Comments (15)

si458 commented on July 3, 2024

ok ive fixed the reauth problem! c67a76b
basically when u first hit the oidc callback from your provider you have session info,
but when u try hitting the page again (by say pressing back history)
the session info had vanished as you are already logged in and verified.
so just need to do a check to carry on if you already authed!

from meshcentral.

si458 commented on July 3, 2024

Hmm this should already be fixed?
Check the /opt/meshcentral/package.json it should include connect-flash if I remember?

Will check soon when laptops switched on

Edit. Pr here for the fix? 1dca9e2

xcsdm commented on July 3, 2024

I can see

"connect-flash": "0.1.1",

in the dependencies. This is /opt/meshcentral/meshcentral/package.json in the docker container. and connect-flash is definitely in the node-modules.

Edit. The changes from the pr are confirmed in the meshcentral.js

si458 commented on July 3, 2024

ok so im confused why you get this error? as normally it just means that package is missing but im guessing its been removed somewhere! will have a look soon

timcanty commented on July 3, 2024

We are having the same issue, just haven't had the opportunity to look into it, after the service restarts, and you go back to the login page, it goes straight in, so feels like the return page that the oidc hits, is the one missing the required function

si458 commented on July 3, 2024

erm just re-read ur issue, the error is erroring inside the node_modules of passport.js
so is nothing to do with meshcentral!
which is quite worrying?

si458 commented on July 3, 2024

just out of curiosity, try setting ur config like below (i use authentik for my testing)

"authStrategies": {
    "oidc": {
        "issuer": {
            "issuer": "https://auth.myserver.com/application/o/meshcentral-oidc/",
            "authorization_endpoint": "https://auth.myserver.com/application/o/authorize/",
            "token_endpoint": "https://auth.myserver.com/application/o/token/",
            "endsession_endpoint": "https://auth.myserver.com/application/o/meshcentral-oidc/end-session/",
            "jwks_uri": "https://auth.myserver.com/application/o/meshcentral-oidc/jwks/"
        },
        "client": {
            "client_id": "CLIENTIDHERE",
            "client_secret": "CLIENTSECRETHERE"
        },
        "newAccounts": true
    }
}

OR
try the basic config here - https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#basic-config-file-example

si458 commented on July 3, 2024

ok i think ive found the issue, but need you to confirm for me
(as i cannot replicate the issue but think i found why its missing)
line 6768 inside /opt/meshcentral/meshcentral/webserver.js
just under parent.authLog('setupHTTPHandlers', `OIDC: Authorization URL: ${authURL}`);
you need to add obj.app.use(require('connect-flash')());
then restart the meshcentral container (dont redeploy, just restart it!) and try again

xcsdm commented on July 3, 2024

Close.

First, it did allow login. If I click a PC, then click the "My Devices" icon (top on left), works as expected.
If I click on a PC, then click Back in the browser, I get "Internal Server Error" with this logged:

meshcentral  | MeshCentral HTTP redirection server running on port 80.
meshcentral  | MeshCentral v1.1.24, Hybrid (LAN + WAN) mode, Production mode.
meshcentral  | MeshCentral Intel(R) AMT server running on mesh.xcsdm.com:4433.
meshcentral  | Loaded web certificate from "https://mesh.xcsdm.com", host: "mesh.xcsdm.com"
meshcentral  |   SHA384 cert hash: 2a2d2e8b92d3c69e6ea937016c3dd638a3f6fe5c0c86f3a17ec2fe063d6f640a8643d4085c1e264164b5341323cfef19
meshcentral  |   SHA384 key hash: 4700277a409aa747e0b1ac2922a010da2099c20a269b1c6cd97a4001cc1505709a6470b8ad5526d16fd41d272bf2b256
meshcentral  | MeshCentral HTTP server running on port 443.
meshcentral  | ERR: Error: did not find expected authorization request details in session, req.session["oidc:auth.xcsdm.com"] is undefined
meshcentral  |     at /opt/meshcentral/meshcentral/node_modules/openid-client/lib/passport_strategy.js:132:13
meshcentral  |     at OpenIDConnectStrategy.authenticate (/opt/meshcentral/meshcentral/node_modules/openid-client/lib/passport_strategy.js:191:5)
meshcentral  |     at attempt (/opt/meshcentral/meshcentral/node_modules/passport/lib/middleware/authenticate.js:378:16)
meshcentral  |     at authenticate (/opt/meshcentral/meshcentral/node_modules/passport/lib/middleware/authenticate.js:379:7)
meshcentral  |     at /opt/meshcentral/meshcentral/webserver.js:6787:124
meshcentral  |     at Layer.handle [as handle_request] (/opt/meshcentral/meshcentral/node_modules/express/lib/router/layer.js:95:5)
meshcentral  |     at next (/opt/meshcentral/meshcentral/node_modules/express/lib/router/route.js:149:13)
meshcentral  |     at urlencodedParser (/opt/meshcentral/meshcentral/node_modules/body-parser/lib/types/urlencoded.js:91:7)
meshcentral  |     at Layer.handle [as handle_request] (/opt/meshcentral/meshcentral/node_modules/express/lib/router/layer.js:95:5)
meshcentral  |     at next (/opt/meshcentral/meshcentral/node_modules/express/lib/router/route.js:149:13)

si458 commented on July 3, 2024

@xcsdm that will be because when you press the back button its returning you back to the reauth page which will be invalid because you are already logged in/missing authentication.

can you just try changing ur config.json to look like the above for me and restarting? #6132 (comment)

si458 commented on July 3, 2024

@xcsdm ok i can replicate ur Error: did not find expected authorization request details in session issue
i get the same thing, not too sure why?
will look into it, but will push the fix for the auth login for you!

xcsdm commented on July 3, 2024

Sorry I did not mention. I did change the config to match your example. Login works fine. I can remote control PCs, etc.

si458 commented on July 3, 2024

@xcsdm ah right no worries!
will look into the Error: did not find expected authorization request details in session as soon as i can again
as you use docker you can use the master image as it includes fixes 👍
(this image is built every time we push something to the master branch for people to test or use the latest features!)

si458 commented on July 3, 2024

commit to fix the redirect if someone tries to return auth but no user/cookie/etc... 62199d8
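
The failure discussed in this thread, as an added example that is not part of the original comments and is not MeshCentral's code: a callback replayed after the authorization request details have left the session is routed away rather than passed to the strategy or treated as a login. The helper names, paths and sample requests are constructed assumptions; the `oidc:<issuer hostname>` session key follows the error message logged above.

```javascript
// Added example: Express-style guard to mount in front of passport.authenticate()
// on the OIDC callback route. Not MeshCentral's implementation.

// Assumption: session key format "oidc:<issuer hostname>", as seen in the logged error.
function oidcSessionKey(issuerUrl) {
  return 'oidc:' + new URL(issuerUrl).hostname;
}

// Hypothetical helper; homePath and loginPath are illustrative defaults.
function guardOidcCallback({ issuer, homePath = '/', loginPath = '/login' }) {
  const key = oidcSessionKey(issuer);
  return function (req, res, next) {
    const session = req.session || {};
    // Normal case: the authorization request details (state, nonce, ...) are
    // still in the session, so the strategy can validate this callback.
    if (session[key] !== undefined) return next();
    // Replayed callback (browser Back or refresh): the details are gone.
    // The code/state in the query must not be trusted here; only route away.
    if (req.user) return res.redirect(homePath); // passport set req.user: already signed in
    return res.redirect(loginPath);              // no session at all: start a fresh login
  };
}

// Constructed requests for the three cases, run against a minimal fake `res`.
function simulate(req) {
  const out = { next: false, redirect: null };
  const res = { redirect: (path) => { out.redirect = path; } };
  const guard = guardOidcCallback({
    issuer: 'https://auth.myserver.com/application/o/meshcentral-oidc/'
  });
  guard(req, res, () => { out.next = true; });
  return out;
}

const fresh = simulate({
  session: { 'oidc:auth.myserver.com': { state: 'constructed-state', nonce: 'constructed-nonce' } }
});
const replaySignedIn = simulate({ session: {}, user: { id: 'constructed-user' } });
const replayAnonymous = simulate({ session: {} });

console.log({ fresh, replaySignedIn, replayAnonymous });
```

The guard only decides where a stale callback goes; validation of `state` and `nonce` stays with the OIDC strategy on the normal path.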
