SSO Callback closes connection (0 bytes sent by server); used logged out of impersonation previously

simon.michalke · June 5, 2022, 2:43pm

(Note, this was also reported here: Connection lost during callback · Issue #28 · soudis/discoursesso · GitHub)

Hello,

we are having a very weird issue with our Discourse SSO. Ever since one user logged out of impersonation, he is unable to log back in. This is what happens now if he tries to log in: (the user was logged into Nextcloud previously).

The Server just closes the connection. I am unable to find any error log. Not inside any of the nginx proxies, not inside Discourse, not inside Nextcloud.

Interestingly it has nothing to do with the network or device. It is just this user that fails to log in.

I also tried clearing out the SSO Data from Discourse, changed the Email Address to force creation of a new Discourse Account. The Problem still persists.

I suspect this is an issue with the Nextcloud plugin, however I don’t see any error messages by Discourse, which surprises me. (I cleared the log and tried again, no record appeared.)

RGJ · June 5, 2022, 3:00pm

Did you enable Admin - Settings - Login - verbose_discourse_connect_logging ?

simon.michalke · June 5, 2022, 3:25pm

I just did. The only record is:

Verbose SSO log: Started SSO process

add_groups: 
admin: 
moderator: 
avatar_force_update: 
avatar_url: 
bio: 
card_background_url: 
confirmed_2fa: 
email: 
external_id: 
groups: 
locale: 
locale_force_update: 
location: 
logout: 
name: 
no_2fa_methods: 
nonce: <removed>
profile_background_url: 
remove_groups: 
require_2fa: 
require_activation: 
return_sso_url: https://hub.diehumanisten.de/session/sso_login
suppress_welcome_message: 
title: 
username: 
website:

JammyDodger · June 20, 2022, 12:08pm

Is this issue still ongoing @simon.michalke?

simon.michalke · June 20, 2022, 12:36pm

yes, we just tested it again and it still persists.

simon.michalke · June 24, 2022, 9:40am

Okay, now we have a REAL issue. The problem seems to be spreading to other user. And the second one is not an admin and can therefore not use the workaround.

If I want to contact (paid) support, who should I talk to in my case?

JammyDodger · July 5, 2022, 10:04am

Was this the right answer to your issue in the end?

simon.michalke · July 5, 2022, 10:27am

Yes. Nextcloud SSO only supports GET and not POST-based login. Our nginx proxy silently dropped the request since we had too many groups filling up the request header.

Our current workaround is manually patching the Plugin to not include groups:

github.com/soudis/discoursesso

Connection lost during callback

opened 11:45AM - 05 Jun 22 UTC

ClundXIII

Hello, we are having a *very weird* issue with our Discourse SSO. Ever since …one user logged out of impersonation, he is unable to log back in. I appended a screenshot of the Network Connections, the user was logged into Nextcloud previously. ![grafik](https://user-images.githubusercontent.com/4571541/172048806-4fa6ddc2-45fe-4794-b0ff-350f1faf7cb6.png) The Server just closes the connection. I am unable to find any error log. Not inside any of the nginx proxies, not inside Discourse, not inside Nextcloud. Interestingly it has nothing to do with the network or device. It is just this user that fails to log in. I also tried clearing out the SSO Data from Discourse, changed the Email Adress to force creation of a new Discourse Account. The Problem still persists. This is also the reason I am posting the issue here and not on the Discourse Forum.

We will switch to keycloak for authentication soon.