View Issue Details

ID: 0006120
Project: SOGo
Category: Backend Calendar
View Status: public
Last Update: 2025-05-05 13:49
Reporter: dgeo
Assigned To: qhivert
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: assigned
Resolution: open
Platform: sogo 5.12.1
OS: FreeBSD
OS Version: 14.2
Product Version: 5.12.1
Summary: 0006120: openid broken
Description

unable to parse SOGoOpenIdConfigUrl

On login: client gets a 501 code

Server log:
May 5 09:27:02 tsogo1 sogod[50784]: [21717]: [ERROR] <0x0x40143948cd68[GSCBufferString]> json parser: Expected value while parsing array, attempting once more after unescaping...
May 5 09:27:02 tsogo1 sogod[50784]: [21717]: [ERROR] <0x0x40143948cd68[GSCBufferString]> total failure. Original string is: e0c^M
May 5 09:27:02 tsogo1 sogod[50784]: {"issuer":"https://auth.test.ec-m.fr/oidc","scopes_supported":["openid","profile","email","address","phone","offline_access","client_configuration_scope","uma_authorization","uma_protection","client_registration_scope"],"response_types_supported":["code","token","id_token","id_token token","device_code"],"response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["public","pairwise"],"claim_types_supported":["normal"],"claims_supported":["sub","acr","name","preferred_username","family_name","given_name","middle_name","profile","picture","nickname","website","zoneinfo","locale","updated_at","birthdate","email","email_verified","phone_number","phone_number_verified","address","gender"],"grant_types_supported":["authorization_code","password","client_credentials","refresh_token","urn:ietf:params:oauth:grant-type:uma-ticket"],"id_token_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"dpop_signing_alg_values_supported":["RS256","RS384","RS512","ES256","ES384","ES512"],"id_token_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"id_token_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"userinfo_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"userinfo_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"userinfo_encryption_enc_values_supp
orted":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"acr_values_supported":["mfa-simple"],"request_object_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"request_object_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"request_object_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"introspection_endpoint_auth_methods_supported":["client_secret_basic"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt"],"code_challenge_methods_supported":["plain","S256"],"prompt_values_supported":["none","login","consent"],"claims_parameter_supported":true,"request_uri_parameter_supported":true,"request_parameter_supported":true,"backchannel_logout_supported":true,"frontchannel_logout_supported":true,"pushed_authorization_request_endpoint":"https://auth.test.ec-m.fr/oidc/oidcPushAuthorize","backchannel_logout_session_supported":true,"frontchannel_logout_session_supported":true,"authorization_endpoint":"https://auth.test.ec-m.fr/oidc/oidcAuthorize","token_endpoint":"https://auth.test.ec-m.fr/oidc/oidcAccessToken","userinfo_endpoint":"https://auth.test.ec-m.fr/oidc/oidcProfile","registration_endpoint":"https://auth.test.ec-m.fr/oidc/register","end_session_endpoint":"https://auth.test.ec-m.fr/oidc/oidcLogout","introspection_endpoint":"https://auth.test.ec-m.fr/oidc/introspect","revocation_endpoint":"https://auth.test.ec-m.fr/oidc/revoke","jwks_uri":"https://auth.test.ec-m.fr/oidc/jwks"}^M
May 5 09:27:02 tsogo1 sogod[50784]: 0^M
May 5 09:27:02 tsogo1 sogod[50784]: ^M
May 5 09:27:02 tsogo1 sogod[50784]:
May 5 09:27:02 tsogo1 sogod[50784]: [21717:102018] EXCEPTION: <NSException: 0x4014390b08c8> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'authorization_endpoint' to dictionary INFO:{}

The json is valid, and contains a valid "authorization_endpoint"…

Steps To Reproduce

Using apereo CAS server with openid Connect support (6.6.15 here)

sogo config:
/* auth (openid) */
SOGoAuthenticationType = "openid";
/* OpenID Connect */
OCSOpenIdURL = "mysql://user:pass@localhost:3306/sogo/sogo_openid";
SOGoOpenIdConfigUrl = "https://auth.test.ec-m.fr/oidc/.well-known/openid-configuration";
SOGoOpenIdClient = "myclient";
SOGoOpenIdClientSecret = "mysecret";
SOGoOpenIdScope = "openid profile email";
SOGoOpenIdEmailParam = "email";
SOGoOpenIdEnableRefreshToken = "NO";
SOGoOpenIdTokenCheckInterval = "120";
SOGoOpenIdLogoutEnabled = "NO";

Tags: No tags attached.

Activities

dgeo

2025-05-05 07:40

reporter   ~0018205

log file unmodified attached

sogo.log (4,276 bytes)   
May  5 09:39:45 tsogo1 sogod[50784]: [21717]: [ERROR] <0x0x401439592228[GSCBufferString]> json parser: Expected value while parsing array, attempting once more after unescaping...
May  5 09:39:45 tsogo1 sogod[50784]: [21717]: [ERROR] <0x0x401439592228[GSCBufferString]> total failure. Original string is: e0c^M
May  5 09:39:45 tsogo1 sogod[50784]: {"issuer":"https://auth.test.ec-m.fr/oidc","scopes_supported":["openid","profile","email","address","phone","offline_access","client_configuration_scope","uma_authorization","uma_protection","client_registration_scope"],"response_types_supported":["code","token","id_token","id_token token","device_code"],"response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["public","pairwise"],"claim_types_supported":["normal"],"claims_supported":["sub","acr","name","preferred_username","family_name","given_name","middle_name","profile","picture","nickname","website","zoneinfo","locale","updated_at","birthdate","email","email_verified","phone_number","phone_number_verified","address","gender"],"grant_types_supported":["authorization_code","password","client_credentials","refresh_token","urn:ietf:params:oauth:grant-type:uma-ticket"],"id_token_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"dpop_signing_alg_values_supported":["RS256","RS384","RS512","ES256","ES384","ES512"],"id_token_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"id_token_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"userinfo_signing_alg_values_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"userinfo_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"userinfo_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"acr_values_supported":["mfa-simple"],"request_object_signing_alg_values
_supported":["none","RS256","RS384","RS512","PS256","PS384","PS512","ES256","ES384","ES512","HS256","HS384","HS512"],"request_object_encryption_alg_values_supported":["RSA1_5","RSA-OAEP","RSA-OAEP-256","A128KW","A192KW","A256KW","A128GCMKW","A192GCMKW","A256GCMKW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"],"request_object_encryption_enc_values_supported":["A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128GCM","A192GCM","A256GCM"],"introspection_endpoint_auth_methods_supported":["client_secret_basic"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt"],"code_challenge_methods_supported":["plain","S256"],"prompt_values_supported":["none","login","consent"],"claims_parameter_supported":true,"request_uri_parameter_supported":true,"request_parameter_supported":true,"backchannel_logout_supported":true,"frontchannel_logout_supported":true,"pushed_authorization_request_endpoint":"https://auth.test.ec-m.fr/oidc/oidcPushAuthorize","backchannel_logout_session_supported":true,"frontchannel_logout_session_supported":true,"authorization_endpoint":"https://auth.test.ec-m.fr/oidc/oidcAuthorize","token_endpoint":"https://auth.test.ec-m.fr/oidc/oidcAccessToken","userinfo_endpoint":"https://auth.test.ec-m.fr/oidc/oidcProfile","registration_endpoint":"https://auth.test.ec-m.fr/oidc/register","end_session_endpoint":"https://auth.test.ec-m.fr/oidc/oidcLogout","introspection_endpoint":"https://auth.test.ec-m.fr/oidc/introspect","revocation_endpoint":"https://auth.test.ec-m.fr/oidc/revoke","jwks_uri":"https://auth.test.ec-m.fr/oidc/jwks"}^M
May  5 09:39:45 tsogo1 sogod[50784]: 0^M
May  5 09:39:45 tsogo1 sogod[50784]: ^M
May  5 09:39:45 tsogo1 sogod[50784]: 
May  5 09:39:45 tsogo1 sogod[50784]: [21717:102018] EXCEPTION: <NSException: 0x4014390b11c8> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key 'authorization_endpoint' to dictionary INFO:{}
qhivert

2025-05-05 09:07

administrator   ~0018206

Hello, found the problem.
Your endpoint uses this for the GET response:
HTTP/1.1 200 200
Transfer-Encoding: chunked
...

This header, deprecated for HTTP/2.0 (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Transfer-Encoding), is not supported by sogo.

The data received for the endpoint in this transfer mode is:
<size of chunk>
<chunk of data>
<size of chunk>
....
<0>

As sogo doesn't support this, it thinks that the size of the chunk is actual data, meaning it will read something like this:
e0c
{"issuer"...
Hence the failure of the JSON parser.

I see that your apereo CAS 6.5.15 has reached end of life (https://apereo.github.io/cas/developer/Maintenance-Policy.html#eol-schedule).
I'm not sure the 7.x.x version doesn't use this header anymore, though. Would you be able to install a fresh apereo cas server with their last version and test it?
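
The chunk framing described in the note above, as an added example that is not part of the original comment and is not SOGo's code: a strict chunked-body decoder followed by a discovery-document check that fails closed instead of yielding a nil authorization_endpoint. The function names, the lowercase header dictionary and the sample body (a trimmed copy of the logged document) are assumptions constructed for illustration.

```python
import json

class ChunkedDecodeError(ValueError):
    """Raised when a body is not valid HTTP/1.1 chunked framing."""

def decode_chunked(body: bytes, max_size: int = 1 << 20) -> bytes:
    """Strip chunk framing: <hex size>CRLF <data>CRLF ... 0 CRLF CRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedDecodeError("no CRLF after chunk size")
        field = body[pos:eol].split(b";", 1)[0].rstrip(b" \t")  # drop extensions
        # Hex digits only; int(x, 16) alone would also accept "0x1f", "+1f", "1_f".
        if not field or any(c not in b"0123456789abcdefABCDEF" for c in field):
            raise ChunkedDecodeError(f"bad chunk size {field!r}")
        size, pos = int(field, 16), eol + 2
        if size == 0:
            return bytes(out)  # last chunk; trailer fields are ignored
        if len(out) + size > max_size:
            raise ChunkedDecodeError("decoded body exceeds max_size")
        if len(body) < pos + size + 2 or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedDecodeError("truncated or misframed chunk")
        out += body[pos:pos + size]
        pos += size + 2

def parse_discovery(config_url: str, headers: dict, body: bytes) -> dict:
    """Decode, parse and sanity-check an OpenID Connect discovery document."""
    # Assumption: header names in `headers` are already lowercased.
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = decode_chunked(body)
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("discovery document is not a JSON object")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not isinstance(doc.get(key), str):
            raise ValueError(f"discovery document lacks {key}")
    # OIDC Discovery: the issuer must be the prefix of the URL it was fetched from.
    if config_url != doc["issuer"].rstrip("/") + "/.well-known/openid-configuration":
        raise ValueError("issuer does not match the configuration URL")
    return doc

# Constructed sample: a trimmed copy of the logged document, sent as one chunk.
CONFIG_URL = "https://auth.test.ec-m.fr/oidc/.well-known/openid-configuration"
SAMPLE_JSON = json.dumps({
    "issuer": "https://auth.test.ec-m.fr/oidc",
    "authorization_endpoint": "https://auth.test.ec-m.fr/oidc/oidcAuthorize",
    "token_endpoint": "https://auth.test.ec-m.fr/oidc/oidcAccessToken",
    "jwks_uri": "https://auth.test.ec-m.fr/oidc/jwks"}).encode()
SAMPLE_BODY = b"%x\r\n%s\r\n0\r\n\r\n" % (len(SAMPLE_JSON), SAMPLE_JSON)
```

Passing SAMPLE_BODY straight to json.loads fails the same way the log shows, because the first bytes the parser sees are the hexadecimal chunk size.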

dgeo

2025-05-05 13:49

reporter   ~0018207

Thank you, I'll try, but not very quickly…

Issue History

Date Modified      Username   Field                        Change
2025-05-05 07:31   dgeo       New Issue
2025-05-05 07:40   dgeo       Note Added: 0018205
2025-05-05 07:40   dgeo       File Added: sogo.log
2025-05-05 07:52   qhivert    Steps to Reproduce Updated
2025-05-05 07:53   qhivert    Assigned To                  => qhivert
2025-05-05 07:53   qhivert    Status                       new => assigned
2025-05-05 09:07   qhivert    Note Added: 0018206
2025-05-05 09:07   qhivert    Status                       assigned => feedback
2025-05-05 13:49   dgeo       Note Added: 0018207
2025-05-05 13:49   dgeo       Status                       feedback => assigned