OIDC login broken with 8.1.0 update

msbt

Hi there! I already sent an email to support, but since it's quite urgent, trying here as well, maybe someone has a solution for this. After updating to 8.1.0, OIDC authentication doesn't work anymore. It's easily reproducable, fresh install on 8.0.6 works, 8.1.0 doesn't.

It says Service Unavailable and refuses to login and logs show this:

WARN: [OpenID] Unknown OP error
err: {
"type": "OPError",
"message": "unauthorized_client (requested grant type is not allowed for this client)",
"stack":
OPError: unauthorized_client (requested grant type is not allowed for this client)

Any ideas/workarounds @nebulon @girish @joseph?

nebulon

So after some debugging, the actual fix is to enable the refresh_token grant type also: https://git.cloudron.io/platform/box/-/commit/16fa3390252e29f1803a18990c7b104817fa4d9f

Basically if you add this (also put back the previously suggested code bit) and sytemctl restart box then this should work also for existing directus instances I think.

girish

@msbt I could reprodue this. As a quick fix, you have to revert https://git.cloudron.io/platform/box/-/commit/8621fbda7963b048aa49741c34ff283840f24c90 .

• Edit /home/yellowtent/box/src/oidc.js
• Delete that function issueRefreshToken entirely
• systemctl restart box

Unfortunately, removing above has the sideeffect of showing warnings in dokuwiki alone. But for other apps this is not a problem.

msbt

@girish thanks for the reply, but still getting the same error even after restarting box and Directus. Any other ideas? Some cache that I might need to empty?

msbt

Quick update: apparently removing that snippet and fresh install is working, but for various reasons, reinstalling all my Directus instances is not a great option. Thing I've tried and didn't work: restarting app/box/server, changing location, permissions, cloning, using a fresh browser.

c0decafe

got bitten by this too, commenting out issueRefreshToken + restarting box didn't help:

{
  "name": "DirectusError",
  "extensions": {
    "service": "openid",
    "reason": "Service returned unexpected response: requested grant type is not allowed for this client"
  },
  "code": "SERVICE_UNAVAILABLE",
  "status": 503
}

c0decafe

I confirm that commenting out issueRefreshToken() works only with a fresh install of directus.

nebulon

So after some debugging, the actual fix is to enable the refresh_token grant type also: https://git.cloudron.io/platform/box/-/commit/16fa3390252e29f1803a18990c7b104817fa4d9f

Basically if you add this (also put back the previously suggested code bit) and sytemctl restart box then this should work also for existing directus instances I think.

c0decafe

@nebulon thanks!
I confirm the below fixes it:

curl https://git.cloudron.io/platform/box/-/commit/16fa3390252e29f1803a18990c7b104817fa4d9f.diff | patch -d /home/yellowtent/box -p1
systemctl restart box

msbt

thanks @nebulon & @girish, this does indeed fix everything, appreciate it