Apache Answer throws OpenID connect error

philkunz

redirect_uri did not match any of the client's registered redirect_uris

BrutalBirdie

Thanks for reporting. I am trying to reproduce your issue.
Could you please give me some more details about your Cloudron Version and the App Version of Apache Answer you are using.
Also, is it a fresh install or an updated version?

BrutalBirdie

Could not reproduce:
Cloudron v8.3.1
Apache Answer 1.4.5
org.apache.answer.cloudronapp@1.3.1

Fresh setup.

Currently looking into how OIDC is configured in this app.

BrutalBirdie

Going forward with debugging on your end.

please redact sensitive information

@philkunz can you open a web-terminal of your Apache Answer app and give me the output of:

printenv | grep -i OIDC

and

this can be copy-pasted into the web-terminal

mysql --user=${CLOUDRON_MYSQL_USERNAME} --password=${CLOUDRON_MYSQL_PASSWORD} --host=${CLOUDRON_MYSQL_HOST} ${CLOUDRON_MYSQL_DATABASE} -e "SELECT value FROM config WHERE \`key\`='plugin.status'"

and

mysql --user=${CLOUDRON_MYSQL_USERNAME} --password=${CLOUDRON_MYSQL_PASSWORD} --host=${CLOUDRON_MYSQL_HOST} ${CLOUDRON_MYSQL_DATABASE} -e "SELECT * FROM plugin_config WHERE plugin_slug_name='basic_connector' \G"

philkunz

@BrutalBirdie

root@some-uid:/app/code# printenv | grep -i OIDC
CLOUDRON_OIDC_PROFILE_ENDPOINT=https://my.xxx.xxx/openid/me
CLOUDRON_OIDC_KEYS_ENDPOINT=https://my.xxx.xxx/openid/jwks
CLOUDRON_OIDC_CLIENT_ID=abcdefg
CLOUDRON_OIDC_PROVIDER_NAME=xxx.xxx Cloudron
CLOUDRON_OIDC_AUTH_ENDPOINT=https://my.xxx.xxx/openid/auth
CLOUDRON_OIDC_ISSUER=https://my.xxx.xxx/openid
CLOUDRON_OIDC_DISCOVERY_URL=https://my.xxx.xxx/openid/.well-known/openid-configuration
CLOUDRON_OIDC_TOKEN_ENDPOINT=https://my.xxx.xxx/openid/token
CLOUDRON_OIDC_CLIENT_SECRET= abcdefg

and

root@some-uid:/app/code# mysql --user=${CLOUDRON_MYSQL_USERNAME} --password=${CLOUDRON_MYSQL_PASSWORD} --host=${CLOUDRON_MYSQL_HOST} ${CLOUDRON_MYSQL_DATABASE} -e "SELECT value FROM config WHERE \`key\`='plugin.status'"
mysql: [Warning] Using a password on the command line interface can be insecure.
+---------------------------------------------+
| value                                       |
+---------------------------------------------+
| {"redis_cache":true,"basic_connector":true} |
+---------------------------------------------+

and

root@some-uid:/app/code# mysql --user=${CLOUDRON_MYSQL_USERNAME} --password=${CLOUDRON_MYSQL_PASSWORD} --host=${CLOUDRON_MYSQL_HOST} ${CLOUDRON_MYSQL_DATABASE} -e "SELECT * FROM plugin_config WHERE plugin_slug_name='basic_connector' \G"
mysql: [Warning] Using a password on the command line interface can be insecure.
*************************** 1. row ***************************
              id: 72
plugin_slug_name: basic_connector
           value: {"authorize_url":"https://my.xxx.xxx/openid/auth","check_email_verified":true,"client_id":"abced1234","client_secret":"abcd1234","email_verified_json_path":"email_verified","logo_svg":"","name":"xxx.xxx Cloudron","scope":"openid,profile,email","token_url":"https://my.xxx.xxx/openid/token","user_avatar_json_path":"","user_display_name_json_path":"name","user_email_json_path":"email","user_id_json_path":"sub","user_json_url":"https://my.xxx.xxx/openid/me","user_username_json_path":"preferred_username"}

BrutalBirdie

@philkunz
You have not recently changed your base domain? Example from my.yyy.yyy to my my.xxx.xxx?
A bit confusing, but you get what I write I hope

philkunz

nope. xxx.xxx was always xxx.xxx

BrutalBirdie

Have you tried restarting the app? (just in case)
Because normally on every restart the app sets / updates the oidc config.

What we can try is to manually delete that config and restart the app.

To delete this go to your web-terminal and copy-paste:

mysql --user=${CLOUDRON_MYSQL_USERNAME} --password=${CLOUDRON_MYSQL_PASSWORD} --host=${CLOUDRON_MYSQL_HOST} ${CLOUDRON_MYSQL_DATABASE} -e "DELETE FROM plugin_config WHERE plugin_slug_name='basic_connector'"

and then restart the app.

Then a complete fresh config set should be present, printable by the same command again.

mysql --user=${CLOUDRON_MYSQL_USERNAME} --password=${CLOUDRON_MYSQL_PASSWORD} --host=${CLOUDRON_MYSQL_HOST} ${CLOUDRON_MYSQL_DATABASE} -e "SELECT * FROM plugin_config WHERE plugin_slug_name='basic_connector' \G"

Then we can compare both outputs if something has changed or is missing or got added yada yada.

Maybe just the restart, or deletion and restart is already enough.

philkunz

tried that, still the same error.

philkunz

philkunz

All other apps work without a hitch. Also xxx.xxx is correct.

philkunz

Also changing the location does not do the trick, which should update the redirect url.

nebulon

@philkunz so to narrow this down, if you install a fresh instance of the app, does it work then?

philkunz

Fresh install works as expected.

Just took a look at the redirect uri:

&redirect_uri=%2Fanswer%2Fapi%2Fv1%2Fconnector%2Fredirect%2Fbasic&response_type=code&scope=openid+profile+email&state=state

That looks incomplete?

nebulon

Hm the values within the db should at least get ensured at https://git.cloudron.io/packages/apache-answer-app/-/blob/main/start.sh?ref_type=heads#L90

nebulon

ah the callback uri is not dynamic path wise, so my link is not helping.

BrutalBirdie

@philkunz
Can you compare your faulty instance with the fresh one under the following admin path https://apacheanswers.DOMAIN.TLD/admin/basic_connector?
Maybe there is something in the UI that we are not seeing here

philkunz

I'll use a fresh install then.

nebulon

tracking down changes in the package, that URI hasn't actually changed at all through an update or so. Did you maybe happen to manually configure OpenID integration at some point?