OpenID Issue Following Recent Updates
-
Hi. Since package v1.17.1 onwards was published, I have had a few servers that run Traccar/Cloudron with the following issue:
"<!DOCTYPE><html><head><title>Error</title></head><html><body>500 - Server Error</body></html>"
It's not clear from the logs where the issue is; it's resulting in not being able to log in at all unless the OpenID config is removed fully.
-
Hello @TheMoodBoardz
Thanks for reporting. I am trying to reproduce this now.
What type of setup did you choose at installation?
@james It would be "Leave user management to the app"
-
I have installed Traccar with version 1.17.1.
- Login > no issue
- Update 1.17.2
- Login > no issue
- Update 1.17.3
- Login > no issue
- Update 1.18.0
- Login > no issue
Since you are stating you have installed the app with "Leave user management to the app" and also state that the issue gets resolved by removing the OpenID config: that config should not be present when you have chosen "Leave user management to the app".
Do you have a custom OpenID config in your Traccar app?
Would you be able to share your /app/data/traccar.xml file so I can take a look? Also, you can move /app/data/traccar.xml to, for example, /app/data/traccar.xml.backup and restart the app so the app will generate a fresh config, which should work out of the box.
-
@james I have tried moving the traccar.xml to traccar.xml.backup to get a new config. It allows the login through the plain old login; however, as soon as I put the OpenID config in, it starts with the same issue.
If I pull the backup from when it was on v1.17.1, it has the exact same traccar.xml as it does on v1.18.0. On v1.17.1 the OpenID login works without issue; however, as soon as it's updated past v1.17.1, the OpenID login stops working.
I have also tried a fresh install and the issue happens as soon as I add the OpenID config.
From what I can tell from the documentation from Traccar - no changes are needed to my OpenID config.
Here is my current config (removed all the sensitive information):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
    <entry key="config.default">/app/code/conf/default.xml</entry>
    <!--
    This is the main configuration file. All your configuration parameters should be placed in this file.
    Default configuration parameters are located in the "default.xml" file. You should not modify it to avoid issues with upgrading to a new version.
    Parameters in the main config file override values in the default file.
    Do not remove "config.default" parameter from this file unless you know what you are doing.
    For list of available parameters see following page: https://www.traccar.org/configuration-file/
    -->
    <entry key="database.driver">com.mysql.cj.jdbc.Driver</entry>
    <entry key="database.url">jdbc:mysql://mysql:3306/3e3f4a623283f4e9?serverTimezone=UTC&amp;allowPublicKeyRetrieval=true&amp;useSSL=false&amp;allowMultiQueries=true&amp;autoReconnect=true&amp;useUnicode=yes&amp;characterEncoding=UTF-8&amp;sessionVariables=sql_mode=''</entry>
    <entry key="database.user">3e3f4a6</entry>
    <entry key="database.password">6ec5a5caf84a05efcbf10adef7c2</entry>
    <entry key="web.url">https://tracx.emaildomain.com</entry>
    <entry key="mail.smtp.host">mail</entry>
    <entry key="mail.smtp.port">2525</entry>
    <entry key="mail.smtp.starttls.enable">false</entry>
    <entry key="mail.smtp.from">noreply@emaildomain.com</entry>
    <entry key="mail.smtp.auth">true</entry>
    <entry key="mail.smtp.username">noreply@emaildomain.com</entry>
    <entry key="mail.smtp.password">e1ba1aaf24e2e0a2eef481564a</entry>
    <entry key="logger.console">true</entry>
    <entry key="logger.queries">false</entry>
    <entry key="logger.level">config</entry>
    <entry key="logger.fullStackTraces">true</entry>
    <!-- https://github.com/traccar/traccar/blob/8eecfdcf5c59f92158a6c339d1622e0e9d67968c/src/main/java/org/traccar/config/Keys.java -->
    <entry key="users.defaultDeviceLimit">-1</entry>
    <entry key="media.path">/app/data/media</entry>
    <entry key='openid.force'>true</entry>
    <entry key='openid.clientId'>we31jf8xagqqdk4edscg3</entry>
    <entry key='openid.clientSecret'>zs8c6q92vujaz15asguwsb</entry>
    <entry key='openid.issuerUrl'>https://sso.domainname.com/application/o/traccar</entry>
    <entry key="openid.authUrl">https://sso.domainname.com/application/o/authorize</entry>
    <entry key="openid.tokenUrl">https://sso.domainname.com/application/o/token</entry>
    <entry key="openid.userInfoUrl">https://sso.domainname.com/application/o/userinfo</entry>
</properties>
-
@TheMoodBoardz so since you do not use Cloudron SSO, you have configured a custom OpenID provider. Maybe Traccar has a regression in the latest release which breaks your auth provider. For reference, using the Cloudron OpenID provider is set up with these config variables: https://git.cloudron.io/packages/traccar-app/-/blob/master/traccar.xml.template?ref_type=heads#L28
Those (when the values are actually set during installation) seem to work. Maybe check if, for example, removing
<entry key='openid.force'>true</entry>
in yours works?
-
Just wanted to follow up after a few rounds of testing and confirm that I have now resolved the issue.
The breakthrough came after inspecting the tracker-server.log file, which pointed to a "GeneralException: The returned issuer doesn't match the expected" error. The root cause was a subtle mismatch between the URL in the openid.issuerUrl parameter in my traccar.xml and the actual issuer URL being returned by my OpenID provider (it appears a trailing slash was the main culprit). While ensuring the openid.issuerUrl is a perfect match is one solution, I found that removing that parameter entirely and reverting to the Cloudron OpenID configuration using openid.authUrl, openid.tokenUrl, and openid.userInfoUrl with the correct, full URLs also solved the problem.
By the looks of it, it seems the recent Traccar update(s) enforce stricter OpenID Connect validation. Thanks for the pointers!
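The issuer check that bit this thread, as an added example (not code from the thread, from Cloudron or from Traccar): it reads openid.issuerUrl from a constructed traccar.xml, compares it with the issuer a constructed discovery document returns using the exact string equality an OpenID Connect client applies, and reports a trailing-slash mismatch separately so the cause is obvious before the 500 appears. Host names and values are placeholders, not the poster's.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample traccar.xml in the same properties format as the thread's config.
# Note: openid.issuerUrl has no trailing slash.
TRACCAR_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
    <entry key="web.url">https://tracx.example.com</entry>
    <entry key='openid.issuerUrl'>https://sso.example.com/application/o/traccar</entry>
    <entry key="openid.authUrl">https://sso.example.com/application/o/authorize</entry>
</properties>
"""

# Constructed sample of what the provider's /.well-known/openid-configuration returns
# (only the field that matters here). The provider reports the issuer WITH a trailing slash.
DISCOVERY_JSON = '{"issuer": "https://sso.example.com/application/o/traccar/"}'


def load_traccar_entries(xml_text: str) -> dict:
    """Return {key: value} for every <entry> in a Traccar properties file."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}


def discovery_url(issuer: str) -> str:
    """Where a client fetches provider metadata for a configured issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(configured: str, returned: str) -> tuple:
    """Strict comparison as an OIDC client performs it: byte-for-byte equality."""
    if configured == returned:
        return True, "issuer matches"
    if configured.rstrip("/") == returned.rstrip("/"):
        return False, (f"trailing-slash mismatch: configured {configured!r}, "
                       f"provider returned {returned!r}")
    return False, f"issuer mismatch: configured {configured!r}, provider returned {returned!r}"


def audit(xml_text: str, discovery_json: str) -> tuple:
    """(ok, reason) for the openid.issuerUrl in a traccar.xml against provider metadata."""
    configured = load_traccar_entries(xml_text).get("openid.issuerUrl")
    if configured is None:
        return True, "no openid.issuerUrl set; explicit authUrl/tokenUrl/userInfoUrl are used"
    returned = json.loads(discovery_json)["issuer"]
    return check_issuer(configured, returned)


if __name__ == "__main__":
    print(audit(TRACCAR_XML, DISCOVERY_JSON))
```

Fetching the real discovery document from discovery_url() and feeding its body to audit() turns this into a pre-upgrade check for a live install.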