
babelouest / glewlwyd

425.0 15.0 80.0 35.25 MB

Experimental Single Sign On server, OAuth2, Openid Connect, multiple factor authentication with, HOTP/TOTP, FIDO2, TLS Certificates, etc. extensible via plugins

Home Page: https://babelouest.github.io/glewlwyd

License: Other

Makefile 0.31% C 84.35% HTML 0.77% Shell 0.18% CSS 1.12% JavaScript 12.55% CMake 0.68% Dockerfile 0.04%
oauth2 ldap authentication-backend reactjs c ulfius hoel otp webauthn yubikey

glewlwyd's Introduction

What?

Main projects

Project - Description
  • Glewlwyd - Experimental Single Sign On server, OAuth2, Openid Connect, MFA
  • Ulfius - Web Framework in C
  • Rhonabwy - JWK, JWKS, JWS, JWE and JWT C library
  • Iddawc - OAuth2 and OIDC client library
  • Hoel - C Database abstraction library with json based language
  • Taliesin - Lightweight audio streaming server
  • Angharad - House automation system with a REST/Json interface
  • Hutch - Online password and secret locker
  • Yder - Logging library for C applications
  • Orcania - Potluck library

Other projects

Project - Description
  • Taulas - Arduino source files for Angharad system devices
  • Huddersfield - Project packages builder and publisher

Why?

C combines the power and performance of assembly language with the flexibility and ease-of-use of assembly language.

Coding backend in C and front-end in HTML/Javascript is the true meaning of life.

Who?

Nicolas Mora

My GPG key: 8405 B02F CC28 EF97 44C8 F253 FE82 1394 40BD 22B9

I don't look like that

Where?

Québec City, Canada

How?

(Debian || Ubuntu) && GNU && Geany


glewlwyd's Issues

collect2: error: ld returned 1 exit status

[devel@localhost src]$ make
gcc -c -Wall -D_REENTRANT -O3 token.c
gcc -c -Wall -D_REENTRANT -O3 user.c
gcc -c -Wall -D_REENTRANT -O3 client.c
gcc -c -Wall -D_REENTRANT -O3 admin.c
gcc -c -Wall -D_REENTRANT -O3 scope.c
gcc -c -Wall -D_REENTRANT -O3 resource.c
gcc -c -Wall -D_REENTRANT -O3 password.c
gcc -o glewlwyd glewlwyd.o authorization.o oauth.o webservice.o token.o user.o client.o admin.o scope.o resource.o password.o -lc -lulfius -lyder -ljansson -lorcania -lhoel -ljwt -lconfig -lldap -luuid -lcrypto -lcrypt
webservice.o: In function `callback_glewlwyd_send_reset_user':
webservice.c:(.text+0x3839): undefined reference to `json_string_length'
webservice.o: In function `callback_glewlwyd_send_reset_user_profile':
webservice.c:(.text+0x39de): undefined reference to `json_string_length'
user.o: In function `get_user_ldap':
user.c:(.text+0x771): undefined reference to `json_stringn'
user.c:(.text+0x7a2): undefined reference to `json_stringn'
user.c:(.text+0x7d3): undefined reference to `json_stringn'
user.o: In function `get_user_list_ldap':
user.c:(.text+0x26ef): undefined reference to `json_stringn'
user.c:(.text+0x271f): undefined reference to `json_stringn'
user.o:user.c:(.text+0x274f): more undefined references to `json_stringn' follow
user.o: In function `is_user_valid':
user.c:(.text+0x3861): undefined reference to `json_string_length'
user.c:(.text+0x3891): undefined reference to `json_string_length'
user.c:(.text+0x3a21): undefined reference to `json_string_length'
user.c:(.text+0x3a3f): undefined reference to `json_string_length'
user.c:(.text+0x3a69): undefined reference to `json_string_length'
user.o:user.c:(.text+0x3a87): more undefined references to `json_string_length' follow
client.o: In function `get_client_list_ldap':
client.c:(.text+0x16cd): undefined reference to `json_stringn'
client.c:(.text+0x16fd): undefined reference to `json_stringn'
client.c:(.text+0x172d): undefined reference to `json_stringn'
client.c:(.text+0x1878): undefined reference to `json_stringn'
client.o: In function `get_client_ldap':
client.c:(.text+0x3044): undefined reference to `json_stringn'
client.o:client.c:(.text+0x3075): more undefined references to `json_stringn' follow
client.o: In function `is_client_valid':
client.c:(.text+0x4581): undefined reference to `json_string_length'
client.c:(.text+0x45a2): undefined reference to `json_string_length'
client.c:(.text+0x45c9): undefined reference to `json_string_length'
client.c:(.text+0x482f): undefined reference to `json_string_length'
client.c:(.text+0x4850): undefined reference to `json_string_length'
client.o:client.c:(.text+0x4a18): more undefined references to `json_string_length' follow
collect2: error: ld returned 1 exit status
make: *** [glewlwyd] Error 1

So I have the Server Setup

Now how do I access it with my node app? These are my values and how I access GitHub OAuth2.
How can I get my client id and secret using the OAuth2 server? Sorry, I am a noob to OAuth2, but I got your server running including jwt and db by Readme.md and Install.md. Will make a deb for it for you soon!

// Configuration object for the Node OAuth2 client (simple-oauth2 is assumed
// from the authorizationCode.authorizeURL() call used below).
const credentials = {
  client: {
    idParamName: 'client_id', // client_id
    secretParamName: 'client_secret', // client_secret
    // github - working
    id: 'xxxxxxxxxxxxxxxxxxx',
    secret: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  },
  auth: {
    // github - working
    tokenHost: 'https://github.com',
    tokenPath: '/login/oauth/access_token',
    authorizePath: '/login/oauth/authorize',
  },
  http: {
    headers: { Accept: 'application/json' },
  },
  options: {
    bodyFormat: 'form', // form or json
    useBasicAuthorizationHeader: 'true',
    useBodyAuth: 'true',
  },
};
const oauth2 = require('simple-oauth2').create(credentials);

// Build the URL the browser is sent to for the authorization code flow
var authorizationUri = oauth2.authorizationCode.authorizeURL({
  redirect_uri: 'https://comain.com/callback',
  scope: 'notifications', //github - working
  state: 'XXXXXX', //hidden for security
});

Getting an unauthorized_client error, when setting a client confidential

Hi i cannot get an confidential client to work.

If i uncheck the confidential checkbox everything works fine. But when i check it and set the password to testclient (the clientid is testclient, too) i always get an unauthorized_client response:

http-bio-8080-exec-3 06/03/2019 17:07:52,902 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 >> "POST /api/token HTTP/1.1[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,903 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 >> "Authorization: Basic dGVzdGNsaWVudDp0ZXN0Y2xpZW50[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,903 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 >> "Content-Length: 171[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,903 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,903 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 >> "Host: localhost:4593[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,903 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 >> "Connection: Keep-Alive[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,903 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 >> "User-Agent: Apache-HttpClient/4.5.1 (Java/1.8.0_144)[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,904 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 >> "Accept-Encoding: gzip,deflate[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,904 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 >> "[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,904 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 >> "grant_type=authorization_code&code=75c8d083-37f3-4103-9178-08817ae47090&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2FXXX%2FREST%2FUser%2FXXX&client_id=testclient"
http-bio-8080-exec-3 06/03/2019 17:07:52,906 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 << "HTTP/1.1 403 Forbidden[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,906 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 << "Connection: Keep-Alive[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,906 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 << "Content-Length: 31[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,906 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 << "Content-Type: application/json[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,906 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 << "Pragma: no-cache[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,906 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 << "Cache-Control: no-store[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,907 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 << "Access-Control-Allow-Credentials: true[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,907 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 << "Access-Control-Allow-Origin: *[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,907 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 << "Date: Wed, 06 Mar 2019 16:07:52 GMT[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,907 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 << "[\r][\n]"
http-bio-8080-exec-3 06/03/2019 17:07:52,907 | DEBUG | org.apache.http.wire | wire | http-outgoing-16 << "{"error":"unauthorized_client"}"

Any idea whats wrong with my request?

Cannot manage Glewlwyd

Hey there, coming from rafaelhdr/glewlwyd-oauth2-server#3, I just set up glewlwyd on a test server behind nginx (which handles SSL, among others). I followed the installation steps to the point and got Glewlwyd running, the web app is accessible, I can log in, too. But the index page continues to tell me both "Hello username" and "Please log in to the application":
(Screenshot 2018-01-12 18:40:44)

Clicking on login, I'm told "You are connected as username, What do you wish for?". I can successfully change my profile data at /profile.html.

Looking at the sessions table, though, there seems to be something wrong:
(Screenshot 2018-01-12 18:30:06)

For reference, here's my nginx configuration, which should be fine, I think. What it does:

  1. Redirect HTTP to HTTPS
  2. Serve static files through nginx (nothing against Ulfius, I just like my web servers to stay consistent) if possible, otherwise through the glewlwyd upstream
  3. Serve /api and /config through the glewlwyd upstream
# redirect to HTTPS
server {
  listen      80;
  server_name auth.server.tld;

  location / {
    return 301  https://$host$request_uri;
  }
}

server {
  listen      443 ssl http2;
  server_name auth.server.tld;

  ssl_certificate     /etc/nginx/certs/auth.server.tld/fullchain.pem;
  ssl_certificate_key /etc/nginx/certs/auth.server.tld/privkey.pem;
  include             ssl.conf;

  location @auth {
    proxy_pass       http://auth;

    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme; 
  }

  location /admin {
    root /var/www/auth/public;
    index index.html;

    try_files $uri $uri/ @auth;
  }

  location /api {
    try_files $uri @auth;
  }

  location /config {
    try_files $uri @auth;
  }
}

Relevant glewlwyd.conf lines:

# url prefix
url_prefix="api"

# path to static files for /admin url
static_files_path="/var/www/auth/public"

# static files prefix
static_files_prefix = "admin"

# login and grant urls
login_url="https://auth.db.sevigne.de/admin/login.html?"
grant_url="https://auth.db.sevigne.de/admin/grant.html?"

Any idea what is wrong here? I'm sure I've made a stupid mistake somewhere.

On a side note - how on earth did you come up with the name? It sounds a little Gaelic to me, but considering you're from Québec City that's somehow improbable 😄

[Feature Request] Logging for 401 response and possible Json response

Hi,

I am currently battling with the Admin interface. All requests return 401, despite the fact that I am logged in. https://my.domain.com/api/user/?limit=10. Can we add some logging providing a specific reason why and most importantly that it returned 401.

My token is valid and the signature checks out

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJleHBpcmVzX2luIjo4MjAwLCJpYXQiOjE1NDk4NDM5OTksInNhbHQiOiImNTdBWUxaYWdXPChGQVY1IiwidHlwZSI6ImFjY2Vzc190b2tlbiIsInVzZXJuYW1lIjoiYWRtaW4ifQ.abcd1234

By the way, I am using the latest release. The current quickstart docker image works perfectly. :(

Thanks for creating the project by the way :)

"Authorization types" in client configuration are not checked

Describe the issue
I use the docker image babelouest/glewlwyd:latest (from 11/3/2019, digest 9347e5910a70) for deploying Glewlwyd 2.0.0 in Kubernetes.
I have configured a client without any "Authorization types" in the client account configuration, and I can still obtain an access token for this client with the Client Credentials flow.
I checked: no matter what you set in "Authorization types" in the client account (set nothing, 'none', 'something,without,sense' - it is possible with clients in LDAP ;) - you can always get an access token in the client_credentials flow (I didn't check other flows).

To Reproduce
Configure a client without any "Authorization types" and try to get an access token in the Client Credentials flow.

Expected behavior
You can obtain an access token in the Client Credentials flow only for a client with "client" configured in "Authorization types".

System (please complete the following information):

  • OS/Environment [Debian]
  • Browser used [Mozilla Firefox 68.3.0esr]
  • Glewlwyd Version [2.0.0 - docker from babelouest/glewlwyd:latest (from 11/3/2019, digest 9347e5910a70)]
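Two of the reports on this page, the confidential client rejected with `unauthorized_client` (wire log above) and the client with no "Authorization types" that still obtains a token through the client credentials flow, both come down to what a token endpoint has to verify before issuing a token. The following is an added example and not Glewlwyd's code: it decodes the `Authorization: Basic` header exactly as it appears in the captured request (`dGVzdGNsaWVudDp0ZXN0Y2xpZW50` is `testclient:testclient`), checks a confidential client's secret without an early exit, rejects a body `client_id` that contradicts the header, and only then checks the requested `grant_type` against the client's allowed authorization types, so that an empty list allows nothing. The registry layout, `check_token_request`, the error enum and the two demo clients are assumptions made for the demo.

```c
/* Added example (not Glewlwyd's code): token-endpoint client authentication
 * and grant-type authorisation. Registry, names and error codes are assumed. */
#include <string.h>

struct client_rec {                   /* constructed registry entry */
    const char *client_id;
    const char *client_secret;        /* plaintext only for the demo */
    int confidential;                 /* 1 = must authenticate (RFC 6749 2.3.1) */
    const char *authorization_types;  /* space-separated grant types allowed */
};

enum token_err { TOKEN_OK = 0, TOKEN_INVALID_CLIENT, TOKEN_UNAUTHORIZED_CLIENT, TOKEN_INVALID_REQUEST };

/* Standard-alphabet base64 decode with '=' padding; returns length or -1. */
static int b64_decode(const char *in, unsigned char *out, size_t cap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t len = strlen(in), i, o = 0;
    unsigned int acc = 0; int bits = 0;
    const char *p;
    if (len == 0 || len % 4 != 0) return -1;
    for (i = 0; i < len; i++) {
        if (in[i] == '=') { if (i + 2 < len) return -1; continue; }  /* padding only at the end */
        p = strchr(tbl, in[i]);
        if (p == NULL) return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= cap) return -1;
            out[o++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)o;
}
/* Compare secrets without an early exit on the first differing byte. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char d = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}
/* Exact token match in a space-separated list; an empty list allows nothing. */
static int grant_allowed(const char *types, const char *grant) {
    size_t gl = strlen(grant);
    const char *p = types, *e;
    while (*p != '\0') {
        while (*p == ' ') p++;
        for (e = p; *e != '\0' && *e != ' '; e++) ;
        if ((size_t)(e - p) == gl && memcmp(p, grant, gl) == 0) return 1;
        p = e;
    }
    return 0;
}
/* authz: Authorization header value or NULL; body_id: client_id form field or NULL. */
enum token_err check_token_request(const struct client_rec *clients, size_t n,
                                   const char *authz, const char *body_id,
                                   const char *grant_type) {
    char buf[256];
    const char *id = NULL, *secret = NULL;
    const struct client_rec *c = NULL;
    size_t i;
    if (authz != NULL && strncmp(authz, "Basic ", 6) == 0) {
        int dl = b64_decode(authz + 6, (unsigned char *)buf, sizeof buf - 1);
        char *colon;
        if (dl < 0) return TOKEN_INVALID_CLIENT;
        buf[dl] = '\0';
        colon = strchr(buf, ':');
        if (colon == NULL) return TOKEN_INVALID_CLIENT;
        *colon = '\0';
        id = buf;            /* RFC 6749 2.3.1 also percent-decodes both parts; */
        secret = colon + 1;  /* skipped here for brevity */
        if (body_id != NULL && strcmp(body_id, id) != 0) return TOKEN_INVALID_REQUEST;
    } else if (body_id != NULL) {
        id = body_id;        /* public client identifying itself in the body only */
    } else {
        return TOKEN_INVALID_CLIENT;
    }
    for (i = 0; i < n; i++)
        if (strcmp(clients[i].client_id, id) == 0) c = &clients[i];
    if (c == NULL) return TOKEN_INVALID_CLIENT;
    if (c->confidential && (secret == NULL || !ct_equal(c->client_secret, secret)))
        return TOKEN_INVALID_CLIENT;         /* authentication failed */
    if (!grant_allowed(c->authorization_types, grant_type))
        return TOKEN_UNAUTHORIZED_CLIENT;    /* authenticated, grant not enabled */
    return TOKEN_OK;
}
static const struct client_rec demo_clients[] = {   /* constructed registry */
    { "testclient", "testclient", 1, "authorization_code client_credentials" },
    { "noauthtypes", "s3cret", 1, "" },               /* nothing enabled */
};
#define N_DEMO (sizeof demo_clients / sizeof demo_clients[0])
/* Replays the captured request: the Basic value decodes to testclient:testclient */
enum token_err demo_captured_request(void) {
    return check_token_request(demo_clients, N_DEMO,
        "Basic dGVzdGNsaWVudDp0ZXN0Y2xpZW50", "testclient", "authorization_code");
}
```

`invalid_client` and `unauthorized_client` are deliberately distinct in RFC 6749 §5.2: the first means the client failed to authenticate, the second that it authenticated but is not enabled for the grant it asked for, which is the check the second report above found missing. Logging which of the two fired, together with the client_id, is what makes a 403 like the one in the wire log diagnosable from the server side.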

Could you update docker image (2.0.0 is from 11/3/2019)?

I use the docker image from babelouest/glewlwyd (tag: latest) and I have a few issues, but the docker image is from 11/3/2019 for the 2.0.0 version, and there are over 200 commits in the GitHub repo since; maybe these issues are solved, but we need a newer docker image?

glewlwyd.conf.sample typo

It serves me right to just copy the sample config and edit, but there's a typo on:

refresh_token_expiation.

It's missing the r.

It's all good though, only spent about 2 days finding it :-)

flow of user login

Hello, first of all thank you very much for your help weeks before, now I can implement glewlwyd with my own system. Yet, there are some problems that I need to assert because it gave some headaches in these time.

  1. Do you have any flow chart or little explanations regarding the login process of user? I found that when I tried to login, and wanted to get an authorization token, I need to send redirection url as one of its request parameters. Is there any way that I can access authorization token with normal xmlHttpRequest/fetch without needing to "redirect" to another page?
  2. Sometimes when I tried to get an authorization token, the response of redirection was error=unauthorized_client. I did set the redirect_uri in the webapp manager to my own local address. I said sometimes because it often works but in some cases (randomly, seems like I can't reproduce it with ease) it gave that error. Do you know what factors that drove the condition to be triggered?

Thank you very much :)

Default credentials do not work on docker container

Describe the issue
When deploying the docker test container as per the documentation, the default credentials as documented (admin password) do not seem to work.

To Reproduce
I started the docker container using:
docker run -v oauth_config:/etc/glewlwyd -p 4593:4593 --name oauth --detach babelouest/glewlwyd

Because my docker machine is on another server I edited the config files as follows:
config.json:
"GlewlwydUrl": "http://my.internal.dns.name:4593/",
"ProfileUrl": "http://my.internal.dns.name:4593/profile.html",
"AdminUrl": "http://my.internal.dns.name:4593/index.html",
"LoginUrl": "http://my.internal.dns.name:4593/login.html",
glewlwyd.conf:
external_url="http://my.internal.dns.name:4593"

Expected behavior
Successful login

Screenshots
The container puts out the following log:
Glewlwyd WARNING: Security - Authorization invalid for username admin at IP Address

System (please complete the following information):

  • OS/Environment [e.g. Debian Stretch, Ubuntu 19.04]
    Ubuntu 16.04
  • Browser used [e.g. Mozilla Firefox 69, Chrome 77, lynx 2.9]
    Chrome Version 78.0.3904.108
  • Glewlwyd Version [e.g. 2.0.0, 1.4.9]
    Current docker image
  • Source installation [e.g. Distribution package, GitHub package, build from source]
    Docker Hub
  • If applicable, what option did you use to build Glewlwyd
    N/A

Additional context
None

fail to launch

Hi, I got a problem with the lib ulfius. Maybe you know what the problem is.

sudo ./glewlwyd --config-file=glewlwyd.conf
./glewlwyd: error while loading shared libraries: libulfius.so: cannot open shared object file: No such file or directory

ulfius is installed from git (make install output)

cp libulfius.so.2.0 /usr/local/lib
cp ulfius.h /usr/local/include
ldconfig -r /usr/local

With clients in LDAP you can't add/configure Glewlwyd OpenID Connect Plugin

Describe the issue
When you add the LDAP backend client module (a valid one!), after logout/login you can't add/configure the Glewlwyd OpenID Connect Plugin.
I set the log level to DEBUG, but logs are produced only when LDAP is misconfigured:

2020-01-03T12:32:04 - Glewlwyd ERROR: connect_ldap_server client - Error binding to ldap server mode (null): Can't contact LDAP server
2020-01-03T12:32:04 - Glewlwyd ERROR: client_module_count_total ldap - Error connect_ldap_server

To Reproduce
Add a properly configured LDAP backend client module (you can list LDAP clients in the Glewlwyd frontend), log out from Glewlwyd, log in and go to Parameters/Plugins and try to add/reconfigure the Glewlwyd OpenID Connect Plugin.
(When the LDAP backend is not working, e.g. misconfigured, after relogin you can work with the Glewlwyd OpenID Connect Plugin.)

Expected behavior
You can add/reconfigure OID plugin with working LDAP Clients plugin.

Screenshots
Issue_no_OID

System (please complete the following information):

  • OS/Environment [Debian bullseye]
  • Browser used [68.3.0esr]
  • Glewlwyd Version [official docker 2.0.0 and docker made from source from 20200102]

Not able to start the service

Sorry to annoy again, after the setup as per the Readme I tried to start the service using the command below, which says the service started OK, but actually the service is not running. I verified in the browser as well as using the ps command.

$ sudo ./glewlwyd-init start --config-file=glewlwyd.conf
Starting Glewlwyd OK

Also, the start-stop-daemon was not available for CentOS, therefore I am using a direct binary of the same, which I downloaded from a website. Please help in debugging what's going wrong.

You are not authorized to connect to this application

I have just done a clean Ubuntu 16.04 server build and I got as far as the manager and I am getting:

You are not authorized to connect to this application

image

If I go to /app/login.html it says I am logged in
image

I tried putting the webapp in different places and did a chmod -R a+r, but get the same result. The git clone was a couple of hours ago so it should be up to date.

Glewlwyd 2.0 roadmap

I'm thinking about improvement that will be useful for Glewlwyd in the next release.

If you're willing to help, by making pull requests or helping me guiding Glewlwyd to a better future, feel free to do so!

If you have feature requests that you think may be useful or interesting, you can post comments on this issue.

The core will still be written in C with Ulfius/Hoel libraries and the goal will still be to provide an application to delegate authentication for http based services.

Since I had some feature requests for new authentication methods such as TOTP, and I guess other authentication methods may be required by others, I will implement a modular way to add new authentication back-ends, with dynamic libraries.

Also, being able to provide other authentication process than OAuth2 would be a good idea, although I'm not sure how to handle that without designing a dangerous monster. So I won't make this a priority, but I'll think about it.

The front-end will be pimped too, but I don't want to reprogram all of it, so it will not change that much.

Finally, I realized that in the profile page, having just the ip address to identify a session or a refresh token is not enough, I will add the client id and the user agent too.

This is where I'm at on the design right now, hope the to do list will get bigger, but not too much....

Grant Access (Redirect Callback) Doesn't Work

Hello there @babelouest .

Screen Cast

So as in the animated picture above, we can't redirect to the callback URL after we have successfully authenticated. We also cannot input the redirect URL in the client page using Administrator, is this a bug? After input at the client tab, the redirect URI textbox remains NULL.

image

How do we redirect in the newest glewlwyd?

Also mention @nicabreon

Inconsistent grant list separator

Hi,

I ran into an odd issue when trying to use the builtin management app. Turns out the scope list sent from grant.html is separated by a "+", but the logic in auth_check_user_scope_database() uses a " " (space). See the following two backtraces from gdb:

[Switching to Thread 0xb65ffb40 (LWP 8769)]
Breakpoint 1, auth_check_user_scope_database (config=0x808fa18,
    username=0xb5c00a28 "admin", scope_list=0xb5c01410 "g_admin g_profile")
    at user.c:552
552       char * scope, * scope_escaped, * saveptr, * scope_list_escaped = NULL, * scope_list_save = o_strdup(scope_list), * login_escaped = h_escape_string(config->conn, username), * scope_list_join;
(gdb) bt
#0  auth_check_user_scope_database (config=0x808fa18,
    username=0xb5c00a28 "admin", scope_list=0xb5c01410 "g_admin g_profile")
    at user.c:552
#1  0x0805c88c in auth_check_user_scope (config=0x808fa18,
    username=0xb5c00a28 "admin", scope_list=0xb5c01410 "g_admin g_profile")
    at user.c:637
#2  0x08051cba in check_auth_type_implicit_grant (request=0xb5c03d48,
    response=0xb5c00f18, user_data=0x808fa18) at oauth.c:236
#3  0x08053aed in callback_glewlwyd_authorization (request=0xb5c03d48,
    response=0xb5c00f18, user_data=0x808fa18) at webservice.c:59
#4  0xb7e18ff3 in ulfius_webservice_dispatcher ()
   from /usr/local/lib/libulfius.so
#5  0xb7bf6dff in ?? () from /usr/lib/i386-linux-gnu/libmicrohttpd.so.10
#6  0xb7bf836f in ?? () from /usr/lib/i386-linux-gnu/libmicrohttpd.so.10
#7  0xb7c033c6 in ?? () from /usr/lib/i386-linux-gnu/libmicrohttpd.so.10
#8  0xb7bfb863 in ?? () from /usr/lib/i386-linux-gnu/libmicrohttpd.so.10
#9  0xb7bddecb in start_thread (arg=0xb65ffb40) at pthread_create.c:309
#10 0xb7f10d0e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129

[BT 2]
Breakpoint 1, auth_check_user_scope_database (config=0x808fa18,
    username=0xb5c009b8 "admin", scope_list=0xb5c06400 "g_admin+g_profile")
    at user.c:552
552       char * scope, * scope_escaped, * saveptr, * scope_list_escaped = NULL, * scope_list_save = o_strdup(scope_list), * login_escaped = h_escape_string(config->conn, username), * scope_list_join;
(gdb) bt
#0  auth_check_user_scope_database (config=0x808fa18,
    username=0xb5c009b8 "admin", scope_list=0xb5c06400 "g_admin+g_profile")
    at user.c:552
#1  0x0805c88c in auth_check_user_scope (config=0x808fa18,
    username=0xb5c009b8 "admin", scope_list=0xb5c06400 "g_admin+g_profile")
    at user.c:637
#2  0x0805412e in callback_glewlwyd_set_user_scope_grant (request=0xb5c05f00,
    response=0xb5c016f8, user_data=0x808fa18) at webservice.c:179
#3  0xb7e18ff3 in ulfius_webservice_dispatcher ()
   from /usr/local/lib/libulfius.so
#4  0xb7bf6dff in ?? () from /usr/lib/i386-linux-gnu/libmicrohttpd.so.10
#5  0xb7bf836f in ?? () from /usr/lib/i386-linux-gnu/libmicrohttpd.so.10
#6  0xb7c033c6 in ?? () from /usr/lib/i386-linux-gnu/libmicrohttpd.so.10
#7  0xb7bfb863 in ?? () from /usr/lib/i386-linux-gnu/libmicrohttpd.so.10
#8  0xb7bddecb in start_thread (arg=0xb65ffb40) at pthread_create.c:309
#9  0xb7f10d0e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129

I managed to hack around with something like

-    scope = strtok_r(save_scope_list, " ", &saveptr);
+    char sep = ' ';
+    char * tmp_scope = msprintf("%s", scope_list);
+    if(strchr(tmp_scope, '+') != NULL) {
+      sep = '+';
+    }
+    o_free(tmp_scope);
+    scope = strtok_r(save_scope_list, &sep, &saveptr);
     while (scope != NULL) {
       // Check if this user hasn't granted access to this client for this scope
       scope_escaped = h_escape_string(config->conn, scope);
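Review bot: `strtok_r(save_scope_list, &sep, &saveptr)` passes the address of a single `char` where strtok_r expects a NUL-terminated delimiter string, so the delimiter set becomes whatever bytes happen to follow `sep` on the stack; declare it as a string instead (`const char * sep = " ";` and `sep = "+";`). The `msprintf`/`o_free` round trip is also unnecessary, since `strchr(scope_list, '+')` reads the original string without modifying it. Keep in mind that `+` is how application/x-www-form-urlencoded encodes a space, so the separator this function sees depends on whether the request body was decoded before it got here; decoding the scope parameter where the request is parsed is more robust than sniffing for `+` inside the scope checker.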
@@ -132,7 +138,7 @@ int grant_client_user_scope_access(struct config_elements * config, const char *
       }
       o_free(scope_escaped);
       json_decref(j_result);
-      scope = strtok_r(NULL, " ", &saveptr);
+      scope = strtok_r(NULL, &sep, &saveptr);
     }
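Review bot: the same `&sep` problem applies to `strtok_r(NULL, &sep, &saveptr)`; once `sep` is a `const char *` this becomes `strtok_r(NULL, sep, &saveptr)`, and the declaration from the first hunk has to remain in scope for the whole `while` loop for this line to compile.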

but I know nothing about C and I'm pretty sure this is a silly config error on my side. Any Ideas?

thanks
Paul

"Read only" in "Client data sources" is not honored by frontend

Describe the issue
After adding the "LDAP backend client module" with "Read only" checked, the frontend still shows "Read only": "No".
In the database (I use MariaDB as the backend for the glewlwyd config) I can see:

> SELECT gcmi_module, gcmi_readonly FROM g_client_module_instance WHERE gcmi_module = 'ldap';
+-------------+---------------+
| gcmi_module | gcmi_readonly |
+-------------+---------------+
| ldap        |             1 |
+-------------+---------------+
1 row in set (0.001 sec)

but in the frontend it is still "Read only": "No", so every time you have to remember to mark "Read only" again if you want to change the configuration (without "Read only" you have to refill a few more fields).

To Reproduce
Add the "LDAP backend client module" with "Read only" checked and after saving the config check it again.

Expected behavior
Read only is honored by backend.

Screenshots
Issue_read_only

System (please complete the following information):

  • OS/Environment [Debian GNU/Linux bullseye]
  • Browser used [Mozilla Firefox 68.3.0esr]
  • Glewlwyd Version [2.0.0 docker image babelouest/glewlwyd:latest from 11/3/2019 Digest
    9347e5910a70]

Ubuntu 14.04 build

Thought I would share what I found necessary to build under Ubuntu 14.04.

sudo apt-get install libcurl4-gnutls-dev uuid-dev libldap2-dev libsqlite3-dev libconfig-dev libgnutls-dev libssl-dev libmysqlclient-dev libtool autoconf

wget https://github.com/akheron/jansson/archive/v2.11.tar.gz
tar -xf v2.11.tar.gz
cd jansson-2.11
autoreconf -i
./configure
make
sudo make install
cd ..

git clone https://github.com/benmcollins/libjwt.git
cd libjwt
autoreconf -i
./configure
make
sudo make install
cd ..

git clone https://github.com/babelouest/orcania.git
cd orcania/src
make static
sudo make static-install
cd ../..

git clone https://github.com/babelouest/yder.git
cd yder/src
make Y_DISABLE_JOURNALD=1 CPPFLAGS=-DY_DISABLE_JOURNALD static
sudo make static-install
cd ../..

git clone https://github.com/babelouest/ulfius.git
cd ulfius/src
make static
sudo make static-install
cd ../..

git clone https://github.com/babelouest/hoel.git
cd hoel/src
make DISABLE_POSTGRESQL=1 static
sudo make static-install
cd ../..

wget http://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd-0.9.59.tar.gz
tar -xf libmicrohttpd-0.9.59.tar.gz
cd libmicrohttpd-0.9.59
./configure
make
sudo make install
cd ..

git clone https://github.com/babelouest/glewlwyd.git
cd glewlwyd/src
make LDFLAGS="-lmicrohttpd -lcurl -lsqlite3 `mysql_config --libs_r` -Wl,-rpath -Wl,/usr/local/lib"

Improve logging

I've set the following log settings:

# log mode (console, syslog, file)
log_mode="file"

# log level: NONE, ERROR, WARNING, INFO, DEBUG
log_level="DEBUG"

# output to log file (required if log_mode is file)
log_file="/var/log/glewlwyd.log"

Still, the log file only shows INFO entries. I just tried updating the email address of my admin user, resulting in a 400 response, showing "Error updating user", because I didn't remove nor set the additional_property_name that is included in the config by default. Now, the erroneous response contained the JSON [{"additional_property_value":"additional_property_value is an optional string between 0 and 512 characters"}], so it's pretty clear what causes the issue (even though the optional slightly confuses me, since it doesn't seem to be optional). I'd expect an error like that to show up in the log, but to no avail:

2018-01-12 18:05:19 - Glewlwyd INFO: Start glewlwyd on port 4593, prefix: api, secure: false
2018-01-12 18:06:50 - Glewlwyd INFO: Glewlwyd caught a stop or kill signal (15), exiting
2018-01-12 18:06:50 - Glewlwyd INFO: Starting Glewlwyd Oauth2 authentication service
2018-01-12 18:06:50 - Glewlwyd INFO: Start glewlwyd on port 4593, prefix: api, secure: false
2018-01-12 18:07:17 - Glewlwyd INFO: Glewlwyd caught a stop or kill signal (15), exiting
2018-01-12 18:07:17 - Glewlwyd INFO: Starting Glewlwyd Oauth2 authentication service
2018-01-12 18:07:17 - Glewlwyd INFO: Start glewlwyd on port 4593, prefix: api, secure: false
2018-01-12 18:08:42 - Glewlwyd INFO: Glewlwyd caught a stop or kill signal (15), exiting
2018-01-12 18:08:42 - Glewlwyd INFO: Starting Glewlwyd Oauth2 authentication service
2018-01-12 18:08:42 - Glewlwyd INFO: Start glewlwyd on port 4593, prefix: api, secure: false

Don't get me wrong, I'm incredibly impressed by Glewlwyd and am determined to use it as the authentication server for my current, large project 😊

How do you change web app front?

Hello, in these past three days I've been wanting to redesign your web app front end based on my needs. I created my own code base using React and not in the default directory. But when I tried to fetch a URL (e.g. http://localhost:4593/app/auth/user), I found that in my redesigned web app the result of that action was 403 Forbidden. Why did it end up like this? Or can glewlwyd only accept requests from the directory that has been set up before in glewlwyd.conf? Your answer is very much appreciated! Thank you!

Let's Encrypt TLS Certificate usage in glewlwyd

Hello Nico,
I am using let's encrypt TLS from certbot, and this is the conf I wrote in glewlwyd.conf I use:

# TLS/SSL configuration values
use_secure_connection=true
secure_connection_key_file="/etc/letsencrypt/live/domain/privkey.pem"
secure_connection_pem_file="/etc/letsencrypt/live/domain/cert.pem"
secure_connection_ca_file="/etc/letsencrypt/live/domain/chain.pem"

The web and API is running well using browser:
image

but it doesn't work well with CURL, Insomnia or Postman alike:
image

image

I tried to extract the CA cert of the server:
image

Thanks before Nico..

unsigned int vs long in RHEL libconfig.

Not sure if it's just RHEL 6, but I had issues with all the unsigned ints in the config struct: the config_lookup_int library function has long as param 3, so it was trashing 4 bytes of the next config option in the master config structure each time it got a value. Fixed by changing all appropriate unsigned ints to longs in the .h. (refresh_token_expiration was being trashed by a later grab of session_expiration, since it sits just above it in the .h struct.) The code didn't crash but it appeared as a bug where refresh_token_expiration was always seemingly zero despite the config being set. Walking through the code highlighted it was being set to 0 by:

config_lookup_int(&cfg, "session_expiration", &config->session_expiration);

The long param as per libconfig.h:

extern LIBCONFIG_API int config_lookup_int(const config_t *config,
                                           const char *path, long *value);

sizeof unsigned int: 4
sizeof long: 8.
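As an added example (not code from the post or from Glewlwyd), the following C program reproduces the mechanism described above and shows a fix that does not depend on which integer width the library uses. The libconfig 1.3 series shipped with RHEL 6 declares the third parameter as long *, while later releases declare it as int *; changing the struct fields to long, as the post did, only works while the header and the installed library agree. Reading into a local of the library's type, range-checking, and then assigning to the narrower field is robust against either signature. The two-field struct, the field order, the stand-in old_config_lookup_int and the values it returns are all constructed for this demo and are not Glewlwyd's real layout or data.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two adjacent unsigned int fields, standing in for the config struct the
 * post describes. Names and order are an assumption for this demo only. */
struct demo_config {
  unsigned int session_expiration;
  unsigned int refresh_token_expiration;
};

/* Stand-in for the old libconfig signature quoted in the post
 * (int config_lookup_int(const config_t *, const char *, long *)):
 * the callee stores a full `long` through the pointer it is handed.
 * The returned values are constructed for the demo. */
static int old_config_lookup_int(const char *path, long *value) {
  if (strcmp(path, "session_expiration") == 0) { *value = 2419200L; return 1; }
  if (strcmp(path, "refresh_token_expiration") == 0) { *value = 1209600L; return 1; }
  return 0;
}

/* The bug: the address of a 4-byte field receives a sizeof(long)-byte store.
 * The post did this through a mismatched pointer type; here the store is
 * reproduced with memcpy over the struct's own bytes so the demo stays within
 * defined behaviour. On an LP64 little-endian host the high 4 bytes of the
 * long (zero for any value below 2^32) land on the neighbouring field.
 * Returns what refresh_token_expiration holds afterwards. */
static unsigned int buggy_read_session_expiration(struct demo_config *cfg) {
  long tmp = 0;
  cfg->refresh_token_expiration = 1209600u;          /* already loaded */
  old_config_lookup_int("session_expiration", &tmp);
  memcpy((char *)cfg + offsetof(struct demo_config, session_expiration),
         &tmp, sizeof tmp);                           /* sizeof(long) bytes into a 4-byte slot */
  return cfg->refresh_token_expiration;
}

/* The fix: read into a local of the callee's type, range-check, then assign
 * to the narrower field. Works whether the library wants long * or int *. */
static int safe_lookup_uint(const char *path, unsigned int *out) {
  long tmp = 0;
  if (!old_config_lookup_int(path, &tmp)) return 0;
  if (tmp < 0 || (unsigned long)tmp > UINT_MAX) return 0;  /* would not fit */
  *out = (unsigned int)tmp;
  return 1;
}

static int load_demo_config(struct demo_config *cfg) {
  return safe_lookup_uint("session_expiration", &cfg->session_expiration)
      && safe_lookup_uint("refresh_token_expiration", &cfg->refresh_token_expiration);
}

/* Helpers that return plain values so the outcome can be checked directly. */
static int demo_safe_load_ok(void) {
  struct demo_config c = {0, 0};
  return load_demo_config(&c)
      && c.session_expiration == 2419200u
      && c.refresh_token_expiration == 1209600u;
}

static unsigned int demo_buggy_neighbour(void) {
  struct demo_config c = {0, 0};
  return buggy_read_session_expiration(&c);
}

int main(void) {
  printf("sizeof(unsigned int)=%zu sizeof(long)=%zu\n",
         sizeof(unsigned int), sizeof(long));
  printf("buggy: refresh_token_expiration after reading session_expiration = %u\n",
         demo_buggy_neighbour());
  printf("safe load ok = %d\n", demo_safe_load_ok());
  return 0;
}
```

On a 64-bit Linux host the buggy path reports refresh_token_expiration as 0 after the neighbouring lookup, which is exactly the symptom the post describes; on a 32-bit host, where long is 4 bytes, the same code happens to work, which is why the bug hides on one platform and shows on another.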

HTTP Auth backend

When I try to authenticate a user from the http-backend, everything goes well until login.js requests /api/profile_list.
It gets a 401 response, and authentication does not proceed (for some reason, a correct http-backend user is not authorized for profile_list).

Maybe I'm doing something wrong...

Request:
GET /api/profile_list HTTP/1.0
X-Real-IP: 10.4.250.1
X-Forwarded-For: 10.4.250.1
Host: auth.itstep.kiev.ua
Connection: close
accept: */*
x-requested-with: XMLHttpRequest
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
sec-fetch-mode: cors
sec-fetch-site: same-origin
referer: https://auth.itstep.kiev.ua/login.html?client_id=1c_QAZNMBVCDE%2311&scope=profile&callback_url=https%3a%2f%2fauth.itstep.kiev.ua%2fapi%2foidc%2fauth%3fclient_id%3d1c_QAZNMBVCDE%252311%26redirect_uri%3dhttps%253a%252f%252f172.18.0.2%252fOid%252fauthform.html%26response_type%3did_token%2btoken%26scope%3dprofile%26state%3d13c68c998a844bf395047fa497a865d9%26nonce%3df4baf524bd56428199a2e10a0373cc55
accept-encoding: gzip, deflate, br
accept-language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7
cookie: GLEWLWYD2_SESSION_ID=4JZGljqyHp5wzVWwo7wntnFaLcAFYqeNkEzWM6vBJlujPU5zKyB3deU2cXzYVSw6ZCk0C7Y8dwlNeO4dICNBGRyvgstoyNezV74MuqIPlDlPmTJNLminK8E2ah5gZFsz

Response:
HTTP/1.0 401 Unauthorized
Connection: close
Content-Length: 0
Pragma: no-cache
Cache-Control: no-store
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Date: Tue, 26 Nov 2019 17:48:06 GMT

Maybe there is some not-obvious way to link openid-connect with the http-backend?

Importing MariaDB/MySQL schema fails, and proposed fixes

mysql> SOURCE glewlwyd.mariadb.sql

Issue (1): Creation of g_reset_password failed, complaining about an invalid default value of grp_reset_at.
The fix could be allowing TIMESTAMP NULL as below.
-- Reset a user password
CREATE TABLE g_reset_password (
  grp_id INT(11) PRIMARY KEY AUTO_INCREMENT,
  grp_username VARCHAR(128) NOT NULL,
  grp_ip_source VARCHAR(64) NOT NULL,
  grp_token VARCHAR(512) NOT NULL,
  grp_enabled TINYINT(1) DEFAULT 1,
  grp_issued_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
  grp_reset_at TIMESTAMP NULL
);
CREATE INDEX i_g_reset_password_username ON g_reset_password(grp_username);

Issue (2): Creation of g_refresh_token failed, complaining about incorrect default values of grt_last_seen and grt_expired_at.
The fix could be allowing TIMESTAMP NULL as below.

-- Refresh token table, to store a signature and meta information on all refresh tokens sent
CREATE TABLE g_refresh_token (
  grt_id INT(11) PRIMARY KEY AUTO_INCREMENT,
  grt_hash VARCHAR(128) NOT NULL,
  grt_authorization_type INT(2) NOT NULL, -- 0: Authorization Code Grant, 1: Implicit Grant, 2: Resource Owner Password Credentials Grant, 3: Client Credentials Grant
  grt_username VARCHAR(128) NOT NULL,
  grt_issued_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
  grt_last_seen TIMESTAMP NULL,
  grt_expired_at TIMESTAMP NULL,
  grt_ip_source VARCHAR(64) NOT NULL,
  grt_enabled TINYINT(1) DEFAULT 1
);

Issue (3): This SQL statement appears after the creation of the g_access_token table. Just move the statement to follow the creation of g_refresh_token. It is a trivial fix though.
CREATE INDEX i_g_refresh_token_username ON g_refresh_token(grt_username);

Issue (4): Creation of g_refresh_token failed, complaining about incorrect default values of gss_last_seen and gss_expired_at.
The fix could be allowing TIMESTAMP NULL as below.

-- Session table, to store signature and meta information on session tokens sent
CREATE TABLE g_session (
  gss_id INT(11) PRIMARY KEY AUTO_INCREMENT,
  gss_hash VARCHAR(128) NOT NULL,
  gss_username VARCHAR(128) NOT NULL,
  gss_issued_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
  gss_last_seen TIMESTAMP NULL,
  gss_expired_at TIMESTAMP NULL,
  gss_ip_source VARCHAR(64) NOT NULL,
  gss_enabled TINYINT(1) DEFAULT 1
);
CREATE INDEX i_g_session_username ON g_session(gss_username);

After the above fixes, mysql> SOURCE glewlwyd.mariadb.sql went through.

webapp not working

Hi Nicolas!
I am unable to use the Glewlwyd admin page; I get the following error:

image

Can you help me with it?

Glewlwyd version 2.0.0-b1 on Devuan 9.

My configuration:

glewlwyd.conf
port=4593
external_url="http://localhost:4593"
login_url="login.html"
url_prefix="api"
static_files_path="/usr/share/glewlwyd/webapp"
allow_origin="*"
log_mode="console"
log_level="DEBUG"
session_expiration=2419200
session_key="GLEWLWYD2_SESSION_ID"
admin_scope="g_admin"
profile_scope="g_profile"
user_module_path="/usr/local/lib/glewlwyd/user"
client_module_path="/usr/local/lib/glewlwyd/client"
user_auth_scheme_module_path="/usr/local/lib/glewlwyd/scheme"
plugin_module_path="/usr/local/lib/glewlwyd/plugin"
use_secure_connection=false
hash_algorithm = "SHA512"
database =
{
type = "mariadb"
host = "localhost"
user = "glewlwyd"
password = "glewlwyd"
dbname = "glewlwyd"
port = 0
}

config.json
{
"GlewlwydApiUrl": "http://localhost:4593",
"ProfileUrl": "http://localhost:4593/profile.html",
"AdminUrl": "http://localhost:4593/index.html",
"LoginUrl": "http://localhost:4593/login.html",
...

Thanks!

Access profile endpoint in oauth2 plugin

Describe the issue

I have a question: how do I get the logged-in user's info (email or username, etc.)?

To Reproduce

1. Picking up the access_token works:

    // Node.js, inside an async function; axios and qs are the modules used below
    const axios = require('axios')
    const qs = require('qs')

    // Exchange the authorization code for tokens at the oauth2 plugin's token endpoint
    const response = await axios({
      method: 'post',
      url: `http://localhost:4593/api/glwd/token`,
      headers: {
        accept: 'application/x-www-form-urlencoded'
      },
      data: qs.stringify({
        grant_type: `authorization_code`,
        code: `${requestToken}`,
        redirect_uri: `${redirect_uri}`,
        client_id: `${clientID}`
      })
    })

    const accessToken = response.data.access_token

2. The profile request's response status is OK (200) but there is no data:

    // Call the profile endpoint with the access token as a bearer token
    const session = await axios({
      method: 'get',
      url: `http://localhost:4593/api/glwd/profile/session`,
      headers: {
        Authorization: `Bearer ${accessToken}`
      },
    })

    // session.data === {} // no data.

Expected behavior

I was expecting response.data to be:

{
 email: '[email protected]',
 username: 'test1'
}

But there is no data. => {}


System:

  • OS/Environment: ubuntu 19.04
  • Browser used: Chrome 79.0.3945.88
  • Glewlwyd Version: glewlwyd 2.x


webapp: can't edit users/clients parameters

Hello, Nicolas!

Apparently in the webapp there is a problem with editing properties in the specific data format section. An error occurs when adding a new property: "Error while updating module".

Also, I didn't see the new custom properties in the user/client properties DB tables.
Checked with the default admin user with the g_admin/g_profile scopes enabled.

What can be wrong?

401 on /api/profile

When requesting /api/profile with a valid token, I get a 401 response without a body. The log file does not show an entry for the failed request, like it would for /api/token.
I tried this without any JS complexity, straight with curl:

$ curl 'https://auth.db.sevigne.de/api/profile' -H 'authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJleHBpcmVzX2luIjozNjAwLCJpYXQiOjE1MjQ2NTQxNzUsIm5ld19wcm9wZXJ0eSI6ImZvbyIsInNhbHqiOiJEXCIqUXYkZWJkOTltISZvVSIsInNjb3BlIjoibG9naW4iLCJ0eXBlIjoiYWNjZXNzX3Rva2VuIiwidXNlcm5hbWUiOiJ0ZXN0In0.-Q4h_yzB11BS0JUTL3eHM--_E0HGhjg1U8CdWQq0XVa094rTYKcfaF2oeDBJZz6EIlceIKqi64KhtFQe8a6OkA' -i
HTTP/2 401 
server: nginx/1.13.6
date: Wed, 25 Apr 2018 11:05:44 GMT
content-length: 0
pragma: no-cache
cache-control: no-store
access-control-allow-credentials: true
access-control-allow-origin: *

According to API.md#profile-api, this should work as above.
The user has the scope g_profile set. Is there anything else I'm missing?

Docker image

Hello,

Do you think about building this as a Docker image? If you need it, I would be happy to help you with this.

If you don't know Docker, it would make it very simple to start an instance with a single command (docker run babelouest/glewlwyd, and then it's just curl). Here is an example of an OAuth2 server on Docker: https://hub.docker.com/r/gisjedi/go-oauth2-server/

I made one image for testing (because the documentation is based on Debian, I built from a Docker Debian image), and it worked very well. I was thinking of a configurable Docker image, by adding a glewlwyd.conf (or by env vars). A good example is the MariaDB Docker documentation page: https://hub.docker.com/_/mariadb/

Do you think it is a good idea? Do you have any suggestions/recommendations?

PS: Thank you very much for this library. It is awesome.

Webapp's login.html is not rendered...

  1. I am able to build glewlwyd with dependencies, and the server runs.

Console log of the glewlwyd server:
2017-03-04T18:41:06 - Glewlwyd INFO: Starting Glewlwyd Oauth2 authentication service
2017-03-04T18:41:06 - Glewlwyd INFO: Start glewlwyd on port 4593, prefix: oauth, secure: false

  2. When I tried to load the login_url (http://localhost/oauth/login.html?), the login page is not displayed. It failed with http://localhost/config - file not found.

@babelouest, I am new to glewlwyd. Please help me in running the app.

webapp/login.html

window.onload = function () {
  params = getQueryParams(location.search);
  // fetch the API prefix from the server's config endpoint, then check the session
  $.get("../config/", function (result) {
    api_prefix = result.api_prefix;
    checkUser();
  });
};

First connection to the administration page is empty

Hi,

My system is Ubuntu Server 18.04. I've downloaded and compiled glewlwyd-2.0.0-b3 and went with make && sudo make install.

Then I did sqlite3 /var/cache/glewlwyd/glewlwyd.db < docs/database/init.sqlite3.sql and of course I made sure the path is writable by sudo chown -R me:me /var/cache/glewlwyd/.

In /usr/local/etc/glewlwyd/glewlwyd.conf the database setting is:

external_url="http://my_public_ip:4593"
# ...
database =
{
  type = "sqlite3"
  path = "/var/cache/glewlwyd/glewlwyd.db"
};

In the /usr/local/share/glewlwyd/webapp/config.json:

"GlewlwydUrl": "http://my_public_ip:4593/",
"ProfileUrl": "http://my_public_ip:4593/profile.html",
"AdminUrl": "http://my_public_ip:4593/index.html",
"LoginUrl": "http://my_public_ip:4593/login.html",

Then I ran glewlwyd as my own user: glewlwyd --config-file=/usr/local/etc/glewlwyd/glewlwyd.conf --log_mode=console --log-level=DEBUG

But the administrator page is nothing like the GETTING STARTED page; it's empty. And the logger doesn't say anything about it.

image

Did I miss or overlook something?

Many thanks for glewlwyd and your time on this.

Wrong redirect on auth

The callback url is https://172.18.0.2/Oid/authform.htm
The 302 redirect to that url looks like: Location: https://172.18.0.2/Oid/authform.html#state=%26state%3deb9b84b8b40941878101565e75da6f08&access_token=eyJhbG

The state param is incorrect...

LDAP group mapping

Is there a way to map LDAP groups to certain scopes? I can't seem to find any info on whether that is possible or how to do it.

Login with default credentials does not work

After building and configuring, login with the following credentials
admin
password

does not work. The authorisation page says that the login/password is incorrect.

And one other question: what is the rationale of using LDAP?

Some issue with http://localhost:4593/glewlwyd/<end points> especially, client related.

@babelouest, I am unable to debug what the source of the following error is.

Issue: I tried to add a client through the GUI app (webapp). I could not add a new client app. I tried again and again and succeeded; not sure why it failed before.

An error dialog pops up saying Error adding client...

Issue: I tried to update a client that was added in the step above. I got an error every time.

The browser log shows: http://localhost:4593/glewlwyd/client/picominer_dashboard 400 Bad Request.
Other http://localhost:4593/glewlwyd/ endpoints such as user/:user etc. are also failing with 4XX errors.

Not sure where the issue is.

Could you please look into it.

Sorry for troubling you.

Best Regards
Maruthi

Error Connecting Glewlwyd API

Hello Nicolas Mora,
I have tried the latest glewlwyd from INSTALL.md (https://github.com/babelouest/glewlwyd/blob/master/docs/INSTALL.md),
both compiling from source and using the .deb package; both have this error when accessing /, /login.html, and all possible routes.

image

This is the glewlwyd.conf passed with the --config-file arg, mainly copied from the included sample.

#
#
# Glewlwyd SSO Authorization Server
#
# Copyright 2016-2019 Nicolas Mora <[email protected]>
# Gnu Public License V3 <http://fsf.org/>
#
#

# port to open for remote commands
port=4593

# external url to access to this instance
external_url="http://MY_IP:4593"

# login url relative to external url
login_url="login.html"

# url prefix
url_prefix="api"

# path to static files for /webapp url
# static_files_path="/usr/share/glewlwyd/webapp/"
static_files_path="/ssoserver/webapp/"

# access-control-allow-origin value
allow_origin="*"

# log mode (console, syslog, journald, file)
log_mode="console"

# log level: NONE, ERROR, WARNING, INFO, DEBUG
log_level="DEBUG"

# output to log file (required if log_mode is file)
# log_file="/var/log/glewlwyd.log"
log_file = "/ssoserver/build/logglewlwyd.log"

# cookie domain
# cookie_domain="localhost"

# cookie_secure, this options SHOULD be set to 1, set this to 0 to test glewlwyd on insecure connection http instead of https
cookie_secure=0

# session expiration, default is 4 weeks
session_expiration=2419200

# session key
session_key="GLEWLWYD2_SESSION_ID"

# admin scope name
admin_scope="g_admin"

# profile scope name
profile_scope="g_profile"

# user_module path
# user_module_path="/usr/lib/glewlwyd/user"
user_module_path="/ssoserver/build/_user"

# client_module path
# client_module_path="/usr/lib/glewlwyd/client"
client_module_path="/ssoserver/build/_client"

# user_auth_scheme_module path
# user_auth_scheme_module_path="/usr/lib/glewlwyd/scheme"
user_auth_scheme_module_path= "/ssoserver/build/_scheme"

# plugin_module path
# plugin_module_path="/usr/lib/glewlwyd/plugin"
plugin_module_path="/ssoserver/build/_plugin"

# TLS/SSL configuration values
use_secure_connection=false
secure_connection_key_file="/etc/ssl/certs/cert.key"
secure_connection_pem_file="/etc/ssl/certs/cert.pem"
secure_connection_ca_file="/etc/ssl/certs/ca.crt"

# Algorithms available are SHA1, SHA256, SHA512, MD5, default is SHA256
hash_algorithm = "SHA512"

# MariaDB/Mysql database connection
database =
{
  type     = "mariadb"
  host     = "localhost"
  user     = "glewlwyd"
  password = "glewlwyd"
  dbname   = "glewlwyd"
  port     = 3306
};

# mime types for webapp files
static_files_mime_types =
(
  {
    extension = ".html"
    mime_type = "text/html"
  },
  {
    extension = ".css"
    mime_type = "text/css"
  },
  {
    extension = ".js"
    mime_type = "application/javascript"
  },
  {
    extension = ".json"
    mime_type = "application/json"
  },
  {
    extension = ".png"
    mime_type = "image/png"
  },
  {
    extension = ".jpg"
    mime_type = "image/jpeg"
  },
  {
    extension = ".jpeg"
    mime_type = "image/jpeg"
  },
  {
    extension = ".ttf"
    mime_type = "font/ttf"
  },
  {
    extension = ".woff"
    mime_type = "font/woff"
  },
  {
    extension = ".woff2"
    mime_type = "font/woff2"
  },
  {
    extension = ".map"
    mime_type = "application/octet-stream"
  },
  {
    extension = ".ico"
    mime_type = "image/x-icon"
  }
)

This is the screenshot I running using .deb package:
image

and this is running using source-compiled binary:
image

Could you tell me, maybe there is a step I missed?
The default 4093 automatically runs the web UI, doesn't it?
Thanks

webapp not working again

Hello, Nicolas.
I am trying to manage glewlwyd 2.0.0-b2 using the webapp on a fresh Debian "buster" system, but it's not working for me right now.

After the login page with admin/password there was an error:
image

If I try to add a new scope or something else:
image

In the browser console you can see the following error message and a 401 HTTP code (unauthorized):

XML Parsing Error: no root element found
Location: http://tarqeq.vpn:4593/api/scope?offset=0&limit=20
Line Number 1, Column 1:

my configs

glewlwyd.conf
external_url="http://tarqeq.vpn:4593"
login_url="login.html"
url_prefix="api"
static_files_path="/usr/local/share/glewlwyd/webapp/"
...

config.json
"GlewlwydUrl": "http://tarqeq.vpn:4593/",
"ProfileUrl": "http://tarqeq.vpn:4593/profile.html",
"AdminUrl": "http://tarqeq.vpn:4593/index.html",
"LoginUrl": "http://tarqeq.vpn:4593/login.html"
...

So what could it be?
Thanks.

Server core dumps in user.c and client.c

LDAP was not configured. ldap_auth = false was set in the config file.
While logging in from the webapp, get_user (...) [file: user.c] is called, which accesses LDAP resources and thus leads to a core dump.

I applied a possible quick fix in the user.c get_user (...) function as below, before accessing either the LDAP or the database source.

/* only query LDAP when it is actually configured */
if (config->has_auth_ldap && search_ldap) {
  j_user = get_user_ldap(config, login);
}
/* fall back to the database when LDAP is off or did not return the user */
if (config->has_auth_database && !check_result_value(j_user, G_OK) && search_database) {
  json_decref(j_user);
  j_user = get_user_database(config, login);
}

I am able to access the webapp pages after the fix.

Interaction with other oAuth providers?

This looks like a good work - thank you for sharing it.

I'm wondering how this server can be used in tandem with other OAuth providers. For example, consider this scenario:

  • Let's say there is a website that relies on OAuth (supporting this server as one of the backends)
  • Let's say the website also supports other OAuth backends (such as Google etc.)
  • Now, assume one user logs in with Google on the website.

What happens afterwards? Would an equivalent user be created on this Glewlwyd server?

Also, is it possible to associate custom data with a user login? For example, their configuration options or some other settings etc.?

Active Directory

Hi !
I wanted to try your OAuth2 server but failed to configure the Active Directory settings; I got this message: Glewlwyd ERROR: Error ldap search: Operations error when I want to grant access once I'm connected.
Does the admin have to be in the LDAP? Is there any other LDAP debug output that I can get?

What am I missing? Do you need any other information?

Thanks a lot,

missing ldap auth property in conf file (confidential_property_client_read)

Trying to bring up an instance I'm seeing the following:

$ sudo /usr/local/bin/glewlwyd --config-file=/etc/glewlwyd/glewlwyd.conf
Error, auth ldap error parameters
Error config file

The following check seems to be failing in the file glewlwyd.c:
cur_auth_ldap_confidential_property_client_read != NULL

config_setting_lookup_string(auth, "confidential_property_client_read", &cur_auth_ldap_confidential_property_client_read);

I'd add that to the config, but I'm not sure what the RHS value should be.

Perform autocheck of the RSA or ECDSA certificate at startup

When an RSA or ECDSA certificate is not valid due to one of multiple causes (corrupted file, wrong certificate, etc.), a JWT can be generated but it can never be validated by Glewlwyd, so no user can be authenticated properly, since the session token is a JWT and is checked every time the user requires a new session or asks for a new access or refresh token.

So Glewlwyd must perform a check of its own certificate at startup and must exit if the check fails.

email field in user profile (HTTP backend)

Some OpenID Connect clients authenticate by the email field in the profile, and that field is missing in the HTTP user profile.
Is there a chance to get a generated email field, by providing some template to the HTTP backend?
