OAuth end_of_popup_response.js script does not execute

pwix · December 28, 2023, 11:00am

Hello,

I am writing a small package to connect a Meteor application to an OpenID Connect external Provider. I have based the code on accounts-github and github-oauth, with a “popup” loginStyle.

On server side, I get the authorization token, the access token, fake user informations (as both the application and OID Provider are in development mode), and the OAuth request handler, registered via OAuth.registerService(), is correctly ran (and I believe correctly handled).
Then flow goes to renderOAuthResult() and endOfLoginResponse(), but the popup doesn’t eventually close.
The popup rightly displays the updated end_of_popup.html template (i.e. with correct data inside it), but the window popup stays blank. It seems that the script is not executed.

As a side note, maybe I should specify that the application runs on http://localhost:3000, and the redirect_url is https://devel.trychlos.lan, because the OID provider only allows https, and I have configured a nginx to redirect the former to the ad-hoc url on localhost.
May this difference in the domains be the cause of the javascript not executing ?

As I understand the Meteor OAuth flow, this is the last step before credentials are passed back to the main window and the user be logged-in. So… Any help would be welcome

Regards
Pierre

paulishca · December 29, 2023, 8:04am

Might find some answers here: GitHub - Akarda/accounts-oidc: A Meteor login service for OpenID Connect (OIDC)

pwix · December 30, 2023, 7:15am

Hi,
Is there any particular reason I may find an answer in this package ?
This is a fork of salleman, which itself is a fork of witch.
I have carefully read the code of the three, but didn’t found any tip for my issue.

Yes, there were of great help when debugging my own code (because OIDC is not exactly OAuth), but in this last step I am blocked. I have tried to rely on maximum on already written code (because I am a bit lazy of course).

Server sends HTML to the client, HTML contains a tag, but script is not executed. Nobody has an idea why ?

xet7 · December 30, 2023, 8:22pm

@pwix

If you are using Meteor 2.14, WeKan fork of salleman OIDC/OAuth2 at wekan/packages/wekan-oidc and wekan/packages/wekan-accounts-oidc directory has been modified to work with many different OIDC/OAuth2 providers:

Docs for various ways to login at wiki:

Login form is at layouts.* files:

Authentication related code is here:

github.com

wekan/wekan/blob/main/server/authentication.js

import { ReactiveCache } from '/imports/reactiveCache';
import Fiber from 'fibers';

Meteor.startup(() => {
  // Node Fibers 100% CPU usage issue
  // https://github.com/wekan/wekan-mongodb/issues/2#issuecomment-381453161
  // https://github.com/meteor/meteor/issues/9796#issuecomment-381676326
  // https://github.com/sandstorm-io/sandstorm/blob/0f1fec013fe7208ed0fd97eb88b31b77e3c61f42/shell/server/00-startup.js#L99-L129
  Fiber.poolSize = 1e9;

  Accounts.validateLoginAttempt(function(options) {
    const user = options.user || {};
    return !user.loginDisabled;
  });

  Authentication = {};

  Authentication.checkUserId = function(userId) {
    if (userId === undefined) {
      const error = new Meteor.Error('Unauthorized', 'Unauthorized');

This file has been truncated. show original

Creating new user is at wekan/models/users.js:

github.com

wekan/wekan/blob/main/models/users.js#L1308


      
                },
                {
                  multi: true,
                },
              );
              return true;
            } else {
              return false;
            }
          },
          setCreateUser(
            fullname,
            username,
            initials,
            password,
            isAdmin,
            isActive,
            email,
            importUsernames,
            userOrgsArray,
            userTeamsArray,

For more info, you can search ChangeLog:

github.com

wekan/wekan/blob/main/CHANGELOG.md

[Mac ChangeLog](https://github.com/wekan/wekan/wiki/Mac)

Newest WeKan at these amd64 platforms:

- Linux bundle
- Snap Candidate
- Docker
- Kubernetes

Fixing other platforms In Progress.

- Install info at Server part of webpage https://wekan.github.io
- Newest Node.js is at https://github.com/wekan/node-v14-esm/releases/tag/v14.21.4
- MongoDB 6.x

[How to upgrade WeKan](https://github.com/wekan/wekan/issues/4585)

# Upcoming WeKan ® release

This release adds the following updates:

This file has been truncated. show original

And open and closed issues:

And PRs:

https://github.com/wekan/wekan/pulls

pwix · January 5, 2024, 4:19am

Hello,
Thanks to all to have taken the time to answer, even if the answer was for another question

Happens that the differences between the domain names that I mentioned in my first post was the source of the issue. So the solution I have chosen is :

install a local nginx, configuring it as

server name is myhost.local.lan, which is the hostname of my station in my local network
only serve https on port 443 with a self-signed certificate,
has a proxy_pass configuration to http://localhost:3000
do not change the meteor run command
points my browser to ‘https://myhost.local.lan’

And all works like a charm.

Regards
Pierre