Making SSO via OAuth2 Basic plugin work with our Identity Provider

Hi everybody, we are trying to make SSO via OAuth2 Basic plugin work with our Identity Provider, but we are running back to the same issue over and over :roll_eyes:

Any help or light over this issue is super duper appreciated!

Scenario and error log are both provided below.

Overview

  • Self hosted Discourse running on DigitalOcean;
  • Standard Install; works like a charm (for about a year);
  • Updated to the latest version [v2.0.0.beta9];
  • Discourse OAuth2 Basic plugin installed and configured (screenshot can be found below);
  • IDP provider fully functional and working with several other applications.

Error message from /logs

(oauth2_basic) Authentication failure! **invalid_credentials**: OAuth2::**Error, invalid_client**: The client MUST NOT use more than one authentication method in each request.
{"error_description":"The client MUST NOT use more than one authentication method in each request.","error":"invalid_client"}

We have checked the source code, but could not figure anything out of it :cry:
It seems that a callback is successfully initiated, but something else than fails.

ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:473:in `fail!'
ruby/2.4.0/gems/omniauth-oauth2-1.4.0/lib/omniauth/strategies/oauth2.rb:78:in `rescue in callback_phase'
ruby/2.4.0/gems/omniauth-oauth2-1.4.0/lib/omniauth/strategies/oauth2.rb:66:in `callback_phase'
ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:230:in `callback_call'

https://github.com/omniauth/omniauth/releases/tag/v1.6.1 can be found here.
source code file is ouath2.rb
https://github.com/omniauth/omniauth-oauth2/releases/tag/v1.5.0 can be found here
source code file is strategy.rb

Full Backtrace Error Log
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/logster-1.2.9/lib/logster/logger.rb:93:in `add_with_opts' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/logster-1.2.9/lib/logster/logger.rb:50:in `add' /usr/local/lib/ruby/2.4.0/logger.rb:543:in `error' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:161:in `log' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:473:in `fail!' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-oauth2-1.4.0/lib/omniauth/strategies/oauth2.rb:78:in `rescue in callback_phase' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-oauth2-1.4.0/lib/omniauth/strategies/oauth2.rb:66:in `callback_phase' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:230:in `callback_call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:187:in `call!' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:167:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:189:in `call!' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:167:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:189:in `call!' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:167:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:189:in `call!' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:167:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:189:in `call!' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:167:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:189:in `call!' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:167:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:189:in `call!' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/strategy.rb:167:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/omniauth-1.6.1/lib/omniauth/builder.rb:63:in `call' /var/www/discourse/lib/middleware/omniauth_bypass_middleware.rb:22:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-2.0.4/lib/rack/conditional_get.rb:25:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-2.0.4/lib/rack/head.rb:12:in `call' /var/www/discourse/lib/middleware/anonymous_cache.rb:198:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-2.0.4/lib/rack/session/abstract/id.rb:232:in `context' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-2.0.4/lib/rack/session/abstract/id.rb:226:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/cookies.rb:613:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/callbacks.rb:26:in `block in call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/callbacks.rb:97:in `run_callbacks' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/callbacks.rb:24:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/debug_exceptions.rb:59:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/show_exceptions.rb:31:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/logster-1.2.9/lib/logster/middleware/reporter.rb:31:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/railties-5.1.4/lib/rails/rack/logger.rb:36:in `call_app' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/railties-5.1.4/lib/rails/rack/logger.rb:26:in `call' /var/www/discourse/config/initializers/100-quiet_logger.rb:16:in `call' /var/www/discourse/config/initializers/100-silence_logger.rb:29:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/remote_ip.rb:79:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/request_id.rb:25:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-2.0.4/lib/rack/method_override.rb:22:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/executor.rb:12:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-2.0.4/lib/rack/sendfile.rb:111:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-mini-profiler-1.0.0/lib/mini_profiler/profiler.rb:174:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/message_bus-2.1.4/lib/message_bus/rack/middleware.rb:63:in `call' /var/www/discourse/lib/middleware/request_tracker.rb:186:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/railties-5.1.4/lib/rails/engine.rb:522:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/railties-5.1.4/lib/rails/railtie.rb:185:in `public_send' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/railties-5.1.4/lib/rails/railtie.rb:185:in `method_missing' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-2.0.4/lib/rack/urlmap.rb:68:in `block in call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-2.0.4/lib/rack/urlmap.rb:53:in `each' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-2.0.4/lib/rack/urlmap.rb:53:in `call' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/unicorn-5.4.0/lib/unicorn/http_server.rb:606:in `process_client' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/unicorn-5.4.0/lib/unicorn/http_server.rb:701:in `worker_loop' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/unicorn-5.4.0/lib/unicorn/http_server.rb:549:in `spawn_missing_workers' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/unicorn-5.4.0/lib/unicorn/http_server.rb:142:in `start' /var/www/discourse/vendor/bundle/ruby/2.4.0/gems/unicorn-5.4.0/bin/unicorn:126:in `<top (required)>' /var/www/discourse/vendor/bundle/ruby/2.4.0/bin/unicorn:23:in `load' /var/www/discourse/vendor/bundle/ruby/2.4.0/bin/unicorn:23:in `<main>'
Plugin Settings

Note: some sensitive information has been redacted
Oauth2 Authorize url set as: /as/authorization.oauth2?client_id=myclientidhere&response_type=token&redirect_uri=https://discuss.mysitehere.com/auth/oauth2_basic/callback

Oauth2 token url set as: /as/token.oauth2

Oauth2 user json url set as: /idp/userinfo.openid?schema=openid&access_token=:token

4 Likes

Just for future readers wondering for the solution for the issue above.

The PingIdentity OAuth server cannot handle two authentication methods being used at the same time. The plugin sends a Basic Authorization header to the server as well, just to be on the safe side, and the server chokes on this. This behaviour can be disabled by setting the site setting oauth2_send_auth_header to false.

11 Likes