files live here. A must for data persistence
      - ./meshcentral/data:/opt/meshcentral/meshcentral-data
      # where file uploads for users live
      - ./meshcentral/user_files:/opt/meshcentral/meshcentral-files
      # location for the meshcentral-backups - this should be mounted to an external storage
      - ./meshcentral/backup:/opt/meshcentral/meshcentral-backups
      # location for site customization files
      - ./meshcentral/web:/opt/meshcentral/meshcentral-web
    networks:
      - meshcentral-tier

xcsdm added the bug label Jun 3, 2024

Collaborator

si458 commented Jun 3, 2024

can you run the meshcentral with debug for authlog and share the logs?
add to your .env this ARGS=--debug authlog and restart then check the console output
OR
set "logs": "authlog" inside of settings in your config.json and check the log.txt file that gets created

p.s: simply visiting https://mesh.example.com/auth-oidc-callback will produce the LOGIN FAILED: REQUEST CONTAINS NO USER OR SID message because you haven't passed it any codes or auth etc which is correct

Author

xcsdm commented Jun 3, 2024

All logs are during an authentication/login attempt.

from docker compose logs:

meshcentral  | Missing Modules: passport, openid-client, connect-flash
meshcentral  | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral  | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral  | MeshCentral v1.1.24, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on mesh.example.com:4433.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral  | AUTHLOG: OIDC: Setting up strategy for domain:
meshcentral  | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
meshcentral  | Loaded web certificate from "https://mesh.example.com", host: "mesh.example.com"
meshcentral  |   SHA384 cert hash: REDACTED
meshcentral  |   SHA384 key hash: REDACTED
meshcentral  | AUTHLOG: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
meshcentral  | AUTHLOG: OIDC: Setup Complete
meshcentral  | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral  | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral  | AUTHLOG: OIDC: Callback URL: /auth-oidc-callback
meshcentral  | MeshCentral HTTP server running on port 443.

From authlog.log

Jun 3 20:45:31 meshcentral http[29]: Server listening on 0.0.0.0 port 80.
Jun 3 20:45:32 meshcentral mps[29]: Server listening on 0.0.0.0 port 4433.
Jun 3 20:45:32 meshcentral setupDomainAuthStrategy[29]: OIDC: Setting up strategy for domain:
Jun 3 20:45:32 meshcentral setupDomainAuthStrategy[29]: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
Jun 3 20:45:33 meshcentral setupDomainAuthStrategy[29]: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
Jun 3 20:45:33 meshcentral setupDomainAuthStrategy[29]: OIDC: Setup Complete
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: Setting up authentication strategies login and callback URLs for root domain.
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: OIDC: Authorization URL: /auth-oidc
Jun 3 20:45:33 meshcentral setupHTTPHandlers[29]: OIDC: Callback URL: /auth-oidc-callback

In case it is relevant, my nginx reverse proxy config:

# HTTPS server.
server {

  listen 10.0.42.253:443 ssl; 

  include /etc/nginx/ssl.conf;

  server_name mesh.example.com;

 # MeshCentral uses long standing web socket connections, set longer timeouts.
 proxy_send_timeout 330s;
 proxy_read_timeout 330s;

 location / {
   proxy_pass http://10.0.42.253:8086/;
   proxy_http_version 1.1;

 # Allows websockets over HTTPS.
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "upgrade";
   proxy_set_header Host $host;
 # Inform MeshCentral about the real host, port and protocol
   proxy_set_header X-Forwarded-Host $host:$server_port;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
 }
}

Collaborator

si458 commented Jun 3, 2024

ok thanks, what about when you try logging in? it should give more logs

Author

xcsdm commented Jun 3, 2024

Login as local meshcentral user admin successful

Login with OIDC from Authentik, nothing additional logged
Including the event from authentik logs

From authentik:

{
    "user": {
        "pk": 3,
        "email": "myuser@example.com",
        "username": "myuser"
    },
    "action": "authorize_application",
    "app": "authentik.providers.oauth2.views.authorize",
    "context": {
        "flow": "869ba41c7bec4b44849724e84e6b2c4e",
        "scopes": "profile openid email",
        "http_request": {
            "args": {
                "scope": "openid profile email",
                "state": "i_8im2_gB3EbV35-kspNFIhkab-C-fo7gO5HJ23e7NY",
                "client_id": "REDACTED",
                "failureFlash": "true",
                "redirect_uri": "https://mesh.example.com/auth-oidc-callback",
                "response_type": "code",
                "code_challenge": "zYQRpZ4Tgjkze0PmkoHRCaKyPNkxmRgV9uyxypknuT8",
                "failureRedirect": "/",
                "code_challenge_method": "S256"
            },
            "path": "/api/v3/flows/executor/example-application-authorization/",
            "method": "GET",
            "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
        },
        "authorized_application": {
            "pk": "1f2ac4234b1e426086767200e45184cd",
            "app": "authentik_core",
            "name": "MeshCentral-old",
            "model_name": "application"
        }
    },
    "client_ip": "10.0.42.142",
    "expires": "2025-06-03T20:59:59.453Z",
    "brand": {
        "pk": "698fbc6b80a74477a56f504509558c60",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}

From docker compose

 sudo docker compose up -d && sudo docker compose logs meshcentral -f
[+] Running 3/3
 ✔ Network meshcentral_meshcentral-tier  Created                                                                                                              0.1s
 ✔ Container mongodb                     Started                                                                                                              0.6s
 ✔ Container meshcentral                 Started                                                                                                              0.7s
meshcentral  | Missing Modules: passport, openid-client, connect-flash
meshcentral  | Installing modules [ 'passport', 'openid-client', 'connect-flash' ]
meshcentral  | NPM Command Line: /usr/bin/node /usr/bin/npm install --save-exact --no-audit --omit=optional --no-fund passport openid-client connect-flash
meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 80.
meshcentral  | MeshCentral v1.1.24, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on mesh.example.com:4433.
meshcentral  | AUTHLOG: Server listening on 0.0.0.0 port 4433.
meshcentral  | AUTHLOG: OIDC: Setting up strategy for domain:
meshcentral  | AUTHLOG: OIDC: Discovering Issuer Endpoints: https://auth.example.com/application/o/meshcentral/
meshcentral  | Loaded web certificate from "https://mesh.example.com", host: "mesh.example.com"
meshcentral  |   SHA384 cert hash: 2a2d2e8b92d3c69e6ea937016c3dd638a3f6fe5c0c86f3a17ec2fe063d6f640a8643d4085c1e264164b5341323cfef19
meshcentral  |   SHA384 key hash: 4700277a409aa747e0b1ac2922a010da2099c20a269b1c6cd97a4001cc1505709a6470b8ad5526d16fd41d272bf2b256
meshcentral  | AUTHLOG: OIDC: Adding Issuer Metadata: {"issuer":"https://auth.example.com/application/o/meshcentral/","authorization_endpoint":"https://auth.example.com/application/o/authorize/","token_endpoint":"https://auth.example.com/application/o/token/","end_session_endpoint":"https://auth.example.com/application/o/meshcentral/end-session/","jwks_uri":"https://auth.example.com/application/o/meshcentral/jwks/"}
meshcentral  | AUTHLOG: OIDC: Setup Complete
meshcentral  | AUTHLOG: Setting up authentication strategies login and callback URLs for root domain.
meshcentral  | AUTHLOG: OIDC: Authorization URL: /auth-oidc
meshcentral  | AUTHLOG: OIDC: Callback URL: /auth-oidc-callback
meshcentral  | MeshCentral HTTP server running on port 443.
meshcentral  | AUTHLOG: Accepted password for admin from 10.0.42.1 port 51034, SessionID: QE+mGIwN, Browser: Chrome/124.0.0.0, OS: Windows/10
meshcentral  | AUTHLOG: User admin logout from 10.0.42.1 port 54152, SessionID: QE+mGIwN, Browser: Chrome/124.0.0.0, OS: Windows/10

Collaborator

si458 commented Jun 3, 2024

very strange? works perfectly fine here?

MeshCentral HTTPS server running on mc.mydomain.com:443.
AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:a1b2c3d4e5xxxxxxxxxxxxx","name":"authentik Default Admin","email":"simon@mydomain.com","emailVerified":true,"groups":["authentik Admins"],"preset":null}
AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:a1b2c3d4e5xxxxxxxxxxxxx"

i have spotted a few issues with your config.json which you could try fixing to see if it makes a difference?

  1. remove "cert": "*.example.com" as that shouldn't be there
  2. remove "minify": true as there could be a problem with the minify code
  3. change "NewAccounts": false to "NewAccounts": true
    this needs to be true otherwise accounts can't be created from your oidc provider

edit:
have you tried pulling the master docker image again as i changed a few things 2 days ago
https://github.com/Ylianst/MeshCentral/pkgs/container/meshcentral/223949079?tag=master

Author

xcsdm commented Jun 3, 2024

I made the config.json changes, but they did not fix the issue.

I have removed and re-pulled the master image a few times.

This is my access.log from nginx for the auth sessions. Both authentik and meshcentral run through the same reverse proxy. authentik is on a different host internally. meshcentral is on the same host as the nginx reverse proxy

10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /auth-oidc HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /application/o/authorize/?client_id=MYCLIENTIDHERE&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256 HTTP/2.0" 302 23 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /ws/client/ HTTP/1.1" 101 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:14 -0400] "GET /if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256 HTTP/2.0" 200 1179 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/root/config/ HTTP/2.0" 200 274 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/core/brands/current/ HTTP/2.0" 200 236 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/root/config/ HTTP/2.0" 200 274 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /if/flow/example-application-authorization/assets/fonts/RedHatDisplay/RedHatDisplay-Medium.woff2 HTTP/2.0" 200 28661 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /media/public/flow-backgrounds/SpaceInvaders_LGB2VfI.jpg HTTP/2.0" 499 0 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/core/brands/current/ HTTP/2.0" 200 236 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /api/v3/flows/executor/example-application-authorization/?query=client_id%3DMYCLIENTIDHERE%26scope%3Dopenid%2Bprofile%2Bemail%26response_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252Fmesh.example.com%252Fauth-oidc-callback%26state%3D6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4%26failureRedirect%3D%252F%26failureFlash%3Dtrue%26code_challenge%3Dj_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA%26code_challenge_method%3DS256 HTTP/2.0" 200 195 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /media/blue-alien/BAlien32.png HTTP/2.0" 499 0 "https://auth.example.com/if/flow/example-application-authorization/?client_id=MYCLIENTIDHERE&scope=openid+profile+email&response_type=code&redirect_uri=https%3A%2F%2Fmesh.example.com%2Fauth-oidc-callback&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4&failureRedirect=%2F&failureFlash=true&code_challenge=j_vf4K19nWrcgYn76WoxCSCcAAmbCY02MwQtV3ZLZdA&code_challenge_method=S256" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /ws/client/ HTTP/1.1" 101 4 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
172.26.0.3 - MYCLIENTIDHERE [03/Jun/2024:17:53:15 -0400] "POST /application/o/token/ HTTP/1.1" 200 2007 "-" "openid-client/5.6.5 (https://github.com/panva/node-openid-client)"
10.0.42.149 - - [03/Jun/2024:17:53:15 -0400] "GET /auth-oidc-callback?code=58fff0170700493384ddd0416ba4e136&state=6w482FKAhvdBjLin-xSGE_kS8fSeb5vV7DEiyQsPYG4 HTTP/2.0" 302 46 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"

Collaborator

si458 commented Jun 3, 2024

i think there is an issue with your reverse proxy (nginx)?
from the looks of those logs /auth-oidc-callback?code=xxxxxxxx is returning a 302 status which is a page redirect
BUT
we dont send a 302?
we just build a HTML page with a redirect/refresh on it which would return a 200

res.set('Content-Type', 'text/html');
res.end('<html><head><meta http-equiv="refresh" content=0;url="' + domain.url + '"></head><body></body></html>');

Collaborator

si458 commented Jun 3, 2024

also check the redirect url inside authentik
ignore my /oidctest/ as i use the multi-tenant for my testing

Collaborator

si458 commented Jun 3, 2024

i think i've found the issue and also discovered another bug too!
i'm checking domain.id but that's not present if you're using authstrategies on the base domain domain ""!
also the redirect url isn't filling in correctly IF you use aliasPort which i am in my case,
so i can run mesh on 127.0.0.1:12346 but using port 443 in docker

si458 added a commit that referenced this issue Jun 4, 2024
Signed-off-by: si458 <simonsmith5521@gmail.com>
Collaborator

si458 commented Jun 4, 2024

OK fixed the aliasport issue, but turns out the domain.id isn't the issue? So I really do think ur issue is because ur reverse proxy is returning 302 rather than forwarding the server url correctly.

One thing u can try is check the redirect_url in the url is correct when it loads up the authentik login page

Another thing is to also copy the url u found in the logs and try pasting it manually in ur browser and see if u see any logs in meshcentral authlog

Author

xcsdm commented Jun 4, 2024

What is strange is that reverting back to 1.1.21 works. I have to change the callback url from auth-oidc-callback to oidc-callback and swap to the old format config.json, but it works with the same reverse proxy setup.

The 302 is coming from failureRedirect, but I cannot locate the failure

Something is triggering the failureRedirect instead of just authenticating at line 6789 of webserver.js
If I change the failureRedirect path, the changed path is what is loading.

access.log with original failureRedirect /

10.0.42.149 - - [04/Jun/2024:07:30:07 -0400] "GET /oidc-callback?code=528055ca7c2f4b47a84f7e5f53c8b366&state=soYFEvsnzPm5rg06XAvRWaU1PLz7kIPDDgP0VrcEFXA HTTP/2.0" 302 46 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [04/Jun/2024:07:30:08 -0400] "GET / HTTP/2.0" 200 10954 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"

access.log with modified failureRedirect /testurl/

10.0.42.149 - - [04/Jun/2024:07:31:45 -0400] "GET /oidc-callback?code=91a439c0286a410ca4d39085daf1ece9&state=Liv0e5J9Vjkdd2Ox9eS9C_UHf-uv6kb3jZgalJ68EYA HTTP/2.0" 302 62 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"
10.0.42.149 - - [04/Jun/2024:07:31:45 -0400] "GET /testurl/ HTTP/2.0" 404 847 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0"

Collaborator

si458 commented Jun 4, 2024

one thing you can try for me is to check the output from the request BEFORE it heads into handleStrategyLogin
so line 6758 of webserver.js just under var domain = getDomain(req);
is put console.log('oidccallbackurl', domain.passport, req.session);
then restart container and try logging in and watch the console output on your server
you should see a LOT of json output,
can you share it? (might need to hide secret info in it)
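
An added example (not part of the original comments, and not MeshCentral or openid-client code): one check to run over the data the comment above asks for. It compares the ID token algorithm the client expects with what the issuer advertises and what a token header actually carries, and collapses repeated `req.session.flash.error` entries. The metadata field names are the ones in the strategy dump later in this thread; the function names, the sample token and the sample session are constructed for illustration.

```javascript
// Constructed sample data, using the field names that appear in this thread's dump.
const SAMPLE_CLIENT = { id_token_signed_response_alg: 'RS256' };
const SAMPLE_ISSUER = {
  issuer: 'https://auth.example.com/application/o/meshcentral/',
  id_token_signing_alg_values_supported: ['HS256'],
};

// Encode an object as an unpadded base64url JWT segment.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed, unsigned token: only the header matters for this diagnostic.
const SAMPLE_TOKEN = [
  b64url({ alg: 'HS256', typ: 'JWT' }),
  b64url({ iss: SAMPLE_ISSUER.issuer, sub: 'constructed-subject' }),
  'constructed-signature',
].join('.');

// Decode the protected header of a compact JWT without verifying it.
// Diagnostic only; it never replaces signature validation.
function decodeJwtHeader(token) {
  if (typeof token !== 'string') throw new TypeError('token must be a string');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  // Node's base64 decoder also accepts the URL-safe alphabet used by JWTs.
  const header = JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
  if (header === null || typeof header !== 'object') {
    throw new Error('JWT header is not an object');
  }
  return header;
}

// Compare the client's expected ID token alg with the issuer metadata and,
// when a token is supplied, with the alg in the token header.
function checkIdTokenAlg({ client, issuer, idToken }) {
  const findings = [];
  const expected = client.id_token_signed_response_alg || 'RS256';
  const advertised = issuer.id_token_signing_alg_values_supported;
  let tokenAlg = null;

  if (Array.isArray(advertised) && !advertised.includes(expected)) {
    findings.push(
      `issuer advertises [${advertised.join(', ')}] but client expects ${expected}`);
  }
  if (idToken !== undefined) {
    try {
      tokenAlg = decodeJwtHeader(idToken).alg;
      if (tokenAlg === 'none') {
        findings.push('ID token is unsigned (alg "none")');
      } else if (tokenAlg !== expected) {
        findings.push(`ID token alg is ${tokenAlg}, client expects ${expected}`);
      }
    } catch (e) {
      findings.push(`cannot decode ID token header: ${e.message}`);
    }
  }
  return { expected, advertised, tokenAlg, findings, ok: findings.length === 0 };
}

// Collapse repeated connect-flash style messages into message/count pairs.
function summarizeFlashErrors(session) {
  const errors = (session && session.flash && session.flash.error) || [];
  const counts = new Map();
  for (const msg of errors) counts.set(msg, (counts.get(msg) || 0) + 1);
  return [...counts].map(([message, count]) => ({ message, count }));
}

// Run both checks over the constructed sample data.
function demo() {
  const session = {
    flash: {
      error: Array(7).fill('unexpected JWT alg received, expected RS256, got: HS256'),
    },
  };
  return {
    alg: checkIdTokenAlg({
      client: SAMPLE_CLIENT, issuer: SAMPLE_ISSUER, idToken: SAMPLE_TOKEN,
    }),
    flash: summarizeFlashErrors(session),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```
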

Author

xcsdm commented Jun 4, 2024

Bingo!

It is working.
I had not configured my OIDC connection on the Authentik side to sign the response

This portion of the log was critical. I'm unsure if it would be easily output from MeshCentral, but it immediately took me to the answer.

meshcentral  |   flash: {
meshcentral  |     error: [
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256'
meshcentral  |     ]
meshcentral  |   },

The whole output in case it helps anyone:

meshcentral  | oidccallbackurl Authenticator {
meshcentral  |   _key: 'passport',
meshcentral  |   _strategies: {
meshcentral  |     session: SessionStrategy {
meshcentral  |       name: 'session',
meshcentral  |       _key: 'passport',
meshcentral  |       _deserializeUser: [Function: bound ]
meshcentral  |     },
meshcentral  |     'oidc-': OpenIDConnectStrategy {
meshcentral  |       _client: Client {
meshcentral  |         authorization_signed_response_alg: 'RS256',
meshcentral  |         client_id: 'REDACTED',
meshcentral  |         client_secret: 'REDACTED',
meshcentral  |         grant_types: [
meshcentral  |           'authorization_code'
meshcentral  |         ],
meshcentral  |         id_token_signed_response_alg: 'RS256',
meshcentral  |         introspection_endpoint_auth_method: 'client_secret_basic',
meshcentral  |         post_logout_redirect_uri: 'https://mesh.example.com/login',
meshcentral  |         redirect_uris: [
meshcentral  |           'https://mesh.example.com/auth-oidc-callback'
meshcentral  |         ],
meshcentral  |         response_types: [
meshcentral  |           'code'
meshcentral  |         ],
meshcentral  |         revocation_endpoint_auth_method: 'client_secret_basic',
meshcentral  |         token_endpoint_auth_method: 'client_secret_basic'
meshcentral  |       },
meshcentral  |       _issuer: Issuer {
meshcentral  |         acr_values_supported: [
meshcentral  |           'goauthentik.io/providers/oauth2/default'
meshcentral  |         ],
meshcentral  |         authorization_endpoint: 'https://auth.example.com/application/o/authorize/',
meshcentral  |         claim_types_supported: [
meshcentral  |           'normal'
meshcentral  |         ],
meshcentral  |         claims_parameter_supported: false,
meshcentral  |         claims_supported: [
meshcentral  |           'sub',
meshcentral  |           'iss',
meshcentral  |           'aud',
meshcentral  |           'exp',
meshcentral  |           'iat',
meshcentral  |           'auth_time',
meshcentral  |           'acr',
meshcentral  |           'amr',
meshcentral  |           'nonce',
meshcentral  |           'email',
meshcentral  |           'email_verified',
meshcentral  |           'name',
meshcentral  |           'given_name',
meshcentral  |           'preferred_username',
meshcentral  |           'nickname',
meshcentral  |           'groups',
meshcentral  |           'uid'
meshcentral  |         ],
meshcentral  |         code_challenge_methods_supported: [
meshcentral  |           'plain',
meshcentral  |           'S256'
meshcentral  |         ],
meshcentral  |         device_authorization_endpoint: 'https://auth.example.com/application/o/device/',
meshcentral  |         end_session_endpoint: 'https://auth.example.com/application/o/meshcentral/end-session/',
meshcentral  |         grant_types_supported: [
meshcentral  |           'authorization_code',
meshcentral  |           'refresh_token',
meshcentral  |           'implicit',
meshcentral  |           'client_credentials',
meshcentral  |           'password',
meshcentral  |           'urn:ietf:params:oauth:grant-type:device_code'
meshcentral  |         ],
meshcentral  |         id_token_signing_alg_values_supported: [
meshcentral  |           'HS256'
meshcentral  |         ],
meshcentral  |         introspection_endpoint: 'https://auth.example.com/application/o/introspect/',
meshcentral  |         introspection_endpoint_auth_methods_supported: [
meshcentral  |           'client_secret_post',
meshcentral  |           'client_secret_basic'
meshcentral  |         ],
meshcentral  |         issuer: 'https://auth.example.com/application/o/meshcentral/',
meshcentral  |         jwks_uri: 'https://auth.example.com/application/o/meshcentral/jwks/',
meshcentral  |         redirect_uri: 'https://mesh.example.com/oidc-callback',
meshcentral  |         request_parameter_supported: false,
meshcentral  |         request_uri_parameter_supported: true,
meshcentral  |         require_request_uri_registration: false,
meshcentral  |         response_modes_supported: [
meshcentral  |           'query',
meshcentral  |           'fragment',
meshcentral  |           'form_post'
meshcentral  |         ],
meshcentral  |         response_types_supported: [
meshcentral  |           'code',
meshcentral  |           'id_token',
meshcentral  |           'id_token token',
meshcentral  |           'code token',
meshcentral  |           'code id_token',
meshcentral  |           'code id_token token'
meshcentral  |         ],
meshcentral  |         revocation_endpoint: 'https://auth.example.com/application/o/revoke/',
meshcentral  |         revocation_endpoint_auth_methods_supported: [
meshcentral  |           'client_secret_post',
meshcentral  |           'client_secret_basic'
meshcentral  |         ],
meshcentral  |         scopes_supported: [
meshcentral  |           'email',
meshcentral  |           'profile',
meshcentral  |           'openid'
meshcentral  |         ],
meshcentral  |         subject_types_supported: [
meshcentral  |           'public'
meshcentral  |         ],
meshcentral  |         token_endpoint: 'https://auth.example.com/application/o/token/',
meshcentral  |         token_endpoint_auth_methods_supported: [
meshcentral  |           'client_secret_post',
meshcentral  |           'client_secret_basic'
meshcentral  |         ],
meshcentral  |         userinfo_endpoint: 'https://auth.example.com/application/o/userinfo/'
meshcentral  |       },
meshcentral  |       _verify: [Function: oidcCallback],
meshcentral  |       _passReqToCallback: false,
meshcentral  |       _usePKCE: 'S256',
meshcentral  |       _key: 'oidc-',
meshcentral  |       _params: [Object],
meshcentral  |       _extras: {},
meshcentral  |       name: 'auth.example.com'
meshcentral  |     }
meshcentral  |   },
meshcentral  |   _serializers: [ [Function (anonymous)] ],
meshcentral  |   _deserializers: [ [Function (anonymous)] ],
meshcentral  |   _infoTransformers: [],
meshcentral  |   _framework: {
meshcentral  |     initialize: [Function: initialize],
meshcentral  |     authenticate: [Function: authenticate]
meshcentral  |   },
meshcentral  |   _sm: SessionManager {
meshcentral  |     _key: 'passport',
meshcentral  |     _serializeUser: [Function: bound ]
meshcentral  |   },
meshcentral  |   Authenticator: [Function: Authenticator],
meshcentral  |   Passport: [Function: Authenticator],
meshcentral  |   Strategy: <ref *1> [Function: Strategy] { Strategy: [Circular *1] },
meshcentral  |   strategies: { SessionStrategy: [Function: SessionStrategy] },
meshcentral  |   _userProperty: 'user'
meshcentral  | } Session {
meshcentral  |   flash: {
meshcentral  |     error: [
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256',
meshcentral  |       'unexpected JWT alg received, expected RS256, got: HS256'
meshcentral  |     ]
meshcentral  |   },
meshcentral  |   'oidc-': {
meshcentral  |     state: 'LzkRQPOPEzsQEMcSu1wZc6dwoC3myJ1xcpzYrdh2caI',
meshcentral  |     response_type: 'code',
meshcentral  |     code_verifier: 'kKB1wjl5sWpeToldqna3_2eYFkRr9bS47J4nVzBwRJk'
meshcentral  |   },
meshcentral  |   regenerate: [Function (anonymous)],
meshcentral  |   save: [Function (anonymous)]
meshcentral  | }
meshcentral  | AUTHLOG: User Authorized: {"strategy":"oidc","sid":"~oidc:myuser@example.com","name":"My User","email":"myuser@example.com","emailVerified":true,"groups":["authentik Admins","MeshCentral Users"],"preset":null}
meshcentral  | AUTHLOG: OIDC: LOGIN SUCCESS: USER: "~oidc:myuser@example.com"

@si458
Collaborator

si458 commented Jun 4, 2024

glad u got it fixed!
can u do me a favour tho?
can you close this issue as you have fixed it now :)
and can you ALSO open a new enhancement request and just explain in it,
can we plz display the flash errors for the external auths like saml or oidc on the login screen
currently I don't think we display any errors!
if we had the errors being displayed it would have helped this issue out a lot quicker!

p.s:
my output shows this below, so yeh yours is different even tho we use the same software for auth

id_token_signing_alg_values_supported: [
  'RS256'
],

p.s again:
what setting did you change in authentik? I want to replicate the issue to get it to display errors

@xcsdm
Author

xcsdm commented Jun 4, 2024

The authentik setting was on the Oauth2 Provider, under the Redirect URIs/Origins, I had no Signing Key selected.

This worked in 1.1.21, but with the updated libraries, it looks to be required now.

@xcsdm
Author

xcsdm commented Jun 4, 2024

Closing as fixed

@xcsdm xcsdm closed this as completed Jun 4, 2024
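
The mismatch diagnosed in this thread (the issuer advertising only HS256 while the client expects RS256), as an added example that is not MeshCentral or openid-client code: a pre-flight check over the discovery metadata and over an ID token header. The discovery objects and tokens are constructed from the values visible in the log, and all function names are hypothetical.

```javascript
// Added example (not MeshCentral or openid-client code).
// Assumption: the relying party expects RS256, the value named in the flash error.
const EXPECTED_ALG = 'RS256';

// Constructed discovery documents, reduced to the fields this check reads.
// BEFORE mirrors the reporter's log; AFTER mirrors the maintainer's output.
const DISCOVERY_BEFORE = {
  issuer: 'https://auth.example.com/application/o/meshcentral/',
  jwks_uri: 'https://auth.example.com/application/o/meshcentral/jwks/',
  id_token_signing_alg_values_supported: ['HS256']
};
const DISCOVERY_AFTER = Object.assign({}, DISCOVERY_BEFORE, {
  id_token_signing_alg_values_supported: ['RS256']
});

function b64urlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Build a constructed, unsigned sample token: only the header matters here.
function makeSampleToken(alg) {
  const header = b64urlEncode(JSON.stringify({ alg: alg, typ: 'JWT' }));
  const payload = b64urlEncode(JSON.stringify({ sub: 'constructed-user' }));
  return header + '.' + payload + '.' + b64urlEncode('placeholder-signature');
}

// Parse the protected header of a compact JWS without trusting it.
function readJwtHeader(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const header = JSON.parse(b64urlDecode(parts[0]));
  if (header === null || typeof header !== 'object' || typeof header.alg !== 'string') {
    throw new Error('JWT header has no alg');
  }
  return header;
}

// Compare what the issuer advertises with what the client is pinned to.
function checkIssuerAlgs(metadata, expectedAlg) {
  const problems = [];
  const advertised = metadata.id_token_signing_alg_values_supported;
  if (!Array.isArray(advertised) || advertised.length === 0) {
    problems.push('issuer does not advertise id_token_signing_alg_values_supported');
  } else {
    if (!advertised.includes(expectedAlg)) {
      problems.push('issuer advertises ' + advertised.join(', ') +
        ' but client expects ' + expectedAlg);
    }
    if (advertised.includes('none')) {
      problems.push('issuer advertises unsigned ID tokens (alg "none")');
    }
  }
  // Asymmetric algorithms are verified with keys fetched from jwks_uri.
  if (/^(RS|PS|ES)\d+$/.test(expectedAlg) && !metadata.jwks_uri) {
    problems.push('no jwks_uri to fetch verification keys for ' + expectedAlg);
  }
  return { ok: problems.length === 0, problems: problems };
}

// The expected algorithm comes from client configuration, never from the token.
function checkIdTokenAlg(token, expectedAlg) {
  let header;
  try {
    header = readJwtHeader(token);
  } catch (err) {
    return { ok: false, alg: null, reason: err.message };
  }
  if (header.alg !== expectedAlg) {
    return {
      ok: false,
      alg: header.alg,
      reason: 'unexpected JWT alg received, expected ' + expectedAlg + ', got: ' + header.alg
    };
  }
  return { ok: true, alg: header.alg, reason: null };
}
```

Running `checkIssuerAlgs` against the provider's discovery document at startup surfaces this misconfiguration before any user hits the silent redirect described in the issue.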
wdlut added a commit to wdlut/MeshCentral that referenced this issue Jun 27, 2024
commit 602eb3c
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Sun Jun 23 21:00:30 2024 +0100

    add encoding options to remote desktop (Ylianst#6198)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 28c522c
Author: si458 <simonsmith5521@gmail.com>
Date:   Sun Jun 23 14:21:08 2024 +0100

    add android version+api to details page

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit df91c90
Author: si458 <simonsmith5521@gmail.com>
Date:   Thu Jun 20 22:34:08 2024 +0100

    fix ip filters from files Ylianst#3401

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 81557ab
Author: si458 <simonsmith5521@gmail.com>
Date:   Thu Jun 20 18:16:34 2024 +0100

    forgot user new events filter fix Ylianst#6189

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 6b21bac
Author: si458 <simonsmith5521@gmail.com>
Date:   Thu Jun 20 18:07:50 2024 +0100

    fix new events appearing when filtered Ylianst#6189

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 46ebadf
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Thu Jun 20 12:36:24 2024 +0100

    fix mac mpkg agent again (Ylianst#6194)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 6c3e60e
Author: si458 <simonsmith5521@gmail.com>
Date:   Mon Jun 17 10:54:58 2024 +0100

    update translate.json

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 7955bc4
Author: si458 <simonsmith5521@gmail.com>
Date:   Mon Jun 17 10:10:35 2024 +0100

    include connect-flash with passport to allow displaying of errors

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 482e79f
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Mon Jun 17 09:48:21 2024 +0100

    fix meshcentral-web-domain translate displaying (Ylianst#6180)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 0a89d07
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Fri Jun 14 09:56:02 2024 +0100

    add userSessionsSort for session sorting (Ylianst#6177)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit c053c14
Author: si458 <simonsmith5521@gmail.com>
Date:   Wed Jun 12 14:23:37 2024 +0100

    fix star covering desc in list view Ylianst#6174

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 5950b2c
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue Jun 11 20:46:45 2024 +0100

    make sure to clear flash errors after display to avoid showing again Ylianst#6154

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 42a07e9
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue Jun 11 20:38:09 2024 +0100

    fix passport failureRedirect for subdomain paths

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit d7341ab
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue Jun 11 20:06:19 2024 +0100

    display flash errors for external auths like saml or oidc on the login screen Ylianst#6154

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 74d6252
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue Jun 11 17:02:20 2024 +0100

    increase uploadFile buffer to speed up file uploads Ylianst#6169

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit b08f382
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue Jun 11 10:05:58 2024 +0100

    fix obj.user._id undefined for rdp/ssh Ylianst#6127

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 6976992
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue Jun 4 10:26:29 2024 +0100

    fix oidc paths with aliasport Ylianst#6148

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit b1c3e2a
Author: si458 <simonsmith5521@gmail.com>
Date:   Sat Jun 1 23:17:13 2024 +0100

    remove power-monitor server side to fix windows battery levels Ylianst#6143

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit c67a76b
Author: si458 <simonsmith5521@gmail.com>
Date:   Sat Jun 1 20:31:25 2024 +0100

    fix oidc reauth Ylianst#6132

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 62199d8
Author: si458 <simonsmith5521@gmail.com>
Date:   Sat Jun 1 17:13:22 2024 +0100

    fix handleStrategyLogin invalid token/user

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 52a2194
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 28 20:00:33 2024 +0100

    require connect-flash for oidc Ylianst#6132

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 2b3c329
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 28 18:26:21 2024 +0100

    remove comments and console.log meshctrl.js

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 17cf36e
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 28 18:24:39 2024 +0100

    add installflags to agentdownload in meshctrl.js Ylianst#6133

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit a171cde
Author: si458 <simonsmith5521@gmail.com>
Date:   Sat May 25 16:57:15 2024 +0100

    update package-lock.json

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 5d5e861
Author: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date:   Sat May 25 08:38:28 2024 -0700

    Version 1.1.24

commit 26ac23c
Author: si458 <simonsmith5521@gmail.com>
Date:   Fri May 24 17:27:22 2024 +0100

    fix web-rdp/web-ssh save creds per user

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 5a7e3d9
Author: si458 <simonsmith5521@gmail.com>
Date:   Fri May 24 16:25:25 2024 +0100

    fix allowSavingDeviceCredentials description

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit abbb0fa
Author: si458 <simonsmith5521@gmail.com>
Date:   Fri May 24 15:51:39 2024 +0100

    fix sharing keyboard input after Ctrl+Alt+Delete Ylianst#6120

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 89b67ff
Author: si458 <simonsmith5521@gmail.com>
Date:   Fri May 24 15:30:03 2024 +0100

    fix sharing latency and timer

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 6c685d5
Author: si458 <simonsmith5521@gmail.com>
Date:   Fri May 24 10:54:27 2024 +0100

    fix realname undefined Ylianst#6118

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 49b5612
Author: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date:   Thu May 23 15:47:44 2024 -0700

    Updated ExpressJS to 4.19.2

commit aa8f45f
Author: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date:   Thu May 23 15:32:29 2024 -0700

    Version 1.1.23

commit 7cf14a2
Author: si458 <simonsmith5521@gmail.com>
Date:   Thu May 23 20:59:33 2024 +0100

    meshctrl deviceinfo error on unescaped nodeid

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 7e7361d
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 21 20:01:45 2024 +0100

    add/fix iplocation

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 4cd7b40
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 21 19:42:52 2024 +0100

    fix linux storage volumes 0kb

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit bc6451f
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 21 19:04:43 2024 +0100

    migrate groups.enabled in oidc Ylianst#6104

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit f1ba76a
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 21 17:47:39 2024 +0100

    fix device notifications not dismissing on other web sessions

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 385a473
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 21 16:56:56 2024 +0100

    forgot oidc group schema fix

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 5c13f17
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 21 16:05:00 2024 +0100

    fix oidc sync groups

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 323ef2d
Author: si458 <simonsmith5521@gmail.com>
Date:   Sat May 18 19:45:31 2024 +0100

    fix cookieEncoding hex for 2fa Ylianst#6096

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit dd24993
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Sat May 18 18:30:26 2024 +0100

    fix keyboard shortcuts and add restore default keyboard shortcuts (Ylianst#6103)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 30d958f
Author: si458 <simonsmith5521@gmail.com>
Date:   Sat May 18 12:26:27 2024 +0100

    fix auth-oidc-callback examples

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 1c8d664
Author: si458 <simonsmith5521@gmail.com>
Date:   Fri May 17 20:01:12 2024 +0100

    fix oidc groups.claim undefined

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit b22e56b
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Fri May 17 18:09:48 2024 +0100

    add openidConnectStrategy to mkdocs.yml

commit bc2f34b
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Fri May 17 17:13:59 2024 +0100

    remove sendconsoletext from computer-identifiers.js

commit e8da6a6
Author: si458 <simonsmith5521@gmail.com>
Date:   Fri May 17 14:41:51 2024 +0100

    add nodeid to info in console Ylianst#6097

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 77d268d
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 14 20:49:08 2024 +0100

    listdevice filter should be string Ylianst#6091

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 23ee76e
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 14 10:11:49 2024 +0100

    fix mac volume detection for older os

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit be3e333
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 14 00:13:46 2024 +0100

    add macos storage volumes using df

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit e3f6822
Author: si458 <simonsmith5521@gmail.com>
Date:   Mon May 13 23:44:47 2024 +0100

    add linux storage volumes using df

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit b71b4d0
Author: si458 <simonsmith5521@gmail.com>
Date:   Mon May 13 21:47:08 2024 +0100

    bring power-monitor server side to fix mac battery levels

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit bf7957e
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Sun May 12 15:45:24 2024 +0100

    add zerossl acme (Ylianst#6084)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 19eb123
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Sun May 12 15:37:47 2024 +0100

    set min to node 16 (Ylianst#5955)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 274bb52
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Fri May 10 14:12:39 2024 +0100

    allow msh get/set/delete from console (Ylianst#6074)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 33c0e82
Author: si458 <simonsmith5521@gmail.com>
Date:   Tue May 7 14:16:23 2024 +0100

    fix mobile ui upload mesh agent core

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 56d6527
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Wed Apr 24 09:09:35 2024 +0100

    add run commands to mobile ui (Ylianst#6044)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 3ce2fd9
Author: adnan29979 <148310766+adnan29979@users.noreply.github.com>
Date:   Mon Apr 22 05:19:22 2024 +0600

    Missing languages added to translator

    All languages from source code default.handlebars added to translator.htm

commit eb27334
Author: adnan29979 <148310766+adnan29979@users.noreply.github.com>
Date:   Mon Apr 22 00:20:51 2024 +0600

    Doc update - Addition of 'How to Contribute' section (Ylianst#6046)

commit 414d9b9
Author: si458 <simonsmith5521@gmail.com>
Date:   Fri Apr 19 11:48:49 2024 +0100

    undo Ylianst#5452 and Ylianst#6036 commits

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 1747ff7
Author: si458 <simonsmith5521@gmail.com>
Date:   Thu Apr 18 20:48:58 2024 +0100

    fix email in use meshctrl reply Ylianst#6036

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit f39b6f8
Author: si458 <simonsmith5521@gmail.com>
Date:   Thu Apr 18 20:22:25 2024 +0100

    add smtp user/pass to schema and help docs

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit ca868af
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Thu Apr 18 17:09:31 2024 +0100

    update translate readme.txt url Ylianst#6041

commit 410c84c
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Thu Apr 18 17:07:01 2024 +0100

    add --mysql --mariadb arguments for stateless run (Ylianst#6031)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 18b731f
Author: Attocode1 <3877747+Attocode1@users.noreply.github.com>
Date:   Thu Apr 18 09:41:07 2024 -0500

    Updated install document - Corrected chmod command examples. (Ylianst#6035)

commit 832e618
Author: si458 <simonsmith5521@gmail.com>
Date:   Mon Apr 15 18:48:25 2024 +0100

    forgot semicolon in a hurry meshctrl.js Ylianst#6029

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 7b8cf85
Author: si458 <simonsmith5521@gmail.com>
Date:   Mon Apr 15 18:46:40 2024 +0100

    don't require, use readFileSync and phase for config.json in meshctrl Ylianst#6029

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 1dca9e2
Author: si458 <simonsmith5521@gmail.com>
Date:   Mon Apr 15 14:51:18 2024 +0100

    fix missing connect-flash again Ylianst#6028

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 30d570f
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Mon Apr 15 13:00:42 2024 +0100

    translation fixes for meshcentral-data-domain (Ylianst#6027)

    * don't translate min files
    * translate meshcentral-web-domain folders with --translate
    * also translate default views folder in case of changes

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit f854c80
Author: si458 <simonsmith5521@gmail.com>
Date:   Sat Apr 13 23:00:43 2024 +0100

    fix meshctrl configfile undefined

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit f5891f2
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Fri Apr 12 10:43:06 2024 +0100

    fix custom public folders for dns domains (Ylianst#6018)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 1da33f0
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Thu Apr 11 18:51:54 2024 +0100

    add nice404 to invite and fix invite with dns use Ylianst#6017

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit e025e95
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Thu Apr 11 17:43:08 2024 +0100

    fix authStrategyFlags using wrong domain (Ylianst#6015)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit ccf57be
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Tue Apr 9 13:31:00 2024 +0100

    add missing rights to meshctrl and meshServerRightsArrayToNumber (Ylianst#6004)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 4ba08a9
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Tue Apr 9 11:47:32 2024 +0100

    unEscape ssh/rdp creds from db (Ylianst#6001)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 548edd1
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Sun Apr 7 19:12:01 2024 +0100

    add lastbootuptime to columns and device powered on event (Ylianst#5999)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 31ebb21
Author: si458 <simonsmith5521@gmail.com>
Date:   Sat Apr 6 23:47:02 2024 +0100

    fix ipv6 only letsencrypt Ylianst#5988

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 4a3c6db
Author: adnan29979 <148310766+adnan29979@users.noreply.github.com>
Date:   Sun Apr 7 02:27:01 2024 +0600

    Fixing documentation of gmail smtp (Ylianst#5998)

    • removal of "accessToken" from documentation, since it is not in the source code.
    • addition of a new step of 'changing publishing status from testing to production'
    • removal of a duplicate picture in index.md and adding an appropriate pic instead.

commit f9af1ff
Author: si458 <simonsmith5521@gmail.com>
Date:   Sat Apr 6 21:11:32 2024 +0100

    fix powertimeline daylights savings on mobile ui Ylianst#5997

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 95e7997
Author: si458 <simonsmith5521@gmail.com>
Date:   Sat Apr 6 21:09:43 2024 +0100

    fix daylight savings in powertimeline Ylianst#5997

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 9081a6a
Author: buckybytes <158571971+buckybytes@users.noreply.github.com>
Date:   Fri Apr 5 08:35:18 2024 -0500

    Google Workspace OAuth2 SMTP Documentation (Ylianst#5939)

commit afc6165
Author: si458 <simonsmith5521@gmail.com>
Date:   Wed Apr 3 11:41:16 2024 +0100

    nochecks description attempt 3 Ylianst#5987

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit c9c0a6c
Author: si458 <simonsmith5521@gmail.com>
Date:   Wed Apr 3 11:22:29 2024 +0100

    fix nocheck description again Ylianst#5987

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit b46c322
Author: si458 <simonsmith5521@gmail.com>
Date:   Wed Apr 3 11:18:46 2024 +0100

    fix nochecks description Ylianst#5987

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 4ff5a5c
Author: si458 <simonsmith5521@gmail.com>
Date:   Wed Apr 3 11:14:42 2024 +0100

    add letsencrypt nochecks to schema Ylianst#5987

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 65d1346
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Wed Apr 3 09:51:18 2024 +0100

    open files/folders on desktop with files and console with openfile (Ylianst#5986)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 5d1c8ca
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Tue Apr 2 23:36:05 2024 +0100

    add open web link to mobile ui (Ylianst#5985)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 9294488
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Mon Apr 1 15:48:01 2024 +0100

    fix name display for oauth (Ylianst#5980)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit d2a0946
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Mon Apr 1 00:21:47 2024 +0100

    add user import via csv file (Ylianst#5978)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 3be8ec5
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Sun Mar 31 22:28:10 2024 +0100

    add mac uninstall and fix windows uninstall (Ylianst#5976)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 1024894
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Sun Mar 31 19:20:15 2024 +0100

    check db exists first before creating in postgres (Ylianst#5968)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 8e8cc4b
Author: si458 <simonsmith5521@gmail.com>
Date:   Sun Mar 31 14:05:20 2024 +0100

    rename 2x mac image

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit ce93c89
Author: si458 <simonsmith5521@gmail.com>
Date:   Sun Mar 31 13:55:41 2024 +0100

    fix null values in filters

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 7b67b99
Author: si458 <simonsmith5521@gmail.com>
Date:   Sun Mar 31 13:52:16 2024 +0100

    fix postgres nedbtodb

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 95bbd71
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Sun Mar 31 13:50:38 2024 +0100

    add filter for events (Ylianst#5975)

    * add filter to node events
    * add filter to my events
    * add filter to user events
    * improve sql queries

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 8e6cc14
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Fri Mar 29 18:11:29 2024 +0000

    set flatpickr to 1 minute increments (Ylianst#5974)

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit 862e2ee
Author: buckybytes <158571971+buckybytes@users.noreply.github.com>
Date:   Wed Mar 27 06:26:38 2024 -0500

    Various grammar, spelling, and clarity issues. (Ylianst#5964)

    * Update plugins.md

    * Update faq.md

    * Update debugging.md

    * Update customization.md

    * Update codesigning.md

    * Update assistant.md

commit 81e9803
Author: si458 <simonsmith5521@gmail.com>
Date:   Mon Mar 25 13:41:42 2024 +0000

    fix mac memory part number

    Signed-off-by: si458 <simonsmith5521@gmail.com>

commit fbae83d
Author: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date:   Sun Mar 24 11:43:32 2024 -0700

    Version 1.1.22

commit 8498414
Author: adnan29979 <148310766+adnan29979@users.noreply.github.com>
Date:   Mon Mar 25 00:32:08 2024 +0600

    Doc update - Agent Invitation Customization (Ylianst#5937)

    * Update assistant.md

    * Email Invite and customization

    * Update assistant.md

    * Email Invitation pic upload

    * point agent invitation customization to assistant.md

commit d33aa25
Author: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date:   Sun Mar 24 11:14:42 2024 -0700

    Updated Spanish translation.

commit 8775b7d
Author: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date:   Sun Mar 24 11:03:33 2024 -0700

    Set login autocomplete to off when set to false in config.json.

commit e6ee203
Author: Simon Smith <simonsmith5521@gmail.com>
Date:   Fri Mar 22 14:31:47 2024 +0000

    add biosSerial/biosMode to csv (Ylianst#5949)

    Signed-off-by: si458 <simonsmith5521@gmail.com>